Symbolic Verification of Control Systems and Operating Procedures

Jan 28, 2014 - In this paper, we provide a review of Professor Powers's and his students' work on connecting fault analysis, discrete process control,...
1 downloads 11 Views 990KB Size
Article pubs.acs.org/IECR

Symbolic Verification of Control Systems and Operating Procedures Blake C. Rawlings,† Jinkyung Kim,‡ Il Moon,§ and B. Erik Ydstie*,† †

Department of Chemical Engineering, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, Pennsylvania 15213-3890, United States ‡ Department of Chemical Engineering, Changwon National University, 20 Changwondaehak-ro Uichanggu Changwon-si, Gyeongsangnam-do 641-773, Korea § Department of Chemical Engineering, Yonsei University, 50 Yonsei-ro Seodaemun-gu, Seoul 120-749, Korea ABSTRACT: In this paper, we provide a review of Professor Powers’s and his students’ work on connecting fault analysis, discrete process control, human operating procedures, and symbolic model checking. In recent years, this type of research is placed under the banner of “cyber-physical systems research”. Some of the techniques and procedures Powers and his students developed can be found in the open literature and conference proceedings. However, they have not been published broadly due to the untimely passing of Professor Powers. A complete overview of the methods are not available, and the cap-stone results obtained in the two last Ph.D. theses have not been published.



INTRODUCTION AND LITERATURE REVIEW Professor Powers’s research at Carnegie Mellon University centered on design research and systems analysis. In particular, he was interested in developing rigorous methods for chemical process risk and reliability assessment. Rigorous means that a system consisting of chemical processes, discrete and continuous control logic, and human operator intervention would be provably correct with respect to a given set of specifications. Such specifications would include the property that a safe shut down procedure can always be executed, unsafe states are avoided, and failure of critical measurements do not lead to unsafe conditions. The strength of the method is that very large systems with 1020 states and more can be verified.1 However, realistic problems may have much larger state spaces. Modular decompositions are needed, and great care must be taken to make sure that the models and specifications have sufficiently rich structure to capture all eventualities. These problems were recognized in Professor Powers’s research and in his later research methods were developed for modular construction of very complex systems combining automation and human operator intervention using the verification-operating procedure language (V-OPL).2,3,4,5 The key idea behind this seminal work was that logic faults in real-time control systems and operating procedures for chemical processes could be found by combining discrete state models of systems with model checking. In particular, Powers and his students showed that efficient strategies for reliability analysis could be developed using formal methods for model checking developed in the Department of Computer Science at Carnegie Mellon University by Professor Edmund Clarke and his students. The work was distinct from parallel work in the area of discrete event control systems and supervisor synthesis.6 Powers and his students focused on the analysis of existing control systems and operating procedures, whereas the work in the area of supervisory control focused on how to synthesize control systems. The application domain, namely chemical process control, also presented unique challenges. © 2014 American Chemical Society

The earliest ideas were described in the paper by Moon, Powers, Burch, and Clarke.7 In this paper, the authors showed how the model checking tool SMV (symbolic model verifier) could be used to model and verify sequential control systems using temporal logic. The discrete dynamics of a chemical system were modeled through the definition of a finite state machine (FSM), and the specifications for the desired system behavior were expressed using computation tree logic (CTL). Model checking was then used to find counterexamples to the specifications. In this context, a counterexample represents a behavior that violates the specifications and leads to failure. Counterexamples can be analyzed and corrected. The control system is formally correct when no counterexamples are generated by the logic verification system. Powers and his students continued the development of these ideas in a sequence of papers, conference proceedings, and Ph.D. theses that appeared over the next decade. One of the last papers to appear in this sequence8 investigated the application of model checking to the fault analysis of chemical processing systems. The authors showed how SMV could be used to capture the significant behaviors generated by integrated control systems consisting of programmable logic controllers, failure prone human operators, and chemical processing equipment with continuous dynamics. The problems studied included transportation of multicomponent solids, leak testing in a fuel gas piping network, and a batch reactor. Numerous faults were revealed, and counterexamples generated by SMV were used to improve the control systems. There were considerable activities going on in the area of control of systems with discrete events when Professor Powers and his students developed their approach of combining discrete Special Issue: David Himmelblau and Gary Powers Memorial Received: Revised: Accepted: Published: 5299

September 11, 2013 January 27, 2014 January 28, 2014 January 28, 2014 dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

event control with model checking. Most of the parallel work focused on developing system representations that could, at least in a formal sense, be viewed as extensions of the methods that were applied to control of continuous systems. The most celebrated of these approaches is the application of formal language and the automata theory to discrete event control.6 Early developments in the area of chemical process control were reported by Preisig,9 who developed the application of the theory of finite automata to sequential control of chemical processes. Yamalidou, Patsidou, and Kantor reviewed different methods to model discrete event dynamical systems,10 including temporal logic based techniques, Petri nets, and MinMax Algebras. The Petri net formulation appeared to be most useful for their purposes, and they presented optimal control methods for discrete event chemical processes.11 Meanwhile Sanchez and Macchietto developed methods to design procedural controllers for chemical processes.12 This work and the background theory for developing formal specifications and models for discrete event process systems is developed more completely in the monograph by Sanchez.13 Philips and Preisig investigated the use of discrete event models in hybrid systems control.14,15 Recent reviews of the state of the art and applications to nontrivial process problems is provided by Moon and Silva.16,17 It is not necessary nor within the scope of this paper to provide an exhaustive review of how the very rich field of discrete event control of continuous systems has developed and matured over the years. However, it is important and necessary to point out that the field has developed substantially and that a large number of applications have been developed in very disparate fields. Recent developments include the combination of model predictive control with hybrid systems theory,18 significant work on the application of formal language and automata theory,19 combination of hybrid systems control theory with symbolic model checking,20 use of optimization21,22 to solve verification problems, and conversion of discrete event systems to a series of constraints to be included in optimization problems.23 The issue of combinatorial complexity still looms, but computational speed keeps increasing, algorithms improve, and our modeling tools and formulations improve as well. It seems worthwhile at this point to take a serious look again at the problem of how to model and solve the challenging problems associated with chemical process reliability, risk, and supervisory control.

Figure 1. P&ID for the fertilizer plant.

that hydrogen developed in the process is oxidized to produce water vapor. Gases produced in the process vent to the scrubber to reduce the emission of sulfur containing gases to the atmosphere. The Powers research group modularized the process, control system, and operating procedures so that the dynamics could be described as a finite state machine (FSM) with events that were enabled or disabled by the automation systems or intervention by the operators. A FSM can be represented as a graph with nodes and edges. Each node in the process corresponds to a particular system state. The state, as the name suggests, includes all information about positions of valves and critical system variables, such as whether the flame is present or not and whether the acid is being sprayed or not. The edges represent transitions from one state to the next. These transitions may be spontaneous, or they may be enabled or disabled by the programmable logic control system or an operator. Diagrams are useful to explain the concept of a finite state machine. However, real systems generally have very large state spaces, and it is impossible to represent any but the simplest process submodule in diagram. For example, the fertilizer batch process described here is decomposed into nine submodules with varying degrees of complexity ranging form a few hundred states to more than one million states. A very large number of transitions are possible and need to be evaluated to verify that the control system and the operating procedures satisfy given safety and operability specifications. To solve any realistic problem, it is necessary therefore to apply modular decomposition and develop formal methods for system representation and verification that can be applied to processes with very large state spaces. In order to make the state space manageable, it was decided to develop submodels of the different processes involved in the fertilizer process and check these independently. For example, the mixer was modeled using a collection of submodules with Boolean variables to represent the presence of material, valve position for sulfuric acid, states of the three mixing motors, etc. The conveyor belt model included the state of the motor (on/off) and whether material is present on the belt or not. The programmable logic control system has 176 rungs of relay ladder logic, and operator intervention and failure modes were also included in the model. The different submodels are described,



MOTIVATING EXAMPLE In this section we describe one application study developed by Professor Powers and his students. In this case, we consider a semi-batch fertilizer that produces prills from byproducts generated in a magnesium plant8 as seen in the P&ID in Figure 1. The process is operated according to the following simplified recipe: Step 1: Mix raw materials. Step 2: Feed material to the mixer. Step 3: Spray sulfuric acid while mixing. Step 4: Discharge product when reaction is complete. Step 5: Convey product to storage. Explosions may occur in this process because hydrogen is produced during the reaction between the byproducts and the sulfuric acid in Step 3. In order to prevent such accidents, a natural gas burner has been installed as shown in Figure 1. The flame is burning at all times during the reaction step to ensure 5300

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

if < var 1> = 0

Table 1. Verification of Fertilizer Batch Control System and Operating Procedurea model name

Boolean variables

reachable states

OBDD nodes

CPU time (min)

base idle sensors bc56 sensors bc57 load-flame limit switch 1 limit switch 2 valves-gates motors-stuck

74 75 78 78 78 78 78 86 87

398 25,378 6027 14,579 11,021 6426 6888 1,821,060 791,160

65,321 65,357 65,691 69,690 68,172 70,246 70,590 125,552 133,773

0.5 14.6 6.2 61.3 15.6 10.0 3.7 183.7 33.3

if < var 1> = 0

open < var 2> or

< var 3> ≥2 open < var 4>

if < var 1> = 1 and < var 3> ≤2 open < var 3>

One conditional operator “or” is allowed per statement, while several “and”s can be used per statement. The allowed comparative operators included are “=, !=, , ≤, ≥”. The syntax corresponds closely to the natural language used to explain operating procedures. Once the operating procedures are written in V-OPL, they are translated into SMV to create logic models that can be verified according to the flowchart seen in Figure 2.4 The example above shows that V-OPL is very close to the natural language used to express operating procedures.

a

The number of Boolean variables and reachable states in nine different submodules are shown. The nodes in the ordered binary decision diagrams (OBDDs) represent the number of transitions. The computations were carried out using the HP 715/75 workstation.

and computational results are reviewed in Table 1. Each model has different failure modes to be verified. Several faults in the current operating procedure were identified. The idle process includes the system failure that results when the operator fails to complete a task specified in the operating procedure. Two faults were discovered in this submodel. One fault could lead to the spraying of sulfuric acid into an empty mixer. This could lead to corrosion and failure of the mixer to perform properly. The fault occurred because the purge times for the acid spray starts when the weight hopper is full. The original control logic assumed that the material was then dumped into the mixer so that the reaction could start after a given time. However, the discharge of the material from the hopper to the mixer does not take place in time if the operator fails to complete, or is slow in completing, his sequence of tasks including shutting off the conveyor belt and closing the mixer discharge gate. There was no check if the material was actually dumped or not, and sulfuric acid would be sprayed after a certain time whether or not the solid raw materials had been properly transferred to the mixer. After the error was discovered, the control system could then be modified to prevent this error. Several other errors in the control systems and operating procedures where detected and corrected using the verification system. Other applications include an overhead crane, leak test procedure, thermal oxidation process, coiled material transport process, and procedures for entry into confined spaces. Several of these examples were derived from industrial test cases supplied by member companies in the Center for Advanced Process Decision making (CAPD) in the Chemical Engineering Department at CMU. It was concluded that logic verification systems such as SMV can accurately verify a chemical process system provided (a) the system behaviors can be represented as a finite state machine and (b) the specifications are expressible using computation tree logic (CTL). To facilitate the application of the tools, Professor Powers’s last two Ph.D. students developed a modular approach to construct state models for verification.2 Using this approach, very complex process models could be constructed using simple subsystems. In addition, a high-level language (verificationoperating procedure language, V-OPL) was developed to construct logic models of operating procedures suitable for verification using SMV.4 V-OPL uses the following syntax to describe operating procedures:

Figure 2. Flowchart for using V-OPL for verification.

The purpose of the rest of the paper is to explain the mathematical machinery that exists behind V-OPL and how to construct logic models and specifications. We also show how the computational effort is simplified quite dramatically as seen in Table 1 by converting the problem to a BDD. In order to achieve these objectives it is useful to introduce a much simpler example than the ones typically tackled in Professor Powers’s research group.



FINITE STATE MACHINES AND ARCHITECTURE FOR SUPERVISORY CONTROL Figure 3 shows the architecture of a supervisory control system for chemical process control that includes continuous control, such as PID, feedforward, and model predictive control (MPC) and discrete control actions that manage the continuous control and optimization systems, start-up, shut-down, and transition among different production modes. The process itself takes resources such as energy, manpower, and raw materials and adds value by transforming these to products and services. This transformation should be carried out in a safe, environmentally acceptable, and economic manner while maintaining quality targets. Figure 3 emphasizes that the supervisory control system receives and transmits discrete signals. These signals may result 5301

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

Figure 3. Interactions between the supervisory control system, continuous control system, and process.

The variables h and f i denote the level and the flows; Kc,τI are the proportional and integral time constants; 1/s denotes integration with respect to time; hset is the set point; and hmax is the maximum level. An alarm sounds if the level rises above the high level. The operator may then stop the flow into the column and increase the flow out manually to mitigate the overflow risk. The state transition diagram in Figure 5 shows the finite state machines that represent the column and alarm dynamics. The level is represented by five discrete states corresponding to the low-level state where the liquid level does not reach the continuous level meter, normal operation (level in readable range where the continuous controller works), high level (continuous level meter is saturated), critical level, and column overflow. An alarm sounds if the level rises above a certain threshold to reach the critical level. The alarm is subject to component failure, in which case it remains off regardless of the liquid level. The discrete event model in Figure 5 shows that if the alarm fails, the level can reach the overflow state without the alarm sounding. The model does not say that such a failure necessarily will occur, but the possibility of failure exists. Another failure (not included in this simple example) might be that the alarm sounds, but the operator does not take appropriate action. This situation could be modeled by including a module representing the operator’s behavior with two states. In one case, the operator takes the correct action, and the system is brought back to the normal operating state. In the other case, no action is taken, and the level may or may not remain in the high state (or reach the overflow state). During a period of maintenance, the level control system was disabled, and the level was under manual operation while liquid was flowing into the column. The level indicator saturated, and under normal circumstances, the high-level alarm should have then activated. The alarm system had failed, however, so the level appeared to remain at the indicator’s saturation limit. The flammable liquid eventually overflowed the column and ignited, resulting in an explosion and fire. The accident was disastrous as there was loss of life and considerable material damage. The model size grows exponentially with the number of variables, so that it becomes close to impossible to evaluate all possible scenarios using conventional enumerative tools. Many industrial accidents happen by a combination of control system failures, lack of information, operator errors, and faulty

from automation systems that manage the process in real time by turning pumps or valves on or off, switching control logic, or managing continuous controllers such as PID or MPC algorithms in real time. They may also result from manual intervention. The supervisory system is typically active during start-up, shutdown, transition from one regime to another as may happen during product changeover in a continuous process, or as a batch system transitions from one regime to another. Supervisory control systems are active during abnormal conditions because an emergency shut-down or recovery from a fault typically involves sequences of discrete steps that need to be executed rapidly in order maintain safe operation. One important question verification can address is whether or not a safe shut-down can be executed from any state and disturbance pattern. To motivate the problem, we consider a very simple verification problem inspired by the 2005 explosion at BP’s Texas City refinery.24 A basic diagram of the process segment that failed is shown in Figure 4. A flammable liquid is pumped into the bottom

Figure 4. Level control system.

of a column. A level control system adjusts the flow out of the column to maintain the mass balance. This control logic can be modeled so that Aρ

dh = fin − fout dt

hmeas = h if h < hhigh , hhigh otherwise ⎛ 1⎞ fout = −Kc ⎜1 + ⎟e , e = (hset − hmeas) τIs ⎠ ⎝ Alarm = 0 if h < hmax , 1 otherwise 5302

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

Figure 5. FSM representing a level control system with high-level alarm.

procedures. The Chernobyl power plant explosion represents but one example where faulty operator procedure during a test led to tragic consequences.25



MODEL CHECKING AND SYMBOLIC MODEL VERIFICATION Model checking can be used to verify if a system of logical relationships satisfies a given set of specifications. The specification is a logical expression that describes properties that should hold along the transition paths in the system. For example, “the safe shut-down state is reachable” should be true in any state the system can occupy. In order to apply this idea to chemical process control problems, it is necessary to develop a state model of the process, models for external disturbances and controls that influence the behavior of the process, and a description of desired process behaviors. Once all these components are in play, it is conceptually possible to evaluate whether or not the system satisfies the specifications by carrying out simulations that take into account all the different initial conditions, disturbance signals, and failure modes that the process may experience. Figure 6 provides an overview of the approach. There are two possible outcomes, either the desired property is fulfilled or it is not. If it is not fulfilled, a counterexample is produced that can be used to improve the system. While explicit model checking tools suffer from combinatorial explosion due to exponential increase of the state space, symbolic algorithms make it possible to apply model checking to very large systems by using binary decision diagrams (BDDs) to represent the states and transitions. As described by Burch,1 BDDs can represent Boolean functions using fewer nodes than

Figure 6. Overview of symbolic model verification.

the corresponding truth table,26 so that model checking algorithms operating on the BDD representation of a system can solve larger problems. In the worst case, the BDD representation of a Boolean function will be the same size as the truth table, so the worst case complexity is still exponential. In practice, however, BDD representations are often more compact than explicit representations, so symbolic algorithms can greatly reduce the computational effort required to solve model checking problems.



STATE TRANSITION MODELS A state transition system, such as the FSM described by the graph in Figure 5, can be represented by the triple (S,R,s0). The finite set S consists of states the system can occupy; R is the set of transitions; and s0 ∈ S is the initial state (more generally, S0 ⊆ S is 5303

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

Figure 7. Labeled finite state machine.

a set of possible initial states).27 Such models can be extracted from sets of Boolean formulas, automata, computer codes, higher-level specification language descriptions, or mathematical descriptions of the mass and energy balances system once the continuous models have been discretized into different operating modes as seen in the tank example in Figure 4. In model checking, the discrete state transition model is augmented with a labeling function L that assigns to each state the set of properties that are satisfied in that state. Thus, we get the model structure.

Such infinite paths describe how the process responds to all admissible actions provided by the automation system, intervention by human operators, disturbances, and faults that result from the failure of equipment, faulty operating procedures, and faulty implementation of the operating procedure as described in the fertilizer example in the beginning of the paper.



COMPUTATION TREE LOGIC Computation tree logic (CTL) is a branching-time logic, meaning it can be used to describe the behavior of a system as it follows branching execution paths from state to state.28 A CTL formula consists of path quantifiers, temporal operators, atomic propositions, and logical connectives that allow a wide range of properties to be described. The temporal operators and the most common path quantifiers are described in Table 2.

M = ( S , R , L , s 0)

where (1) S is the finite set of states. (2) R ⊆ S × S is the transition function. R is left-total, i.e., for all s ∈ S, there exists a s′ ∈ S, so that (s,s′) ∈ R. R can be made lefttotal by adding transitions (s,s) as necessary. (3) L:S→P(AP) is a labeling function where AP is the set of atomic propositions, and P(AP) is the power set of AP. (4) s0 ∈ S is the initial state. Such structures are referred to as Kripke structures after S. Kripke, who worked extensively on modal logic in the 1950s and 1960s. A transition path in the structure M is a sequence of states ρ = s1,s2,s3,... such that for each i > 0,(si,si+1) ∈ R. Because R is lefttotal, it is always possible to construct an infinite path through the Kripke structure. A deadlock state is modeled by a single outgoing edge back to itself. The labeling function L defines for each state s ∈ S the set L(s) of all atomic propositions that are true in s. Consider for example the simple model with the three states s1,s2,s3 shown in Figure 7. The set of atomic propositions is given by AP = {x,y,z}, where x, y, and z model arbitrary Boolean properties of the system. Inspection of the graph yields the model M = (S,R,L,s0), where

Table 2. Overview of CTL Operators path formulas, f p F(fs) G( fs) X( fs) Af p Ef p q ∈ AP

fs holds eventually fs holds in all future states fs holds in the next state state formulas, fs The states from which all paths satisfy f p The states from which there exists a path that satisfies f p The states in which property q is true

A path formula f p describes a property that should hold along a transition path and returns the set of paths along which f p is true. Similarly, a state formula fs describes a property that should hold in a given state and returns the set of states in which fs is true. A CTL specification f is a state formula, so that if the system’s initial state is in the set described by f, then the specification is satisfied. The operators can be nested with any state formula substituted for fs, and any path formula for f p. State formulas can be combined using logical connectives such as ∧,∨, and ¬ to form more complex specifications. The formula f1 ∧ f 2 returns the intersection of the set of states that satisfy f1 and the set of states that satisfy f 2, and so on. Figure 8 shows example transition paths that satisfy basic CTL specifications. The label applied to each node (either q or ¬q) indicates whether or not the property q is satisfied by that state.

S = {s1 ,s2 ,s3} R = {(s1 ,s2),(s1 ,s3),(s2 ,s1),(s2 ,s3),(s3 ,s3)} L = {(s1 ,{x ,y}),(s2 ,{y}),(s3 ,{y ,z})} s0 = {s1}

A series of transitions in M may produce a path,

ρ = s1 ,s2 ,s1 ,s3 ,s3 ,... 5304

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

Figure 8. Example CTL specifications. In each case, the shaded nodes cause the specification to be satisfied.

In order to check if a logical control system meets the design objectives, those objectives can be posed as CTL specifications and then tested against the system using model checking. For example, the safety constraint the tank does not overf low, which corresponds to the CTL formula AG(¬overf low) was used in the example described in Figure 4. Other examples of CTL specifications related to process objectives can be found in the literature.2,7,16,29,30 For a discussion on the limits of what objectives can be expressed in CTL, and comparisons to other temporal logics, see ref 27.



MODEL CHECKING ALGORITHM The CTL model checking algorithm evaluates a CTL formula against the infinite behavior of an FSM to determine whether or not the specified temporal property holds. The algorithm is guaranteed to finish in finite time because the system is finite state, despite reasoning about behavior along infinite paths. If the answer is “yes”, then the system meets its specification. If the answer is “no”, then the system violates its specification. Modeling has many other strategies to minimize model checking time by reducing time or space, provide generality for all of the possibilities, and optimize clarity.31 As before, we denote the state space by S, and we let P(S) denote the set of all subsets of S (the power set of S). A function

The main importance of these observations is that we can evaluate CTL formulas by computing the least or greatest fixed points of corresponding predicate transformers, as shown in the examples below.

τ: P(S) → P(S)

that maps subsets of S into subsets of S will be referred to as a predicate transformer. A fixed point of τ is any set S* ∈ P(S) such that

AFf = lfpS[f ∨ AX(S)] EFf = lfpS[f ∨ EX(S)]

τ(S*) = S*

AGf = gfpS[f ∧ AX(S)]

We now define the following properties of predicate transformers

EGf = gfpS[f ∧ EX(S)]

Each CTL formula can be evaluated by computing the fixed point of a corresponding predicate transformer.27 The associations are not circular because the CTL formulas AX and EX are determined by analyzing the connectivity of the state graph, i.e., the states that satisfy EX(S) is given by {s | ∃(s,s′) ∈ R, s′ ∈ S}, and AX(S) is computed similarly. The procedures for calculating the value of the CTL formula for a given model is polynomial in the number of states in the graph. However, direct application of these ideas can still lead to state explosion because the number of states of a given system grows exponentially with the number of components that make up the system. In symbolic model checking, the state explosion problem is mitigated by using ordered binary decision diagrams (OBDDs)

monotonic: P ⊆ Q ⇒ τ(P) ⊆ τ(Q ) ∪‐ continuous: P1 ⊆ P2 , ... ⇒ τ( ∪ Pi) = ∪ τ(Pi) i

i

∩‐ continuous: P1 ⊇ P2 , ... ⇒ τ( ∩ Pi) = ∩ τ(Pi) i

i

A monotonic predicate transformer has a least fixed point (lfp), which is the intersection of all its fixed points, and a greatest fixed points (gfp), which is the union of all its fixed points.27 τ is monotonic if and only if it is ∪-continuous and ∩-continuous. It follows that Algorithm 1 computes the least fixed point, and that Algorithm 2 computes the greatest fixed point of the monotonic function τ(S). 5305

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

Figure 9. Original decision tree and reduced OBDD for a two-bit comparator, f(a1,b1,a2,b2) = (a1 ⇔ b1) ∧ (a2 ⇔ b2). Solid and dashed lines indicate assignment of 1 and 0 to the parent node, respectively.

problem of finding the optimal variable order is NP-hard.32 In many practical applications, however, variable reordering using simple rules and heuristics produces OBDDs with many fewer nodes than the corresponding truth table. If the entirety of the desired behavior is encoded in a set of specifications, f1...f n, then if the model satisfies all the

to encode the Kripke structure. Such encoding can reduce the complexity of model checking considerably as shown in the example in Figure 1. Table 1 shows that the submodule associated with valves-gates has 1,821,060 states. An order of magnitude reduction in complexity is achieved by representing the system using the OBDD because the equivalent diagram has only 125,552 nodes. In order to explain this idea, it is useful to first represent the Boolean formula by a truth table. In a truth table, there are 2n rows, where n is the number of variables in the formula. Each row describes a possible assignment and the value of the formula for that assignment. This idea can be expressed graphically by a decision tree like the one in Figure 9, where each non-terminal node is labeled with a variable and has two children. Each terminal node is labeled with either 0 or 1 as shown in the example shown in Figure 9(a) and represents the value of the formula for that variable assignment. This example corresponds to a two-bit comparator represented by the Boolean formula

n

specifications (M |= ∧ fi ), it is proven “correct”. When the i=1

model does not satisfy a specification, the model checker returns a counterexample. A counterexample includes an initial state and a series of transitions that leads to a state that violates the specification. The transitions contained in a counterexample can indicate what the problem is, so that correcting the issue should prevent that counterexample from occurring. This leads to the iterative process of producing a counterexample, correcting an error, then repeating the process until the model satisfies the specification and no more counterexamples exist. A model might produce multiple counterexamples, which can all be addressed one after the other. At the same time, multiple counterexamples may result from a single error, so that fixing the error removes more than one counterexample.

f (a1 ,a 2 ,b1 ,b2) = (a1 ⇔ b1) ∧ (a 2 ⇔ b2)

An OBDD is a binary decision diagram with a fixed variable order. The process of reducing an OBDD exploits the redundancy in the decision tree and reduces the number of nodes by combining duplicate nodes and removing redundant tests.26 This leads to a canonical representation (for a given variable order) that in many cases is much simpler than the original truth table. For example, Figure 9(b) shows the reduced OBBD for the truth table in Figure 9(a), with variable order a1 > b1 > a2 >b2. The variable order affects how much a given OBDD can be reduced in comparison to the decision tree. Certain Boolean functions require 2n nodes for any variable ordering, and the



VERIFICATION IN CHEMICAL PROCESSING SYSTEMS Safety engineers use a variety of tools such as hazards and operability analysis (HAZOP),33,34 fault tree analysis,35 and checklists36 to verify the safety of chemical plants and operating procedures. These methods are quite successful, and they certainly provide the necessary starting point for the application of formal verification. As is clear by now, model checking evaluates whether or not the proposed operating procedures satisfy a given set of specification. As yet, they cannot be used 5306

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

control systems (i.e., on-off switch, pump, relay, tank level, and switch). Moon29 also applied the method to verify the safety and operability of PLC-based chemical processing systems. Probst et al.30 proposed a method that combines unit modules to verify the entire process. It was used to formally verify safety and operability specifications on an industrial solid handling processes and leak detection. A procedure for the construction of a discrete model that captures relevant dynamics and phenomena for safety verification was presented by Turk.39 He also demonstrated the possibilities of using this type of framework for chemical processing systems but found that creating models could be time consuming and error prone and that the specification of safety constraints in CTL was not an easy task. This led to the definition of two new Ph.D. projects. One dealt with how to develop finite state machines in a modular fashion using basic building blocks. The other sought to develop a high-level language and compiler that would translate safety specifications and operating procedures to SMV. Milam2 worked on the problem of how to develop complex model systems from simpler modules. He developed a module library and showed how such a library facilitated rapid development of discrete event models of complex process systems. The module library included SMV codes for a tank, sink, source, valve, tap valve, and bubbler. The valve has two variables: status and condition. Status can be open or closed, and condition can be leaking (meaning that the valve does not properly close) or not leaking. The valve has a Boolean input indicating if the valve is being repaired. The module set can be extended to include a range of other building blocks needed to model chemical plants. The model synthesis procedure defined by Powers and Milam consists of seven steps: (1) Information gathering: Collect information about the system and its desired and prohibited behaviors. (2) Flowsheet and specification analysis: Analyze and complete the information gathered in the previous step. (3) Module selection: Select appropriate modules from the library. (4) Variable instantiation: Create a skeleton model with the correct number and type of variables. (5) Module connection: Define the inputs to each of the variables instantiated in the previous step. (6) Main module construction: Complete the main module. (7) Specification writing: Extract the specifications from the information gathered in Step 1 and translate from natural language to CTL using the variables defined in the model. After the seven step procedure is completed, SMV can be applied to verify the system. The modular method was applied to verify a leak test procedure.40 The modular approach allowed for rapid development of models and great flexibility so that the model could be adapted and changed without significant changes to the code. The largest system reported had nine valves and resulted in a model with ∼2.7 × 1017 states. This was reduced to 129,380 BDD nodes, and the verification problem was solved using NuSMV in 9600 CPU sec using a 750 MHz AMD Duron processor. Margolis4 developed the verification-operating procedure language (V-OPL) to solve two problems associated with operating procedures and the construction of logic models: (1) Operators often are unclear as to the appropriate action to take when the plant enters abnormal conditions. (2) Construction of logic models of operating procedures in CTL is a time-consuming, demanding, and non-intuitive task.

directly to generate the procedures. Nevertheless, formal mode checking is important because the heuristic methods all suffer from the same problem. They test the response of the system to only as many disturbances, initial conditions, events, and combinations thereof as the engineers performing the tests can enumerate. Typically, this is a very limited number, and large portions of the state space are left unexplored. In particular, the “combinations thereof” are easily missed, even when the individual events are correctly identified. These problems turned out to be particularly important in the Chernobyl and BP Texas City incidents because a number of faulty decisions were made that in combination led to disastrous results. In both cases, the plants were not running under normal conditions because they were being tested and maintained. Parts of the control system were switched off, sensors were ignored or did not work properly, and dangers that could be mitigated as the process conditions deteriorated did not come to the operators attention. Formal model checking has the advantage that all scenarios are explored, and the system is thereby provably correct provided no counterexamples are produced. As model checking originates in the field of computer science, significant hurdles must be overcome before this approach can become practical for safety analysis in chemical plants . In particular, model checking must be easy to use and enable fast evaluation of very large systems before it can be expected that this tool will succeed in improving the safety of chemical plants.2 Over a period of about 10 years, Professor Powers and his students developed logic models for discrete and continuous chemical processes and methods to express safety and reliability constraints so that the resulting models could be analyzed using SMV. Table 3 lists the topics they addressed. Table 3. Professor Powers’s Ph.D. Students in the Area of Model Checking graduation

thesis title

Il Moon

student

1992

Scott T. Probst Adam Turk Daniel Milam

1996

Automatic verification of discrete chemical process control systems Chemical process safety and operability analysis using symbolic model checking Event modeling and verification of chemical processes using symbolic model checking Synthesizing modular logic models of chemical engineering process equipment and control systems for verification A methodology for synthesizing logic models of operating procedures for process verification

Daniel Margolis

1999 2003 2003

The model development makes use of three basic elements: (1) Set of variables: A list of all variables in the model and the type for each variable (Boolean, integer range, enumerated set, and instances of modules that include other variables). If the variable is an enumerated set, then a list of allowed values for the variables must be specified. If the variable is a module that requires inputs, those must also be specified. (2) Initial conditions: The initial value of each variable. If left unspecified every possible value will be considered. (3) Variable evolution: A description of how the value of each variable evolves as the system makes transitions. Specifications for the safety and reliability of equipment, control systems, and operating procedures were expressed in CTL so that the model systems could be verified using SMV. The first results of the work were reported in the papers by Moon et al.7,37,38 These papers show how SMV could be applied for the automatic verification of simple discrete chemical process 5307

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

the set of reachable states or by checking CTL formulas on the content of queues. In this context, the model checking method makes use of efficient search strategies that can be applied to CTL expressions. First, a model of the overall undetermined process behavior has to be constructed. This model consists of all production steps (of all orders) at every state. Feasibility is formulated as a property using integer variables. The model checker then searches the reachable state space for a state where this property is held. If one is found, it provides a diagnostic trace. The diagnostic trace contains a sequence of processing and transitions from the initial state to the state found. The advantage of this approach is its robustness against changes in the setting of parameters, as the model’s general set of all the possibilities. Kim and Moon47 used SMV to find error-free makespan of operating schedules in a multi-purpose batch process. A modular-based approach was proposed by Kim et al.48 to describe reusable modules of common intermediate policies to synthesize the generally error-free operating procedure and to obtain a minimum makespan for both multi-purpose and multi-product batch processes using SMV. Kim46 tested his approach to synthesize optimal operating procedure according to the objective function of a paper mill process and optimize supply chain networks. Most of the literature on model checking in the chemical engineering field addresses the question whether a given control system or operating procedure satisfies the desired performance specifications. Application of the model checker simply reports back if the specification is satisfied or not. If it is not satisfied, then a counterexample is generated that may be used to generate an improved supervisor. This loop then continues until no more counterexamples are generated. It is not difficult to see that this iterative process can be very slow and tedious. Therefore, one important problem is how to generate supervisors directly from the discrete event model and the specified behavior. One can for example envisage an MPC type solution where the model and the specifications are used together to generate some future trajectory that maintains given performance requirements for some finite horizon. It would, however, be more useful to develop a system that is implemented as rules in a feedback setting. This is especially the case for control systems that are time critical and relate to safety, shut-down, and start-up and should be proven formally correct for all transition sequences. Alternatively, one can envision the use of model checking to generate feedback controls that develop discrete control signals based on the current state of the system. Several papers, some of which are referred to in the introduction, address different aspects of this problem, but complete theories are lacking. At this point, there are few applications of such methods to industrial control problems in the process industries. In the future, we expect to see progress on the key topics that aim to limit the state explosion problem by improving abstractions, better symbolic representations, broader parametrized reasoning techniques, and the development of temporal formalisms specialized to chemical processing systems.49 The most pressing challenge in symbolic model checking today is scaling up and reducing the space and time requirements. More efficient model checking techniques need to be developed in order to address industrial systems. It is also necessary to develop user interfaces and natural language support along the lines of V-OPL, templates for the automatic description of the system to be verified, and process modules that can be combined to form models quickly and reliably.50

V-OPL is written in English and is quite expressive so that it maintains intuitive simplicity and direct connections can be made to standard operating procedures. For example, a reactive task may be written if ( = 0) then open < var2> if ( = 0) and (

if ( = 0) and ( =1) then open

The logical operators allowed are “and” (&) and “or” (|). A compiler was developed to automatically translate from V-OPL to CTL. The system was used to verify operating procedures for realistic industrial case studies including overhead crane maintenance and a procedure for safe entry to a confined space. Methods of improving the search algorithm in its efficiency were studied by Kim and Moon.41 Yang et al.42 studied the verification of the safety interlock system operability. Automatic model checking method was used by Kim et al.16 to determine the error-free design of the safety instrumented system and to find the logical errors in the chemical processes.



FUTURE DIRECTIONS IN MODEL CHECKING There are a number of unresolved challenges in the area of control and verification of systems that either have a large number of discrete transitions or that combine time-dependent dynamics modeled by differential equations with discrete events. Such systems are referred to as hybrid systems because they combine continuous and discrete dynamics. Finite state machines approach the problem by approximating continuous dynamics using discretization. However, the size of the state space grows exponentially with the number of discretized variables, and it is difficult to handle anything but the smallest examples this way due to the significant increase in computational cost. The problem is highlighted in the paper by Clarke et al.20, which discusses the application of model checking to a simple hybrid system. Powers and his students mitigated the problem to some degree by being very careful in setting up the discretization while maintaining enough of the important dynamics to ensure that the verification could be carried out in a meaningful manner for the problems they considered. Some extensions have been made in other fields. Recently, researchers have explored the possibility of applying formal methods to biological and biochemical systems by combining differential equations and logic-based modeling frameworks. The computational tools Simpathica and XSSYS were used by Antoniotti et al.43 to perform verification on a set of differential equations by representing the behavior of biochemical pathways. Eker et al.44 have used the rewriting tool Maude to perform model checking on biological signaling pathways where possible reactions are modeled as logic rules. Chabrier and Fages45 have also modeled possible reactions as logic rules and used the computational tools NuSMV and DMC to perform model checking on a mammalian cell cycle control. Some of these ideas may be applied in the chemical engineering field, such as discovering alternative reaction pathways for chemicals or pharmaceuticals. Graphical modeling and model checking of alternative pathways with desired constraints in biochemical networks was applied by Kim et al.46 Model checking can also be used to assist in scheduling problems. Boundedness can be determined either by computing 5308

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research



CONCLUSION AND DISCUSSION



AUTHOR INFORMATION



Article

REFERENCES

(1) Burch, J. R.; Clarke, E. M.; McMillan, K. L.; Dill, D. L.; Hwang, L. J. Symbolic model checking: 1020 states and beyond. Inf. Comput. 1992, 98, 142−170. (2) Milam, D. E. Synthesizing Modular Logic Models of Chemical Engineering Process Equipment and Control Systems for Verification. Ph.D. Thesis, Department of Chemical Engineering, Carnegie Mellon University, 2003. (3) Milam, D.; Powers, G. J. Applying Hardware and Software Verification Techniques to Chemical Engineering Control Systems and Equipment. Proceedings of Ninth Annual International Conference on Information Systems, Analysis, and Synthesis, 2003. (4) Margolis, D. A methodology for synthesizing logic models of operating procedures for process verification. Ph.D. Thesis, Department of Chemical Engineering, Carnegie Mellon University, 2003. (5) Margolis, D. P.; Powers, G. J. Creating Logic Models of Operating Procedures for Sequential and Reactive Procedures. Proceedings of Ninth Annual International Conference on Information Systems, Analysis, and Synthesis, 2003. (6) Ramadge, P. J.; Wonham, W. M. Supervisory control of a class of discrete event processes. SIAM J. Control Optimization 1987, 25, 206− 230. (7) Moon, I.; Powers, G. J.; Burch, J. R.; Clarke, E. M. Automatic verification of sequential control systems using temporal logic. AIChE J. 1992, 38, 67−75. (8) Turk, A. L.; Probst, S. T.; Powers, G. J. In Hybrid and Real-Time Systems; Maler, O., Ed.; Lecture Notes in Computer Science; SpringerVerlag: Berlin, 1997; Vol. 1201; pp 259−272. (9) Preisig, H. A. The Application of Finite Automata Theory to Sequential Control of Chemical Processes; IFAC-DYCORD+; Maastrcht: The Netherlands,1989; pp 99−106. (10) Yamalidou, E. C.; Patsidou, E. P.; Kantor, J. C. Modeling discreteevent dynamical processes using Petri Nets. Comput. Chem. Eng. 1990, 14, 281−299. (11) Yamalidou, E. C.; Kantor, J. C. Modeling and control of discrete event chemical processes using Petri nets. Comput. Chem. Eng. 1991, 15, 503−519. (12) Sanchez, A.; Rotstein, G.; Alsop, N.; Macchietto, S. Synthesis and implementation of procedural controllers for event-driven operations. AIChE J. 1999, 45, 1753−1775. (13) Sanchez, A. Formal Specifications and Synthesis of Procedural Controllers for Process Systems; Lecture Notes in Control and Information Sciences; Springer-Verlag: Berlin, 1996; Vol. 212. (14) Philips, P. P. H. H.; Weiss, M. B. H.; Preisig, H. A. A Design Strategy for Discrete Control of Continuous Systems. Proceedings of the 1999 American Control Conference, Volume 3, 1999. (15) Philips, P. P. H. H.; Heemels, W. P. M. H.; Preisig, H. A.; van den Bosch, P. P. J. Control of quantized systems based on discrete event models. Int. J. Control 2003, 76, 277−294. (16) Kim, J.; Moon, I. Model checking for automatic verification of control logics in chemical processes. Ind. Eng. Chem. Res. 2011, 50, 905− 915. (17) Silva, B. I.; Stursberg, O.; Krogh, B. H.; Engell, S. An Assessment of the Current Status of Algorithmic Approaches to the Verification of Hybrid Systems. Proceedings of the 40th IEEE Conference on Decision and Control, 2001. (18) Bemporad, A.; Morari, M. Control of systems integrating logic, dynamics, and constraints. Automatica 1999, 35, 407−427. (19) Wonham, W. M. Supervisory Control of Discrete-Event Systems, ECE 1636F/1637S; University of Toronto: Toronto, 2007. (20) Clarke, E. M.; Fehnker, A.; Han, Z.; Krogh, B.; Ouaknine, J.; Stursberg, O.; Theobald, M. Abstraction and counterexample-guided refinement in model checking of hybrid systems. Int. J. Found. Comput. Sci. 2003, 14, 583−604. (21) Dimitriadis, V.; Hackenberg, J.; Shah, N.; Pantelides, C. A case study in hybrid process safety verification. Comput. Chem. Eng. 1996, 20, S503−S508. (22) Park, T.; Barton, P. I. Implicit model checking of logic-based control systems. AIChE J. 1997, 43, 2246−2260.

Professor Powers and his students pioneered the use of formal tools for model checking to evaluate the correctness of logic control systems operating and procedures for batch and continuous process plants. They were able to show that the tools developed in computer science could be adapted to chemical process problems. They developed a modular approach for building complex models (finite state machines) by connecting simpler structures together. The module library included, sink, source, tank, valve, and tap valve. These models could be combined so that they represented the discrete dynamics of chemical processes. At the same time, a language (V-OPL) was developed that could be used to encode operating procedures of chemical plants. Once compiled and connected with the model library, it was possible to check the correctness of the “closed loop behavior” of the discrete system, i.e., whether it satisfied the specifications or not using tools, such as SMV, developed for formal model checking. Formal model checking as a field has reached a stage of maturity in the field of computer science where it is now routinely used to solve very large verification problems. However, the techniques have so far failed to have a significant impact in the process industries despite their obvious and demonstrated potential to improve automation systems and operating procedures. Academic research into the application of model checking to chemical process control problems has so far been limited to a few research groups, and not many practical problems have been solved yet using these techniques. The theory for how the supervisory control systems work when they are integrated with a continuous chemical plant is very poorly developed at present. Theories do not exist to verify that these systems work well during plant upsets and abnormal working conditions, and it is still very time consuming and cumbersome to develop the model libraries and software needed to apply formal verification to a given process system. Also, it is still the case that chemical process systems typically have very large state space. Very significant progress has been made, however, during the past decade in computation. Not only are computers faster and algorithms better, but the software tools needed to apply these methods have also advanced significantly. It is now possible for engineers without significant training in computer science to develop discrete models and test logic statements without much difficulty. Chemical process modeling and control and safety analysis are quite different from software verification, however. This means that many of the theorems that have been developed for application in the computer science domain do not readily apply to chemical process problems. Only simple systems have been analyzed so far, and a new theory needs to be developed as new logic and language structures are developed to cope with these new applications.

Corresponding Author

*E-mail: [email protected]. Notes

The authors declare no competing financial interest.



ACKNOWLEDGMENTS Research was supported by the Dow Chemical Company and the Center for Advanced Process Decision-making. 5309

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310

Industrial & Engineering Chemistry Research

Article

(23) Thorstensson, C.; Kanthabhabhajeya, S.; Lennartson, B.; Falkman, P. Optimization of Discrete Event Systems Using Extended Finite Automata and Mixed-Integer Nonlinear Programming. Proceedings of the 18th IFAC World Congress, 2011. (24) U.S. Chemical Safety Board, Investigation Report: BP Texas City, 2007. (25) Stein, G. Respect the Unstable. IEEE Control Systems Magazine, August 2003, pp 12−25. (26) Bryant, R. E. Graph-Based Algorithms for Boolean Function Manipulation. IEEE Trans. Comput. 1986, 677−691. (27) Clarke, E. M.; Grumberg, O.; Peled, D. A. Model Checking; The MIT Press: Cambridge, MA, 1992. (28) Clarke, E. M.; Emerson, E. A. 25 Years of Model Checking; Lecture Notes in Computer Science; Springer-Verlag: Berlin, 2008; Vol. 5000; pp 196−215. (29) Moon, I. Modeling programmable logic controllers for logic verification. IEEE Control Syst. 1994, 14, 53−59. (30) Probst, S. T.; Powers, G. J.; Long, D. E.; Moon, I. Verification of a logically controlled, solids transport system using symbolic model checking. Comput. Chem. Eng. 1997, 21, 417−429. (31) Rozier, K. Y. Linear temporal logic symbolic model checking. Comput. Sci. Rev. 2011, 5, 163−203. (32) Bollig, B.; Wegener, I. Improving the variable ordering of OBDDs is NP-complete. IEEE Trans. Comput. 1996, 45, 993−1002. (33) Kletz, T. A. Hazop and Hazan; IChemE: Warwickshire, U.K., 1999. (34) Zhao, C.; Bhushan, M.; Venkatasubramanian, V. Phasuite: An automated HAZOP analysis tool for chemical processes: Part I: Knowledge engineering framework. Process Saf. Environ. Prot. 2005, 83, 509−532. (35) Lapp, S. A.; Powers, G. Computer-aided synthesis of fault-trees. IEEE Trans. Reliab. 1977, R-26, 2−13. (36) Balemans, A. Check-list: Guidelines for Safe Design of Process Plants; First International Loss Prevention Symposium, 1974. (37) Moon, I. Automatic Verification of Discrete Chemical Process Control Systems. Ph.D. Thesis, Carnegie Mellon University, 1992. (38) Moon, I.; Ko, D.; Probst, S. T.; Powers, G. J. A symbolic model verifier for safe chemical process sequential control systems. J. Chem. Eng. Jpn. 1997, 30, 13−22. (39) Turk, A. L. Event Modeling and Verification of Chemical Processes Using Symbolic Model Checking. Ph.D. Thesis, Department of Chemical Engineering, Carnegie Mellon University, 1999. (40) Turk, A. L.; Probst, S. T.; Powers, G. J. Verification of Real Time Chemical Processing Systems. In Hybrid and Real-Time Systems; Lecture Notes in Computer Science; Springer-Verlag: Berlin, 1997; pp 259− 272. (41) Kim, J.; Kim, M.; Moon, I. Improved search algorithm for the efficient verification of chemical processes. Comput. Chem. Eng. 1999, 23 (Supplement), S601−S604. (42) Yang, S.; Tan, L.; He, C. Automatic verification of safety interlock systems for industrial processes. J. Loss Prev. Process Ind. 2001, 14, 379− 386. (43) Antoniotti, M.; Policriti, A.; Ugel, N.; Mishra, B. Model building and model checking for biochemical processes. Cell Biochem. Biophys. 2003, 38, 271−286. (44) Eker, S.; Knapp, M.; Laderoute, K.; Lincoln, P.; Talcott, C. Pathway Logic: Executable Models of Biological Networks; WRLA 2002, Rewriting Logic and Its Applications; Electronic Notes in Theoretical Computer Science; April 2004; Vol. 71, pp 144−161. (45) Chabrier, N.; Fages, F. In Computational Methods in Systems Biology; Priami, C., Ed.; Lecture Notes in Computer Science; SpringerVerlag: Berlin, 2003; Vol. 2602; pp 149−162. (46) Kim, J.; Park, J.; Moon, I. Automatic synthesis for the reachability of process systems with a model checking algorithm. Ind. Eng. Chem. Res. 2013, 52, 2613−2624. (47) Kim, J.; Moon, I. Synthesis of safe operating procedure for multipurpose batch processes using SMV. Comput. Chem. Eng. 2000, 24, 385−392.

(48) Kim, J.; Kim, J.; Moon, I. Error-free scheduling for batch processes using symbolic model verifier. J. Loss Prev. Process Ind. 2009, 22, 367− 372. (49) Emerson, E. In 25 Years of Model Checking; Grumberg, O., Veith, H., Eds.; Lecture Notes in Computer Science; Springer-Verlag: Berlin, 2008; Vol. 5000; pp 27−45. (50) Preuße, S.; Hanisch, H.-M. Verifying Functional and NonFunctional Properties of Manufacturing Control Systems. Proceedings of the Third International Workshop on Dependable Control of Discrete Systems, DCDS’11, 2011; pp 41−46.

5310

dx.doi.org/10.1021/ie402998g | Ind. Eng. Chem. Res. 2014, 53, 5299−5310