- Email: [email protected]
Automatic Verification of Consistency Between Diagrams for Process Control
Copyright © IFAC Safety and Reliability in Emerging Control Technologies, Daytona Beach, Florida, USA, 1995
AUTOMATIC VERlFICATION OF CONSISTENCY BETWEEN DIAGRAMS FOR PROCESS CONTROL T. URAOKA*, A. OHSUGA* and S. HONIDEN* • Systems and Software Engineering Laboratory, Toshiba Corporation, Kawasal.-i 210, Japan
Abstract. This paper presents an algorithm for automatically verifying the consistency between a state transition diagram and a logic diagram, where the state transition diagram is a specification for a process control system, and the logic diagram is the design. State transition diagrams represent control from a dynamic viewpoint, while logic diagrams represent it from a logical viewpoint. Therefore, their consistency increases the reliability of the design . Because the verification algorithm is based on Boolean function manipulations, it can be efficiently implemented using binary decision diagrams. Key Words. Consistency; verification; process control; logic diagrams, Boolean functions
verification method is proposed.
1. INTRODUCTION
• Describe specification for process control using state transition diagrams(STDs). • Describe design for process control using logic diagrams or ladder diagrams. • Verify the consistency between the specification and the design.
Design for process control is described using logic diagrams or ladder diagrams (see Figure 1 (a) , (b»). A logic diagram is composed of logic symbols, while a ladder diagram is composed of relay symbols. They are suitable for representing logical connections between inputs and outputs, but it is difficult to understand the system behavior as a whole from them. In the case of sequential control, sequential function charts(SFCs) can solve this problem(see Figure 1 (c»). An SFC explicitly represents sequential control by connecting steps with transitions. However, SFCs are not suitable for some types of control, for example, the control to keep a plant state constant is not sequential. For such objects, logic diagrams or ladder diagrams are used.
STDs, which are widely used to specify real-time systems, are also appropriate for process control (Leveson N. G. et al., 1994). Moreover, STDs represent control from a dynamic viewpoint, while logic diagrams and ladder diagrams represent it from a logical viewpoint. Therefore, their consistency increases the reliability of the design. For hardware verification, there are techniques to check the equivalence between two sequential machines. However, the equiValence is too strict to compare a specification with a design for process control. Therefore, this paper introduces a concept of consistency between a STD and a logic diagram, and presents an algorithm for automatically verifying the consistency. (Note that since ladder diagrams can be transformed to logic diagrams, only logic diagrams are considered in this paper.) Because the algorithm is based on Boolean function manipulations, it can be efficiently implemented using binary decision diagrams(BDDs) .
Many process control systems require high reliability, and methods to strictly ensure the correctness are desirable. For this reason, the following
::~ (a)
Logic Diagram
~Il ~MtJ (b)
, ",
~ JfMl
The next section introduces an"example of process control, the corresponding logic diagram and the STDs which are used to clarify the subject of this paper. Section 3 gives formal interpretations for logic diagrams and STDs, and defines their consistency. Section 4 presents the consistency verifi-
12
Ladder Diagram
(c)
Fig. 1. Diagrams for process control
121
xl
water level too high
x2
wa.ter level too low
x3
stop- PS " ON
x, pool - valve closed
star t pump
yl
stop pump
y2
open pool - va l ve
y3
close pool-valve
y4
open tank - va l ve
y5
close tank-va lve
y6
open test-valve
y7
close t.est-valve
ya
x5 tank-valve closed x6 test-valve closed x7
pump stopped
x8
test-PS -
ON
x5 tank-valve closed
x9
flow rate enough
x4
pool - valve closed
x6 test-valve closed x7
pump stopped
Fig. 2. Logic diagram for water-supply system
cation algorithm and applies the algorithm to the logic diagram and the STDs in Section 3. Section 5 describes related studies and Section 6 is the conclusion.
and the outputs are on the right. The logical connections between the inputs and the outputs are represented by combinations of logical symbols. Lines with a label(A ..E) are connected to lines with the same label. It is difficult to check the correctness of the design of even such a small example. One factor which makes it difficult is the ambiguity in the specification. STDs are useful to strictly represent specification. An STD is composed of states connected by transitions. States may have a name and actions, and transitions must have a condition. A black circle indicates the initial state. Figure 5 is an STD for the water-supply system focusing on the pump control. Figure 4 is the detailed STD. Both represent the behavior of the water-supply system as a whole, which is hidden in the logic diagram. The STD in Figure 5 is flat, while the STD in Figure 4 is hierarchically structured. Because a hierarchical STD can be transformed to a flat STD, the following discussion assumes flat STDs. The consistency between Figure 2 and Figure 5 is examined in Section 4.
2. LOGIC DIAGRAMS AND STDS As an example, consider the water-supply system in Figure 3. This system consists of a pool, a tank, a pump, piping, and three valves. The system automatically supplies water from the pool to the tank through route 1, when the waterlevel of the tank becomes too low. When the water-level becomes too high, the system suspends the supply by circulating water through route 2. There are two push-buttons, one to stop and one to test. 'Vhen the stop-button is pressed, the system stops unless the water-level is too low. When the test-button is pressed, the system circulates water through route 2 to test the equipment. Figure 2 shows a logic diagram for the watersupply system. The inputs are listed on the left
(pool-valve closed) (tank-valve closed) ,.-.1-_--, (test-valve closed) (pump stopped)
test - valve
water leve too low
Fig. 3. Water-supply system
Fig. 5. STD for pump control
122
(test-PB ~ ON) and (tank - valve closed)
~
(pool - valve closed) and (tank-valve closed) and (test-valve closed) and (pump stopped)
stand by
stop close pool valve close tank-valve c l ose t est-valve
water level too low
(poo l -valve closed) and (t est-valve clos e d) and (pump stopped)
stop- PB
~
ON
stop pump
stop- PB
~
water level too low
operate
test
open pool - valve start pump
test-start
test-end
open pool-valve open test-valve sta r t pump
"-
ON
close pool-valve close test-valve
stop pump
~ ( water level too low
~
)
supply open tank-valve close test - valve
'--
flow rate enough
water level too high
suspend
close tank-valve open test - valve
.../
water level too low
Fig. 4. STD for water-supply system
3. FORMAL INTERPRETATIONS
variables. The verification algorithm in Section 4 is based on the fact that (j and ). are Boolean expression vectors.
This section gives formal interpretations for logic diagrams and STDs, and defines their consistency.
3.2. Interpretation for STDs 3.1. Interpretation for Logic Diagrams Transition conditions and actions in aQ STD can be interpreted as Boolean expressions which use input variables and Boolean expressions which use output variables respectively. Let j3 denote transition conditions, and Q denote actions. For example, the transition condition from 'stop' to 'stand-by' is j3(stop,stand-by) = X4 t\ Xs t\ X6 t\ X7, and the action of 'operate' is Q(operate) = Yl' A Boolean expression P characterizes a set {x I p(x) = T}. Therefore, j3 can be considered to be an input subset, Q to be an output subset. In this paper, a Boolean expression identified with the characterized set; x E p is used to denote p(x) = T and PI ~ P2 to denote (PI (x) = T =:::} p2(X) = T).
A logic diagram represents logical connections between inputs and outputs. However, outputs depend not only on inputs but on states, namely, values preserved in loops (see a, b, c, d, e in Figure 2). Inputs and states determine outputs and the next states. Therefore, a logic diagram is interpreted as a sequential machine composed of the following six-tu pie: input set X, output set Y, state set Z, initial state z/ state transition function {j : X x Z -+ Z, output function A : X x Z -+ Y As an example, consider the sequential machine defined by Figure 2. Let XI , ... , Xg be input variables, and YI,' .. ,Ys be output variables, and a, b, c, d, e be state variables. They are Boolean variables, whose domain is {T,F}. The initial state is. The state transition function {j =< {ja, {jb, {jc, {jd, (je > is the following Boolean expression vector:
<
V(-,x2t\a), X2 V (-,c t\ b), (b t\ X3) V (-'(X4 t\ Xs t\ X6 t\ X7) t\ c), (d V (xs t\ xs)) t\ -,c t\ -,e, (e V (d t\ Xg)) t\ -'(X4 t\ X6 t\ X7)
An STD is interpreted as the following six-tuple: input set X, output set Y, state set S, initial state s], transition conditions j3 : S x S -+ 2x , actions Q : S -+ 2 Y
3.3. Consistency between an STD and a Logic Diagram
XI
Suppose that an STD and a logic diagram are compared as in Figure 6. They start from each initial state, given arbitrary inputs and observe the outputs. The observation is based on the following suppositions.
>
The output function A is also a Boolean expression vector, whose dimension is the number of output
123
· .. , x 3' x 2' x 1 r -____~A~
Z
f
0.
Input
______~
t
s
+:_:1 51
"---+ s2 Logic Diagram
0 Calculating Algorithm
4.1.
"
Let X be a Boolean expression for inputs, and w be a Boolean expression for states for a logic diagram. 6.(X,w) is defined as follows:
STD
if (X t\ w) ~ 6v if (X t\ w) ~ -.6 v otherwise
Fig. 6. Consistency between an STD and a logic diagram
(1)
where V is the set of state variables of the logic diagram.
(SI) The time required for transitions in STDs is zero. (S2) The time required for transitions in logic diagrams can be considered to be zero compared with the speed of changes of inputs.
6.(X, w) includes all the next states from states satisfying w for any input satisfying X. In addition, 6.*(X,w) is defined as follows:
The outputs are not observed at every specific interval but rather when the input changes. Let the STD be in s, and the logic diagram be in z, and the input change. From (SI) and (S2), the states finally reached from sand z by the input are more meaningful than the next states of sand z. (They, however, may not necessarily reach a stable state.) If the reached states are determined, the action and the output are observed. The action and the output are consistent if the characterized set of the action includes the output.
6. *(X, w) {
=
~*(x,6.(x,w»
if 6.(X,w)=w otherwise
(2)
6. *(X, w) is undefined if it does not converge. If 6. *(X, w) is obtained, it includes all the reached states from states satisfying w for any input sequence satisfying X. Figure 7 shows the 0 calculating algorithm using 6.*. Given a logic diagram and an STD, the algorithm calculates 0. Let 0 be a Boolean expression array indexed by states of the STD for the calculation. The algorithm starts from their initial states. First, 6. *b( SI), {zIl), which is all the reached states from Zl for any input sequence which puts the STD in sI, is substituted to 0[s/) . Next, 0[s) is calculated for every state s which has a transition from SI. The condition to move from SI to s and not to pass through s is f3(sl,s) t\ ,(s). After taking the transition, the condition to stay in s is ,(s). Then, 6. * b( s), 6. * (f3( SI,s) t\ ,( s), 0[s I))) is substituted to 0[s). This calculation is repeated from state to state following transitions. If 0[s) is calculated more than once, logical addition is applied to the results, which means that the characterized set of 0[s) monotonically increases. Because the states of the logic diagram are finite, the algorithm surely terminates. It may happen that 6.' does not converge, which can be detected in the calculation. In this case the algorithm gives up the calculation of 0.
An STD and a logic diagram are defined to be consistent if they satisfy the following conditions at every observation described above.
(Cl) If the STD reaches a stable state, the logic diagram reaches a stable state. (C2) The action and the output from the reached states are consistent. This concept of the consistency is looser than the equivalence, because only stable reached states are involved. The next section presents the verification algorithm for the consistency.
4. CONSISTENCY VERIFICATION Assume an STD and a logic diagram are being compared. Let 0( s) be the set of all the possible states of the logic diagram when the STD is in state s . If 0(s) is obtained for every state s of the STD, (C2) can be replaced by the following expression: Vs E S, Vz E 0(s) , "Ix E ,(s), >'(x, z) E o:(s)
The algorithm in Figure 7 calculates 0 using f3 . However, it does not cope with the concatenations of transitions. For example, if f3(SI, S2) t\ f3(S2, S3) t\ , (S3) is satisfied in SI , the STD moves from SI to S3 . To consider this concatenation, 0[S3) is calculated not only by
where , ( s) is the condition that the STD stays in s: ,(s) = I\s'ES -.f3(s, s') . Because it is difficult to get the exact 0, Section 4.1 proposes the approximation of 0. Section 4.2 shows the consistency verification algorithm using
124
1: var 6: Boolean expression array 2: 3: procedure calc_theta 4: var P: set of pairs of states 5: var E : Boolean expression 6: 7: 8: 6[SIJ := ~·(r(SI) , {ZI }); 9: For any S E S s.t. S =1= SI , 6[sJ := F; 10: P:= {< SI,S >1 P(SI , S) =1= F}; 11: while (P =1= {}) do 12: Select < Si , S2 > from P; 13: E := ~·(P(Sl,S2) tl'}'(s2) , 6[Sl]); E:= ~·(r(S2),E); 14: 15: E := 6[S2J V E ; 16: if (E =1= 6[S2]) then 17: 6[S2J := E ; 18: P := PU {< S2,S >1 P(S2,S) =1= F}; endif 19: 20: P:= P\ {< Sl,S2 >}; 21 : enddo 22: endproc Fig. 7.
As an example, examine the consistency between the logic diagram in Figure 2 and the STD in Figure 5. First, 0[stand-by] is calculated.
o [stand-by] = ~ "(((stand-by), {}) = ~"( -'X2, -.a /\ -.b /\ -.c /\ -.d /\ -.e) = -.b /\ -.c Next, 0[operate] and 0[stop] are calculated, following the transitions.
o [operate] = ~ *({( operate) , ~ * (,6(stand-by, operate) /\,(operate),0[stand-by]))
= ~*(-'X3,~*(X2 /\-,x3 , -.b/\-.c)) = b/\-.c 0[stop]
= ... = -.b /\ c
0[stop] causes the recalculation of 0[operate]. 0[operate] = ~ *( ,(operate), ~ * (,6(stop, operate) /\,( operate), o [stop])) = ~ *(-'X3 , ~ *(X2 /\ -'X3 , -.b /\ c)) = T
e calculating algorithm
~ "({(S3), ~ "(,6(S2' S3) /\ ,(S3) , 0[S2])) but also by ~"({( S3), ~ * (,6( SI, S2) /\,6( S2, S3) /\,( S3), 0[sd))·
Even if the calculation is continued, 0[operate] = T does not change, and (*) is not satisfied by 'operate'.
To calculate the complete 0, ,6 is replaced with ,6*:
(3)
0[operate] /\ ,(operate) = T /\ -'X3 = -'X3 , a(operate). A = b V d => 0[operate] /\ , (operate) g a(operate). A
4.2. Consistency Verification Algorithm
This inconsistency is explained as follows. If the water-level becomes too low, state b changes to ON. Afterward, if the stop-button is pushed, state c changes to ON, and resets state b to stop the operations. At this time, if the water-level becomes too low again, state b changes to ON, but does not reset state c. Therefore, the system stops the operations as soon as the water-level becomes normal , without having to push the stop-button again. This situation is not consistent with the STD.
The following is the consistency verification algorithm for a given logic diagram and STD.
Figure 8 shows a modification of Figure 2. This modification changes be:
1. Calculation of 0 Calculate 0 using the 0 calculating algorithm. If the calculation fails, the logic diagram and the STD are inconsistent because of a violation of (Cl) . 2. Consistency check Check the following.
The verification algorithm shows that the modified logic diagram is consistent with the STD in Figure 5 as follows.
The expansion of ,6 to ,6* is finite because the possible concatenations of transitions are finite. However, the 0 calculation with ,6* takes more time than the one with ,6. Therefore, the expansion of ,6 depends on the situation. For the fast detection of inconsistency, 0 by ,6 is suitable. For the careful verification, 0 by ,6* is better.
0[stand-by] = -.b /\ -.c, 0[operate] = b /\ -.c, 0[stop] = -.b /\ c /\ -.d
VSES, 0[s]/\,(s) ~ a(s).A --(*)
0[operate] /\ ,(operate) = (b /\ -.c) /\ -'X3 , a(operate). A = b V d => 0[operate] /\ , (operate) ~ a(operate). A
where p(YJ , . .. ,Yn) • A = p(AJ, . .. , An) . If (*) is satisfied, the logic diagram and the STD are consistent.
125
x3
ure 5 and 4, an STD is not detailed enough to be equal to design. Besides, the equivalence, which requires equal outputs for any time, is too strict. The consistency based on suppositions (SI) and (S2) requires consistent outputs only in reached states for inputs.
:stop-PS"" ON
x4 pool-valve closed x5 tank-valve closed x6 test-valve closed
x2
Fig. 8. Modification of logic diagram
0[stop] 1\ ,(stop) = (,b 1\ c 1\ ...,d) 1\ ,X2 1\ (,X4 V 'XS V ,X6 V ,X7 ), Q(stop).'\ = ,b 1\ (C V e) => 0[stop] 1\ , (stop) ~ Q(stop).'\
Equivalence checking methods tend to confront the long computation time or the state explosion problem. On the ot.her hand, the consistency verification algorit.hm uses ~. t.o calculate reached states. This approximation makes the algorithm efficient. In addition, the verification time can be adjusted by selecting the expansion of (3.
6. CONCLUSION A state transition diagram is a specification for a process control system, and a logic diagram is the design. This paper introduced a concept of consistency between an STD and a logic diagram, and presented an algorithm for automatically verifying their consistency. An example was used to illustrate how this algorithm detects errors in design. The discussion about the verification algorithm assumed flat STDs. However, the algorithm can be applied to structured STDs, because a structured STD can be transformed to a flat STD.
Because the STD in Figure 4 is hierarchically structured, it has to be flattened. before the verification. The modified logic diagram is also consistent with the flat STD equal to Figure 4. The o is as follows. 0[stand-by] = ,b 1\ ,C 1\ ,d 1\ ,e, 0[supply] = ,a 1\ b 1\ 'c, 0[suspend] = a 1\ b 1\ ,c 0[stop] = ,b 1\ c 1\ ,d, 0[test-start] = ,b 1\ ,c 1\ d 1\ ,e, 0[test-end] = ,b 1\ ,c 1\ ,d 1\ e
7. ACKNOWLEDGMENTS The authors are grateful to S. \Vatanabe and K. Matsumura of Systems & Software Engineering Laboratory, Toshiba Corporation, for their support.
The verification algorithm uses I\(logical multi plication), V(logical addition), ~ (characterized set inclusion), and .(vector substitution). These Boolean function manipulations can be efficiently executed using binary decision diagrams(BDDs)(Bryant, R.E., 1986).
8. REFERENCES Bryant, R.E. (1986). Graph-Based Algorithms for Boolean Function Manipulation. IEEE Trans. Comput. C-35(8), 677- 69l. Coudert, 0., C. Berthet, and J .C. Mardre (1989). Verification of Synchronous Sequential Machines Using Symbolic Execution. In: Proc. Workshop on Automatic Verification Methods for Finite State Systems. Springer-Verlag, pp. 365-373. Harel D. (1987). Statechart.s: A Visual Formalism for Complex Systems. Sci. Comput. Program. 8,231-274. Jahanian F. , and K. Mok (1994). Modechart: A Specification Language for Real-Time Systems. IEEE Trans. Software Eng. 20(12),933-947. Leveson N. G., M.P.E. Heimdahl, H. Hildreth, and J .D. Reese (1994). Requirements Specification for Process-Control Systems. IEEE Trans. Software Eng. 20(9) , 684- 707.
5. RELATED STUDIES There are studies proposing STD-based languages for real-time systems or process control systems(Harel D. , 1987; Leveson N. G. et al., 1994; Jahanian F. and K. Mok, 1994). Those languages have richer notations to describe complicated systems. However, their discussions are closed on STDs and do not connect them to the implementations. On the other hand, this paper restricted the STD notation and compared it directly with the implementation, namely, a logic diagram. There are methods for checking equivalence between two sequential machines, which are used for hardware verification(Coudert, O. et al., 1989). The equivalence checking methods compare two sequential machines from each initial state. If their outputs are equal for any input sequence, they are equivalent. However, as shown in Fig-
126
AUTOMATIC VERlFICATION OF CONSISTENCY BETWEEN DIAGRAMS FOR PROCESS CONTROL T. URAOKA*, A. OHSUGA* and S. HONIDEN* • Systems and Software Engineering Laboratory, Toshiba Corporation, Kawasal.-i 210, Japan
Abstract. This paper presents an algorithm for automatically verifying the consistency between a state transition diagram and a logic diagram, where the state transition diagram is a specification for a process control system, and the logic diagram is the design. State transition diagrams represent control from a dynamic viewpoint, while logic diagrams represent it from a logical viewpoint. Therefore, their consistency increases the reliability of the design . Because the verification algorithm is based on Boolean function manipulations, it can be efficiently implemented using binary decision diagrams. Key Words. Consistency; verification; process control; logic diagrams, Boolean functions
verification method is proposed.
1. INTRODUCTION
• Describe specification for process control using state transition diagrams(STDs). • Describe design for process control using logic diagrams or ladder diagrams. • Verify the consistency between the specification and the design.
Design for process control is described using logic diagrams or ladder diagrams (see Figure 1 (a) , (b»). A logic diagram is composed of logic symbols, while a ladder diagram is composed of relay symbols. They are suitable for representing logical connections between inputs and outputs, but it is difficult to understand the system behavior as a whole from them. In the case of sequential control, sequential function charts(SFCs) can solve this problem(see Figure 1 (c»). An SFC explicitly represents sequential control by connecting steps with transitions. However, SFCs are not suitable for some types of control, for example, the control to keep a plant state constant is not sequential. For such objects, logic diagrams or ladder diagrams are used.
STDs, which are widely used to specify real-time systems, are also appropriate for process control (Leveson N. G. et al., 1994). Moreover, STDs represent control from a dynamic viewpoint, while logic diagrams and ladder diagrams represent it from a logical viewpoint. Therefore, their consistency increases the reliability of the design. For hardware verification, there are techniques to check the equivalence between two sequential machines. However, the equiValence is too strict to compare a specification with a design for process control. Therefore, this paper introduces a concept of consistency between a STD and a logic diagram, and presents an algorithm for automatically verifying the consistency. (Note that since ladder diagrams can be transformed to logic diagrams, only logic diagrams are considered in this paper.) Because the algorithm is based on Boolean function manipulations, it can be efficiently implemented using binary decision diagrams(BDDs) .
Many process control systems require high reliability, and methods to strictly ensure the correctness are desirable. For this reason, the following
::~ (a)
Logic Diagram
~Il ~MtJ (b)
, ",
~ JfMl
The next section introduces an"example of process control, the corresponding logic diagram and the STDs which are used to clarify the subject of this paper. Section 3 gives formal interpretations for logic diagrams and STDs, and defines their consistency. Section 4 presents the consistency verifi-
12
Ladder Diagram
(c)
Fig. 1. Diagrams for process control
121
xl
water level too high
x2
wa.ter level too low
x3
stop- PS " ON
x, pool - valve closed
star t pump
yl
stop pump
y2
open pool - va l ve
y3
close pool-valve
y4
open tank - va l ve
y5
close tank-va lve
y6
open test-valve
y7
close t.est-valve
ya
x5 tank-valve closed x6 test-valve closed x7
pump stopped
x8
test-PS -
ON
x5 tank-valve closed
x9
flow rate enough
x4
pool - valve closed
x6 test-valve closed x7
pump stopped
Fig. 2. Logic diagram for water-supply system
cation algorithm and applies the algorithm to the logic diagram and the STDs in Section 3. Section 5 describes related studies and Section 6 is the conclusion.
and the outputs are on the right. The logical connections between the inputs and the outputs are represented by combinations of logical symbols. Lines with a label(A ..E) are connected to lines with the same label. It is difficult to check the correctness of the design of even such a small example. One factor which makes it difficult is the ambiguity in the specification. STDs are useful to strictly represent specification. An STD is composed of states connected by transitions. States may have a name and actions, and transitions must have a condition. A black circle indicates the initial state. Figure 5 is an STD for the water-supply system focusing on the pump control. Figure 4 is the detailed STD. Both represent the behavior of the water-supply system as a whole, which is hidden in the logic diagram. The STD in Figure 5 is flat, while the STD in Figure 4 is hierarchically structured. Because a hierarchical STD can be transformed to a flat STD, the following discussion assumes flat STDs. The consistency between Figure 2 and Figure 5 is examined in Section 4.
2. LOGIC DIAGRAMS AND STDS As an example, consider the water-supply system in Figure 3. This system consists of a pool, a tank, a pump, piping, and three valves. The system automatically supplies water from the pool to the tank through route 1, when the waterlevel of the tank becomes too low. When the water-level becomes too high, the system suspends the supply by circulating water through route 2. There are two push-buttons, one to stop and one to test. 'Vhen the stop-button is pressed, the system stops unless the water-level is too low. When the test-button is pressed, the system circulates water through route 2 to test the equipment. Figure 2 shows a logic diagram for the watersupply system. The inputs are listed on the left
(pool-valve closed) (tank-valve closed) ,.-.1-_--, (test-valve closed) (pump stopped)
test - valve
water leve too low
Fig. 3. Water-supply system
Fig. 5. STD for pump control
122
(test-PB ~ ON) and (tank - valve closed)
~
(pool - valve closed) and (tank-valve closed) and (test-valve closed) and (pump stopped)
stand by
stop close pool valve close tank-valve c l ose t est-valve
water level too low
(poo l -valve closed) and (t est-valve clos e d) and (pump stopped)
stop- PB
~
ON
stop pump
stop- PB
~
water level too low
operate
test
open pool - valve start pump
test-start
test-end
open pool-valve open test-valve sta r t pump
"-
ON
close pool-valve close test-valve
stop pump
~ ( water level too low
~
)
supply open tank-valve close test - valve
'--
flow rate enough
water level too high
suspend
close tank-valve open test - valve
.../
water level too low
Fig. 4. STD for water-supply system
3. FORMAL INTERPRETATIONS
variables. The verification algorithm in Section 4 is based on the fact that (j and ). are Boolean expression vectors.
This section gives formal interpretations for logic diagrams and STDs, and defines their consistency.
3.2. Interpretation for STDs 3.1. Interpretation for Logic Diagrams Transition conditions and actions in aQ STD can be interpreted as Boolean expressions which use input variables and Boolean expressions which use output variables respectively. Let j3 denote transition conditions, and Q denote actions. For example, the transition condition from 'stop' to 'stand-by' is j3(stop,stand-by) = X4 t\ Xs t\ X6 t\ X7, and the action of 'operate' is Q(operate) = Yl' A Boolean expression P characterizes a set {x I p(x) = T}. Therefore, j3 can be considered to be an input subset, Q to be an output subset. In this paper, a Boolean expression identified with the characterized set; x E p is used to denote p(x) = T and PI ~ P2 to denote (PI (x) = T =:::} p2(X) = T).
A logic diagram represents logical connections between inputs and outputs. However, outputs depend not only on inputs but on states, namely, values preserved in loops (see a, b, c, d, e in Figure 2). Inputs and states determine outputs and the next states. Therefore, a logic diagram is interpreted as a sequential machine composed of the following six-tu pie: input set X, output set Y, state set Z, initial state z/ state transition function {j : X x Z -+ Z, output function A : X x Z -+ Y As an example, consider the sequential machine defined by Figure 2. Let XI , ... , Xg be input variables, and YI,' .. ,Ys be output variables, and a, b, c, d, e be state variables. They are Boolean variables, whose domain is {T,F}. The initial state is
<
V(-,x2t\a), X2 V (-,c t\ b), (b t\ X3) V (-'(X4 t\ Xs t\ X6 t\ X7) t\ c), (d V (xs t\ xs)) t\ -,c t\ -,e, (e V (d t\ Xg)) t\ -'(X4 t\ X6 t\ X7)
An STD is interpreted as the following six-tuple: input set X, output set Y, state set S, initial state s], transition conditions j3 : S x S -+ 2x , actions Q : S -+ 2 Y
3.3. Consistency between an STD and a Logic Diagram
XI
Suppose that an STD and a logic diagram are compared as in Figure 6. They start from each initial state, given arbitrary inputs and observe the outputs. The observation is based on the following suppositions.
>
The output function A is also a Boolean expression vector, whose dimension is the number of output
123
· .. , x 3' x 2' x 1 r -____~A~
Z
f
0.
Input
______~
t
s
+:_:1 51
"---+ s2 Logic Diagram
0 Calculating Algorithm
4.1.
"
Let X be a Boolean expression for inputs, and w be a Boolean expression for states for a logic diagram. 6.(X,w) is defined as follows:
STD
if (X t\ w) ~ 6v if (X t\ w) ~ -.6 v otherwise
Fig. 6. Consistency between an STD and a logic diagram
(1)
where V is the set of state variables of the logic diagram.
(SI) The time required for transitions in STDs is zero. (S2) The time required for transitions in logic diagrams can be considered to be zero compared with the speed of changes of inputs.
6.(X, w) includes all the next states from states satisfying w for any input satisfying X. In addition, 6.*(X,w) is defined as follows:
The outputs are not observed at every specific interval but rather when the input changes. Let the STD be in s, and the logic diagram be in z, and the input change. From (SI) and (S2), the states finally reached from sand z by the input are more meaningful than the next states of sand z. (They, however, may not necessarily reach a stable state.) If the reached states are determined, the action and the output are observed. The action and the output are consistent if the characterized set of the action includes the output.
6. *(X, w) {
=
~*(x,6.(x,w»
if 6.(X,w)=w otherwise
(2)
6. *(X, w) is undefined if it does not converge. If 6. *(X, w) is obtained, it includes all the reached states from states satisfying w for any input sequence satisfying X. Figure 7 shows the 0 calculating algorithm using 6.*. Given a logic diagram and an STD, the algorithm calculates 0. Let 0 be a Boolean expression array indexed by states of the STD for the calculation. The algorithm starts from their initial states. First, 6. *b( SI), {zIl), which is all the reached states from Zl for any input sequence which puts the STD in sI, is substituted to 0[s/) . Next, 0[s) is calculated for every state s which has a transition from SI. The condition to move from SI to s and not to pass through s is f3(sl,s) t\ ,(s). After taking the transition, the condition to stay in s is ,(s). Then, 6. * b( s), 6. * (f3( SI,s) t\ ,( s), 0[s I))) is substituted to 0[s). This calculation is repeated from state to state following transitions. If 0[s) is calculated more than once, logical addition is applied to the results, which means that the characterized set of 0[s) monotonically increases. Because the states of the logic diagram are finite, the algorithm surely terminates. It may happen that 6.' does not converge, which can be detected in the calculation. In this case the algorithm gives up the calculation of 0.
An STD and a logic diagram are defined to be consistent if they satisfy the following conditions at every observation described above.
(Cl) If the STD reaches a stable state, the logic diagram reaches a stable state. (C2) The action and the output from the reached states are consistent. This concept of the consistency is looser than the equivalence, because only stable reached states are involved. The next section presents the verification algorithm for the consistency.
4. CONSISTENCY VERIFICATION Assume an STD and a logic diagram are being compared. Let 0( s) be the set of all the possible states of the logic diagram when the STD is in state s . If 0(s) is obtained for every state s of the STD, (C2) can be replaced by the following expression: Vs E S, Vz E 0(s) , "Ix E ,(s), >'(x, z) E o:(s)
The algorithm in Figure 7 calculates 0 using f3 . However, it does not cope with the concatenations of transitions. For example, if f3(SI, S2) t\ f3(S2, S3) t\ , (S3) is satisfied in SI , the STD moves from SI to S3 . To consider this concatenation, 0[S3) is calculated not only by
where , ( s) is the condition that the STD stays in s: ,(s) = I\s'ES -.f3(s, s') . Because it is difficult to get the exact 0, Section 4.1 proposes the approximation of 0. Section 4.2 shows the consistency verification algorithm using
124
1: var 6: Boolean expression array 2: 3: procedure calc_theta 4: var P: set of pairs of states 5: var E : Boolean expression 6: 7: 8: 6[SIJ := ~·(r(SI) , {ZI }); 9: For any S E S s.t. S =1= SI , 6[sJ := F; 10: P:= {< SI,S >1 P(SI , S) =1= F}; 11: while (P =1= {}) do 12: Select < Si , S2 > from P; 13: E := ~·(P(Sl,S2) tl'}'(s2) , 6[Sl]); E:= ~·(r(S2),E); 14: 15: E := 6[S2J V E ; 16: if (E =1= 6[S2]) then 17: 6[S2J := E ; 18: P := PU {< S2,S >1 P(S2,S) =1= F}; endif 19: 20: P:= P\ {< Sl,S2 >}; 21 : enddo 22: endproc Fig. 7.
As an example, examine the consistency between the logic diagram in Figure 2 and the STD in Figure 5. First, 0[stand-by] is calculated.
o [stand-by] = ~ "(((stand-by), {
o [operate] = ~ *({( operate) , ~ * (,6(stand-by, operate) /\,(operate),0[stand-by]))
= ~*(-'X3,~*(X2 /\-,x3 , -.b/\-.c)) = b/\-.c 0[stop]
= ... = -.b /\ c
0[stop] causes the recalculation of 0[operate]. 0[operate] = ~ *( ,(operate), ~ * (,6(stop, operate) /\,( operate), o [stop])) = ~ *(-'X3 , ~ *(X2 /\ -'X3 , -.b /\ c)) = T
e calculating algorithm
~ "({(S3), ~ "(,6(S2' S3) /\ ,(S3) , 0[S2])) but also by ~"({( S3), ~ * (,6( SI, S2) /\,6( S2, S3) /\,( S3), 0[sd))·
Even if the calculation is continued, 0[operate] = T does not change, and (*) is not satisfied by 'operate'.
To calculate the complete 0, ,6 is replaced with ,6*:
(3)
0[operate] /\ ,(operate) = T /\ -'X3 = -'X3 , a(operate). A = b V d => 0[operate] /\ , (operate) g a(operate). A
4.2. Consistency Verification Algorithm
This inconsistency is explained as follows. If the water-level becomes too low, state b changes to ON. Afterward, if the stop-button is pushed, state c changes to ON, and resets state b to stop the operations. At this time, if the water-level becomes too low again, state b changes to ON, but does not reset state c. Therefore, the system stops the operations as soon as the water-level becomes normal , without having to push the stop-button again. This situation is not consistent with the STD.
The following is the consistency verification algorithm for a given logic diagram and STD.
Figure 8 shows a modification of Figure 2. This modification changes be:
1. Calculation of 0 Calculate 0 using the 0 calculating algorithm. If the calculation fails, the logic diagram and the STD are inconsistent because of a violation of (Cl) . 2. Consistency check Check the following.
The verification algorithm shows that the modified logic diagram is consistent with the STD in Figure 5 as follows.
The expansion of ,6 to ,6* is finite because the possible concatenations of transitions are finite. However, the 0 calculation with ,6* takes more time than the one with ,6. Therefore, the expansion of ,6 depends on the situation. For the fast detection of inconsistency, 0 by ,6 is suitable. For the careful verification, 0 by ,6* is better.
0[stand-by] = -.b /\ -.c, 0[operate] = b /\ -.c, 0[stop] = -.b /\ c /\ -.d
VSES, 0[s]/\,(s) ~ a(s).A --(*)
0[operate] /\ ,(operate) = (b /\ -.c) /\ -'X3 , a(operate). A = b V d => 0[operate] /\ , (operate) ~ a(operate). A
where p(YJ , . .. ,Yn) • A = p(AJ, . .. , An) . If (*) is satisfied, the logic diagram and the STD are consistent.
125
x3
ure 5 and 4, an STD is not detailed enough to be equal to design. Besides, the equivalence, which requires equal outputs for any time, is too strict. The consistency based on suppositions (SI) and (S2) requires consistent outputs only in reached states for inputs.
:stop-PS"" ON
x4 pool-valve closed x5 tank-valve closed x6 test-valve closed
x2
Fig. 8. Modification of logic diagram
0[stop] 1\ ,(stop) = (,b 1\ c 1\ ...,d) 1\ ,X2 1\ (,X4 V 'XS V ,X6 V ,X7 ), Q(stop).'\ = ,b 1\ (C V e) => 0[stop] 1\ , (stop) ~ Q(stop).'\
Equivalence checking methods tend to confront the long computation time or the state explosion problem. On the ot.her hand, the consistency verification algorit.hm uses ~. t.o calculate reached states. This approximation makes the algorithm efficient. In addition, the verification time can be adjusted by selecting the expansion of (3.
6. CONCLUSION A state transition diagram is a specification for a process control system, and a logic diagram is the design. This paper introduced a concept of consistency between an STD and a logic diagram, and presented an algorithm for automatically verifying their consistency. An example was used to illustrate how this algorithm detects errors in design. The discussion about the verification algorithm assumed flat STDs. However, the algorithm can be applied to structured STDs, because a structured STD can be transformed to a flat STD.
Because the STD in Figure 4 is hierarchically structured, it has to be flattened. before the verification. The modified logic diagram is also consistent with the flat STD equal to Figure 4. The o is as follows. 0[stand-by] = ,b 1\ ,C 1\ ,d 1\ ,e, 0[supply] = ,a 1\ b 1\ 'c, 0[suspend] = a 1\ b 1\ ,c 0[stop] = ,b 1\ c 1\ ,d, 0[test-start] = ,b 1\ ,c 1\ d 1\ ,e, 0[test-end] = ,b 1\ ,c 1\ ,d 1\ e
7. ACKNOWLEDGMENTS The authors are grateful to S. \Vatanabe and K. Matsumura of Systems & Software Engineering Laboratory, Toshiba Corporation, for their support.
The verification algorithm uses I\(logical multi plication), V(logical addition), ~ (characterized set inclusion), and .(vector substitution). These Boolean function manipulations can be efficiently executed using binary decision diagrams(BDDs)(Bryant, R.E., 1986).
8. REFERENCES Bryant, R.E. (1986). Graph-Based Algorithms for Boolean Function Manipulation. IEEE Trans. Comput. C-35(8), 677- 69l. Coudert, 0., C. Berthet, and J .C. Mardre (1989). Verification of Synchronous Sequential Machines Using Symbolic Execution. In: Proc. Workshop on Automatic Verification Methods for Finite State Systems. Springer-Verlag, pp. 365-373. Harel D. (1987). Statechart.s: A Visual Formalism for Complex Systems. Sci. Comput. Program. 8,231-274. Jahanian F. , and K. Mok (1994). Modechart: A Specification Language for Real-Time Systems. IEEE Trans. Software Eng. 20(12),933-947. Leveson N. G., M.P.E. Heimdahl, H. Hildreth, and J .D. Reese (1994). Requirements Specification for Process-Control Systems. IEEE Trans. Software Eng. 20(9) , 684- 707.
5. RELATED STUDIES There are studies proposing STD-based languages for real-time systems or process control systems(Harel D. , 1987; Leveson N. G. et al., 1994; Jahanian F. and K. Mok, 1994). Those languages have richer notations to describe complicated systems. However, their discussions are closed on STDs and do not connect them to the implementations. On the other hand, this paper restricted the STD notation and compared it directly with the implementation, namely, a logic diagram. There are methods for checking equivalence between two sequential machines, which are used for hardware verification(Coudert, O. et al., 1989). The equivalence checking methods compare two sequential machines from each initial state. If their outputs are equal for any input sequence, they are equivalent. However, as shown in Fig-
126