Formal methods for batch production systems
Ronan Champagnat, Robert Valette, Hervé Pingaud
e-mail : [email protected] – http://www.laas.fr/~robert
This work has been partially supported by the French-Spanish integrated program PICASSO in cooperation with the DIIS-CPS (U. Zaragoza)
Workshop "Formal Methods for Manufacturing", Zaragoza, sept. 1999
Plan
• Introduction
• Hybrid modeling with Petri nets
  – Abstracting continuous behavior by means of time
  – Modeling with colored Petri nets
  – Modeling with hybrid Petri nets
  – Modeling with Petri nets and differential algebraic equations
• Analysis
  – Analysis needs for batch systems
  – Analysis with ordinary Petri nets
  – Analysis with t-time Petri nets
  – Analysis with differential predicate transition nets
• Conclusion
Introduction (1)
What is a batch production system ?
• A manufacturing system
  – recipes are part routes, equipment to process raw material, handling/storage units
• Batches of raw material
  – numbers of batches are integers, production management, event driven production => discrete aspect
  – batches of continuous raw material, batch size and storage capacity are real numbers => continuous aspect
Hybrid Modeling Issues for Formal Methods
Introduction (2)
What is a hybrid formal model ?
• Continuous (dense, real numbers) state variables
• Discrete (finite set of values or integers) state variables
• Continuous dynamics on a dense time (differential algebraic eq.)
• Discrete event dynamics on a discrete time (automata, Petri nets)
A wide range of approaches, differing in the proportion of these items
Introduction (3)
In a batch system :
• Continuous variables :
  – batch size, quantities of moles in the solvent, temperature, pressure etc.
• Continuous dynamics :
  – heat exchange system (cooling device, sterilization of milk), fluid transfers between vessels
• Discrete variables :
  – vessel and device states, batch states in a recipe, flowsheet configurations (on/off valves)
• Discrete dynamics :
  – recipes, cleaning procedures, set up and shut down procedures
Hybrid modeling with Petri nets (1)
Abstracting continuous behavior by means of time (1)
– time Petri nets, timed Petri nets, stochastic Petri nets
[Figure: a tank filled through valve Vai at flow rate di; transition "start filling (open valve)", then transition "stop filling after ∆t (the correct pressure is reached)". The filling itself is abstracted as the delay ∆t.]
Hybrid modeling with Petri nets (2)
Abstracting continuous behavior by means of time (2)
• Only one continuous variable : time
• Only the simplest continuous dynamics : dx/dt = 1
  – not always possible to predict the duration (transfer of variable size batches)
• No restriction about discrete states (places)
• Complex discrete event dynamics : Petri net
  – resource allocation (conflicts)
  – true concurrency (not interleaving, partial order semantics)
Hybrid modeling with Petri nets (3)
Modeling with colored Petri nets (1)
– continuous attributes on tokens
– based on discrete time (sampled system)
[Figure: tank filled through valve Vai at flow rate di; transition "start filling", then a sampling transition with static interval [∆θ, ∆θ] on place P2 that updates the token attribute V and tests "if V = Vbatch then close Vai".]
Hybrid modeling with Petri nets (4)
Modeling with colored Petri nets (2)
• Continuous variables (token attributes)
• Discrete variables (places)
• Complex discrete event dynamics
• Complex continuous dynamics by means of a sampling process? Yes, but only an approximation, and a cumbersome simulation
Hybrid modeling with Petri nets (5)
Modeling with colored Petri nets (3)
[Figure: plot of the volume V against time, sampled at 0, 1∆θ, 2∆θ, 3∆θ, 4∆θ; the threshold Vbatch is crossed between two sampling instants.]
Inconsistency between continuous time and discrete one (events).
For more precision, many samples. Results in cumbersome simulations.
Hybrid modeling with Petri nets (6)
Modeling with hybrid Petri nets (1)
– continuous token loads for continuous places
– continuous firing of continuous transitions
– hourglass (water clock or clepsydra) principle
[Figure: tank filled through valve Vai at flow rate di; the discrete transition "start filling" enables the continuous transition t1, of speed di, which feeds the continuous place Tank; the discrete transition t2 "stop filling" fires when the load of Tank reaches Vbatch. Places P1 and P2 carry the discrete state.]
Hybrid modeling with Petri nets (7)
Modeling with hybrid Petri nets (2)
• Continuous variables (positive?) : continuous place token loads
• Discrete variables : discrete place markings
• Complex discrete event dynamics
• Linear continuous dynamics : dx/dt = t_speed
Ensures consistency between dense time and events
Hybrid modeling with Petri nets (8)
Modeling with hybrid Petri nets (3)
[Figure: plot of the volume V against time; V grows linearly and the stop event is placed exactly at time Vbatch/di, not at one of the sampling instants 1∆θ, 2∆θ, ... 4∆θ.]
Simulation remains an efficient discrete event one
Only events are considered and precision is ensured
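A worked comparison of the two views (the sampled colored Petri net of slide 10 and the hybrid Petri net of this slide), as an added example that is not part of the original slides: the sampled model can only test the guard at multiples of ∆θ and overshoots Vbatch, while the hybrid model applies the hourglass principle and places the stop event exactly at Vbatch/di. The rate di = 2, batch volume Vbatch = 10, drain speed 4 and period ∆θ = 0.3 are constructed values.

```python
"""Tank filling: sampled colored-Petri-net view versus hybrid-Petri-net view.

Added illustration, not code from the workshop slides. The flow rate di,
the batch volume Vbatch and the sampling period dtheta are constructed values.
"""


def sampled_fill(di: float, vbatch: float, dtheta: float):
    """Colored PN with a sampling transition of static interval [dtheta, dtheta].

    The token attribute V is updated once per sampling period, so the guard
    "V = Vbatch" can only be observed at a sampling instant: the stop event
    lands on the first k*dtheta with V >= Vbatch and the tank overshoots
    unless Vbatch/di is a multiple of dtheta.
    Returns (stop_time, final_volume, number_of_samples).
    """
    k = 0
    while k * dtheta * di < vbatch:   # guard tested as V >= Vbatch (floats)
        k += 1
    return k * dtheta, k * dtheta * di, k


def hybrid_run(phases, v0: float = 0.0):
    """Hybrid PN, hourglass principle: the continuous place Tank is fed (or
    drained) by a continuous transition at constant speed; each phase ends
    exactly when the load reaches its threshold, and that instant is
    computed from the speed, not sampled.

    phases: list of (name, speed, stop_at); speed > 0 fills, speed < 0 drains.
    Returns the event trace [(time, event), ...].
    """
    theta, v, trace = 0.0, v0, []
    for name, speed, stop_at in phases:
        if speed == 0 or (stop_at - v) * speed < 0:
            raise ValueError(f"{name}: threshold {stop_at} unreachable from {v}")
        trace.append((theta, f"start {name}"))
        theta += (stop_at - v) / speed   # first instant where load = threshold
        v = stop_at
        trace.append((theta, f"stop {name}"))
    return trace


def compare(di: float, vbatch: float, dtheta: float):
    """Overshoot of the sampled model against the exact hybrid event time."""
    t_sampled, v_sampled, k = sampled_fill(di, vbatch, dtheta)
    t_exact = hybrid_run([("filling", di, vbatch)])[-1][0]
    return {"exact_stop": t_exact, "sampled_stop": t_sampled,
            "overshoot": v_sampled - vbatch, "samples": k}


if __name__ == "__main__":
    print(compare(di=2.0, vbatch=10.0, dtheta=0.3))
    print(hybrid_run([("filling", 2.0, 10.0), ("transfer to reactor", -4.0, 0.0)]))
```

With these values the sampled model needs 17 samples and stops at 5.1 with 0.2 units of overshoot, whereas the hybrid run stops at exactly 5.0 and then drains the tank by 7.5; reducing ∆θ reduces the overshoot but multiplies the number of steps, which is the "cumbersome simulation" of slide 10.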
Hybrid modeling with Petri nets (9)
Modeling with hybrid Petri nets - extensions (4)
• negative token loads (zero threshold is no longer an event)
• predefined set of continuous variables and equations (batch Petri nets)
• variable jumps
[Figure: tank fed by two pressure sources Pr1 and Pr2 through valves Va1 and Va2 into a common line at pressure Pr3 with flow rate di; outlet valve Va3 at pressure Pr4.]
algebraic constraints ?
Hybrid modeling with Petri nets (10)
Modeling with Petri nets and differential algebraic equations (1)
– continuous variables, global or token attributes
– differential algebraic systems attached to places or markings
[Figure: the same tank with sources Pr1, Pr2, valves Va1, Va2, Va3, line pressure Pr3, outlet pressure Pr4 and flow rate di; the Petri net has places P1, P2, P3 and transitions t1, t2, t3, t4 with the following annotations.]
P1 : Pr3 = Pr1
P2 : Pr3 = Pr2
P3 : di = f(Pr3, Pr4), dU/dθ = di, Pr4 = g(U)
t1 : if C2 then close Va2; open Va1
t2 : if C1 then close Va1; open Va2
t4 : if Pr4 > Prmax then close Va3
Hybrid modeling with Petri nets (11)
Modeling with Petri nets and differential algebraic equations (2)
• General approach for continuous variables and their dynamics
• General approach for discrete event variables and dynamics
• Open to any solver for ensuring consistency between events and integration steps
• But it is necessary to choose an adequate solver for each case
Hybrid modeling with Petri nets (12)
Modeling with Petri nets and differential algebraic equations (2)
[Figure: plot of Pr4 against time with integration steps s1 ... s6; the threshold Prmax is crossed between two steps unless the solver locates the event.]
The selected solver has to ensure consistency between integration steps and events
Hybrid modeling with Petri nets (13)
Modeling with Petri nets and differential algebraic equations (3)
• purpose of the solver : find the first solution in time for an event
• may be done analytically => time colored Petri nets
• can be seen as a generalization of "batch" Petri nets (& hybrid)
• can be seen as an extension to Petri nets of hybrid automata
Requires modularity of the continuous and discrete views
Analysis (1)
Analysis needs for batch systems
• In food industry, fine chemicals : consumer & environment
• market competition : satisfy demand on due date
Safety properties
– critical resource available when required, buffer capacity sufficient (overflow / shortage)
Liveness properties
– no deadlock, recipes can indeed be executed (trajectories from initial to final state possible)
Analysis (2)
Analysis with ordinary Petri nets (1) : redundant places
– safety property, critical resource
[Figure: ordinary Petri net with places p1 ... p10 and transitions t1 ... t6; p10 is the redundant place modeling the critical resource.]
If for security reasons it is absolutely necessary to have a resource available, then the corresponding place has to be redundant (p10)
Analysis (3)
Analysis with ordinary Petri nets (2)
• More generally, any property which has to be logically ensured
  – logically = does not depend on time or continuous variables
• Deadlock freeness, liveness, boundedness, reversibility
• p-invariants (and redundant places), siphons, etc. for analyzing resource allocation policies
All the classical Petri net analysis remains valid
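The classical checks listed above, run on a small constructed net (two recipes A and B competing for one critical resource r), as an added example that is not from the slides: reachability graph, boundedness, deadlock freeness, liveness, a p-invariant test, and the test that a place is redundant (implicit), i.e. never the reason a transition is blocked, which is the property demanded of the critical-resource place p10 on the previous slide. Place and transition names are assumptions of the example, not the slide's.

```python
"""Classical Petri net analysis on a small resource-sharing net.

Added example, not code from the workshop slides. The net (two recipes
A and B competing for one critical resource r) is constructed here.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Net:
    places: list
    pre: dict     # transition -> {place: weight}
    post: dict    # transition -> {place: weight}
    m0: dict      # initial marking, place -> tokens

    def marking0(self):
        return tuple(self.m0.get(p, 0) for p in self.places)

    def enabled(self, m, t, ignore=()):
        return all(m[self.places.index(p)] >= w
                   for p, w in self.pre[t].items() if p not in ignore)

    def fire(self, m, t):
        m = list(m)
        for p, w in self.pre[t].items():
            m[self.places.index(p)] -= w
        for p, w in self.post[t].items():
            m[self.places.index(p)] += w
        return tuple(m)


def make_net(redundant_resource: bool) -> Net:
    """Two recipes share resource r. With redundant_resource=True a second
    place r2 carries exactly the same arcs as r (the 'redundant place')."""
    res = ["r", "r2"] if redundant_resource else ["r"]
    take = {p: 1 for p in res}
    return Net(
        places=["A_idle", "A_busy", "B_idle", "B_busy", *res],
        pre={"A_start": {"A_idle": 1, **take}, "A_end": {"A_busy": 1},
             "B_start": {"B_idle": 1, **take}, "B_end": {"B_busy": 1}},
        post={"A_start": {"A_busy": 1}, "A_end": {"A_idle": 1, **take},
              "B_start": {"B_busy": 1}, "B_end": {"B_idle": 1, **take}},
        m0={"A_idle": 1, "B_idle": 1, **take},
    )


def reachability_graph(net: Net, limit: int = 10_000):
    """BFS over markings: {marking: {transition: successor marking}}.
    Stops with an error above `limit` markings (net suspected unbounded;
    a coverability graph would then be needed instead)."""
    m0 = net.marking0()
    graph, queue = {m0: {}}, deque([m0])
    while queue:
        m = queue.popleft()
        for t in net.pre:
            if net.enabled(m, t):
                m2 = net.fire(m, t)
                graph[m][t] = m2
                if m2 not in graph:
                    graph[m2] = {}
                    queue.append(m2)
                    if len(graph) > limit:
                        raise RuntimeError("state space exceeds limit; unbounded?")
    return graph


def is_deadlock_free(graph):
    return all(graph[m] for m in graph)


def is_live(graph, net):
    """Every transition can still fire from every reachable marking."""
    for m in graph:
        seen, stack, fired = {m}, [m], set()
        while stack:
            x = stack.pop()
            for t, y in graph[x].items():
                fired.add(t)
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        if fired != set(net.pre):
            return False
    return True


def bound(graph, net, p):
    """Maximum marking of p over the reachable markings (finite => bounded)."""
    i = net.places.index(p)
    return max(m[i] for m in graph)


def is_p_invariant(net, y):
    """y is a p-invariant iff every transition conserves the weighted token
    sum, i.e. y^T C = 0 for the incidence matrix C = post - pre."""
    return all(sum(y.get(p, 0) * w for p, w in net.post[t].items())
               == sum(y.get(p, 0) * w for p, w in net.pre[t].items())
               for t in net.pre)


def is_implicit(graph, net, p):
    """p is redundant (implicit) if it never prevents a firing: whenever t is
    enabled once p is ignored, t is enabled in the full net as well."""
    return all(net.enabled(m, t) for m in graph for t in net.pre
               if net.enabled(m, t, ignore=(p,)))
```

Without the duplicate place, r is not implicit (it is exactly what blocks B while A holds the resource), so the resource place alone carries the safety argument; with r2 present both places are implicit, which is the sense in which the slide asks the critical-resource place to be redundant.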
Analysis (4)
Analysis with t-time Petri nets (1)
• Operation durations (observed / required) abstract continuous behavior
  – can easily be represented by PN
  – for example observed : enabling transition durations, required : sojourn time on places
  – they are relative times
• Due dates from demand, dates for workload balance
  – they derive from an aggregate point of view
  – they are absolute time points, they are not easily expressed by means of PN
• Logical constraints such as Kanban policies, cyclic ones
  – may be described by places and transitions
Analysis (5)
Analysis with t-time Petri nets (2)
• Systematic analysis (state enumeration) => class graph construction for t-time and p-time
  – formal proof that a state is reachable or not : safety or liveness
  – decidability (if the PN is bounded) but state space explosion - relative time
• Minimal and maximal scenario duration => dioids ((max, +) algebra), linear logic sequent calculus
Analysis (6)
Analysis with t-time Petri nets (3) : a resource is idle when required
[Figure: t-time Petri net with places p1 ... p9 and transitions t1 ... t6 carrying static firing intervals such as [0,0], [1,2], [3,4], [5,6]; p9 is the resource. The class graph class1 ... class7 is built by firing t1, t2, ... t6 in turn.]
t4 fired, resource required : only class5 is reached
M = p4 p6 p9, t5 enabled with [0,0] : no wait
Analysis (7)
Analysis with differential predicate transition nets (1)
• No decidability (consistent with hybrid automata)
  – the number of states is infinite, the number of classes is infinite
Decidability only when :
  – the firing date (first solution of the DAE system) is delimited by a static interval
• Algebraic properties differ for continuous and discrete variables
• Region graph approach (Regions : hybrid automata, Classes : t-time PN)
  – local information => exploit concurrency
  – a fragment of marking (i.e. all the markings such that some place token load > 1)
  – a set of constraints (invariant) => static delimitation of events (transition firings)
  – proof that some state cannot be reached => Safety properties
Analysis (8)
Analysis with differential predicate transition nets (2) : Safety
– To be proved : "there is no overflow of the buffer"
[Figure: two reactors R1 and R2 fed from the input, each emptied into a Buffer ("R. to B.", transition t2) and refilled from it ("B. to R.", transition t4) before the output; discrete places p1 ... p5 with the "Reactor free" and "Buffer idle" resources and transitions t1 ... t5.]
Analysis (9)
Analysis with differential predicate transition nets (3) : Safety
– To be proved : "there is no overflow of the buffer"
– VB only increases when there is at least one token in p2
– a p-invariant implies "one token at most in p2"
– Condition of t2 : VB < Vmax - VR
– Invariant (VB + VR = Const) and (VR > 0)
=> VB < Vmax
[Figure: the same reactor/buffer net, transitions t1 ... t5, places p1 ... p5.]
Proof with one region encapsulating all markings with M(p2) = 1 and all time points in dense time, by checking the constraints when going into and out of the region
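The region argument of this slide carried through step by step (added here, not on the original slides; the symbols are those of the slide, with $C$ standing for Const and $R$ for the region):

$$
R = \{\, \text{states with } M(p_2) = 1 \,\}
$$

Entry into $R$ is by firing $t_2$, whose condition gives, at the entry instant $\theta_0$,
$$
V_B(\theta_0) < V_{max} - V_R(\theta_0) \quad\Longrightarrow\quad V_B(\theta_0) + V_R(\theta_0) < V_{max}.
$$

Inside $R$ the transfer from the reactor to the buffer conserves volume, so the invariant fixes the constant at its entry value:
$$
V_B(\theta) + V_R(\theta) = C = V_B(\theta_0) + V_R(\theta_0) < V_{max} \qquad \text{for all } \theta \text{ spent in } R.
$$

With $V_R(\theta) > 0$ inside $R$, every dense-time point of the region satisfies
$$
V_B(\theta) = C - V_R(\theta) < C < V_{max}.
$$

Outside $R$ ($M(p_2) = 0$) $V_B$ does not increase, so it stays below the value it had when $R$ was left, itself below $V_{max}$. Hence $V_B < V_{max}$ on every trajectory, whatever the firing dates, and the region is checked once instead of enumerating an infinite set of states. The argument relies on $V_R > 0$ being strict inside $R$: the instant $V_R$ reaches $0$ must be the exit of the region (end of the transfer), not a state within it.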
Analysis (10)
Analysis with differential predicate transition nets (4) : Safety
– To be proved : "there is no deadlock"
– The underlying Petri net is live => analyze the transitions with conditions
– Condition of t2 : VB < Vmax - VR, M(p1) > 1
– To decrease VB : M(p3) = 1
– It is not reachable if M(p1) = 2
=> the property is not verified if the region can be reached
[Figure: the same reactor/buffer net, transitions t1 ... t5, places p1 ... p5.]
Proof with one region
Analysis (11)
Analysis with differential predicate transition nets (5) : Safety
– Example of a Differential Predicate Transition net without deadlock
[Figure: the reactor/buffer net of the previous slides (R1, R2, Buffer, "R. to B.", "B. to R.", "Reactor free", "Buffer idle", transitions t1 ... t5, places p1 ... p5) with an additional place p6.]
Analysis (12)
Analysis with differential predicate transition nets (6) : Liveness
– Reachability to be proved : "once enabled, t4 may be fired"
– Condition of t4 : VB > VR, M(p5) > 1 and M(p4) = 1
– To increase VB : M(p2) = 1
– Fire t1; t2; t3, possibly several times
=> the property is verified
[Figure: the same reactor/buffer net, transitions t1 ... t5, places p1 ... p5.]
Proof with one token (remains valid whatever the location of the second token, in p5 and not in p3)
Conclusion (1)
Modeling
• Formal methods for modeling batch production systems
  – A whole range of Petri net based formal methods may be used
  – Ordinary Petri nets (complete abstraction of continuous dynamics, qualitative model)
  – Time Petri nets (encapsulation with time)
  – Hybrid Petri nets (encapsulation with linear differential equations)
  – Differential Predicate Transition nets (representation by means of DAEs)
• Colored Petri nets
  – Continuous variables but no dense time
  – analysis is done in a sampling framework with a discrete view
Conclusion (2)
Analysis and formal verification
• Decidability is lost when the continuous dynamics "is not time"
  – Analysis of colored Petri nets with continuous attributes is not decidable
  – Analysis of time Petri nets is very complex
• Validation (does the system correspond to the requirements?)
  – Complex and not totally formal
  – Formal verification : the formal model is an abstraction, the requirement is not always formal
  – The elaboration of a formal model and its evaluation (performance) by simulation is the typical way validation is addressed in industry