Formal Specification of Software
Steam Boiler Control: An Example in Z Formalisation
Bernhard Beckert
UNIVERSITÄT KOBLENZ-LANDAU
B. Beckert: Formal Specification of Software – p.1
Steam Boiler Control: Scenario
[Figure: steam boiler with water level w (bounds wmin, wmax), steam output d (bound dmax), four pumps p1 … p4 each delivering l (error δp), pump controllers kp, measuring devices kw and kd (error δd), valve v, boiler switch a and controller state z]
System Components
steam boiler
water level measuring device
four pumps
four pump controllers
steam quantity measuring device
valve for emptying the boiler
Physical constants
wmin   minimal water level
wmax   maximal water level
l      water amount per pump
dmax   maximal quantity of steam exiting the boiler
δp     error in the value of l
δd     error in steam measurement
Measured values
w      water level
d      amount of steam exiting the boiler
kp,i   pump i works/broken
kw     water level measuring device works/broken
kd     steam amount measuring device works/broken
Control values
pi     pump i on/off
v      valve open/closed
a      boiler on/off
z      state init/norm/broken/stop
Steam Boiler Control
Types
State ::= init | norm | broken | stop
OnOff ::= on | off
OpenClosed ::= open | closed
Physical constants
wmin : N
wmax : N
l : N
dmax : N
δp : N
δd : N
---
wmin < wmax

Measured values
Input
  w? : N
  d? : N
Control values
Pumps
  p1, p2, p3, p4 : OnOff

SteamBoiler0
  Pumps
  v : OpenClosed
  a : OnOff
  z : State
Auxiliary Schemata
PumpsOff
  Pumps′
  ---
  p′1 = off ∧ p′2 = off ∧ p′3 = off ∧ p′4 = off

PumpsOn
  Pumps′
  ---
  p′1 = on ∧ p′2 = on ∧ p′3 = on ∧ p′4 = on
Steam Boiler Initial State
SteamBoilerInit0
  SteamBoiler0′
  ---
  a′ = off
  z′ = init
Operations for Initialisation
SInitNormal0
  ∆SteamBoiler0
  Input
  ---
  z = init
  d? = 0
  w? ≥ wmin + dmax
  w? ≤ wmax
  PumpsOff
  z′ = norm
  v′ = closed
  a′ = on
SInitStop0
  ∆SteamBoiler0
  Input
  ---
  z = init
  d? > 0
  z′ = stop
SInitFill0
  ∆SteamBoiler0
  Input
  ---
  z = init
  d? = 0
  w? < wmin + dmax
  PumpsOn
  z′ = z
  v′ = closed
  a′ = off
SInitEmpty0
  ∆SteamBoiler0
  Input
  ---
  z = init
  d? = 0
  w? > wmax
  PumpsOff
  z′ = z
  v′ = open
  a′ = off
ControlInit0 =̂ SInitNormal0 ∨ SInitStop0 ∨ SInitFill0 ∨ SInitEmpty0
Operations for Normal State
SNormalFill0
  ∆SteamBoiler0
  Input
  ---
  z = norm
  w? ≥ wmin
  w? ≤ wopt − 3l
  PumpsOn
  v′ = closed ∧ a′ = on ∧ z′ = z

Note: simplified version where all four pumps are switched simultaneously.
SNormalContinue0
  ΞSteamBoiler0
  Input
  ---
  z = norm
  w? > wopt − 3l
  w? ≤ wopt
SNormalNotFill0
  ∆SteamBoiler0
  Input
  ---
  z = norm
  w? > wopt
  w? ≤ wmax
  PumpsOff
  v′ = closed ∧ a′ = on ∧ z′ = z
SNormalStop0
  ∆SteamBoiler0
  Input
  ---
  z = norm
  w? < wmin ∨ w? > wmax
  a′ = off ∧ z′ = stop
Complete Operation
ControlNormal0 =̂ SNormalFill0 ∨ SNormalContinue0 ∨ SNormalNotFill0 ∨ SNormalStop0

Control0 =̂ ControlInit0 ∨ ControlNormal0
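An executable reading of Control0, added here as an example and not part of the slides: each operation schema becomes a precondition/postcondition pair, Control0 is their disjunction, and a brute-force check confirms that in the init and norm states exactly one disjunct applies for every input, i.e. the operation is total and deterministic there. The constants wmin, wmax, wopt, l and dmax are constructed sample values.

```python
from dataclasses import dataclass, replace

# Physical constants: constructed sample values, not taken from the slides
WMIN, WMAX, WOPT, L, DMAX = 100, 300, 200, 10, 20
PUMPS_ON, PUMPS_OFF = ("on",) * 4, ("off",) * 4

@dataclass(frozen=True)
class SteamBoiler0:
    pumps: tuple = PUMPS_OFF   # p1 .. p4 : OnOff
    v: str = "closed"          # valve : OpenClosed
    a: str = "off"             # boiler : OnOff
    z: str = "init"            # controller State

# Each operation schema as (name, precondition, postcondition): the precondition is
# the predicate over unprimed state and inputs, the postcondition builds the primed state.
OPS0 = [
    ("SInitNormal0", lambda s, w, d: s.z == "init" and d == 0 and WMIN + DMAX <= w <= WMAX,
     lambda s, w, d: replace(s, pumps=PUMPS_OFF, z="norm", v="closed", a="on")),
    ("SInitStop0", lambda s, w, d: s.z == "init" and d > 0,
     lambda s, w, d: replace(s, z="stop")),
    ("SInitFill0", lambda s, w, d: s.z == "init" and d == 0 and w < WMIN + DMAX,
     lambda s, w, d: replace(s, pumps=PUMPS_ON, v="closed", a="off")),
    ("SInitEmpty0", lambda s, w, d: s.z == "init" and d == 0 and w > WMAX,
     lambda s, w, d: replace(s, pumps=PUMPS_OFF, v="open", a="off")),
    ("SNormalFill0", lambda s, w, d: s.z == "norm" and WMIN <= w <= WOPT - 3 * L,
     lambda s, w, d: replace(s, pumps=PUMPS_ON, v="closed", a="on")),
    ("SNormalContinue0", lambda s, w, d: s.z == "norm" and WOPT - 3 * L < w <= WOPT,
     lambda s, w, d: s),                                   # Ξ schema: no change
    ("SNormalNotFill0", lambda s, w, d: s.z == "norm" and WOPT < w <= WMAX,
     lambda s, w, d: replace(s, pumps=PUMPS_OFF, v="closed", a="on")),
    ("SNormalStop0", lambda s, w, d: s.z == "norm" and (w < WMIN or w > WMAX),
     lambda s, w, d: replace(s, a="off", z="stop")),
]

def applicable(s, w, d):
    """Names of the disjuncts of Control0 whose precondition holds."""
    return [name for name, pre, _ in OPS0 if pre(s, w, d)]

def control0(s, w, d):
    """Control0 = ControlInit0 ∨ ControlNormal0; fails unless exactly one disjunct applies."""
    hits = [post(s, w, d) for _, pre, post in OPS0 if pre(s, w, d)]
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} schemas applicable for z={s.z}, w?={w}, d?={d}")
    return hits[0]

def check_disjoint_and_total(zs=("init", "norm"), ws=range(0, 401), ds=(0, 1)):
    """Brute-force: for every state in zs and every input, exactly one disjunct applies."""
    return all(len(applicable(SteamBoiler0(z=z), w, d)) == 1
               for z in zs for w in ws for d in ds)
```

For z = broken or z = stop no disjunct of Control0 applies, which the check makes visible by leaving those states out of zs; Control0 is partial there by construction.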
Extended Solution
Additional Type
WorksBroken ::= works | broken

Additional measured values
ControlInput
  kw? : WorksBroken
  kd? : WorksBroken
  kp1? : WorksBroken
  kp2? : WorksBroken
  kp3? : WorksBroken
  kp4? : WorksBroken
Control values
SteamBoiler1
  SteamBoiler0
  s : N
  δ : N

Initial State
SteamBoilerInit1
  SteamBoiler1′
  ---
  a′ = off
  z′ = init
Extended Auxiliary Schemata
Auxiliary Functions
pswitch : (OnOff × WorksBroken) → OnOff
---
pswitch(on, works) = on
pswitch(on, broken) = off
pswitch(off, works) = off
pswitch(off, broken) = off

pamount : (OnOff × WorksBroken) → N
---
∀ x : OnOff, y : WorksBroken | x = off ∨ y = broken • pamount(x, y) = 0
pamount(on, works) = 1
Auxiliary Schemata
PumpsControlledOn
  Pumps′
  ControlInput
  ---
  p′1 = pswitch(on, kp1?) ∧ p′2 = pswitch(on, kp2?)
  p′3 = pswitch(on, kp3?) ∧ p′4 = pswitch(on, kp4?)

PumpsControlledOff
  Pumps′
  ControlInput
  ---
  p′1 = pswitch(off, kp1?) ∧ p′2 = pswitch(off, kp2?)
  p′3 = pswitch(off, kp3?) ∧ p′4 = pswitch(off, kp4?)
Operations for Initialisation
SInitNormal1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = init
  d? = 0
  kw? = works ∧ kd? = works
  w? ≥ wmin + dmax
  w? ≤ wmax
  z′ = norm
  v′ = closed
  a′ = on
  s′ = w?
  PumpsOff
SInitFill1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = init
  d? = 0
  kw? = works ∧ kd? = works
  w? < wmin + dmax
  z′ = z
  v′ = closed
  a′ = off
  PumpsOn
SInitEmpty1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = init
  d? = 0
  w? > wmax
  z′ = z
  v′ = open
  a′ = off
  PumpsOff
SInitStop1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = init
  d? > 0 ∨ kw? = broken ∨ kd? = broken
  z′ = stop
ControlInit1 =̂ SInitNormal1 ∨ SInitFill1 ∨ SInitEmpty1 ∨ SInitStop1
Operations for Normal State
SNormalFill1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = norm
  kw? = works
  w? ≥ wmin
  w? ≤ wopt − 3l
  s′ = w?
  PumpsControlledOn
  v′ = closed ∧ a′ = on ∧ z′ = z
SNormalContinue1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = norm
  kw? = works
  w? > wopt − 3l
  w? ≤ wopt
  p′1 = pswitch(p1, kp1?) ∧ p′2 = pswitch(p2, kp2?)
  p′3 = pswitch(p3, kp3?) ∧ p′4 = pswitch(p4, kp4?)
  s′ = w?
  v′ = v ∧ a′ = a ∧ z′ = z
SNormalNotFill1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = norm
  kw? = works
  w? > wopt
  w? ≤ wmax
  s′ = w?
  PumpsControlledOff
  v′ = closed ∧ a′ = on ∧ z′ = z
SNormalWaterStop1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = norm ∨ z = broken
  kw? = works
  w? < wmin ∨ w? > wmax
  a′ = off ∧ z′ = stop
SNormalControlStop1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = norm
  kw? = broken ∧ kd? = broken
  a′ = off ∧ z′ = stop
Schema AmountComputation
AmountComputation
  SteamBoiler1
  ControlInput
  amount : N
  δpumps : N
  ---
  amount = l ∗ (pamount(p1, kp1?) + pamount(p2, kp2?) + pamount(p3, kp3?) + pamount(p4, kp4?))
  δpumps = δp ∗ (pamount(p1, works) + pamount(p2, works) + pamount(p3, works) + pamount(p4, works))
Operations for Normal State
SNormalBroken1
  ∆SteamBoiler1
  Input
  ControlInput
  AmountComputation
  ---
  z = norm
  kw? = broken
  kd? = works
  s′ = s + amount − d?
  δ′ = δpumps + δd
  s′ ≥ wmin + δ′
  s′ ≤ wmax − δ′
  s′ < (wmin + wmax)/2 → PumpsControlledOn
  s′ ≥ (wmin + wmax)/2 → PumpsControlledOff
  v′ = closed ∧ a′ = on
  z′ = broken

Note: simple strategy because the number of working pumps is unknown.
Complete Operation
ControlNormal1 =̂ SNormalFill1 ∨ SNormalContinue1 ∨ SNormalNotFill1 ∨ SNormalWaterStop1
               ∨ SNormalControlStop1 ∨ SNormalBroken1
Operations for Broken State
SBrokenContinue1
  ∆SteamBoiler1
  Input
  ControlInput
  AmountComputation
  ---
  z = broken
  kw? = broken
  kd? = works
  s′ = s + amount − d?
  δ′ = δ + δpumps + δd
  s′ ≥ wmin + δ′
  s′ ≤ wmax − δ′
  s′ < (wmin + wmax)/2 → PumpsControlledOn
  s′ ≥ (wmin + wmax)/2 → PumpsControlledOff
  v′ = closed ∧ a′ = on
  z′ = broken
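The dead-reckoning of SNormalBroken1 and SBrokenContinue1, as an added example that is not from the slides: with the water level device broken, the estimate s′ = s + amount − d? is carried forward and the error bound δ′ grows at every step, until SBrokenWaterStop1 fires because the interval [wmin + δ′, wmax − δ′] can no longer contain s′. The constants are constructed sample values, and the midpoint (wmin + wmax)/2 is taken as an integer.

```python
from dataclasses import dataclass, replace

# Physical constants: constructed sample values, not taken from the slides
WMIN, WMAX, L, DELTA_P, DELTA_D = 100, 300, 10, 1, 2
MID = (WMIN + WMAX) // 2          # (wmin + wmax)/2, exact for these values

def pswitch(p, k):                # pswitch : OnOff × WorksBroken → OnOff
    return "on" if (p, k) == ("on", "works") else "off"

def pamount(p, k):                # pamount : OnOff × WorksBroken → N
    return 1 if (p, k) == ("on", "works") else 0

@dataclass(frozen=True)
class SteamBoiler1:
    pumps: tuple                  # p1 .. p4 : OnOff
    v: str                        # OpenClosed
    a: str                        # OnOff
    z: str                        # State
    s: int                        # estimated water level
    delta: int                    # accumulated error bound δ on s

def amount_computation(st, kp):
    """Schema AmountComputation: water pumped in this step and the error it adds."""
    amount = L * sum(pamount(p, k) for p, k in zip(st.pumps, kp))
    delta_pumps = DELTA_P * sum(pamount(p, "works") for p in st.pumps)
    return amount, delta_pumps

def estimate_step(st, d, kp):
    """One step with kw? = broken and kd? = works: SNormalBroken1 from z = norm,
    SBrokenContinue1 from z = broken, or SBrokenWaterStop1 when the error bound
    no longer keeps the estimate inside [wmin, wmax]."""
    amount, delta_pumps = amount_computation(st, kp)
    s1 = st.s + amount - d
    # entering broken from norm starts a fresh bound; staying in broken accumulates
    delta1 = delta_pumps + DELTA_D + (st.delta if st.z == "broken" else 0)
    if s1 < WMIN + delta1 or s1 > WMAX - delta1:            # SBrokenWaterStop1
        return replace(st, a="off", z="stop")
    target = "on" if s1 < MID else "off"                     # PumpsControlledOn / Off
    return replace(st, pumps=tuple(pswitch(target, k) for k in kp),
                   v="closed", a="on", z="broken", s=s1, delta=delta1)

def steps_until_stop(st, d, kp, limit=1000):
    """Number of estimate steps until the growing δ forces a stop (None if never)."""
    for n in range(1, limit + 1):
        st = estimate_step(st, d, kp)
        if st.z == "stop":
            return n
    return None
```

Even with a perfectly balanced pump schedule the run is finite: δ′ is monotone in the broken state, so the controller can only stay in broken for a bounded number of steps unless the water level device comes back (SBrokenNormal1).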
SBrokenNormal1
  ∆SteamBoiler1
  Input
  ControlInput
  AmountComputation
  ---
  z = broken
  kw? = works
  w? ≥ wmin
  w? ≤ wmax
  w? < (wmin + wmax)/2 → PumpsControlledOn
  w? ≥ (wmin + wmax)/2 → PumpsControlledOff
  s′ = w?
  v′ = closed ∧ a′ = on
  z′ = norm
SBrokenControlStop1
  ∆SteamBoiler1
  Input
  ControlInput
  ---
  z = broken
  kw? = broken
  kd? = broken
  a′ = off ∧ z′ = stop
SBrokenWaterStop1
  ∆SteamBoiler1
  Input
  ControlInput
  AmountComputation
  ---
  z = broken ∨ z = norm
  kw? = broken
  kd? = works
  s′ = s + amount − d?
  z = broken → δ′ = δ + δpumps + δd
  z = norm → δ′ = δpumps + δd
  s′ < wmin + δ′ ∨ s′ > wmax − δ′
  a′ = off ∧ z′ = stop
ControlBroken1 =̂ SBrokenContinue1 ∨ SBrokenNormal1 ∨ SBrokenControlStop1 ∨ SBrokenWaterStop1
Complete Operation
Control1 =̂ ControlInit1 ∨ ControlNormal1 ∨ ControlBroken1