Synthesis and Analysis of Logic Automation Systems


J. L. Boussin

Summary

A new method for the synthesis and analysis of automation systems is described, in the context of a project for an EHV substation with digital automation systems. There are many reasons why an automation system fails to operate perfectly. Following an analysis of the situation, the present paper describes the general characteristics to be sought in an automation system, in terms of its functional diagrams. We then suggest a method of synthesis and analysis whereby these general characteristics can be obtained.

The method is easy to apply, and can be computer-backed in the case of large and complex systems.

1 - PROBLEMS SET BY PROTECTION DEVICES AND AUTOMATION SYSTEMS FOR EHV GRIDS (1)

1.1 - General presentation of the grid

In France, the EHV grid mainly comprises a series of 400 and 225 kV three-phase lines. For technical and economic reasons, the system comprises a national mesh grid, corresponding to a total length of about 40 000 km. The grid nodes, some of which are junction points with lower voltage networks, are the EHV substations.

1.2 - Purpose of protection devices and automation systems

The various structures of the grid are the origin of short-circuits and insulation faults. Such incidents are prejudicial to efficient operation of the grid, both as a result of the additional constraints that they impose on the equipment and by the consequent risks incurred with respect to grid stability. For this reason, the grid is equipped with protection devices acting on the EHV switchgear, designed to isolate any part of the grid affected by a fault from the rest of same. Nevertheless, as the majority of faults (approximately three quarters) are of the non-permanent type, namely they disappear spontaneously when power is cut off (as in the case of insulator bridging resulting from lightning overvoltages), it is of interest to the operator to insert a series of return-to-service automation systems, in parallel with the protection devices, responsible for cutting in any structures switched off as a result of a fault, following the execution of appropriate tests.

1.3 - Principles of execution

By reason of operating safety requirements, we are always obliged to adopt a general plan based on the utilization of decentralized protection and automation equipment. By precise demarcation of the zone of action for an item of equipment, and by making operation of the same as autonomous as possible, we can provide for back-up of defective equipment by other equipment still fully operational. The down-graded level of operations thus obtained avoids the effect of a local equipment failure producing a generalized fault on the grid.

The evolution of grid characteristics has led to an increased level of performance for protection devices, now excluding the use of electromechanical equipment. For this reason, the most recent protection and automation systems use hard-wired electronic technology.

1.4 - Contribution of microprocessors

In view of the cost of data processing equipment, relatively high until recently, the installation of programmed automation systems could not be justified except for relatively complex applications. Engineering costs were therefore much the same as those for the equipment.

The appearance of microprocessors has completely reversed this trend. The sharp drop in the cost of programmable digital equipment (approximately 70 % down in two years) has provoked a very sharp reawakening of interest in compact program automation systems, now highly competitive (7). However, this drop in hardware costs could only lead to an increase in that part of final global cost devoted to system engineering. In order to obtain the fullest benefit from technological progress, it was therefore essential to carry out a reappraisal of the method used for synthesis and programming of automation systems (8, 9, 10 and 11).

1.5 - Principles of a new method for the synthesis of programmed automation systems

The application of Petri nets to the description and execution of hard-wired modular automation systems proved extremely fruitful (9 and 10). It was tempting to try the same technique with a view to execution in programmed form, the objective being to reduce system engineering time, and therefore costs.

The method developed by EDF Research and Development Division, in connection with work on grid protection devices and automation systems (3), is based on the following four points:
- the use of Petri nets for the study and formulation of automation system operation;
- the use of a microcomputer as an automation system support;
- the use of a simulation program to reproduce the operating rule for Petri nets. This program is unique, irrespective of the Petri net considered;
- the use of a translating program, for very rapid conversion of data contained in the Petri net, representing an automation system, in a form understood by the simulation program, and using the microcomputer in the role of a "micro-automat".

Using this method therefore, we can program an automation system for which we know the functional specifications without difficulty. Ensuring appropriate characteristics for these specifications at the time of their elaboration is a problem of analysis and synthesis that we now go on to consider.

1.6 - A solution for the synthesis and analysis of logic automation systems

A major problem has existed for some time concerning any automation system or set of systems: are the functional specifications correct? Up until now we have not obtained a satisfactory reply to this question. For want of any better solution, methods were proposed by simulation (construction of a "micro-sub-station") knowing that it was practically impossible to test all the possible operating situations (6). Using the very latest theoretical developments with the Petri nets (1), a simple and efficient method of ensuring the "correct characteristics" for automation systems, thus avoiding the simulation of a large number of tests (unfortunately not all), was sought.

Having analysed the reason why an automation system does not operate perfectly, we consider various general characteristics that are desirable for an automation system, and propose a method of synthesis and analysis whereby these general characteristics can be obtained.

2 - REASONS FOR INCORRECT OPERATION OF AN AUTOMATION SYSTEM

An automation system may fail to give full satisfaction for three reasons:
1) The scheme does not cover all possible cases, or fails to provide the desired solutions. These are design errors.
2) The equipment does not operate correctly. These are component failures.
3) The designed scheme is not followed strictly in the physical execution of the automation system. These are errors of transposition.

Points 2 and 3 are not covered by the present study:
- point 2 concerns acceptance tests and equipment maintenance methods that are under continuous redefinition and improvement.
- point 3: considerable progress has been made with solution of the problem of transposition by the use of a method for automatic transposition of an automation system, as represented by its Petri net. In particular, this gives us a series of "reference automats" that can be used to check physical execution obtained by different means, or, conversely, to obtain physical execution of automation systems with very low risk of transposition errors (2).

We are particularly concerned with the first point in the following pages, namely a search for the optimum method of avoiding design errors. Improvements have already been obtained on the road to this result, in particular as a result of the use of Petri nets, providing graphic representation for a model for the specifications of an automation system (3). However, these improvements can be extended, taking account of the results of studies (1 and 4) demonstrating the utility of an automation system possessing a certain number of general characteristics.

On the basis of this work and certain theorems, demonstrated elsewhere, we define the general characteristics that an automation system should embody. We then demonstrate the method that can be used to obtain these characteristics at system functional diagram levels.


3 - GENERAL CHARACTERISTICS DESIRABLE FOR AN AUTOMATION SYSTEM

For an automation system to meet all demands from the process that it controls correctly, it is desirable for the system to embody the characteristics defined below.

3.1 - Definitions

a) The automation system must not be blockable, namely there must not be any input sequence that places the system in a state where certain scheduled actions are not or are no longer possible. A system of this type is said to be live.

b) The automation system must be able to return to any state through which it has already passed, and in particular it must be able to return to the stand-by state. A system of this type is said to be proper.

c) The automation system must maintain properties a and b (live and proper), irrespective of its internal state and irrespective of input signals (1).

3.2 - Are these characteristics always necessary?

In the case of normal operation (generally dictated by the process), these characteristics are not absolutely necessary if the automation system is strictly for clearly defined input configuration. Any other configuration is not covered in these specifications. Nevertheless, in the case of failure (process or transmission), unforeseen input sequences can appear on the automation system terminals. The behaviour of the system is then unpredictable. Generally, the system reaction is random and in some cases the system blocks with no possibility of restart (non-live and non-proper), or can no longer execute certain functions even when the fault has been cleared (non-live), etc. As a result, the general characteristics defined above should be guaranteed. The automation system should be live and proper.

3.3 - A simple method for analysis and synthesis of an automation system functional diagram

This method rests on the fact that if the functional diagram of an automation system is represented by a Petri net, the properties of the Petri net are those of the functional diagram. As a result, if we succeed in constructing a Petri net which guarantees a live and proper automation system, irrespective of input signals, we have solved the problem. A method of analysis and synthesis, based on safe, live and proper Petri nets, is proposed below. But first, some necessary definitions.

Definitions
- a Petri net is safe if there is never more than one token in one place.
- a Petri net is bounded, if there are never more than q tokens in one place.
- a Petri net is live, if any transition can be fired (using an adequate transition firing sequence).
- a Petri net is proper if it is always possible to return to a state already obtained, in particular the stand-by state.

These notions are illustrated in Fig. 1.

FIG 1 - Classification of Petri nets
[Diagram of the classes of nets, with labels: live nets, proper nets, safe, well-formed nets (live, proper, bounded + other conditions), and correct nets (safe, live and proper), this being the class in which we are interested.]
Note 1: the notions of "bounded", "live" and "proper" are independent.
Note 2: A "safe" net is "bounded".
Note 3: Each class is infinite, each net being represented by a point.

They can be summarized as follows:
- a correct Petri net is safe, live and proper (see Annex).
- a functional diagram is correct if it can be represented by a Petri net that is also correct.
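The definitions of safe, live and proper given above can be checked mechanically on a small net by enumerating its reachable markings. The following is an added example, not code from the paper: it uses brute-force state enumeration rather than the paper's reduction by inverse correct conversions, it reads "live" as "from every reachable marking every transition can still be fired after some firing sequence" (an assumption), and the four nets and all names in it are constructed for illustration.

```python
from collections import deque

# A net is {transition: (input places, output places)}; places are indices
# into the marking tuple and every arc carries exactly one token.

def reachability_graph(net, m0):
    """Explore markings breadth-first. Returns (graph, unsafe_marking);
    exploration stops at the first marking with two tokens in one place."""
    graph, queue = {}, deque([m0])
    while queue:
        m = queue.popleft()
        if m in graph:
            continue
        if max(m) > 1:                      # violates "safe"
            return graph, m
        graph[m] = {}
        for t, (ins, outs) in net.items():
            if all(m[p] >= 1 for p in ins):  # t is enabled in m
                nxt = list(m)
                for p in ins:
                    nxt[p] -= 1
                for p in outs:
                    nxt[p] += 1
                graph[m][t] = tuple(nxt)
                queue.append(tuple(nxt))
    return graph, None

def reachable_from(graph, start):
    """All markings reachable from start, start included."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in graph[stack.pop()].values():
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def analyse(net, m0):
    """Check safe, live, proper; correct means all three hold."""
    graph, unsafe = reachability_graph(net, m0)
    if unsafe is not None:
        # A non-safe net is not correct; live/proper are left undecided
        # because the marking set may be infinite.
        return {"safe": False, "live": None, "proper": None, "correct": False}
    live = proper = True
    for m in graph:
        cone = reachable_from(graph, m)
        fireable = {t for s in cone for t in graph[s]}
        live = live and fireable == set(net)   # nothing is lost for good
        proper = proper and m0 in cone         # stand-by state can be regained
    return {"safe": True, "live": live, "proper": proper,
            "correct": live and proper}

# Constructed sample nets (place 0 is the stand-by place).
CYCLE = {"T1": ((0,), (1,)), "T2": ((1,), (0,))}   # stand-by <-> active
DEAD_END = {"T1": ((0,), (1,))}                    # blocks after one firing
DEAD_BRANCH = {**CYCLE, "T3": ((2,), (0,))}        # place 2 is never marked
GENERATOR = {"T1": ((0,), (0, 1))}                 # each firing adds a token to place 1

if __name__ == "__main__":
    for name, net, m0 in [("CYCLE", CYCLE, (1, 0)),
                          ("DEAD_END", DEAD_END, (1, 0)),
                          ("DEAD_BRANCH", DEAD_BRANCH, (1, 0, 0)),
                          ("GENERATOR", GENERATOR, (1, 1))]:
        print(name, analyse(net, m0))
```

DEAD_BRANCH is proper but not live and DEAD_END is neither, which illustrates Note 1 of Fig. 1: the notions are independent and each must be checked.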

The method therefore consists in constructing correct Petri nets, so that the automation system that they represent is itself correct. It should be noted, however, that the method described below is supported by theoretical arguments not reproduced in this document.

4 - SYNTHESIS AND ANALYSIS OF THE FUNCTIONAL DIAGRAM OF AN AUTOMATION SYSTEM

Synthesis consists in constructing a correct functional diagram from these specifications. Analysis consists in checking that the functional diagram of the automation system is correct.

4.1 - Synthesis of a correct functional diagram

a) Construction of a correct Petri net

Correct basic conversions for the construction of a correct Petri net are given in the Annex 2. These conversions are applied from a basic net which is itself clearly correct. This characteristic is maintained for each correct conversion. As the automation system is constructed by application of successive correct conversions, it grows and crystallizes, while remaining correct at each stage.

Example:

[Figure: nets R1 (basic net), R2, R3 and R4.]

Nets R1, R2, R3 and R4 are all correct.

b) Characteristics of system construction using correct conversions

- If only correct conversions from a correct net are used, the final result itself can only be correct.
- Association of inputs with transitions and outputs with places has no influence (by definition) on the characteristic considered. In fact, we obtain a class of correct automation system when we achieve R4. The problem of inputs and outputs is considered in paragraph 3.3.
- Any correct net already obtained can be modified using correct conversions, facilitating execution of the synthesis.

Furthermore, this last characteristic is particularly interesting, if we wish to modify a correct Petri net representing a complex existing automation system. There is no risk of upsetting all the characteristics of this system, if correct conversions are applied.

4.2 - Analysis of an automation system

a) Analysis of an unknown Petri net

We start with this Petri net, and apply inverse correct conversions, these being exactly the opposite of normal correct conversions. If the reduced net is correct, we can conclude that the net analysed is also correct, and vice versa.

b) Brief explanation

If we pass from the net to be analysed to a correct reduced net by path C (by inverse correct conversions), we can retrace path C (normal correct conversions) to return to the initial net. Under these conditions, the net analysed is correct. This can be illustrated by simple examples.

c) Examples

1) Is net R4 correct?

[Figure: nets R4, R3, R2 and R1 linked by conversions; R1 and R4 are marked correct.]

The explanation given in paragraph b applied to this example means that path C (1A, 5A, 1A) retraced (dotted path: 1S, 5S, 1S) takes us back to net R4. As R1 is correct, R4 is also correct.

2) Is net A1 correct?

[Figure: net A1 and net A4.]

A4 is not safe, as n firings of transition T1 put n + 1 tokens in place P1. A4 is not correct, nor therefore is A1.

Important note: This method of analysis can be programmed without difficulty, as it comprises a set of basic algorithms applicable sequentially.

4.3 - Comments on the method of analysis and synthesis

Finally we have a method giving step-by-step synthesis of an automation system, each improvement maintaining the desired characteristics (safe, live and proper) at each stage. The automation system remains correct. Note that if an automation system is correct, it can be improved later without difficulty with application of an authorized modification (sequence of correct conversions), and still remains correct.

4.4 - Problems arising with a complex system

The [...] attained for each system can be improved. This must certainly be the case for a complex automation system such as the tests and control equipment [...] for major industrial complexes.

The designer and the operator are both concerned in [...] whether the system will cope correctly with operating contingencies that have been imperfectly provided for or not at all.

Two problems arise in the automation system context:
- the construction of a "perfect" system (synthesis)
- evaluation of "perfect" operation of the system, once constructed (analysis).

The following chapters examine the possible existence of a method or methods of answering these questions.

5 - APPLICATION OF METHODS OF SYNTHESIS AND ANALYSIS

Apart from the study of a single automation system, this method can be used in the following two cases:

a) Single automation system coupled to a process

1) The automation system and process are both represented by correct Petri nets.
2) Inputs and outputs are assigned to each of the two Petri nets, producing functional diagrams.
3) All inputs and outputs resulting from links between process and automation systems are eliminated, proceeding as follows:

[Figure: automation system and process nets.]

4) Inputs and outputs resulting from basic delay lines are also eliminated.

5) The resultant global net is analysed, applying inverse correct conversions to places and transitions without inputs.

[Figure: net obtained at step (5).]

This net is not live, as T1 and T3 cannot be fired, and continuation of the analysis is pointless. In this case, therefore, we must reconsider the links between process and automation system.

If a correct net remains on completion of phase 5, this means that automation system + process will operate well (in the normal sense of the term).

b) Several automation systems coupled to each other and to a process

1) Each automation system and the process is represented by a correct Petri net.
2) Inputs and outputs are assigned to each Petri net, producing a functional diagram for the complete system.
3) All inputs and outputs resulting from inter-automat and automat-process links are deleted.
4) Basic delay lines are deleted.
5) The resultant Petri net is analysed, applying inverse correct conversions to the places and transitions not assigned by inputs and outputs.
6) The reduced net should normally be much simpler than the initial net. A direct study is then made, or a simulation if the reduced net is still too big. In all cases a considerable amount of time is saved.

6 - COMMENTS ON THE METHOD OF ANALYSIS AND SYNTHESIS

Finally we have a method giving step-by-step synthesis of an automation system, each improvement maintaining the desired characteristics (safe, live and proper) at each stage. The automation system remains correct. Note that if an automation system is correct it can be improved later without difficulty with application of an authorized modification (sequence of correct conversions), and still remains correct.

This method can be used for rapid analysis of very large existing systems. Unfortunately, existing systems are practically all non correct, which goes a long way to explaining the circumstances in event of failures (see paragraph 3.2.a).

The method can be applied manually in the case of small systems. For larger systems, as in the case of EHV substation automation systems, a computer-backed concept with graphic input/output is in course of development. A medium-size EHV substation would require about 10 microprocessors, each microprocessor then representing a set of automation systems corresponding to about 200 places and transitions.

CONCLUSION

We have demonstrated that it is possible to ensure that an automation system embodies certain characteristics (principally non-blocking and guaranteed reinitialization), by representing the functional diagram of the system by a correct Petri net (one which is safe, live and proper). We have given a simple method of construction and analysis for correct Petri nets, showing how this method can be used in a case of multiple automation systems, interconnected with each other and to a process.

[Annex figure: example nets Q1 to Q6 that are not correct. Classes shown: live, non-safe and non-proper; safe, non-proper and non-live; proper, non-live and non-safe; live, safe and non-proper; proper, safe and non-live; live, proper and non-safe. Legible captions: once T1 has been fired, P1 and P3 cannot be marked simultaneously, so Q4 is non-proper; T4 cannot be fired, so Q5 is non-live; 2 tokens in P4 after (T1, T2), so Q6 is non-safe.]

ANNEX 2 (a) - RULES FOR ANALYSIS AND SYNTHESIS

[Diagrams of the conversion rules, with indications on diagrams; legible rule labels include 1a, 2s, 3a, 4s, 4a, 5s, 5a, 6s and 6a.]

EXTENSION OF RULES FOR ANALYSIS AND SYNTHESIS

RULE 1: For two transitions having common input places (one common input place is sufficient).

For each rule there is an extension, but we have no place here to describe them.

BIBLIOGRAPHY

(1) R. Valette. Doctorate of Science thesis, Toulouse, 24/11/76.
(2) L. Tourres. Methode de synthese d'automatismes programmes. AFCET Symposium: evolution dans la conception des systemes logiques, Nice, 27/6/75.
(3) L. Tourres. Une nouvelle methode d'etude des systemes logiques et son application a la realisation d'automatismes programmes. Revue generale de l'Electricite, March 1976, t. 85, N° 3, pp. 215-219.
(4) C. Andre. Sur une methode de conception assistee par ordinateur des systemes logiques a evolutions simultanees. Doctorate of Electronics thesis, Nice, 26/6/75.
(5) J. Miroux, L. Tourres and Tesseron. An automation microprocessor based system to be used in an EHV substation. IFAC Symposium on Automatic Control and Protection of Electric Power Systems, Melbourne, 21-25/2/77.
(6) L. Tourres, J. L. Boussin. Le microposte application des reseaux de Petri a la realisation d'automatismes programmes et au controle de specifications. AFCET/ADEPA Symposium - Automatismes logiques, Paris, 6-8/12/1976.
(7) B. Lussato, B. France-Lanord and J. P. Bouhot. La micro-informatique, introduction aux systemes repartis. Editions d'informatique, 1975.
(8) P. Girard and P. Naslin. Construction des machines sequentielles industrielles. Dunod, 1973.
(9) S. S. Patil and Dennis. The description and realization of digital systems. Revue Française d'Informatique, d'Automatisme et de Recherche Operationnelle, February 1973.
(10) M. Blanchard, J. C. Cavarruc, J. Gillon, J. Marchand, G. Guidez and G. Thuilier. Automatismes a sequences - DGRST Report N° 71.7.2912, Toulouse, 1973.
(11) M. Courvoisier. Etude des systemes logiques de commande asynchrones a evolutions simultanees. Doctorate of Sciences thesis, Toulouse, 1974.