J. Jiang, D. Azzopardi, D.J. Holding, G.F. Carpenter, J.S. Sagoo

Indexing terms: Real-time control, Hybrid control, Discrete event systems, Synchronisation, SFC, Petri nets, Specification, Verification, High-speed machinery, Manufacturing system
Fig. 1 SFC components

An SFC model evolves as steps complete their associated actions and the successor transitions fire, activating the next steps. To describe and constrain the timing and duration of actions, SFC defines a set of qualifiers.

in Figs. 2 and 3.

The execution models of SFC and CPN are somewhat different: the nature of the difference depends on the particular interpretation of the CPN model. For the purpose of exploring the potential behaviours of the system, the simultaneous firing of enabled transitions in SFC is translated into the interleaved firing of the transitions in the CPN model. This has the disadvantage of generating a larger state space; however, this encompasses all reachable states of the SFC model. The additional complexity is offset by the ability of the interleaved CPN model to represent explicitly the notion of nondeterministic choice which commonly occurs in reactive systems.
IEE Proc.-Control Theory Appl., Vol. 143, No. 2, March 1996 165
Fig. 2 Controlled Petri nets representation of reduced set of SFC constructs (columns: Construct, SFC, CPN; constructs shown: transition; divergence or sequence selection)
Note: selection conditions must be mutually exclusive

Fig. 3 Controlled Petri nets representation of reduced set of SFC constructs (columns: Construct, SFC, CPN; constructs shown: convergence following selection; simultaneous divergence or parallel; convergence following simultaneous divergence or parallel)

4 Design verification

Co-ordination and synchronisation logic defined in the restricted subset of SFC can be translated into a CPN model using the component representations shown in Figs. 2 and 3. The resulting CPN model can be analysed using well established Petri net theory. However, the design of concurrent real-time synchronisation logic is a complex and subtle process, and detailed analysis and interpretation is necessary to determine whether a design satisfies the system functional requirement. In this paper the term live will refer to freedom from deadlock, and the term liveness properties will be used in its temporal logic sense to primarily define what the system should do [13]. The terms safe and safety will be used in the general control engineering sense [14]. (The Petri net notion of a safe net will be avoided by reference to a 1-bound net.) The term safety properties will be used in its temporal logic sense to primarily define what the system should not do [13].

In general, large parts of an engineering functional requirement can be interpreted as liveness properties, and those parts of a functional requirement which refer to constraints or things which should not happen can be interpreted as safety properties. In Petri nets, liveness properties may be demonstrated by exhaustive search techniques involving the generation of the state coverability graph or reachability tree: a system can be shown to be live by investigating the transition firing sequences, and safety properties may be verified using P-invariants [15] or by exhaustive search techniques. An engineering functional requirement defining the synchronisation requirements of a multiaxis machine will comprise both liveness properties and safety properties. In such loosely coupled concurrent systems, the reachable space or coverability graph is often large because of all the possible combinations of states which may occur in the asynchronous subsystems. To interpret such data and manage its complexity, this paper makes use of the notion of concurrency sets (which were developed for analysing communication protocols [7]) and applies them to the analysis of the semantics of Petri net models. In the context of a Petri net, the concurrency set for place p_i is the set of all places that are potentially concurrent with place p_i. Thus, the concurrency set for place p_i provides a concise and tangible representation of what the rest of the system may be doing while the local state p_i is active. In the following, concurrency sets are used to present a concise demonstration of certain safety properties.

The Petri net model of the SFC-defined synchronisation logic for a multiaxis machine system will typically be large and somewhat complex. To analyse such systems automated tools are required. The IT research group at Aston University have developed a software workbench to analyse the behavioural properties of SFC designs. The system specification is input in the form of an SFC data file which is automatically translated into an equivalent Petri net. The design engineer can then invoke tools to verify behavioural properties such as freedom from deadlock, boundedness, reachability [6, 11], P- and T-invariants [15], concurrency sets [7], quasi-liveness, home state and reversibility [16-18]. Tools in the workbench are implemented in object oriented C++. They make use of three analysis techniques: (i) incidence matrix / invariant analysis of the structure of the Petri net; (ii) coverability graph analysis to enumerate all the possible states; and (iii) Petri net reduction to produce a reduced Petri net which preserves the desirable properties of the original Petri net, but is easier to analyse since it produces a smaller coverability graph. Results of the Petri net analysis are fed back to the design engineer, either directly or in terms of the original SFC, for system verification.

5 Design case study

This approach is illustrated by considering the design of synchronisation logic for a prototype high-speed can packaging machine, shown in Fig. 4. The machine comprises six independent axes: feeder, drum 1, drum 2, conveyor, and slider/actuators which transfer cans from feeder to drum 1, drum 1 to drum 2, and drum 2 to conveyor. (For simplicity, the conveyor and feeder are connected directly, thus forming a single axis.) The six axes have asynchronous motions unless forced into local synchronisation by the synchronisation logic. The
Table 1: Semantics for SFC of Fig. 5

motion phases of the six independently driven axes are defined in the SFC diagram, Fig. 5, and the semantics of the SFC steps, transitions and events are shown in Table 1. The transfer motions of the slider/actuators only take place when the appropriate drums are stationary and a can is present at the source of the transfer and no can is present at the destination. The transfer slider/actuator between drum 1 and drum 2 is more complex: to increase machine performance the slider is permitted to move asynchronously towards the drums. On reaching a decision point, a time-critical decision is made whether to insert (if at that instant both drum 1 (with a can) and drum 2 (with no can) are in position and stationary), or abort (if any insert condition is not satisfied).

Fig. 4 Six axis prototype machine (feeder, transfer sliders, drum 1, drum 2, conveyor)
Table 2: Synchronising conditions for SFC of Fig. 5

Transition   Associated condition
t1           ¬Step25 ∧ Step10
t2           Step11 ∧ ¬Step25 ∧ ¬Step26
t3
t4           Drum1-rotate-nocan-complete
t5           Step18
t6           Step19 ∧ ¬Step29
t7
t8           Drum1-rotate-can-complete
t9           ¬Step25 ∧ Step2
t10          Step3 ∧ ¬Step25 ∧ ¬Step26
t11
t12          Drum2-rotate-can-complete
t13          Step21
t14          Step22 ∧ ¬Step31
t15
t16          Drum2-rotate-nocan-complete
t17          Step14
t18          Step15 ∧ ¬Step31
t19
t20          Step6
t21          Step7 ∧ ¬Step29
t22
t23          Step3 ∧ Step11
t24          ¬Step3 ∨ ¬Step11
t25          Step3 ∧ Step11
t26          Slider-insert-complete
t27          Slider-motion-complete
t28          Slider-approach-complete
t29          Step7 ∧ Step19
t30          Feeder-slider-insert-complete
t31          Step15 ∧ Step22
t32          Conv-slider-insert-complete
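As an added illustration (not code from the paper or from the Aston workbench), the following Python models a two-axis slice of the case study as a 1-bound net, enumerates its reachable markings by interleaved firing as Section 4 describes, derives the concurrency sets, and reads a safety property of the form □¬[drum rotating ∧ slider inserted] directly off them; it then repeats the analysis with the synchronising conditions removed so that the violating marking appears in the concurrency set. Place and transition names, and the reading of Step25 as "slider inserted between the drums", are assumptions; Table 2's conditions are modelled as guards evaluated on the marking rather than as explicit control places.

```python
from collections import deque
# Constructed miniature of the paper's case study: one drum plus the slider that
# inserts into it. Places are SFC steps and, the net being 1-bound, a marking is the
# set of active steps. A transition is (pre, post, guard); guards stand in for Table 2.
ALWAYS = lambda m: True

def build_net(guarded=True):
    inserted = lambda m: "s_insert" in m    # slider is between the drums (assumed Step25)
    stationary = lambda m: "d_stat" in m    # drum in position and not moving
    return {
        # drum may start rotating only while the slider is not inserted (cf. ¬Step25 guards)
        "t_rot_start": ({"d_stat"}, {"d_rot"},
                        (lambda m: not inserted(m)) if guarded else ALWAYS),
        "t_rot_done":  ({"d_rot"}, {"d_stat"}, ALWAYS),
        "t_approach":  ({"s_approach"}, {"s_decision"}, ALWAYS),
        # decision point: insert if the drum is stationary, otherwise abort
        "t_insert":    ({"s_decision"}, {"s_insert"}, stationary if guarded else ALWAYS),
        "t_abort":     ({"s_decision"}, {"s_approach"}, lambda m: not stationary(m)),
        "t_retract":   ({"s_insert"}, {"s_approach"}, ALWAYS),
    }

def enabled(net, m):
    return [t for t, (pre, _, guard) in net.items() if pre <= m and guard(m)]

def reachability(net, m0):
    """Interleaved firing: enumerate every marking reachable from m0."""
    seen, todo = {m0}, deque([m0])
    while todo:
        m = todo.popleft()
        for t in enabled(net, m):
            pre, post, _ = net[t]
            m2 = frozenset((m - pre) | post)   # fire t: consume pre, produce post
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen

def concurrency_sets(markings):
    """For each place p, the places that may hold a token while p does."""
    cs = {}
    for m in markings:
        for p in m:
            cs.setdefault(p, set()).update(m - {p})
    return cs

def never_together(cs, p, q):   # safety property: always not (p and q)
    return q not in cs.get(p, set())

def deadlocks(net, markings):   # empty result means freedom from deadlock
    return [m for m in markings if not enabled(net, m)]
```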
Fig. 7 Controlled Petri net model of SFC of Fig. 6
Note: the nine control places are omitted to reduce complexity

The principal functional requirements of the overall system can be expressed precisely and concisely using the logic operators: ¬ (not), ∧ (and), ∨ (or); the temporal operators [19]: ○ (next), □ (always), ◇ (eventually); and the places of the net. In the following, key requirements are demonstrated using Petri net theory.

Liveness property 1: Every time the slider reaches the decision point, it will eventually insert into the drum: □◇(p24) ⊃ □◇(p25). Liveness property 1 has been demonstrated using exhaustive search techniques.

Safety property 1: A situation will never occur in which the slider is at the decision point and no decision is made: □¬[p24 ∧ ¬(p?? ∨ p??)] (the indices of the two decision places are illegible in the source). This property has been demonstrated by a search of all states of the coverability graph which include the local state p24.

Safety property 2: A situation will never occur in which any drum rotates when an associated slider is inserted: □¬[p25 ∧ (p1 ∨ p5 ∨ p9 ∨ p13)] ∧ □¬[p29 ∧ (p1 ∨ p5)] ∧ □¬[p31 ∧ (p9 ∨ p13)]. This property is demonstrated by inspection of the concurrency sets for p25, p29 and p31.

Safety property 3: A situation will never occur in which any slider inserts when an associated drum is rotating: □¬[(p1 ∨ p5) ∧ (p25 ∨ p29)] ∧ □¬[(p9 ∨ p13) ∧ (p25 ∨ p31)]. This property is demonstrated by inspection of the concurrency sets for p1, p5, p9 and p13.

In the above, formally specified properties were demonstrated using Petri net theory. They may also be proved using temporal logic by setting the control places to one, reducing the 1-bound CPN to a condition event (CE) net which can be translated into temporal logic, and using the temporal logic proof system [20, 21]. For the design engineer, equally interesting and tangible results and insights can be gained from inspection of

6 Conclusions

event-driven concurrent or distributed systems, such as independently driven multiaxis machinery, is a complex and subtle process. Without a means of probing the possible behaviour of a system, the system designer cannot determine whether a design satisfies functional and performance requirements. The approach presented in this paper focuses on specifications and designs captured using the IEC 1131 SFC notation, which forms an industry standard for PLC and specialist machine-drive control systems. The paper has shown how designs expressed using a restricted subset of SFC can be translated into a CPN model. This was analysed using established and novel Petri net techniques to determine generic aspects of behaviour such as freedom from deadlock, boundedness, state reachability and concurrency sets. The concurrency set technique was shown to provide a relatively concise summary of the potential concurrent behaviours of the system. The set of concurrency sets can be accessed directly by applications engineers who wish to examine the juxtaposition of behaviours in a distributed or decentralised system; they are particularly useful when demonstrating certain types of safety property. The overall approach is consistent with formal approaches and proof systems. The method has been illustrated by application to the design and verification of synchronisation logic for a medium-scale prototype high-speed manufacturing system comprising multiple, software-controlled, independently driven axes or machine functions.

7 Acknowledgments

This research was supported by EPSRC/DTI grants GR/R60666 and GR/J09352, and has been carried out in conjunction with Eurotherm Controls Ltd, U.K.

8 References

1 HOLDING, D.J., and SAGOO, J.S.: A formal approach to the software control of high-speed machinery, in IRWIN, G.W., and FLEMING, P.J. (Eds.): Transputers in real-time control (Research Studies Press, 1992), Chap. 9
2 GROSSMAN, R.L., NERODE, A., RAVN, A.P., and RISCHEL, H. (Eds.): Hybrid systems, LNCS vol. 736 (Springer Verlag, 1993)
3 LANGMAACK, H., DE ROEVER, W.-P., and VYTOPIL, S. (Eds.): Formal techniques in real-time and fault-tolerant systems, LNCS vol. 863 (Springer Verlag, 1994)
4 IEC 1131, International Electrotechnical Commission: International standard for programmable controllers, programming languages, March 1993
5 JIANG, J., and HOLDING, D.J.: The formalisation and analysis of sequential function charts using a Petri net approach, 13th IFAC World Congress, IFAC96, San Francisco, 1996 (in press)
6 PETERSON, J.L.: Petri net theory and the modelling of systems (Prentice Hall, 1981)
7 SKEEN, D., and STONEBRAKER, M.: A formal model of crash recovery in a distributed system, IEEE Trans. Softw. Eng., 1983, 9, (3), pp. 213-228
8 DAVID, R.: Modelling of dynamic systems by Petri nets, ECC 91 European Control Conference, 2-5 July 1991, Laboratoire d'Automatique de Grenoble, Grenoble, France, pp. 136-147
9 MALLABAND, S.: Specification of real time control systems by means of sequential function charts, International Conference on Software Engineering for Real-Time Systems, 16-18 September 1991, pp. 57-61
10 HOARE, C.A.R.: Communicating sequential processes (Prentice Hall, 1985)
11 REISIG, W.: Petri nets: an introduction (Springer Verlag, 1985)
12 HOLLOWAY, L.E., and KROGH, B.H.: Synthesis of feedback control logic for a class of controlled Petri nets, IEEE Trans. Autom. Control, 1990, 35, (5), pp. 516-523
13 LAMPORT, L.: Proving the correctness of multiprocess programs, IEEE Trans. Softw. Eng., 1977, SE-3, (2), pp. 125-143
14 LEVESON, N.G.: Safeware: system safety and computers (Addison Wesley, 1995)
15 MURATA, T.: Petri nets: Properties, analysis and applications, Proc. IEEE, 1989, 77, (4), pp. 541-580
16 DAVID, R., and ALLA, H.: Petri nets and Grafcet: Tools for modelling discrete event systems (Prentice Hall, 1992)
17 ZURAWSKI, R., and ZHOU, M.C.: Petri nets and industrial applications: A tutorial, IEEE Trans. Ind. Electron., 1994, 41, (6), pp. 567-585
18 DESROCHERS, A.A., and AL-JAAR, R.Y.: Applications of Petri nets in manufacturing systems (IEEE, New York, 1995)
19 SUZUKI, I., and LU, H.: Temporal Petri nets and their application to modelling and analysis of a handshake daisy chain arbiter, IEEE Trans. Comput., 1989, 38, (5), pp. 641-704
20 HE, X., and LEE, J.A.N.: Integrating predicate transition nets with first order temporal logic in the specification and analysis of concurrent systems, Form. Asp. Comput., 1990, 2, pp. 226-246
21 SAGOO, J.S., and HOLDING, D.J.: A comparison of temporal Petri net based techniques in the specification and design of hard real-time systems, Microprocess. Microprogr., 1991, 32, (1-5), pp. 111-118
22 MERLIN, P.M., and FARBER, D.J.: Recoverability of communication protocols, implications of a theoretical study, IEEE Trans., 1976, COM-24, pp. 1036-1043
23 LEVESON, N.G., and STOLZY, J.L.: Safety analysis using Petri nets, IEEE Trans. Softw. Eng., 1987, SE-13, (3), pp. 386-397