Error-free scheduling for batch processes using symbolic model verifier


Journal of Loss Prevention in the Process Industries 22 (2009) 367–372


Jinkyung Kim, Jiyong Kim, Il Moon*
Department of Chemical & Biomolecular Engineering, Yonsei University, Seodaemun-gu Shinchon-dong 134, Seoul 120-749, Republic of Korea

Article history: Received 6 January 2006; received in revised form 18 November 2008; accepted 6 January 2009.

Abstract

This paper focuses on the development of a new approach for the synthesis of error-free operating schedules in batch processes. The synthesis of error-free operating procedures for batch processes is an important issue in the safe operation of industrial plants, and scheduling and verifying operating procedures for correctness and completeness takes considerable time and effort. In this study we adopt SMV (Symbolic Model Verifier), an automatic error finding system, and apply it to various batch processes to test their safety and feasibility. The strength of this method is that it minimizes safety hazards and operability errors, and accommodates process and recipe changes during the planning of the operating procedure. The proposed approach identifies embedded errors, finds a minimum makespan and synthesizes an error-free operating sequence at the same time. Several examples are presented to illustrate the effectiveness of the proposed approach. © 2009 Elsevier Ltd. All rights reserved.

Keywords: Error-free operating procedure; Verification; SMV; Minimum makespan; Batch process

1. Introduction

Batch processes are widely used in the manufacture of pharmaceutical products, food, specialty chemicals, and certain types of polymers. The standard now known as S88 was created to provide a common language and models for the design and specification of control systems for batch processing (Thomaas, 1990). It has the added benefit of allowing users to integrate products from different vendors more easily. Since production volumes are usually low, batch plants are often multi-product facilities in which various products share the same pieces of equipment, so batch processes must be scheduled efficiently and safely. Many approaches have been introduced to optimize schedules for these processes, and more elaborate scheduling techniques are needed because batch processes are becoming more segmented and more complex in order to meet customer requirements. In multi-product batch processes, completion time algorithms and production scheduling methods have been studied frequently in the chemical process industry. When a batch process is used to manufacture two or more products, two major plant types and several types of intermediate storage policy can arise. When products have a high degree of similarity, they may need the same processing steps and hence pass through the same series of processing units; plants producing such products are called multi-product plants. When products have a low degree of similarity, they may need different processing steps and hence visit different series of processing units; such plants are referred to as multi-purpose plants. In batch plants, intermediate storage between processing units is also important to maintain a smooth flow of materials and to satisfy the requirements of the processing recipes. The different types of intermediate storage policy are unlimited intermediate storage (UIS), no intermediate storage (NIS), finite intermediate storage (FIS), and zero-wait (ZW). A process with such policies should be scheduled as efficiently and safely as possible. Operating schedules embody these policies together with the nature of the production recipes and processing units, and various errors are apt to be embedded in them. Manually finding a completely error-free operating schedule is almost impossible for industrial-size problems. Thus, automating the generation of operating schedules and finding a minimum makespan without errors has been an important research issue.

Previous work on the synthesis of operating procedures has dealt with both continuous and batch processes. Fusillo and Powers (1987) and Lakshmanan and Stephanopoulos (1990) addressed this problem for continuous and semi-batch chemical processes. Fusillo and Powers introduced artificial intelligence (AI) techniques of symbolic functional modeling to represent units and their manipulations, and used procedural planning methods to generate a set of operators for unit manipulations that yield a feasible sequence of state transitions from the initial to the goal state. Lakshmanan and Stephanopoulos (1990) developed a methodology in which an object-oriented modeling framework is coupled with hierarchical non-linear planning techniques to synthesize operating procedures for continuous processes.

* Corresponding author. Tel.: +82 2 2123 2761; fax: +82 2 312 6401. E-mail address: [email protected] (I. Moon). doi:10.1016/j.jlp.2009.01.001


Hierarchical non-linear planning means generating partial plans and refining them until a feasible plan is obtained. For batch processes, Rotstein, Lavie, and Lewin (1994) and Crooks, Evans, and Macchietto (1994) worked on the synthesis of operating procedures. Rotstein et al. (1994) used concepts from qualitative process theory (QPT) to represent knowledge about the chemical process; based on this representation, sequences of process operations were generated in the form of an operating procedures network (OPNet). Crooks et al. (1994) developed an automated system called computer aided procedure synthesis (CAPS) for generating operating procedures for batch processes, using state task networks (STNs) to represent the batch recipe. The STN representation is a structured method of modeling batch operations. Such representations can be modeled through the generalized disjunctive programming of Raman and Grossmann (1994), from which specific mixed-integer optimization models can be derived. Scheduling optimization problems are mostly described with discrete variables. Discrete optimization is the problem in which the decision variables assume discrete values from a specified set; when this set is the set of integers, we have an integer programming problem. Combinatorial optimization concerns choosing the best combination out of all possible combinations, and most combinatorial problems can be formulated as integer programs.

Scheduling optimization based on model checking makes use of the search strategies of CTL. First, a model of the overall, undetermined process behavior has to be constructed, which consists of all production steps (of all orders) at every state. Feasibility is formulated as a property using integer variables. The model checker searches the reachable state space for a state where this property holds and, if one is found, provides a diagnostic trace. The diagnostic trace contains the sequence of processing steps and transitions from the initial state to the state found, which suffices to extract a feasible schedule. The advantage of this approach is its robustness against changes in parameter settings, since the model is very general. The disadvantage lies in the well-known state space explosion problem: for interesting cases, the model checking approach described above does not terminate. The way out is to add heuristics or known features of schedules that reduce the search space to a size that can be traversed more easily. Kim and Moon (2000) first introduced the synthesis of operating schedules based on model checking for batch processes. Their work, however, applied it only to specific cases such as the ZW and FIS intermediate conditions of multi-purpose batch processes. This study proposes a module-based approach, describing reusable modules for the common intermediate policies, to synthesize error-free operating procedures in general and to obtain a minimum makespan for both multi-purpose and multi-product batch processes using symbolic model checking. The development of a generalized automatic method for the synthesis of operating procedures improves the engineer's planning job by reducing effort and time. Another merit of this approach is that it minimizes safety hazards and operability errors and accommodates process and recipe changes during the planning of the operating procedure.

Fig. 1. The structure of symbolic model verifier.

2. Modeling and its verification

2.1. Model checking method

Model checking is an alternative verification approach that has achieved significant results recently. Efficient algorithms are able to verify properties of extremely large systems. In these techniques, specifications are written as formulas in a propositional temporal logic and systems are represented by state-transition graphs. The verification is accomplished by an efficient breadth-first search procedure that views the transition system as a model for the logic and determines whether the specifications are satisfied by the model. There are several advantages to this approach. An important one is that the procedure is completely automatic: the model checker accepts a model description and specifications written as temporal logic formulas, and determines whether the formulas are true for the model. Another advantage is that, if a formula is not true, the model checker provides a counterexample, an execution trace that shows why the formula is not true. The procedure by which SMV generates counterexamples is as follows. When the model checker receives its two inputs (the system model and the assertions), it determines whether each assertion is satisfied by the model being verified. The model checker constructs the complete state-transition graph of the system. For each CTL operator there is an algorithm for determining the truth of a formula constructed with that operator, given that the truth of its sub-formulas has already been determined; the model checker is the combination of these algorithms. The model checker may also provide a counterexample to a false assertion: a trace through a sequence of states that demonstrates why the formula being tested is false. When the model checker determines that an assertion is false, it tries to find a path that demonstrates that the negation of the assertion is true. SMV would be of little value without the ability to generate counterexamples illustrating cases in which specifications are violated. Counterexamples are generated for violated specifications beginning with the universal path quantifier A. A single counterexample cannot be found for a violated, existentially quantified specification (E), because all paths in the computation tree would have to be revealed to demonstrate that the formula is false. However, if an existentially quantified formula is proven true, a witness is generated which demonstrates one instance in which the specification holds.

Fig. 2. Examples of computation trees satisfying four common CTL formulas.

Fig. 3. Total structure for the synthesis.

2.2. Temporal logic symbolic model checking

Temporal logic model checking is a method for the formal verification of finite state reactive and concurrent systems. The specification and verification of such systems is difficult due to their complexity. Temporal logic expresses events in time without using an explicit notion of time. Specifications in Fig. 1 are expressed as temporal logic formulas, which are then proved true with respect to the structure. A temporal ("Kripke") structure $M$ is a labeled state-transition graph given by the tuple $M = (AP, S, R, L)$, where $AP$ is a set of atomic formulas, $S$ is a finite set of states, $R \subseteq S \times S$ is a transition relation and $L : S \to \mathcal{P}(AP)$ is a function labeling every state with the set of atomic formulas that hold there. A path is an infinite sequence of states $s_0 s_1 \ldots$ such that $\forall i : (s_i, s_{i+1}) \in R$. Each temporal structure can also be represented by its computation trees starting in each of its states. The syntax of CTL includes propositional logic with additional temporal operators; the operator letters relate states of the computation tree to each other. Each temporal operator is composed of a path quantifier, all ("A") or some ("E"), and one of the four operators next ("X"), globally ("G"), eventually ("F") and until ("U"). Propositional and temporal operators can be composed arbitrarily (Froessl, Gerlach, & Kropf, 1996). The following abbreviations are used in writing CTL formulas (Fig. 2; Moon, Powers, Burch, & Clarke, 1992; Moon, 1994):

$EF(f) \equiv E[\mathrm{TRUE}\ U\ f]$ means that there is some path from $s_0$ that leads to $f$; i.e., $f$ holds potentially.
$AF(f) \equiv A[\mathrm{TRUE}\ U\ f]$ means that $f$ holds in the future along every path from the initial state $s_0$; i.e., $f$ is inevitable.
$EG(f) \equiv \neg AF(\neg f)$ means that there is some path from $s_0$ on which $f$ holds at every state.
$AG(f) \equiv \neg EF(\neg f)$ means that $f$ holds at every state on every path from $s_0$; i.e., $f$ holds globally.
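The following is an added illustration of Sections 2.1 and 2.2 and is not code from the paper or from SMV. It is an explicit-state CTL checker over a Kripke structure $M = (AP, S, R, L)$: $EX$ is computed directly from $R$, $E[f\,U\,g]$ and $EG f$ as least and greatest fixpoints over sets of states, and the derived operators follow the abbreviations above ($EF f = E[\mathrm{TRUE}\,U\,f]$, $AG f = \neg EF \neg f$, $AF f = \neg EG \neg f$). A breadth-first witness for $EF f$ doubles as the counterexample reported for the violated A-quantified assertion $AG \neg f$, which is exactly the artefact Section 4 later reads back as a schedule. SMV does this symbolically with BDDs; the set-based version here makes the fixpoints visible. The model (a unit that loads, reacts for an arbitrary time, unloads) and its labels are constructed for this example; the transition relation is required to be total so that every path is infinite, as the definition of a path in Section 2.2 assumes.

```python
"""Explicit-state CTL model checking over a Kripke structure M = (AP, S, R, L).
Added example; not the paper's code and not SMV. Operators are computed as
fixpoints over sets of states; witness_EF yields the counterexample for AG ~f.
"""
from collections import deque
from typing import Dict, List, Optional, Set

State = str


class CTLChecker:
    def __init__(self, states: Set[State], trans: Dict[State, Set[State]],
                 label: Dict[State, Set[str]]):
        # R must be total (every state has a successor) so that every path is infinite
        assert all(trans[s] for s in states), "transition relation must be total"
        self.S, self.R, self.L = set(states), trans, label

    def ap(self, p: str) -> Set[State]:
        """States whose label L(s) contains the atomic proposition p."""
        return {s for s in self.S if p in self.L[s]}

    def neg(self, X: Set[State]) -> Set[State]:
        return self.S - X

    def EX(self, X: Set[State]) -> Set[State]:
        """States with at least one R-successor in X."""
        return {s for s in self.S if self.R[s] & X}

    def EU(self, X: Set[State], Y: Set[State]) -> Set[State]:
        """E[X U Y]: least fixpoint Z = Y ∪ (X ∩ EX Z), iterated from the empty set."""
        Z: Set[State] = set()
        while True:
            nxt = Y | (X & self.EX(Z))
            if nxt == Z:
                return Z
            Z = nxt

    def EG(self, X: Set[State]) -> Set[State]:
        """EG X: greatest fixpoint Z = X ∩ EX Z, iterated from the full state set."""
        Z = set(self.S)
        while True:
            nxt = X & self.EX(Z)
            if nxt == Z:
                return Z
            Z = nxt

    # Derived operators, following the abbreviations of Section 2.2
    def EF(self, X): return self.EU(self.S, X)                  # E[TRUE U X]
    def AF(self, X): return self.neg(self.EG(self.neg(X)))      # ~EG ~X
    def AG(self, X): return self.neg(self.EF(self.neg(X)))      # ~EF ~X
    def AX(self, X): return self.neg(self.EX(self.neg(X)))      # ~EX ~X

    def witness_EF(self, init: State, X: Set[State]) -> Optional[List[State]]:
        """Shortest path from init into X: a witness for EF X and, equally, the
        counterexample a model checker prints for the violated assertion AG ~X."""
        parent: Dict[State, Optional[State]] = {init: None}
        queue = deque([init])
        while queue:
            s = queue.popleft()
            if s in X:
                path = []
                while s is not None:
                    path.append(s)
                    s = parent[s]
                return path[::-1]
            for t in sorted(self.R[s]):
                if t not in parent:
                    parent[t] = s
                    queue.append(t)
        return None


def example_model() -> CTLChecker:
    """Constructed toy unit: load, react (may wait arbitrarily long), unload, done."""
    S = {"idle", "load", "react", "unload", "done"}
    R = {"idle": {"load"}, "load": {"react"}, "react": {"react", "unload"},
         "unload": {"done"}, "done": {"done"}}
    L = {"idle": set(), "load": set(), "react": {"hot"}, "unload": {"hot"},
         "done": {"finished"}}
    return CTLChecker(S, R, L)


if __name__ == "__main__":
    m = example_model()
    fin = m.ap("finished")
    print("AG ~finished at idle:", "idle" in m.AG(m.neg(fin)))   # False: a finishing path exists
    print("AF finished at idle:", "idle" in m.AF(fin))           # False: react may loop forever
    print("counterexample to AG ~finished:", m.witness_EF("idle", fin))
```

Running the block shows the two faces of a specification discussed in Section 2.1: `AG ~finished` is violated and the checker returns the concrete path `idle, load, react, unload, done`, whereas `AF finished` is also false, but only because the self-loop on `react` admits an infinite path on which the unit never finishes.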

2.3. Symbolic model verifier with applications

The verification method is based on SMV (Symbolic Model Verifier), which builds on the CTL model checking work of Clarke et al. (1986). SMV automatically builds BDDs (Binary Decision Diagrams) over combinations of variables and verifies whether the model satisfies the CTL (Computation Tree Logic) assertions. The model description in SMV is expressed as state transitions. Moon et al. (1992) applied this verification method to the automatic verification of discrete chemical process control systems (on-off switches, pumps, relays, tank levels, and switches). Moon (1994) also applied the method to the verification of the safety and operability of PLC-based chemical processing systems. Probst et al. (1997) suggested the use of SMV for decisive operating steps, using the example of valve toughness in a furnace system. Adam (1999) presented a procedure for the construction of a discrete model that captures the dynamics and phenomena relevant to safety verification. Kim, Lee, and Moon (1999) proposed a method to find errors in operating schedules for batch processes, and Lee, Kim, and Moon (1999)

Fig. 4. The generation algorithm for all of possible operating procedures.

Fig. 5. The schematic diagram of multi-product example.

applied this method to real-time batch process schedules using SMV. Kim and Moon (2000) proposed a new methodology for finding the makespan of operating schedules in a multi-purpose batch process without any safety error.

3. New approach for synthesis of operating procedures

A new method is developed in this study for synthesizing an error-free operating procedure and for finding a minimum makespan. The following algorithms are considered indispensable.

- The modeling algorithm describes how to represent the process and planning recipes in an efficient manner that generates all possible operating procedures. (Modeling issue)
- The safety verification algorithm describes how to represent the intermediate storage tank policies, which prune out paths containing errors in the operating procedures. (Safety and operability issue)
- The time related algorithm describes how to connect the above modules effectively with the timer module that produces a minimum makespan. (Time related issue)
- The assertion algorithm describes how to pose the synthesis and time related questions in correct CTL, so that a safe operating procedure is obtained together with a minimum makespan. (Operating procedure synthesis issue)

The modeling algorithm is developed to express all possible operating schedules that can be generated in batch processes, but it does not actually generate all possible states in the computer. Rather, it keeps only the expression of the possible schedules and generates states only when necessary. This algorithm adopts undetermined variables in order to produce a random production sequence. All units operate sequentially and simultaneously with random operating schedules. Scheduling times of all units have time constraints (such as run time) expressed with defined variables. All possible operating schedules for batch processes according to the unit time constraints are thus expressed completely. Safety verification algorithms are used to find errors for the intermediate storage tank policies (ZW, UIS, FIS, NIS) and production recipes; these modules remove unsafe and infeasible sequences from the set of all possible operating schedules, and the remaining sequences are verified by CTL in the assertion algorithm. The time related algorithm uses real time variables to synchronize each processing unit timer with the global timer. All unit modules have their own scheduling timers that make the process work at the exact prespecified time, and the global timer keeps all unit timers linked symmetrically. A constraint module for the terminal condition (e.g. production numbers) is added to limit batch numbers. Finally, the assertion algorithm using CTL obtains a minimum makespan and a safe operating schedule at the same time. Our study has the strength of generating safe operating procedures efficiently and achieving error-free systems simultaneously in batch processes. Fig. 3 shows a library of modules (a representation module for the candidate operating procedures, a timer module, a sequence module and intermediate storage modules as safety constraints) which serve as building blocks for the model synthesis procedure. This is not a complete or exhaustive list; additional modules can be defined as necessary. In future it would be advantageous to generalize the module library to similar problem groups by adding, for example, product priority modules, processing unit option modules or emergency production modules.

Fig. 6. Gantt chart of synthesized safe operating procedure (NIS policy).

4. Case studies

The main goal of this work is to develop an algorithm for synthesizing error-free operating procedures automatically and for obtaining a minimum makespan according to the various intermediate storage tank policies for both multi-purpose and multi-product batch processes. Fig. 4 shows a module that generates all possible operating procedures in the model description. This module generates all possible operating schedules by adopting

Fig. 7. Gantt chart of synthesized safe operating procedure (FIS policy).


Fig. 8. Schematic diagram of multi-purpose example.

undetermined variables for the manufacturing sequence. Undetermined variables are one of the advantages of using SMV, since they describe a system with multiple possible paths. The processing time of all units is defined by the initial conditions, as are the connectivity among the units and the intermediate storage tank policy. All possible operating schedules for the target process are expressed completely and all possible faults are verified automatically by this algorithm. Two timer modules are used to obtain a makespan: the process timer module and the unit timer module. The process timer module expresses the overall time elapsed during the whole operation, and the unit timer module represents each unit's processing time according to the recipe of each product and unit. The unit timer module refers to the process timer, which guarantees the exact transition time. In order to verify that the operating schedules are error-free, intermediate storage tank modules are used as conditioning modules. The timer modules and the conditioning modules are connected and computed simultaneously.

4.1. Multi-product batch process

In multi-product plants all products require all stages and follow the same sequence of operations, so production in these plants must be scheduled efficiently and safely. All four products follow the same processing sequence in Fig. 5. In this example we assume two intermediate transfer options. One is no intermediate storage (NIS), which allows material to be held inside the vessel after processing. The other is finite intermediate storage (FIS), in which the batch can be stored in a storage tank of limited capacity. The intermediate storage tank of this target process is located after stage 3 with the same capacity as the corresponding vessel.

Fig. 9. Gantt chart of synthesized safe operating procedure (UIS policy).

4.1.1. Assertion for the operating procedure and makespan

The following question, described in CTL (computation tree logic), asks the model checker to synthesize an error-free operating procedure with a minimum makespan.

CTL (for NIS transfer policy):
AG ~(Production_P1_num = 1 & Production_P2_num = 1 & Production_P3_num = 1 & Production_P4_num = 1 & Ptime.t = 120)

This question means that there is no path on which the production of all four products is complete by the time the process time reaches 120.

4.1.2. Verification results

If the above CTL formula is true, there is no path on which the operation is over when the process time is 120. If it is false, the operation of making all four products is over by then, and we obtain an operating sequence because the model checker provides a counterexample: the counterexample is an operating procedure that finishes before 120. Therefore, by changing the value of the process time, this algorithm finds a minimum makespan and synthesizes an operating procedure. In addition to the above assertion, many more questions can be asked by adding further CTL assertions, as illustrated in other literature (Moon, 1994; Moon, Ko, Probst, & Powers, 1997). The strength of this method is that an operating procedure is generated and its verification regarding the safety and feasibility of the system proceeds simultaneously. The final result is an error-free operating procedure with the NIS intermediate transfer option at 118. With the FIS intermediate transfer option, a safe operating sequence could be found when the process time is 115. Gantt charts of the synthesized error-free operating procedures for the multi-product example with NIS and FIS transfer options are shown in Fig. 6 and Fig. 7.

Fig. 10. Gantt chart of synthesized safe operating procedure (ZW policy).


In the case of NIS, each process unit may hold the material inside the vessel until it can be transferred to the next process unit. In the case of FIS, on the other hand, the occupation time of the 3rd unit can be reduced because the intermediate storage tank is located right after the 3rd unit and is assumed to have the same capacity as the corresponding unit. The overall makespan with FIS is therefore shorter than the makespan with NIS.
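The following is an added, self-contained illustration of the procedure of Section 3 and of the assertion-and-counterexample loop of Sections 4.1.1 to 4.1.2; it is not the paper's SMV model, and the recipe it uses is constructed for the example. A multi-product flowshop is unfolded into an explicit state space: the clock `t` plays the part of `Ptime.t`, each unit's remaining-time counter is its unit timer, the choice of which pending product to start on unit 1 (or to idle) is the undetermined variable, and the store capacities together with the zero-wait flag form the safety module that prunes infeasible transfers. The assertion `AG ~(all products produced & Ptime.t = T)` is checked as a bounded reachability search; its counterexample path is the operating procedure, and lowering `T` until the assertion holds gives the minimum makespan, as the paper does by hand. Assumptions specific to this code: time advances in unit steps, stores are emptied first-in first-out, and the four policies are expressed through one parameter, `caps[i]` (capacity of the store after unit i: 0 for NIS or ZW, k for FIS, a large number for UIS) plus `zero_wait`.

```python
"""Operating-schedule synthesis by model checking: added example, not the paper's SMV model.
State = (t, units, stores, pending, done); a unit slot is None or (product, remaining time).
caps[i]: capacity of the store after unit i (0 = NIS/ZW, k = FIS, large = UIS);
zero_wait=True forbids holding a finished batch in its unit (ZW).  Time steps are unit steps.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

IDLE = -1
State = Tuple[int, tuple, tuple, frozenset, frozenset]


class FlowShop:
    def __init__(self, proc: List[List[int]], caps: List[int], zero_wait: bool = False):
        self.proc, self.caps, self.zero_wait = proc, caps, zero_wait  # proc[p][i]: time of p on unit i
        self.n = len(proc[0])

    def initial(self) -> State:
        return (0, (None,) * self.n, ((),) * (self.n - 1), frozenset(range(len(self.proc))), frozenset())

    def finished(self, s: State) -> bool:
        """All products produced: nothing pending or stored; only the last unit may hold a done batch."""
        _, units, stores, pending, _ = s
        last = units[-1]
        return (not pending and not any(stores) and all(u is None for u in units[:-1])
                and (last is None or last[1] == 0))

    def successors(self, s: State) -> List[State]:
        """States one time unit later; empty when the ZW policy is violated (path pruned)."""
        t, units, stores, pending, done = s
        units, stores, done = list(units), [list(b) for b in stores], set(done)
        for i in range(self.n - 1, -1, -1):                 # transfers at time t, downstream first
            slot = units[i]
            if slot is not None and slot[1] == 0:           # batch on unit i has finished
                p = slot[0]
                if i == self.n - 1:
                    done.add(p); units[i] = None
                elif units[i + 1] is None:
                    units[i + 1] = (p, self.proc[p][i + 1]); units[i] = None
                elif len(stores[i]) < self.caps[i]:
                    stores[i].append(p); units[i] = None
                elif self.zero_wait:
                    return []                               # ZW forbids holding the batch
                # otherwise (NIS) the batch waits inside unit i
            if i > 0 and units[i] is None and stores[i - 1]:  # refill from the store, FIFO
                p = stores[i - 1].pop(0); units[i] = (p, self.proc[p][i])
        # undetermined variable: unit 0 starts any pending product or idles for one time unit
        choices = (sorted(pending) + [IDLE]) if units[0] is None else [IDLE]
        out = []
        for c in choices:
            u, pend = list(units), set(pending)
            if c != IDLE:
                u[0] = (c, self.proc[c][0]); pend.discard(c)
            ticked = tuple(None if x is None else (x[0], max(0, x[1] - 1)) for x in u)
            out.append((t + 1, ticked, tuple(tuple(b) for b in stores), frozenset(pend), frozenset(done)))
        return out


def check_makespan(model: FlowShop, T: int) -> Optional[List[State]]:
    """Counterexample to AG ~(finished & Ptime.t = T): a path to a finished state with t <= T
    (finished is persistent, so it then also holds at T); None if the assertion is true."""
    init = model.initial()
    parent: Dict[State, Optional[State]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if model.finished(s):
            path = []
            while s is not None:
                path.append(s); s = parent[s]
            return path[::-1]
        if s[0] < T:                                        # process-timer bound
            for nxt in model.successors(s):
                if nxt not in parent:
                    parent[nxt] = s; queue.append(nxt)
    return None


def minimum_makespan(model: FlowShop):
    """Lower T until the assertion holds; the last counterexample is the error-free schedule."""
    T, best = sum(map(sum, model.proc)), None               # one product at a time always fits
    trace = check_makespan(model, T)
    while trace is not None:
        best, T = trace, trace[-1][0] - 1
        trace = check_makespan(model, T)
    return (best[-1][0], best) if best else (None, None)


def gantt(trace: List[State]) -> List[str]:
    """Rows per unit, one column per time unit: upper case = processing,
    lower case = finished batch held in the unit (NIS), blank = idle."""
    rows = []
    for i in range(len(trace[0][1])):
        row = ""
        for prev, cur in zip(trace, trace[1:]):
            slot = cur[1][i]
            held = slot is not None and slot[1] == 0 and prev[1][i] == slot  # finished before this tick
            row += " " if slot is None else chr(ord("a" if held else "A") + slot[0])
        rows.append(row)
    return rows


PROC = [[1, 3], [2, 1], [2, 1]]   # constructed recipe: products A, B, C on two units, proc[p][unit]
```

With `PROC`, `minimum_makespan(FlowShop(PROC, [0]))` returns 7 and a trace whose Gantt rows are `ABBbCC ` and ` AAAB C`: product B is held in unit 1 for one time unit (the lower-case `b`) while A finishes on unit 2, which is the NIS behaviour described above. Under ZW the same makespan is only reached by idling unit 1 for a time unit before starting B, and with a store of capacity 1 after unit 1 (FIS) the makespan drops to 6, the same as UIS for this recipe, mirroring the FIS-versus-NIS difference reported for the case study.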

4.2. Multi-purpose batch process

In multi-purpose batch plants not all products require all stages and/or follow the same sequence of operations. All six products follow different processing sequences in Fig. 8. The operation of multi-purpose batch processes should be scheduled with special care because of their complexity and the errors embedded in them. In this multi-purpose example we again assume two intermediate transfer options. One is unlimited intermediate storage (UIS), in which the batch can be stored in a storage tank without any capacity limit. The other assumes that the batch at any stage is transferred immediately to the next stage; this is known as zero-wait (ZW) transfer and is commonly used when no intermediate storage tank is available or when the batch cannot be held further inside the current vessel (e.g., due to chemical reaction).

4.2.1. Assertion for the operating procedure and makespan

CTL (for UIS transfer policy):
AG ~(Production_P1_num = 1 & Production_P2_num = 1 & Production_P3_num = 1 & Production_P4_num = 1 & Production_P5_num = 1 & Production_P6_num = 1 & Ptime.t = 95)

This question means that there is no path on which the production of all six products is complete by the time the process time reaches 95.

4.2.2. Verification results

The result of the above CTL formula is false: the operation of making all six products is over by process time 95. With the ZW transfer policy, an operating sequence can be found when the process time is 105. Gantt charts of the operating procedures for the target process, obtained by analyzing the SMV result files, are shown in Fig. 9 and Fig. 10 respectively.

5. Conclusions

A novel method for the synthesis and safety verification of operating procedures is developed for batch processes. The modeling algorithm represents all possible operating procedures using nondeterministic variables. Assertions are described in CTL to generate an error-free operating schedule and to obtain a minimum makespan. Safety constraint algorithms are added for the safety and operability of the intermediate transfer policies. Applying these algorithms to multi-product and multi-purpose batch processes with various intermediate transfer options, the proposed approach finds the minimum makespan and an error-free operating procedure successfully. This approach to the synthesis of operating procedures using SMV has the strength of generating safe operating procedures efficiently and achieving error-free systems simultaneously in batch processes.

Nomenclature

Logic
~: NOT
&: AND

Relations
S × S: the cross (Cartesian) product of the sets S, S
R ⊆ S × S: R is a relation from S to S
L: S → ℘(AP): L is a function from S to the powerset of AP

CTL operators
A: for all computation paths (path qu
antifier)
E: for some computation paths (path quantifier)
F: in the future (state quantifier)
G: globally, all along the states (state quantifier)
U: until (state quantifier)
X: in the next time (state quantifier)
f: CTL formula
M: state-transition structure
AP: set of atomic propositions
R: transition relation
S: set of states
s_i: state i

Subscripts
i: state number i

Case studies
P1: product type 1
P2: product type 2
P3: product type 3
P4: product type 4
P5: product type 5
P6: product type 6
U1: processing unit 1
U2: processing unit 2
U3: processing unit 3
U4: processing unit 4
Ptime.t: processing time
Production_P1_num: binary variable, 1 if product type 1 is produced, otherwise 0
Production_P2_num: binary variable, 1 if product type 2 is produced, otherwise 0
Production_P3_num: binary variable, 1 if product type 3 is produced, otherwise 0
Production_P4_num: binary variable, 1 if product type 4 is produced, otherwise 0
Production_P5_num: binary variable, 1 if product type 5 is produced, otherwise 0
Production_P6_num: binary variable, 1 if product type 6 is produced, otherwise 0

References

Adam, L. T. (1999). Event modeling and verification of chemical processes using symbolic model checking. PhD thesis, Department of Chemical Engineering, Carnegie Mellon University, Pittsburgh, PA, USA.
Clarke, E. M., Emerson, E. A., & Sistla, A. P. (1986). Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8, 244–263.
Crooks, C. A., Evans, S. F., & Macchietto, S. (1994). An application of automated operating procedure synthesis in the nuclear industry. Computers and Chemical Engineering, 18, 385–389.
Froessl, J., Gerlach, J., & Kropf, T. (1996). An efficient algorithm for real-time symbolic. ED&TC'96, Paris, France.
Fusillo, R. H., & Powers, G. J. (1987). A synthesis method for chemical plant operating procedures. Computers and Chemical Engineering, 11, 369–382.
Kim, J., Lee, H., & Moon, I. (1999). Automatic safety verification of operating schedules for batch processes. The 8th APCChE Congress Proceedings, 219–222.
Kim, J., & Moon, I. (2000). Synthesis of safe operating procedure for multi-purpose batch processes using SMV. Computers and Chemical Engineering, 24, 385–392.
Lakshmanan, R., & Stephanopoulos, G. (1990). Synthesis of operating procedures for complete chemical plants – III: nonlinear planning for qualitative mixing constraints. Computers and Chemical Engineering, S14, 301–317.
Lee, H., Kim, J., & Moon, I. (1999). Automatic verification of real time batch process schedules using symbolic model verification. AIChE Annual Meeting.
Moon, I. (1994). Modeling PLCs for logic verification. IEEE Control Systems, 14, 53–59.
Moon, I., Ko, D., Probst, S. T., & Powers, G. J. (1997). A symbolic model verifier for safe chemical process control systems. Journal of Chemical Engineering of Japan, 30, 13–23.
Moon, I., Powers, G. J., Burch, J. R., & Clarke, E. M. (1992). Automatic verification of sequential control systems using temporal logic. AIChE Journal, 38, 67–75.
Probst, S. T., Powers, G. J., Long, D. E., & Moon, I. (1997). Verification of a logically controlled solids transport system using symbolic model checking. Computers and Chemical Engineering, 21, 417–429.
Raman, R., & Grossmann, I. E. (1994). Modelling and computational techniques for logic based integer programming. Computers and Chemical Engineering, 18, 563–578.
Rotstein, G. E., Lavie, R., & Lewin, D. R. (1994). Automatic synthesis of batch plant procedures: a process-oriented approach. AIChE Journal, 40, 1650–1664.
Thomaas, G. F. (1990). Batch control systems: design, application, and implementation. Instrument Society of America.