Formal verification of sequence controllers

https://doi.org/10.1016/S0098-1354(99)00327-0

Abstract

Sequence controllers are widely used in the chemical processing industries due to the inherently sequential nature of many process operations. In particular, start-up and shut-down operations in continuous processes and any batch operation require sequence controls to force the time-dependent progression of the operation. One incorrect sequence embedded in a sequence control system can potentially cause severe problems. Therefore, all sequences embedded in a sequence control system need to be checked for consistency with design specifications. A formal verification methodology is developed that can systematically verify the functionality of sequence control systems represented at the logic level. Our approach is based on extensions of the recently developed implicit model checking technology, which is particularly well suited to the verification of large and complex systems. The sequence control system is represented implicitly as a system of Boolean equations, and the sequences to be verified are specified formally with temporal logic. Formal verification then requires the solution of a series of Boolean satisfiability problems, which are solved efficiently as integer programming feasibility problems. The methodology is applied to a simplified sequence control system to illustrate its application during the design of sequence control systems. Finally, the methodology is applied to an existing industrial burner management system.

Introduction

Many transients in the chemical processing industries exhibit both discrete and continuous characteristics. While continuous behavior arises in a familiar manner from phenomena such as mass, energy, and momentum conservation, discrete behavior arises from autonomous discontinuities, and discrete control actions and/or disturbances. Examples of autonomous discontinuities include phase changes, flow reversals, shocks and transitions (e.g. laminar to turbulent), discontinuities in equipment geometry, and internal features of vessels (e.g. weirs). Examples of discrete controls and/or disturbances include the response of automatic protective devices to process upsets, planned operational changes such as start-up, shutdown, and feedstock changeovers, and manual operator intervention. Furthermore, there are whole classes of processes such as batch, semi-continuous, and periodic processes that rely on sequential discrete control actions to implement normal operation.

The complex nonlinear and discontinuous nature of process dynamics dictates that sequences of discrete control actions are often required to force the process to follow the desired transient for a particular operation. In particular, sequence controllers are extensively used in the chemical processing industries to implement these discrete control actions. Sequence controls are necessary in continuous processes, especially during start-up, shut-down, and changeover operations. On the other hand, sequence controls are mandatory in batch processes even for routine operations. Sequencing operations vary from a single action to a series of actions for a particular purpose. For example, only one contact closure is required to start/stop a pump, while a series of opening/closing of valves is required to charge material to a reactor. In general, sequence control represents the most complicated body of control actions in a batch process automation system (Rosenof & Ghosh, 1987).

Sequence control systems do not exist in isolation, but instead are closely coupled to other control systems such as regulatory control systems and automatic protective systems that actually execute individual steps in a sequence. Fig. 1 shows the control systems hierarchy found in many modern plants up to the level of sequence control systems. Regulatory control systems automatically regulate the process by controlling a set of variables within some neighborhood of their set points. Automatic protective systems or safety interlock systems provide automatic action to correct abnormal plant behavior that has not been controlled by, or has been caused by, actions in regulatory control systems and/or sequence control systems. In particular, safety interlock systems shut down the plant or part of it if abnormal conditions are detected, and check the existence of prerequisites for a specific action (such as running a pump) before actually implementing it (permissive functionality). Sequence control systems interact with regulatory control systems by manipulating final control elements and providing set points. Therefore, the commands issued by the sequence control systems are typically checked by safety interlock systems before action is taken, and an incorrect command issued by the sequence control system can activate the shutdown action of the safety interlock system. Note that both sequence control systems and safety interlock systems are discrete state systems while regulatory control systems are most appropriately modeled as continuous state systems. For any sequence control to be successful, the role played by the regulatory control and safety interlock systems is crucial. Furthermore, integration between the three systems is required.

As an example, consider the batch reactor process shown in Fig. 2 (Lim & Ray, 1989) consisting of ingredient storage tanks, a mixer, additive storage tanks, and a reactor. Ingredients are measured into the mixer, and are mixed and preheated according to the recipe. The mixture is discharged to the reactor, where the reaction is initiated by adding catalytic additives. The finished product is discharged to the finishing lines. Reaction temperature and pressure are regulated to control the product quality by the regulatory control system. Safety interlocks are required for the additive valves. Since reactant additives must be added at a particular stage of the reaction, additive flow is interlocked with the sequence control to avoid accidental addition at an inappropriate stage. For example, only one additive valve should be open at a time. Sequence control is required to step the reactor through its processing sequence. Sequence control determines which output should be activated for a particular step by comparing inputs to the step requirements, and then advances to the next step. For example, on the step where ingredient A is added to the mixer, the sequence controller opens the valve for ingredient A, measures the amount of ingredient A, closes the valve, and then advances to the next step.

Fig. 3 shows a simplified functional design procedure for sequence control systems. In order to design a sequence control system for a particular process, operation of the process is first divided into steps before each individual step is designed. Sequence control systems execute each step one at a time or several steps concurrently, and control the transitions between steps. To ensure the process proceeds in the appropriate sequence, the transition from one step to another must always be preceded by the satisfaction of permissives. During each step, the sequence controller turns on or off one or more outputs, waits for the response, then turns on or off another set of outputs, and so on. Functional specifications define these requirements for sequence control, and state diagrams are most commonly used to represent sequences. Examples include step diagrams, Petri-nets, and Grafcet (David, 1993). Based on these specifications, the details of the sequence control logic are designed, which include transitions between steps, a set of statements executed in each individual step, and permissives for each transition.

Standard industrial practice is to represent the implementation-independent functionality of safety interlock systems as logic systems such as binary logic diagrams or ladder logic diagrams (AIChE/CCPS, 1993). However, there is no standard way to represent the implementation-independent functionality of sequence control systems. Some techniques that are currently being used include function blocks, ladder logic, state diagrams, and general-purpose programming languages (IEC, 1993). Programmable logic controllers (PLCs) have been used extensively in sequence control applications, and ladder logic is the most commonly used representation in a PLC (Rosenof & Ghosh, 1987). Even though ladder logic does not make sequence control logic easy to implement, the majority of controls are implemented at the logic level using ladder logic (Zapolin, 1990). In principle, sequence control logic can be constructed by building up elementary functions at the logic level. Furthermore, it is favorable to represent the functionalities of the sequence control and the safety interlocks at the same level because the sequence control system is closely coupled to the safety interlock system (Lim & Ray, 1989). Once the design of the sequence control logic is completed, it should be verified rigorously against the original functional specifications. After successful verification, the system can then be implemented using particular hardware or software.

Verification should include not only the sequence control system but also its interaction with the safety interlock system, the regulatory control system, and the underlying chemical process. This requires the formal verification of a hybrid discrete/continuous dynamic system, where the sequence control and safety interlock systems are modeled as discrete state sub-systems and the process and regulatory control systems are modeled as continuous state sub-systems, including autonomous discontinuities such as controller saturation. However, only an extremely limited class of hybrid systems can be formally verified (Alur, Courcoubetis, Henzinger & Ho, 1993, Kesten, Pnueli, Sifakis & Yovine, 1993). Therefore, the hybrid system composed of the sub-systems shown in Fig. 1 cannot be verified formally. Instead, the original verification problem can be decomposed into two solvable sub-problems. The first problem is to validate the performance of the sequence control system considering its interaction with other systems. This dynamic validation problem can be resolved by employing hybrid discrete/continuous dynamic simulation technologies (Barton & Park, 1997). The second problem is to verify formally the functionality of the sequence control system including its interaction with the safety interlock system, which is the main topic of this article.

In this article, we present a formal verification technology for the sequence control system including its interactions with the safety interlock system. Implicit model checking technology (Park & Barton, 1997) has recently been developed for the formal verification of large-scale logic-based control systems. In this paper, implicit model checking will be extended to formulate specifications for sequences and to verify sequence control systems.

Other formal verification methods have been applied in the chemical processing industries. Powers and coworkers (Moon, Powers, Burch & Clarke, 1992, Turk, Probst & Powers, 1997) have applied symbolic model checking (Clarke, Emerson & Sistla, 1986, Burch, Clarke, McMillan & Dill, 1990) to medium-scale verification problems. Kowalewski and Preussig (1996) applied a condition/event system-based method to verify sequential controllers. Neither approach is suitable for solving large-scale verification problems because of the state explosion problem in model formulation (Park & Barton, 1997). A more detailed comparison between implicit model checking and other approaches can be found in Park and Barton (1997). Dimitriadis, Shah and Pantelides (1997) proposed a mixed-integer optimization-based verification method for hybrid systems containing both continuous and discrete state systems. Their approach will also suffer from the state explosion problem in model formulation because their discrete state system is modeled by explicit finite state machines.

The rest of the article is organized as follows. Section 2 describes the implicit model checking technology for sequence control systems. In particular, models and specifications for sequence controllers are developed along with verification algorithms. In Section 3, the developed formal verification technology is applied to the design of a simple sequence controller, which is followed by an industrial-scale example.

Section snippets

Methodology

A formal verification technology for sequence control systems will be developed on the basis of implicit model checking (Park & Barton, 1997). Within the framework of implicit model checking, the behavior of the logic-based control system is modeled implicitly as a system of Boolean equations, and specifications are expressed in temporal logic. Model formulation is not combinatorial due to the implicit nature of the model. The verification problem is then formulated as a Boolean satisfiability

Illustrative example

The formal verification technique for sequence control systems will be illustrated by applying it to the design of a simple sequence control system. Fig. 4 is a simple mixing process consisting of two storage tanks for chemical A and B, a mixer, and three on–off valves. A fixed amount of chemical A is first charged into the mixer. The chemical B is then continuously added to the mixer. Once the desired amount of mixture is obtained, the mixture is discharged downstream by opening the outlet
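The mixing process just described, modelled the way the Methodology section outlines (controller behavior as a system of Boolean equations, specifications in temporal-logic style, verification by searching for a satisfying assignment of the unrolled equations) and following the step/permissive structure of Fig. 3, as an added Python example that is not part of the article. The step register is two Boolean state variables with explicit next-state equations, each step drives one valve, and two specifications are checked: a mutual-exclusion invariant (at most one valve open, in the spirit of the one-additive-valve interlock of the batch reactor example) and a sequence property (the outlet valve opens only from the B-addition step). A deliberately faulty variant of the output equations shows what a counterexample looks like. The input names, the step encoding and the search depth are assumptions; the article solves the resulting satisfiability problems as integer programming feasibility problems, whereas this example enumerates every input sequence up to a bound explicitly, which is adequate only for a toy model.

```python
"""Bounded check of a three-step mixing sequence controller modelled as Boolean equations.

Added example; the model, input names and step encoding are constructed, not from the article.
"""
from itertools import product

# Constructed discrete inputs sampled by the controller every scan (assumed names).
INPUTS = ("start", "a_charged", "mix_full", "mixer_empty")
INITIAL = (False, False)  # step register (q1, q0) = 00 is the idle step


def next_state(q1, q0, u):
    """Boolean next-state equations for the step register (q1, q0).

    00 idle       -> 01 charge A   when start
    01 charge A   -> 10 add B      when a_charged  (permissive for the transition)
    10 add B      -> 11 discharge  when mix_full
    11 discharge  -> 00 idle       when mixer_empty
    """
    q1n = ((not q1) and q0 and u["a_charged"]) \
        or (q1 and (not q0)) \
        or (q1 and q0 and (not u["mixer_empty"]))
    q0n = ((not q1) and (not q0) and u["start"]) \
        or ((not q1) and q0 and (not u["a_charged"])) \
        or (q1 and (not q0) and u["mix_full"]) \
        or (q1 and q0 and (not u["mixer_empty"]))
    return q1n, q0n


def outputs(q1, q0, faulty=False):
    """Output equations: every step drives exactly one valve.

    `faulty=True` injects a design error for illustration: the B valve is
    left open during the discharge step as well.
    """
    valve_a = (not q1) and q0
    valve_b = q1 and (not q0)
    valve_out = q1 and q0
    if faulty:
        valve_b = q1  # wrong: true in step 10 *and* step 11
    return {"valve_a": valve_a, "valve_b": valve_b, "valve_out": valve_out}


# Specifications, written as predicates over a finite trace of output vectors.
def spec_mutual_exclusion(trace):
    """Invariant (AG in CTL terms): at most one valve open in every scan."""
    return all(sum(y.values()) <= 1 for y in trace)


def spec_discharge_after_b(trace):
    """Sequence property: whenever the outlet valve opens, the B valve was
    open in the immediately preceding scan."""
    for prev, cur in zip(trace, trace[1:]):
        if cur["valve_out"] and not prev["valve_out"] and not prev["valve_b"]:
            return False
    return True


def bounded_check(spec, depth, faulty=False):
    """Unroll the equations `depth` scans from INITIAL and search all input
    sequences for one whose trace violates `spec`.

    Returns None when no violation exists within the bound, otherwise the
    counterexample as (list of input dicts, list of output dicts).
    """
    one_scan = tuple(product((False, True), repeat=len(INPUTS)))
    for seq in product(one_scan, repeat=depth):
        q1, q0 = INITIAL
        trace = [outputs(q1, q0, faulty)]
        for bits in seq:
            u = dict(zip(INPUTS, bits))
            q1, q0 = next_state(q1, q0, u)
            trace.append(outputs(q1, q0, faulty))
        if not spec(trace):
            return [dict(zip(INPUTS, b)) for b in seq], trace
    return None


if __name__ == "__main__":
    for name, spec in (("mutual exclusion", spec_mutual_exclusion),
                       ("discharge after B", spec_discharge_after_b)):
        print(f"{name:18s} correct design: {bounded_check(spec, 4)}")
        print(f"{name:18s} faulty design : {bounded_check(spec, 4, faulty=True)}")
```

A `None` result means only that no violation exists within the chosen bound: the faulty design is not caught at depth 2, because three scans are needed to reach the discharge step, so the depth must cover the longest sequence of interest before a pass is meaningful.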

Industrial case study

The formal verification technology proposed in this article is applied to the burner management system in North American Guidelines for Application of MOD5™ Burner Management (Dow Chemical Company, 1994). The guidelines provide a basic burner management system for single-burner, fuel-gas-fired equipment, and contain sequence controls as well as safety interlocks. The system of Boolean equations is derived from the original logic coded in DOWTRAN™ (a proprietary procedural control language).

Conclusion

A formal verification methodology for sequence control systems has been developed. It can verify all possible sequences embedded in a sequence control system rigorously. Furthermore, the interaction with a safety interlock system can be verified by including details of the safety interlock system in the model formulation. Formal specifications can easily be derived from state diagrams, which are commonly used in industry to specify the functionality of the sequence control system. Finally, our

References (21)

  • AIChE/CCPS. (1993). Guidelines for Safe Automation of Chemical Processes. AIChE, New York,...
  • Alur, R., Courcoubetis, C., Henzinger, T. A., & Ho, P. (1993). Hybrid automata: An algorithmic approach to the...
  • Barton, P. I., & Park, T. (1997). Analysis and control of combined discrete/continuous systems: progress and challenges...
  • Brooke, A., Kendrick, D., & Meeraus, A. (1992). GAMS Release 2.25: A User's Guide. The Scientific Press, San Francisco,...
  • Burch, J. R., Clarke, E. M., McMillan, K. L., & Dill, D. L. (1990). Sequential circuit verification using symbolic...
  • Clarke, E., Emerson, E. A., & Sistla, A. P. (1986). Automatic verification of finite state concurrent systems using...
  • Cavalier, T. M., Pardalos, P. M., & Soyster, A. L. (1990). Modeling and integer programming techniques applied to...
  • David, R. (1993). Petri-nets and Grafcet for specification of logic controllers. In: Proceedings of the Triennial World...
  • Dimitriadis, V.D., Shah, N., & Pantelides, C.C. (1997). Modeling and safety verification of discrete/continuous...
  • Dow Chemical Company (1994). North American Guidelines for Application of MOD5™ Burner...

1 Present address: MC Research and Innovation Center, Inc., One Broadway, Cambridge, MA 02142, USA.