Intelligent Modeling and VerificationView this Special Issue
Automata-Based Analysis of Stage Suspended Boom Systems
A stage suspended boom system is an automatic steeve system orchestrated by the PLC (programmable logic controller). Security and fault-recovering are two important properties. In this paper, we analyze and verify the boom system formally. We adopt the hybrid automaton to model the boom system. The forward reachability is used to verify the properties with the reachable states. We also present a case study to illustrate the feasibility of the proposed verification.
The special effects in live performance make the audience astonishing through colorful background and a stage suspended boom system. Generally, the background indicates a stable scene, but the suspended boom system shows a dynamic stunt. The special effects for live performance are always implemented by suspending objects and/or human in midair from the boom system, such as “little girl flying a kite” in the Olympic Games in Beijing 2008.
The contemporary boom systems contain a fixed physical mechanism and a programmable controller, such as the steeve system and PLC. The PLC samples the position of each steeve and restricts their movement periodically. Since human life is at stake, security is the top priority. The boom system is also mission critical due to its live performance nature-stunt. Generally, the stunt is against the security deeply; the audience wants exciting stunts, but actors need safe shows, which makes “Stunt Injuries and Fatalities Increasing” stated by McCann .
We focus on the formal aspect of analyzing and verifying stage suspended boom systems. The boom system exhibits a hybrid behavior; for example, the continuous behavior in a time period interacts with the discrete events. Therefore, it is natural to adopt hybrid automaton to model and verify this type of system.
Hybrid automaton is a formal model for precisely describing hybrid system in which computational processes interact with physical processes. Similar to other types of automaton, the hybrid contains states and transitions, but it also labels and groups relevant dense states as activities to express continuous behaviors, which are described by state functions. Then the behavior of the hybrid system is composed of discreteness of state transitions and continuity of state evolution.
The hybrid automaton was introduced in [2, 3] with analysis for some linear and nonlinear examples, and in , the authors focused on its verification aspect. There are many works on verification and analysis of hybrid automata now [4–7] studied the model checking of hybrid automata; [2, 3, 8] performed reachability analysis; [9, 10] studied probabilistic hybrid automata;  studied the hybrid automata with a domain-theoretic semantics. Moreover, there are many prior works on the case study of hybrid systems with automata. In , the safety properties of the automobile control system are studied. In , the hybrid automaton was used to analyze the circuit system. In , the authors focused on the sensor-driven hybrid automaton and gave a concrete example of goal network. In , an automated manufacturing system is studied. But to the best of our knowledge, no article studies the boom system formally in terms of hybrid automata.
In Section 2, we show the behaviors of the boom system in a formal way. In Section 3, we analyze a concrete case study for feasibility. We conclude in Section 4.
2. Modeling Stage Suspended Boom System
A stage suspended boom system is the system used to achieve a stunt. The contemporary boom system is composed of automatic electromechanical controllers and physical mechanisms, including PLCs, steeves, curtains, and electrical motors. We study this type of system in terms of interactions of steeves and PLCs.
A boom system performs a stunt by controllable steeves. The steeves are directly driven by electrical motors. We analyze the movement of the system by the movement of steeves. For example, we establish a 4-dimensional mathematical model describing the locus of each steeve, the first 3 dimensions express where the steeve is, and the last one specifies when it arrives there. Let , , and be the first three dimensions and the last one.
The whole movement of steeves is seen as a scene of a boom system. The controllable movement of each steeve is always adjusted and restricted manually or automatically by PLCs. In contemporary boom systems, manual control is only adopted to start a scene or stop it in an emergency. Once the automatic control is triggered, the PLCs manage the movement of steeves continuously unless an emergency occurs.
A stunt in a stage provides audience the astonishing effects; at the same time it also provides high risks for an actor/actress. Generally, the inertia and rotation are two main risks while steeves moving. In order to prevent these phenomena, the steeves in a real boom system move slowly and smoothly to reduce inertia; meanwhile, several steel wires connect a steeve and its driver for a consistent movement.
For each steeve, it is a mechanical device that behaves under the laws of physics, dealing with quantities of displacement, velocity, and acceleration. The steeve reports its current condition through sensors, adjusts its movement by the reference of actuators, and thus shows a controllable (piecewise) continuous time-variant property. We analyze its behavior by those physics laws.
We express the movement of a boom system with the velocity of steeves. To keep the movement slowly and smoothly, the acceleration is really low and close to 0; then in most cases, the velocity is a constant. In addition, the motors in the stage suspended system are commonly constant speed electric ones or the variable-frequency direct-current ones, which makes the control easy and effective. So this type of control belongs to linear ones.
Let us show the movement of a steeve. Each steeve of a stage is driven by the electro-motors. Each motor drives a steeve to move forward or backward, left or right, or up or down in terms of a control signal. So the movement of a steeve is a combination of drives of motors. We use the vector and matrix to express the following analysis formally. Let us consider -coordinates of a 3-dimension stage; be a velocity of the steeve indexed by , a control, , , and time differential, for example, velocities; , , and controls; then and . So the movement of the whole boom system, , is . Let be a control matrix, for example, The movement of boom system could be reexpressed as the following: Equation (3) shows that the movement of a boom system is depending on the velocity of each motor, for example, velocities in every direction and a control matrix.
We call the movement of boom system under a concrete control matrix an activity, whose number is finite because of the finite number of signals.
The steeves and the PLCs communicate and cooperate to implement a live performance, for example, a scene.
A scene shows the configuration of activities of a boom system in terms of controls from PLCs. Each control is a matrix of concrete control signals, for example, a concrete control value for its movement in a special direction. Let be the valuation of a control matrix to a control value matrix. A scene formally defines a sequence of valuations, , that . We call scene related controls.
PLCs implement a scene by configuring activities, which construct a hybrid system essentially. For example, the continuous behavior is determined by the steeves, while the discrete one by relation among their movement. The implementation of the scene is complex owing to the nondeterministics of the movement. Steeves driven by motors may not always move functionally, so the PLC owns a mechanism of exceptions.
There are two types of nondeterministics: timeout and inconsistency. The timeout indicates that the movement has to finish in a max time duration or the system suspends. The inconsistency involves two phenomena: the inconsistency of the steeve movement in different directions (the motors of a steeve do not cooperate well) or the inconsistency among the moving steeves (the steeves do not cooperate well). All of them have to be treated safely. Let us adjust our scene analysis in terms of these nondeterministics.
Let next be a function of getting a next control value matrix with current value. Then for a current control value matrix , the next may involve three types of matrix: one for the scene requirement, one for the timeout fault, and one(s) for the inconsistent movement.
The inconsistency involves source control value matrices, destination matrix, and inconsistent matrix. Let be different controls; for example, not all control signals of motors are the same, that . We say is processably inconsistent whenever . Then if processable inconsistence holds, and then direction of the movement does not change.
Now we can show next control valuation matrix by the scene relation and the processable inconsistency relation. Let with the following. (i) is scene related; (ii) there exists a valuation matrix, , that is processably inconsistent, and is scene related; (iii) there exist two activities, and (), that is scene related and and are processably inconsistent; or (iv) is a suspend control; for example, all control values are 0.
2.3. Hybrid Automaton Model
There are several types of definitions for hybrid automata [2–4], all of which construct a position (control model) graph with the events of jump transitions. A hybrid automaton is a sextuple of positions, real-valued variables, event labels, transitions, activities, and invariants. We study the formal model by (forward) reachability analysis; for example, let , , and be a time elapsing, location and variable, and the activity is denoted by . We can verify a hybrid system by the forward analysis of reachability analysis. We compute “time can progress” of max time duration that elapsed in the position by , if for all that . Then we compute forward time closure of the valuation set of -position and a special valuation set by , which means , if and only if . And then we compute postcondition of a set of valuations generated through transitions by , which means if and only if . So finally we compute the set of reachable states by the fixpoint of the following equation: with being a set of initial states.
The (piecewise) continuous movement (see Section 2.1) builds the part of (piecewise) continuous behavior of a boom system. In contrast, periodically and discretely, the PLC implements a scene of live performance, by monitoring the continuous behavior (by sensors), generating decisions (by logic reasoning and data processing programs), and then writes the compatible controls into the actuators, instantaneously. The control may change the system movement by adding the boom system discrete behaviors (see Section 2.2). In short, the interacted (piecewise) continuity and discreteness of this system present a hybrid behavior, indeed.
It is very convenient to translate the analysis in previous subsections into a hybrid automaton. The variables include all movement variables, signal variables, and other special ones; the locations, as well as activities contained in the location, are corresponding to the activities of system movement directly; the edges between the activities are described by the next function; the invariant of each location involves the max time allowed for every activity, which is concluded from scene. We will show the hybrid automaton in the following case study.
3. A Case Study
For this specific boom system, each steeve is driven by two constant speed electric motors located in vertical and horizontal directions. A moving steeve could be stopped at any position if a stop button is pushed for some security reasons; moreover, after the operator pushes the start button, each steeve moves automatically under the control of the PLCs. The PLCs are used as intelligent controllers. The electric motor rotates in a constant speed to keep the steeve moving placidly. The transducers fixed on motors will send 256 pulses per motor rotation cycle, and the steeve will move 16cm. The PLCs memorize and calculate the number of pulses to control the electric motor. Moreover, the direction of motor rotation can be adjusted to move down (or left) or to up (or right) by the PLC signals.
We study an interesting scene, for example, a stunt that actor/actress riding a bicycle to climb “hill”, the bicycle is hung on a steeve in a coordination. Initially, the bicycle locates at the position, then the bicycle, as well as the actor, begins to climbing a hill, for example, moves slowly to position , and then of the top of the hill. Then the bicycle moves from one peak to another horizontally. And then moves down the hill and arrives at foot . Finally, moves to the initial position and begins to another cycle.
We consider the following problems. (i) Does the state suspended boom system perform safely? (ii) Does the state suspended boom system perform correctly?
3.1. Hybrid Automata
We have two button-related variables: start and stop for start and stop stunt manually. The scene of this case study involves one steeve and one PLC and plays a 2D movement. So we get two movement related variables: and for -axis and -axis. The PLC samples the movement indirectly; it records and calculates the pulse number of each angular transducer of motors. Then two special variables are necessary, let be pulse counter for -axis moving, and for the other. Moreover, we use another variable for local timer, for example, let record the elapsed time of a position (or control model). Then the variable set is , and controlled variable set .
Let and be constants for velocities of the steeve in and directions separately. Only one steeve be used in this scene; the movement is expressed by velocities and rates of pulse; so by the way introduced in Section 2, we get and .
According to the specification, the control () makes a steeve moving left or right (up or down); so we set its value as for moving left, stopping moving, and right (similar to ). Then we get the nine activities in Table 1 with (3).
The scene defines a sequence of controls: , , , , , and . We extend this control sequence by consistency and timeout analysis; let us take a scene relation as an example,
So when the steeve is moving up-right, it may suspend for timeout, or its horizontal/vertical movement finishes but the vertical/horizontal not (see the shadow in Figure 1). In this figure, the -position movement finishes in time point; the -direction displacement of any (red) line in the shadow is necessary for the consistency. After calculating all the next control valuation matrixes, we get the connected graph in Figure 2 without formulas.
PLC cannot add more movement of boom system but only can organize some activities to form a scene; so as we talked in Section 2.3, we can build the hybrid automaton according to the patterns of movement, for example, We write as up-right for short; others are similar. The of a location is the same as the corresponding activity previously.
The PLC reads transducer sensors to adjust movement of a steeve to implement the stunt, the rate of pulse of a sensor is the same as the velocity of a steeve, and it is convenient to show the invariant and edges by pulse counter and . Let us define hypothesis to make the following expression simple. Let and be two pulse constants with and ; let returns the integer portion of a number and be a function of getting the remainder produced by being divided into two integers. We define the following assertions: where and are two assertions for the steeve suspending and moving automatically, and for moving horizontally and vertically, and for sleeping on horizontal or vertical directions, and the last one for the max time duration of a movement. Then the of each location will be
We get from the function, which defines the transition among control valuation matrixes. According to the definition of , we know the next location of up-right will be , , and as seen in Table 1. Let us show an example of the transition from to . In each cycle, the moving distance on -axis is that the direction of the displacement changes once increasing and so is the movement along the -axis. The to transition happens to recover the moving error when the up-right movement of scene performs; for example, if the movement on -axis finishes before the one on -axis, the bicycle moves up-right, then up, and finally up-left; then the condition of the jump shows the finish of the first -axis movement, for example, the distance. So we get the following formulae: Then the transition expression is in which is an event label.
Step by step, we construct a hybrid automaton in Figure 2 (each position is indexed by an integer number for utility).
3.2. Reachability Analysis
We can prove some interesting properties by reachability analysis of the hybrid automaton in Figure 2. Let us use the forward analysis method in Section 2.3 to compute reachable state set from initial states.
The initial states illustrate that the steeve starts moving up-right from the coordination ; meanwhile, the elapsed time begins to be recorded. Let be an integer over indexes of positions; we express the initial states as a formula :
According to (5), the reachable states are characterized by the least fixpoint of the following nine equations:
By the initial states, and , we can calculate the fixpoint of (12) iteratively, for example, let be the times iterated; we calculate the first equation by ; then we get with being the number of cycles of movement, , , and so are the others.
The safety properties can be studied in terms of the reachable states. We list properties as the lemmas bellow.
Lemma 1. After a scene begins to perform, the movement of the boom system will be in a safe area, for example, a rectangle of :
Lemma 2. In each activity, if duration of the activity is longer than , the movement will stop, for example.
These two security properties are direct from the reachable states.
Lemma 3. The behavior of the system conforms to the specification of the scene.
Proof. This lemma requires that the movement of steeves follows the scene specification; for example, implementation of the bicycle climbing the hill-zigzag traces appears once duration resetting transition () is triggered. For example, if the steeve arrives at the position (the PLC controller only knows this from with being the number of cycles of movement), a zigzag appears, for example, The formula implies that , , , , and hold. Then we can check that the set of states characterized by the formulas after is a subset of states defined by . The formal specifications and proofs of other zigzag trace, are similar. So we know that the hybrid system of the boom system holds the specification of the scene, and then lemma 3 is proved.
Lemma 4. The boom system recovers its fault movement by itself.
Proof. Let us take the zigzag trace for example, if the time duration of the up-right movement is less than and the -direction movement finishes but -direction movement not, then -direction movement stops and waits for the -direction movement, for example, The proof can be directly reasoned from the formulas of reachable states. Similarly, we can verify other fault-recovering requirements by their characterization of the reachable states.
In this paper, we adopted hybrid automaton as the model of the boom system, and then used the forward method to analyze its reachability problem. Some important properties were verified in terms of the reachable states. An interesting case study of scene of bicycle climbing hill was shown to prove the feasibility of our study.
In future, we will adopt tools of hybrid automata to make the analysis and verification (possibly) automatically. After many case studies, we regard there could be a framework of modeling and verifying this type of system; so we will study more cases to find their characteristics, and then propose a practice framework (which may not only be solvable by hybrid automata).
This work is partly supported by Grants (HCIC201110) of Guangxi HCIC lab Open Fund, the Fundamental Research Funds for the Central Universities of Lanzhou University, no. 860772, and NSF of China no. 60973147, the Doctoral Fund of Ministry of Education of China under Grant no. 20090009110006 the NSF of Guangxi no. 2011GXNSFA018154, the Science and Technology Foundation of Guangxi no. 10169-1, and Guangxi Scientific Research Project No.201012MS274.
M. McCann, “Stunt injuries and fatalities increasing, Tech. Rep.,” http://www.uic.edu/sph/glakes/harts1/HARTS_library/stunts.txt.View at: Google Scholar
R. Alur, C. Courcoubetis, N. Halbwachs et al., “The algorithmic analysis of hybrid systems,” Theoretical Computer Science, vol. 138, no. 1, pp. 3–34, 1995.View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. A. Henzinger, P.-H. Ho, and H. Wong-Toi, “Algorithmic analysis of nonlinear hybrid systems,” IEEE Transactions on Automatic Control, vol. 43, no. 4, pp. 540–554, 1998.View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. A. Henzinger, “The theory of hybrid automata,” Tech. Rep. UCB/ERL M96/28, EECS Department, University of California, Berkeley, Calif, USA, 1996.View at: Google Scholar
C. S. F. Balduzzi and A. Giua, “Modelling automated manufacturing systems with hybrid automata,” in Proceedings of the Workshop on Formal Methods and Manufacturing, vol. 138, pp. 33–48, Zaragoza, Spain, 1999.View at: Google Scholar
R. Gentilini, K. Schneider, and B. Mishra, “Successive abstractions of hybrid automata for monotonic CTL model checking,” in Proceedings of the International Symposium on Logical Foundations of Computer Science (LFCS '07), pp. 224–240, June 2007.View at: Google Scholar
A. Podelski and S. Wagner, “Model checking of hybrid systems: from reachability towards stability,” in Hybrid Systems: Computation and Control, vol. 3927 of Lecture Notes in Computer Sciences, pp. 507–521, Springer, Berlin, Germany, 2006.View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, “What's decidable about hybrid automata?” Journal of Computer and System Sciences, vol. 57, no. 1, pp. 94–124, 1998.View at: Google Scholar
B. C. Williams, M. M. Henry, and M. M. Henry, Model-Based Estimation of Proba- Bilistic Hybrid Automata, 2002.
J. M. B. Braman and R. M. Murray, “Probabilistic safety analysis of sensor-driven hybrid automata,” in Hybrid Systems: Computation and Control, 2008.View at: Google Scholar
A. Edalat and D. Pattinson, “Denotational semantics of hybrid automata,” in Proceedings of the Foundations of software science and computation structures (FoSSaCS '06), vol. 3921, pp. 231–245, Springer, 2006.View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
O. Msller and T. Stauner, “Modelling and verification using linear hybrid automata-a case study,” Mathematical Modelling of Systems, vol. 1, no. 1, 111 pages, 1996.View at: Google Scholar