Modelling and Verifying Timing Properties in Distributed Computer Control Systems


Copyright © IFAC Distributed Computer Control Systems, Toulouse-Blagnac, France, 1995

MODELLING AND VERIFYING TIMING PROPERTIES IN DISTRIBUTED COMPUTER CONTROL SYSTEMS

A.G. Stothert* and I.M. MacLeod*†

*University of the Witwatersrand, Department of Electrical Engineering, Johannesburg, South Africa
†On leave at University of Newcastle, Centre for Industrial Control Science, NSW 2308, Australia

Abstract: Temporal variables can be used to verify and enforce the timing properties required for the safe operation of physical processes and devices. A theory of non-continuous intervals is used to represent temporal variables. This results in a set of five axioms which form the foundation for an intuitive, deductive temporal logic. A simple simulated distributed real-time control example is used to demonstrate the application of the proposed temporal logic. Advantages of the approach are that it does not suffer from the problem of state explosion and does not require graphing techniques to maintain temporal relationships between variables.

Keywords: Temporal logic; real-time control; distributed computer control; consistency; safety; verification; process control

1. INTRODUCTION

Maintaining temporal consistency between a physical plant and a distributed computer control system requires both a temporal modelling technique (to verify consistency) and a method for generating temporal controllers (to enforce temporally consistent behaviour). Temporal variables which can be used to reason in, with and about time provide the foundation for ensuring temporal consistency.

Existing temporal logic frameworks have developed from predicate logic (Ostroff, 1989; Moszkowski, 1986) or natural language processing (Allen, 1983; Allen, 1984). Applying these frameworks to real-time control problems often presents difficulties. Temporal logic relies on the use of a state representation (Moszkowski, 1986; Seow and Devanathan, 1994) of the problem and state diagrams (Ostroff, 1989). While interval temporal logic (Allen, 1983; Allen, 1984) moves away from the state diagram approach, a graph-theoretic approach (Allen, 1983; van Beek, 1992) is adopted to aid in maintaining relationships between temporal variables. As is the case with state diagrams, the graphing technique can easily become computationally expensive.

A temporal variable consisting of a set of non-overlapping time regions (called periods) that form an interval is discussed. In a similar way to standard logic, this representation allows temporal variables to be used to generate other temporal variables, the aim being to represent all temporal relationships as intervals rather than using a graphing technique. The deductive nature of the proposed logic and its ability to manipulate variables allows the development of formulae which can be used either to verify temporal relationships or to generate temporal variables that satisfy temporal relationships. For example, given the statement "X can only be true when Y holds", it is required to find the interval (possibly non-continuous) when X can be true.

2. REPRESENTING TIME

The time axis is defined as the set of real numbers plus the three special "points" $-\infty$, $+\infty$ and $\delta$, i.e., $T = \{\mathbb{R}, -\infty, +\infty, \delta\}$. $T$ is an ordered set such that $-\infty < t < +\infty$, where $t \in \mathbb{R}$, and $\delta$ is defined as the next real number bigger than zero, i.e., $\delta = \lim_{x \to 0^+} x$. It is necessary for implementation reasons as discussed in section 3. Using the time axis, a period $P$ is defined as

and an interval $I$ is defined as a finite ordered set of periods,

$$I = \left[\{P_1, P_2, \ldots, P_n\} : n \in \mathbb{N},\ P_n \in P \text{ and } (P_{n+1} > P_n)\right] \cup \emptyset$$

where $\mathbb{N}$ is the set of all natural numbers.

Notation. For $A \in I$ the $n$th period is referred to as $A.P_n$, while $A.P_{last}$ refers to the last period

Fig. 1. A temporal variable (plot of the interval against a time axis running from -10 to 30)

of $A$. The coordinates of period $n$ are referenced as $A.P_n.x_1$ and $A.P_n.x_2$.

An example of an interval is shown in Fig. 1. The interpretation of a temporal variable $A$ is

$$\forall t,\ t \in T,\ A \in I,\ \exists P \in A : (A.P.x_1 \le t \le A.P.x_2) \tag{1}$$

that is, $A$ is true when $t$ lies between the end points of periods of $A$. The temporal variable in Fig. 1 is represented as an interval containing four periods; each period ($-\infty$ to 4, 6 to 8, 15 to 17 and 23 to $\infty$) defines where the temporal variable is true, and the interval defines the truth value (true or false) of the temporal variable across all time according to (1).

2.1. Axioms

The logic of temporal variables is developed from five axioms, two of which develop a standard Boolean logic (Millman and Grabel, 1988) for temporal variables and three of which introduce temporal logic into the framework based on the logic of Manna and Pnueli (Ostroff, 1989; pp. 155-171).

$\overline{A}$:

$$\forall t,\ t \in T,\ A \in I,\ P \in A,\ \nexists P : P.x_1 - \delta < t < P.x_2 + \delta \tag{2}$$

Equation (2) is interpreted as: not $A$ is true when there does not exist a period of $A$ which has a start value less than $t$ and an end value greater than $t$, where $t$ ranges across all time.

For intervals $A$ and $B$ with periods $M$ and $N$, respectively, $A \wedge B$:

$$\forall t,\ t \in T,\ A, B \in I,\ M \in A,\ N \in B,\ \exists M, \exists N : (M.x_1 < N.x_2) \text{ and } (M.x_2 > N.x_1) \text{ and } [\max(M.x_1, N.x_1) \le t \le \min(M.x_2, N.x_2)] \tag{3}$$

Axioms (2) and (3) are the temporal equivalents of the standard not and and operators, respectively. From these the standard logic system can be derived.

The following axioms extend the temporal system developed thus far to include temporal operators.

$\square A$:

$$\forall t,\ t \in T,\ A \in I,\ P \in A : (P_{last}.x_1 \le t) \text{ and } (P_{last}.x_2 = +\infty) \tag{4}$$

$!A$:

$$\forall t,\ t \in T,\ A \in I,\ P \in A : (t \ge P_1.x_1) \tag{5}$$

$A\ U\ B$:

$$\begin{aligned}\forall t,\ t \in T,\ A, B \in I,\ \exists P, P \in A,\ \exists Q, Q \in B :\ & (P.x_2 \ge Q.x_1) \text{ and } (t \ge P.x_1) \text{ and } (t \le Q.x_2)\\ & \text{and } [\nexists R, R \in B, R \ne Q : (R.x_2 \ge P.x_1) \text{ and } (R.x_2 < Q.x_1) \text{ and } (R.x_1 \le P.x_1)]\end{aligned} \tag{6}$$

$\square A$ is read as "henceforth $A$", $!A$ as the event "start $A$" and $A\ U\ B$ as "$A$ is true until $B$ is true".

2.2. Derived Formulae

The axioms of section 2.1 are now used to construct some useful basic formulae. The formulae, which are used to deduce new temporal relationships from existing temporal variables, demonstrate how the axioms can be combined to construct more complicated temporal expressions.

The formulae are:

$A \vee B = \overline{\overline{A} \wedge \overline{B}}$ Either $A$ or $B$ is true.

$A \oplus B = (A \wedge \overline{B}) \vee (\overline{A} \wedge B)$ Either only $A$ or only $B$ is true (exclusive or).

$\Diamond A = \overline{\square \overline{A}}$ It is not true that henceforth $A$ is false, or eventually $A$ is true.

$\text{¡}A = \overline{!\square \overline{A}}$ Not the start of henceforth $A$ is false, or the event which stops $A$.

Fig. 2. Illustration of temporal logic formulae (plotted temporal variables: A, B, B until A, weak A before B, weak B after A, A before B, B overlap A; time axis from 0 to 20)

$A\ \beta\ B = \,!(A \wedge \overline{B} \wedge \Diamond B)$ The sub-formula $A \wedge \overline{B} \wedge \Diamond B$ is used to isolate the region where $B$ is false, $A$ is true and eventually $B$ will be true, i.e., $A$ is "before" $B$. From this we need to decide on the interval where $A$ before $B$ is true. For example, consider a pump which can only be switched on if $A$ is true before $B$. When is it valid to start the pump? Surely it can be switched on as soon as $A$ becomes true and we know that $B$ will be true in the future, hence $!(A \wedge \overline{B} \wedge \Diamond B)$. This definition for before is loose in the sense that we only require $A$ to be true once. A tighter definition would require that after $B$ goes false $A$ must again be true before $B$ is true.

$A\ \mathcal{B}\ B = \text{¡}B \wedge \big[[(A \wedge \overline{B} \wedge \Diamond B) \wedge \square(A \wedge \overline{B} \wedge \Diamond B)\ U\ B] \vee B\ U\ (A \wedge \overline{B} \wedge \Diamond B)\big]$ This definition of before is more restrictive; it results in an interval that is true when either $A$ is true or will be true and $B$ is true after $A$ is true. Notice that the sub-formula $A \wedge \overline{B} \wedge \Diamond B$ plays an important role in deciding the final result; this sub-formula can be thought of as a root for before.

$A \circ B = \,!(A\ \mathcal{B}\ B \wedge A\ U\ B) \wedge \text{¡}(A\ U\ B) \wedge A$ $A$ is true before and until $B$ and $A$ and $B$ are true, or $A$ overlaps $B$. Overlaps can be thought of as "leads into".

$@A = \text{¡}A$ An interval which is true at least until $A$ is true.

$@A = \overline{!A}$ An interval which is true before $A$ is true.

$A\ \alpha\ B = \,![(A \wedge \square \overline{B}) \wedge\, !B]$ True when $A$ is true and $B$ is false from then on, but $B$ was true at some time. This is a weak version of $A$ after $B$; a more restrictive version must check every occasion that $B$ is true to see if $A$ is true after $B$ and before $B$ is true again.

Plots of some derived temporal logic formulae are shown in Fig. 2. The axioms and formulae presented above provide a mechanism for deducing the relationships between temporal variables and a mechanism for combining temporal variables to generate further temporal variables. This provides a foundation for reasoning with and about time.

3. IMPLEMENTATION DETAILS

To facilitate manipulation and verification, the temporal logic described in section 2 was implemented on a personal computer. Two-dimensional matrices were used to represent intervals and special matrix elements were used for $-\infty$ and $\infty$. In the implementation $\delta$, which is used to calculate $\overline{A}$ in such a way as to avoid "divided instant" problems (Allen, 1983; Jixin and Knight, 1994), was set to $10^{-5}$.

The temporal axioms $\overline{A}$, $A \wedge B$, $\square A$, $!A$ and $A\ U\ B$ were coded from first principles. Only the implementation of $\overline{A}$ differed from the axiom representation. The approach was to shift the period start and end points so that end points become start points and vice versa. The point $-\infty$ or $\infty$ was then added as required. All other temporal formulae were constructed using the axioms.

4. DISTRIBUTED REAL-TIME CONTROL EXAMPLE

The distributed process to be controlled is shown in Fig. 3. The cooler is restricted in that it can cool the feed from only one mixer at a time. Other restrictions regarding the start-up procedure for the mixers and cooler are introduced later. Three processing nodes are used to monitor and control the plant. A processor monitors each mixer and its inlet valve. The third processor controls the cooler and its inlet and outlet valves. Communication between the processors is limited to message passing.

Fig. 3. Process plant (schematic showing Feed1, Feed2, Valve1, Valve2, Mixer1, Mixer2, Valve3, Valve4, the Cooler and the product outputs Prod1 and Prod2)

A two-tiered design approach is followed. First the constraints on operation are specified, then a controller is designed. The controller is deemed correct when it satisfies the constraint requirements. This approach distinguishes between two uses of the temporal logic formulae. Temporal logic can be used to find intervals where a property holds, or to generate an interval which satisfies a given property with another interval. Note that the two uses of temporal logic relate to being able to reason about time (first type) and with time (second type). The differences in temporal logic use are highlighted by the process plant example.

4.1. The Constraint System

Each node in the distributed system implements a diagnostic system that uses temporal logic to determine whether the equipment being controlled by the node satisfies temporal operating constraints. Each constraint system takes as input the temporal variables that describe when the controlled equipment is being operated. The cooler is the more complex of the plant components in terms of its operating requirements. The cooler can only be switched on if either of its inlet valves is already on, and cannot be on when both inlet valves are on. Also, the cooler can only be on when one of the outlet valves is on. These requirements are implemented in temporal logic on the cooler processor node as follows:

$$\begin{aligned}
temp1 &= (Valve3\ U\ Cooler) \vee (Valve4\ U\ Cooler)\\
temp2 &= (Valve3 \wedge Cooler) \oplus (Valve4 \wedge Cooler)\\
temp3 &= (Valve3 \wedge Valve5) \oplus (Valve4 \wedge Valve6)\\
Csafe &= temp1 \wedge temp2 \wedge temp3\\
Cerror &= \overline{Csafe} \wedge Cooler
\end{aligned}$$

Each mixer processor node must ensure that the mixers are only switched on after both the relevant feed and inlet valve have been on. Additionally, the mixers can only be on while their feed and inlet valves are off and before the outlet valve is switched on. A message passing protocol must be used to communicate the outlet valve temporal variable from the cooler processor to the mixer processor.

$$\begin{aligned}
temp1 &= (Feed\ \beta\ Mixer) \wedge (Valve\ \beta\ Mixer)\\
temp2 &= Mixer \wedge \overline{(Feed \wedge Valve)}\\
temp3 &= Mixer \wedge \overline{Outlet\ Valve} \wedge \Diamond\, Outlet\ Valve\\
Msafe &= temp1 \wedge temp2 \wedge temp3\\
Merror &= \overline{Msafe} \wedge Mixer
\end{aligned}$$

A sample output from the constrainer is shown in Fig. 4. The plot immediately shows at which times it is safe to operate the cooler and mixers and when an error in operation would occur. The plot was generated by using the controller output but neglecting to open Valve4 while the cooler was on and failing to shut Valve2 while Mixer2 was on.

Fig. 4. Output from constraint system (plotted temporal variables: Csafe, Cerror, M1safe, M1error, M2safe, M2error; time axis from 4 to 16)

4.2. The Control System

In addition to the constraint system implemented by each processing node, each node also uses temporal logic to control plant equipment. The control system takes as input the intervals where Prod1 and Prod2 are required and outputs the intervals (future) where plant equipment must be turned on. The controller is designed to satisfy the constrainer developed in section 4.1. Controller design is an iterative and intuitive process using the constrainer to guide the choice of the controller equations. For input intervals Prod1 [8 11) and Prod2 [3 6) (time zero is the present) a sample plot of the intervals generated by the controller is shown in Fig. 5.

Consider the cooler processing node. The initial control choice is to start the cooler and downstream valves directly from the control inputs, making sure that the cooler is not on when both products are required:

$$\begin{aligned}
Cooler &= Prod1 \oplus Prod2\\
Valve5 &= Prod1 \wedge Cooler\\
Valve6 &= Prod2 \wedge Cooler
\end{aligned}$$

The control of the inlet valves to the cooler is more complex, involving intermediate steps. The aim is to open the valves before the cooler starts and to ensure that only one of the valves is open at a time. Making sure that only one valve is on at a time is the more difficult design problem.

$$\begin{aligned}
Valve3 &= @(Cooler \wedge Prod1) \wedge \overline{@(Cooler \wedge Prod2)}\\
Valve4 &= @(Cooler \wedge Prod2) \wedge \overline{@(Cooler \wedge Prod1)}\\
temp1 &= [(Cooler \wedge Prod1)\ \mathcal{B}\ (Cooler \wedge Prod2)] \vee \overline{[(Cooler \wedge Prod2)\ \mathcal{B}\ (Cooler \wedge Prod1)]}\\
temp2 &= [(Cooler \wedge Prod2)\ \mathcal{B}\ (Cooler \wedge Prod1)] \vee \overline{[(Cooler \wedge Prod1)\ \mathcal{B}\ (Cooler \wedge Prod2)]}\\
temp3 &= (temp1 \wedge Valve3) \vee (temp2 \wedge Valve3 \wedge \overline{Valve4})\\
temp4 &= (temp2 \wedge Valve4) \vee (temp1 \wedge Valve4 \wedge \overline{Valve3})\\
Valve3 &= temp3 \wedge [4, +\infty)\\
Valve4 &= temp4 \wedge [4, +\infty)
\end{aligned}$$

The intermediate values temp3 and temp4 represent IF statements that choose which valve to turn off while the other valve is on. The choice is made based on which valve is required first: temp1 is true when Prod1 is true before Prod2 and temp2 is true when Prod2 is true before Prod1. The final two lines are needed since the intervals generated by temp3 and temp4 could start at $-\infty$.

Once the values for Valve3 and Valve4 are known they are passed via messages to the processors that control the mixers. The mixers are readily controlled via temporal logic:

$$\begin{aligned}
Mixer1 &= (@Valve3) \wedge [3, +\infty)\\
Mixer2 &= (@Valve4) \wedge [3, +\infty)\\
Valve1 &= (@Mixer1) \wedge [0, +\infty)\\
Valve2 &= (@Mixer2) \wedge [0, +\infty)\\
Feed1 &= Valve1\\
Feed2 &= Valve2
\end{aligned}$$
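As an added example (not the paper's own implementation), the following Python code realises the interval representation of section 2, the five axioms of section 2.1 (with $\overline{A}$ coded as section 3 describes: end points become start points, shifted by $\delta = 10^{-5}$, with $-\infty$ or $+\infty$ added as required), the derived formulae of section 2.2, and the cooler node's constraint system of section 4.1, evaluated over constructed operating intervals. The function names, the tuple encoding of periods and the sample operating intervals are assumptions of this example; the Fig. 1 interval is the one given in the paper.

```python
from fractions import Fraction
from typing import List, Tuple

# Added example, not the paper's code. A period is a closed [x1, x2] pair; an
# interval is an ordered list of non-overlapping periods (section 2). Infinity is
# a sentinel value, as the paper's matrices reserve special elements for it.
INF = float("inf")
DELTA = Fraction(1, 100000)   # delta = 10^-5 as in section 3; exact arithmetic
Period = Tuple[float, float]
Interval = List[Period]

# The temporal variable of Fig. 1: four periods, -inf..4, 6..8, 15..17, 23..+inf
FIG1: Interval = [(-INF, 4), (6, 8), (15, 17), (23, INF)]


def normalize(periods: Interval) -> Interval:
    """Sort periods and merge any that overlap or touch, keeping the list ordered."""
    out: Interval = []
    for x1, x2 in sorted(periods):
        if out and x1 <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], x2))
        else:
            out.append((x1, x2))
    return out


def holds(a: Interval, t: float) -> bool:
    """Eq. (1): A is true at t when t lies inside one of its periods."""
    return any(x1 <= t <= x2 for x1, x2 in a)


def t_not(a: Interval) -> Interval:
    """Axiom (2), coded as section 3 describes: end points become start points and
    vice versa, shifted by delta, with -inf / +inf added at the ends as required."""
    if not a:
        return [(-INF, INF)]
    out: Interval = []
    if a[0][0] != -INF:
        out.append((-INF, a[0][0] - DELTA))
    for (_, x2), (x1, _) in zip(a, a[1:]):
        out.append((x2 + DELTA, x1 - DELTA))   # gaps narrower than 2*delta are not expected
    if a[-1][1] != INF:
        out.append((a[-1][1] + DELTA, INF))
    return out


def t_and(a: Interval, b: Interval) -> Interval:
    """Axiom (3): pairwise overlap of periods M of A and N of B."""
    return normalize([(max(m[0], n[0]), min(m[1], n[1]))
                      for m in a for n in b if m[0] < n[1] and m[1] > n[0]])


def henceforth(a: Interval) -> Interval:
    """Axiom (4): true from the start of the last period if that period runs to +inf."""
    return [(a[-1][0], INF)] if a and a[-1][1] == INF else []


def start(a: Interval) -> Interval:
    """Axiom (5): the event 'start A', true from the first period's start onwards."""
    return [(a[0][0], INF)] if a else []


def until(a: Interval, b: Interval) -> Interval:
    """Axiom (6): from the start of a period P of A to the end of a period Q of B that
    P reaches (P.x2 >= Q.x1), unless another period R of B meets the exclusion clause."""
    out: Interval = []
    for p in a:
        for q in b:
            if q[1] < p[0] or p[1] < q[0]:      # no t with P.x1 <= t <= Q.x2, or P does not reach Q
                continue
            blocked = any(r is not q and r[1] >= p[0] and r[1] < q[0] and r[0] <= p[0] for r in b)
            if not blocked:
                out.append((p[0], q[1]))
    return normalize(out)


# Derived formulae of section 2.2, built only from the axioms above
def t_or(a, b): return t_not(t_and(t_not(a), t_not(b)))
def t_xor(a, b): return t_or(t_and(a, t_not(b)), t_and(t_not(a), b))
def eventually(a): return t_not(henceforth(t_not(a)))


def cooler_constraints(valve3, valve4, valve5, valve6, cooler):
    """Section 4.1 cooler node: returns (Csafe, Cerror) for the given operating intervals."""
    temp1 = t_or(until(valve3, cooler), until(valve4, cooler))    # an inlet valve on before the cooler
    temp2 = t_xor(t_and(valve3, cooler), t_and(valve4, cooler))   # never both inlet valves while on
    temp3 = t_xor(t_and(valve3, valve5), t_and(valve4, valve6))   # exactly one outlet path open
    csafe = t_and(t_and(temp1, temp2), temp3)
    cerror = t_and(t_not(csafe), cooler)
    return csafe, cerror


if __name__ == "__main__":
    # Constructed scenario: Valve3 closes at t=10 while the cooler keeps running to t=12.
    csafe, cerror = cooler_constraints([(2, 10)], [], [(4, 12)], [], [(4, 12)])
    print("Csafe:", csafe)    # [(4, 10)]
    print("Cerror:", cerror)  # [(10 + delta, 12)]
```

In the constructed run Csafe comes out as [(4, 10)] and Cerror as [(10 + δ, 12)], i.e. the constrainer flags exactly the stretch during which the cooler runs with no inlet valve open, which is the kind of violation the paper's Fig. 4 plot exposes. Exact rational arithmetic is used for δ so that a double negation returns the original interval unchanged; with floating point the shifted end points would not always cancel.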

Fig. 5. Output from control system (plotted temporal variables: Cooler, Valve3, Mixer1, Valve4, Mixer2, Valve1, Valve2; time axis from 0 to 16)

The distributed controller and constraint system described rely on message passing between the cooler and mixer processing nodes. Message communication delays could result in the outlet valve temporal variables being received by the mixer processors after the valve had been turned on, meaning that the mixer controllers would not have time to turn the mixers on before the outlet valve. The constraint system would not be affected by this; it would still identify a violation. However, the control system would have to be altered to take maximum communication delays into account when determining the start time for the outlet valves. Loss of communication messages is more serious: neither the constraint system nor the control system could operate properly. For these reasons the message passing protocol used must guarantee delivery of messages within a known maximum delay time.
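The delay and loss requirements just stated, as an added Python example that is not part of the paper: the cooler side never schedules an outlet valve start earlier than the worst-case delivery time plus the lead the mixer node needs, and the mixer side classifies each incoming valve message (sequence gap, late delivery, or a start too close to act on) before using it. The message layout, the per-sender sequence number, the assumption of synchronised clocks, and the numeric delay bound and lead are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not the paper's code. Constructed message format for passing an
# outlet-valve temporal variable from the cooler node to a mixer node.
INF = float("inf")
Interval = List[Tuple[float, float]]


@dataclass
class ValveMessage:
    """Outlet-valve temporal variable sent from the cooler node to a mixer node."""
    seq: int            # per-sender sequence number, incremented by one per message
    sent_at: float      # sender's clock at transmission (clocks assumed synchronised)
    valve: Interval     # e.g. [(start, INF)]: valve on from 'start' onwards


def earliest_valve_start(now: float, max_delay: float, lead: float) -> float:
    """Cooler side: earliest outlet-valve start that still leaves the mixer node time to
    act, i.e. worst-case delivery plus the lead the mixer needs before the valve opens."""
    return now + max_delay + lead


def schedule_valve(requested_start: float, now: float, max_delay: float, lead: float) -> float:
    """Push a requested valve start later if it would not survive the delivery bound."""
    return max(requested_start, earliest_valve_start(now, max_delay, lead))


@dataclass
class MixerReceiver:
    """Mixer side: classifies each incoming valve message before it is acted on."""
    max_delay: float
    lead: float
    last_seq: Optional[int] = None

    def receive(self, msg: ValveMessage, now: float) -> str:
        """Return 'lost' (sequence gap: an earlier message never arrived), 'late'
        (delivered outside the guaranteed bound), 'unactionable' (in time, but the
        valve starts before the mixer can be switched on), or 'ok'."""
        gap = self.last_seq is not None and msg.seq != self.last_seq + 1
        self.last_seq = msg.seq
        if gap:
            return "lost"
        if now - msg.sent_at > self.max_delay:
            return "late"
        if msg.valve and msg.valve[0][0] - now < self.lead:
            return "unactionable"
        return "ok"


if __name__ == "__main__":
    # Constructed figures: delivery guaranteed within 2 time units, mixer needs 3 units of lead.
    rx = MixerReceiver(max_delay=2.0, lead=3.0)
    start = schedule_valve(requested_start=4.0, now=0.0, max_delay=2.0, lead=3.0)  # 5.0
    print(rx.receive(ValveMessage(1, 0.0, [(start, INF)]), now=1.5))                # ok
    print(rx.receive(ValveMessage(2, 2.0, [(9.0, INF)]), now=4.5))                  # late
    print(rx.receive(ValveMessage(4, 5.0, [(11.0, INF)]), now=5.5))                 # lost
    print(rx.receive(ValveMessage(5, 6.0, [(8.0, INF)]), now=6.5))                  # unactionable
```

A message classified as anything other than "ok" is one the constraint system of section 4.1 would later report as a violation; checking it on receipt lets the mixer node refuse to act on stale or incomplete information instead of discovering the violation after the fact.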

5. CONCLUSIONS

A logic of temporal variables has been presented. It allows the representation and manipulation of temporal variables and supports reasoning with and about time, which is essential for verifying and enforcing temporally consistent behaviour in control systems. However, mechanisms for reasoning in time have not been presented. This requires an extension to include the time point now. Including the time point now will complete the temporal system and provide mechanisms to handle causality, deadlines and problems like delayed communication messages. Application of the temporal logic to a simple distributed computer control example demonstrates the intuitive feel of the framework and highlights the advantages over other techniques which require state- and/or graph-theoretic representations.

6. ACKNOWLEDGEMENTS

The support of the South African Foundation for Research Development, the University of the Witwatersrand and the Department of Electrical Engineering and Computer Science at the University of Newcastle is gratefully acknowledged.

7. REFERENCES

Allen, J.F. (1984). Towards a general theory of action and time. Artificial Intelligence, 23(2), 123-154.

Allen, J.F. (1983). Maintaining knowledge about temporal intervals. Communications of the ACM, 26(11), 832-843.

Jixin, M. and B. Knight (1994). A general temporal theory. The Computer Journal, 37(2), 114-123.

Millman, J. and A. Grabel (1988). Microelectronics. McGraw-Hill, New York, pp. 209-219.

Moszkowski, B. (1986). Executing temporal logic programs. Cambridge University Press.

Ostroff, J.S. (1989). Temporal Logic for Real-Time Systems. Wiley, New York.

Seow, K.T. and R. Devanathan (1994). A temporal framework for assembly sequence representation and analysis. IEEE Transactions on Robotics and Automation, 10(2), 220-229.

van Beek, P. (1992). Reasoning about qualitative temporal information. Artificial Intelligence, 58(1-3), 297-326.