A Framework for the Hazard Analysis of Chemical Plants

Authors

  • Peter Herrmann
  • Heiko Krumm
Abstract

Transposing the notion of software frameworks to the abstraction level of formal specifications and verifications, we developed a framework supporting the formal hazard analysis of chemical plants. It provides generic specification modules for the description of safety properties, specification modules for the description of plant models, and theorems stating that certain subsystem structures of the plant model imply certain safety properties. Using the framework for hazard analysis, one first describes the plant and its control equipment as a composition of framework module instances. Second, one expresses the different safety properties of interest by parameterized framework modules. Finally, a safety property is proven when an appropriate theorem instance of the framework can be found. Thus, the framework facilitates the formal modeling. Moreover, the effort for formal verification is reduced drastically, since framework theorem instances can replace explicit proofs. The framework utilizes modular temporal logic specifications supported by the specification language cTLA, which is a variant of Lamport's Temporal Logic of Actions (TLA) and is in particular devoted to the compositional description of process systems.

1 Introduction

Modern chemical plants are complex hybrid systems consisting of various process and control equipment. Continuous mass and energy flows of chemical production processes are controlled by event-discrete real-time hardware and software systems. As a rule, the operation of chemical plants entails diverse risks. Therefore, the design of plants has to be accompanied by careful and responsible hazard analysis procedures. Since comprehensive and easily applicable formal methods are not yet available, the analysis procedures are mainly based on informal discussions following the well-established "Hazard and Operability Studies" approach (HazOp) [16].
The potential value of formal methods, however, is appreciated, and several approaches have been proposed applying tool assistance, formal modeling, and formal model-based reasoning to tasks and subtasks of hazard analysis. Thus, expert systems can provide automated procedure assistance [4, 6, 19, 22], and simulation tools provide helpful insight into a system under design [5, 17, 23]. Moreover, approaches exist which support direct formal analysis in order to achieve formal safety proofs using qualitative equation models [3, 23], Petri net models [20], and temporal logic [18]. These approaches are related to techniques known from the field of formal hardware and software system verification. As in that field, experience shows that formal verification introduces considerable additional costs and is moreover prone to errors. Therefore, tool support is of high interest, lowering the costs through automation and increasing the reliability of proofs through mechanical reasoning. Corresponding tools were developed using exhaustive state space exploration [21] or symbolic model checking techniques [2, 15, 18]. When analyzing complex systems of practical interest, however, the tool support is not satisfactory. Fully automated state space exploration tools fail due to the very high number of reachable system states to be managed. Symbolic theorem proving tools need active and intelligent user guidance providing suitable proof structures. Consequently, substantial efforts are needed either to develop abstractions and simplifications for automated state space exploration or to design lemmas, strategies, and proof outlines to be supplied to symbolic theorem provers. Our general approach is also based on symbolic logic theorem proving and uses modular temporal logic specifications [10].

This work was funded by the German research foundation DFG. 0-7803-6566-6/00/$10.00 ©2000 IEEE
Since we aimed at the efficient verification of complex practical systems, we looked for additional means to complement the support provided by an appropriate formal modeling technique and its tools. First, we focused on the modular description of hybrid systems, obtaining re-usable specification modules (generic process type definitions) and verification elements (theorems). This supported efficient re-use and the structuring of verifications into a series of relatively small subproofs [7]. Second, we wanted to facilitate the proof design. Therefore we proposed relatively direct mappings of traditional informal HazOp argumentations to formal proofs [9]. Now, we propose a third complementary approach. It adopts the well-known notion of "frameworks" from software engineering (cf. [11]) and transfers it from the construction of software systems to the construction of formal models and proofs. Software frameworks are devoted to special application domains. They provide rules governing the architecture of software systems and moreover supply modules supporting their efficient composition. Similarly, our specification and verification framework is devoted to the special application domain of chemical plants. Besides architectural rules, it comprises two collections of generic specification modules. One collection contains modules describing components used by chemical plants (e.g., vessels, valves, pumps, mixers) as well as specifications of the components of plant control systems (e.g., sensors, actuators, controllers). Based on these modules, specifications are developed in two quite easy steps. First, generic modules are instantiated in order to model the components of a particular plant. Second, the entire plant is specified by a composition of these module instances. The other specification module collection contains modules modeling safety properties to be kept by a plant (e.g., no excess pressure above a certain limit in a vessel).
The use of two groups of specification modules addressing two different abstraction levels (i.e., plant component models and abstract safety properties) is an extension to software frameworks, which supply only software modules but do not provide formal specification elements. Moreover, there is a second important extension. In addition to these two groups of specification modules, our framework provides verification elements facilitating formal proofs that chemical plants keep certain safety properties. A collection of generic theorems is included where each theorem instance ensures that a safety property is provided by specific subsystems of plant models. Since we have already proved the validity of the theorems, framework users only need to select a suitable theorem, to instantiate it according to the parameter settings of the plant models and safety property specifications, and, finally, to perform some simple checks guaranteeing the consistency of the theorem instance and the plant model. Therefore, the framework not only facilitates the efficient construction of formal models and specifications, but also supports the formal reasoning directly, since formal proofs can relatively easily be combined from theorems of the framework. For example, we specified the example plant used in this paper and proved 33 safety properties within four days. Our approach is rooted in an approach for the formal verification of complex data communication protocols (cf. e.g. [8]) which introduced the temporal logic specification language cTLA for the description of event-discrete distributed and concurrent process systems. cTLA is based on Leslie Lamport's Temporal Logic of Actions TLA [14]. In particular, it supports the modular description of process types. System descriptions can be composed from implementation-oriented as well as from constraint-oriented processes. Process composition has the character of superposition (cf. [12]), i.e., relevant properties of processes and subsystems are also properties of the embedding system. Therefore, structured verification can be applied, i.e., for the verification of a system property it is sufficient to prove that a subsystem exists which has the property. Moreover, since cTLA facilitates the description of systems as appropriate constraint compositions, specifications can reflect the logical connections and dependencies of systems. Therefore, mostly small subsystems can be identified supporting the structured verification of interesting system properties. Because of these features, cTLA proved to be very well suited for the establishment of specification and verification frameworks. We developed extensions for the modeling of real-time and continuous properties which keep the superposition character of composition [7]. Based on these extensions, frameworks for hybrid systems like the framework for the formal hazard analysis of chemical plants can be established. In the remainder we first concentrate on the essentials of our approach. We discuss the framework structure and describe an example system. Moreover, a short comparison with traditional HazOp shall clarify the approach. Thereafter, we enter into more detail. The specification technique cTLA is outlined and a sketch of a formal verification is given verifying a safety property of the example system.
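The superposition argument above (a property proven for a subsystem is a property of every system that embeds it, because composition only conjoins further constraints) can be made concrete with a small executable model. The following Python program is an added illustration written for this page; it is not the authors' cTLA framework and it replaces cTLA theorems by exhaustive state exploration of a toy event-discrete vessel model. The process names, the plant parameters (relief threshold 8, relief outflow 2 units per tick, inlet closing at pressure 9, per-tick inflow of at most 1 or 2 units) and the `relief_bound` formula are all assumptions made for this illustration and are not taken from the paper.

```python
"""Toy compositional plant model: an added illustration for this page, not the
authors' cTLA framework.  Each process constrains one joint 'tick' action, a
safety property is an invariant over reachable states, and checks are done by
exhaustive exploration instead of framework theorems.  Parameters are assumed."""
from collections import deque
from typing import Callable, Dict, FrozenSet, Optional, Sequence, Tuple

Vals = Dict[str, int]                 # variable name -> value (booleans as 0/1)
Key = Tuple[Tuple[str, int], ...]     # hashable, name-sorted snapshot of a state
Step = Callable[[Vals, int], Optional[Vals]]

class Process:
    """A framework module instance: its own variables plus a constraint on the
    joint tick.  step(state, inflow) returns this process's next values, or
    None if the process forbids a tick with that inflow (a conjoined guard)."""
    def __init__(self, name: str, init: Vals, step: Step):
        self.name, self.init, self.step = name, init, step

def vessel(relief_outflow: int) -> Process:
    # pressure rises by the environment's inflow and falls while relief is open
    def step(s: Vals, inflow: int) -> Vals:
        out = relief_outflow if s["relief"] else 0
        return {"p": max(0, s["p"] + inflow - out)}
    return Process("vessel", {"p": 0}, step)

def relief_controller(threshold: int) -> Process:
    # reads the current pressure and sets relief for the *next* tick (one-tick delay)
    def step(s: Vals, inflow: int) -> Vals:
        return {"relief": int(s["p"] >= threshold)}
    return Process("relief_ctrl", {"relief": 0}, step)

def inlet_controller(close_at: int) -> Process:
    # a closed inlet admits no inflow: the process vetoes such ticks, so adding it
    # to a composition can only remove behaviours (the superposition property)
    def step(s: Vals, inflow: int) -> Optional[Vals]:
        if not s["inlet"] and inflow > 0:
            return None
        return {"inlet": int(s["p"] < close_at)}
    return Process("inlet_ctrl", {"inlet": 1}, step)

def reachable(procs: Sequence[Process], max_inflow: int = 1) -> FrozenSet[Key]:
    """Breadth-first exploration of the composed system: a tick is taken only if
    every process accepts it, and each process updates only its own variables."""
    init: Vals = {}
    for pr in procs:
        init.update(pr.init)
    start: Key = tuple(sorted(init.items()))
    seen, queue = {start}, deque([start])
    while queue:
        s = dict(queue.popleft())
        for inflow in range(max_inflow + 1):      # environment's free choice
            updates = [pr.step(s, inflow) for pr in procs]
            if any(u is None for u in updates):   # some process vetoes this tick
                continue
            nxt = dict(s)
            for u in updates:
                nxt.update(u)
            key: Key = tuple(sorted(nxt.items()))
            if key not in seen:
                seen.add(key)
                queue.append(key)
    return frozenset(seen)

def holds(procs: Sequence[Process], invariant: Callable[[Vals], bool],
          max_inflow: int = 1) -> bool:
    """Safety property module: the invariant must hold in every reachable state."""
    return all(invariant(dict(s)) for s in reachable(procs, max_inflow))

def max_pressure(procs: Sequence[Process], max_inflow: int = 1) -> int:
    return max(dict(s)["p"] for s in reachable(procs, max_inflow))

def relief_bound(threshold: int, max_inflow: int) -> int:
    """Illustrative generic 'theorem instance' (own derivation for this toy model,
    valid when relief_outflow >= max_inflow): with the one-tick controller delay
    the pressure never exceeds threshold + 2*max_inflow - 1."""
    return threshold + 2 * max_inflow - 1

def embeds(system: Sequence[Process], sub: Sequence[Process], max_inflow: int = 1) -> bool:
    """Superposition check: every reachable state of the full system, projected
    onto the subsystem's variables, is reachable in the subsystem alone, so an
    invariant proven for the subsystem carries over to the embedding system."""
    keep = set().union(*(pr.init for pr in sub))
    proj = lambda states: {tuple(kv for kv in st if kv[0] in keep) for st in states}
    return proj(reachable(system, max_inflow)) <= proj(reachable(sub, max_inflow))

THRESHOLD, OUTFLOW, CLOSE_AT, LIMIT = 8, 2, 9, 9   # assumed plant parameters

def subsystem() -> Tuple[Process, ...]:            # vessel + relief controller
    return (vessel(OUTFLOW), relief_controller(THRESHOLD))

def full_plant() -> Tuple[Process, ...]:           # the same plus an inlet controller
    return subsystem() + (inlet_controller(CLOSE_AT),)

if __name__ == "__main__":
    no_overpressure = lambda s: s["p"] <= LIMIT
    print("subsystem keeps p <=", LIMIT, ":", holds(subsystem(), no_overpressure))
    print("theorem bound:", relief_bound(THRESHOLD, 1), "observed max:", max_pressure(subsystem()))
    print("full plant embeds subsystem:", embeds(full_plant(), subsystem()))
```

`relief_bound` plays the role a framework theorem instance plays in the paper: a bound established once for the generic vessel/relief-controller pattern, which the exploration then merely confirms for concrete parameter settings. `embeds` makes the superposition step explicit: because the inlet controller can only veto ticks and writes only its own variable, the composed plant's behaviours projected onto the vessel and relief controller are a subset of the subsystem's own, so the `no_overpressure` property proven for the two-process subsystem needs no re-proof for the full plant.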


Similar sources

Toxic Chemical Release Hazard Distance Determination Using Chemical Exposure Index (CEI) in a Gas Refinery

Events leading up to the release of toxic chemicals in processing plants are one of the main hazards of the chemical industries and can endanger employees as well as people in the neighborhood. In this study, DOW's Chemical Exposure Index (CEI) is used to determine hazard distances of possible toxic chemical releases in one of the South Pars gas refineries. To...


Recent 2017-2018 Seismicity and News Seismic Hazard Zoning of Iran

On November 12, 2017, at 18:18 UTC, a major earthquake with moment magnitude Mw7.3 struck the Kermanshah province of Iran, causing extended damage and casualties. Thus, we explore seismicity preceding this earthquake, with the aim to understand whether the information from past events could provide some insights about the occurrence of this and other future large earthquakes. Taking into accou...


A conceptual framework chemistry of Hydrated Cations: Part I. Preliminary Ab Initio and QTAIM calculations on [Li(H2O)n]+ (n=1,2,3).

Ion molecules with the general chemical formula [Li(H2O)n]+ (n=1,2,3) have been chosen as model species to investigate the chemical properties of hydrated lithium cations. The RHF(SCVS)/UGBS level of calculation has been used for obtaining equilibrium geometries and Rho(r) functions (electron density distributions). By the aid of fundamental physical theorems implemented in Quantum Theory of Atoms i...


GIS analysis for vulnerability assessment of drought in Khuzestan province in Iran using standardized precipitation index (SPI)

The Standardized Precipitation Index (SPI) is a widely used drought index that provides good estimates of the intensity, magnitude and spatial extent of droughts. The objective of this study was to analyze the spatial pattern of drought by the SPI index. In this paper, patterns of drought hazard in Khuzestan are evaluated according to the data of 17 weather stations during data recording. The influe...


Publication date: 2000