A Scalable Approach for Re-Configuring Evolving Industrial Control Systems

Roopak Sinha  
Computer & Mathematical Sciences  
Auckland University of Technology  
New Zealand  
Email: roopak.sinha@aut.ac.nz

Kenneth Johnson  
Computer & Mathematical Sciences  
Auckland University of Technology  
New Zealand  
Email: kenneth.johnson@aut.ac.nz

Radu Calinescu  
Department of Computer Science  
University of York  
United Kingdom  
Email: radu.calinescu@york.ac.uk

Abstract—We present a scalable approach to automatically re-configure evolving IEC 61499 systems for deployment onto an available set of resources. We capture system architecture and high-level configuration requirements formally, and use an efficient SMT-based constraint resolution to generate a valid system configuration. Any changes in the system architecture, configuration requirements, or resources are automatically translated into a minimal set of updated constraints, allowing a faster reconfiguration as compared to a monolithic approach where the whole system is re-configured. We show the feasibility of our approach by studying an airport baggage handling system developed using the IEC 61499 standard.

I. INTRODUCTION

The IEC 61499 [1] standard allows designers to write complex distributed industrial control software as a network of reusable software components called function blocks. Some examples of systems developed using function blocks are airport baggage handling systems [2] (BHS), power grid systems [3], and factory automation systems [4]. Such complex function block systems are manually distributed over several hardware devices like programmable logic controllers (PLCs) [1] or cloud services [5], [6]. The manual step, called system configuration, can prove to be a bottleneck when the software architecture or device availability changes [7], [8].

Many function block systems must be downtimeless, or remain operational for extended periods of time with zero downtime [9], [10], [11]. We must handle changes in system architecture, configuration requirements, or device availability without halting operation. Several approaches have targeted this dynamic configuration problem. In [10], a framework to manage changes in communication protocols, architectural change and internal changes within individual components is proposed. This framework can check that key functional requirements are met after changes are applied but requires user-provided configurations. Likewise, other existing approaches deal only with functional requirements [12], [13] and/or require user-specified (re-)configurations [12], [14], [15].

We focus on two key questions of dynamic configuration:

- How can a function block system be automatically configured such that high-level configuration requirements are satisfied?
- How can a function block system automatically re-configure itself according to changes in system architecture, device availability, and configuration requirements?

Our solution is a framework that allows users to formally specify high-level configuration requirements, and an algorithm that identifies configurations that satisfy these requirements. The architecture re-configuration process presented in this paper is based on the incremental verification approaches described in [16], [17], [18]. The process is depicted in Fig. 1 and comprises four steps:

1. Algebraic model generation: The model synthesiser accepts as input a function block system and generates an algebraic model of its architecture.
2. Requirement specification: Configuration requirements are specified as quantifier-free first order formulae and accepted as input into the configuration engine.
3. Compositional resolution: The configuration engine performs compositional resolution and computes a satisfiable configuration for the system. The actions associated with this step are depicted by solid lines in Fig. 1.
4. Incremental re-resolution: When a change in the system’s architecture or requirements is detected, the notifier triggers an update to the algebraic model and associated first-order formulae. The configuration engine responds by carrying out incremental re-resolution whereby only the components affected by the change are re-configured. The actions associated with this step are depicted by dashed lines in Fig. 1.

The primary contributions of this paper are:

- a formal specification of the configuration problem for industrial control software as an SMT constraint problem,
- an application of the compositional SMT approach developed in [16] for configuring and an incremental re-configuring method for function block systems, and
- an evaluation of our solution involving the re-configuration of a realistic airport baggage handling (BHS) system.
A. Implementing the BHS using Function Blocks

The IEC 61499 standard is an architectural framework that specifies control software for distributed automation systems in terms of reusable modules called function blocks [19], [1]. Fig. 3a uses this framework to describe the top-level BHS system as a function block network that contains two function blocks, called ModelView and Mutex. ModelView contains all individual conveyor and photo-eye controllers and views to simulate the status of these components in the system, while Mutex implements mutual exclusion logic which guarantees that merging luggage from two or more conveyors can never overlap. Blocks like ModelView, Mutex, and Conveyors (contained inside ModelView) are called composite function blocks as they contain (finitely nested) networks of function blocks. Networks are designed by manually inter-connecting the event and variable inputs and outputs of constituent blocks. As our approach is not affected by the interconnections between the blocks of a network, we do not discuss this aspect in detail. Interested readers will find details in [1].

In addition to composite blocks, a function block network can contain basic and service-interface function blocks. Both basic and service-interface blocks are atomic blocks and cannot be further broken down. The behaviour of basic blocks is modelled by finite state machines called execution control charts, while service-interface blocks contain platform-specific implementations of system services like network connections and timers. For illustration purposes, we assume that blocks A - H shown in Fig. 3a are atomic blocks. In reality, the BHS system contains 281 function blocks.

B. Extracting the architecture of the BHS

Let \( \mathcal{FB} \) denote the set of all function blocks. We can identify a subset \( \{b_1, \ldots, b_c\} \subset \mathcal{FB} \) as the set of atomic (basic or service-interface) blocks. A composite function block \( \mathcal{CF} \in \mathcal{FB} \) is composed of other function blocks. Mathematically, we define a compositional operation \( \text{comp} : \mathcal{FB}^n \to \mathcal{FB} \) such that \( \mathcal{CF} \equiv \text{comp}(f_1, \ldots, f_m) \) means that \( \mathcal{CF} \) contains function blocks \( f_1, \ldots, f_m \). Repeated application of the \( \text{comp} \) operation on basic function blocks enable more complex function blocks to be specified. In this way, we express the top-level system of the the baggage-handling case study shown in Fig. 3a as

\[
\text{BHS} \equiv \text{comp}(\text{ModelView}, \text{Mutex})
\]  

where \( \text{ModelView} \equiv \text{comp}(\text{Conveyors}, \text{PhotoEyes}) \) and \( \text{Mutex} \equiv \text{comp}(\text{Mutex1}, \text{Mutex2}) \). Each composite function block ultimately contains atomic blocks labelled \( A \) to \( H \). Fig. 3b illustrates the hierarchical architecture of the BHS network expressed in (1). Nodes represent function blocks and edges denote compositional dependencies between nodes.

C. BHS Configuration Requirements

The IEC 61499 standard stipulates that the user must (manually) identify a BHS configuration which specifies a mapping of multiple copies of the basic function blocks \( A - H \) to computing resources residing in separate programmable-logic controllers (PLCs). PLCs are industrially-hardened computers with independent power supplies, networks and computing capacities and communications between function blocks executing on different PLCs are channelled via service-interface function blocks while intra-device or intra-resource communications use local mechanisms like pipes or shared memory.

We assume that \( \text{BHS} \) is to be distributed over PLCs numbered \( 1, \ldots, p \), where \( p \geq 2 \). Each PLC has a total of \( q_i \geq 2 \) resources for \( 1 \leq i \leq p \). Each resource can schedule and execute multiple function blocks. In accordance to standard practices in industrial system configuration to improving reliability, function blocks are copied and deployed multiple times across computing resources according to the following high-level requirements:

\begin{itemize}
  \item[R1] All function blocks have between 1 and 5 copies.
  \item[R2] B has at least 3 copies, all of which must be distributed over exactly two different PLCs.
\end{itemize}
R3 D is deployed over four PLC resources.
R4 C has exactly 1 copy.
R5 The basic blocks of Conveyors are identically deployed.
R6 All instances of Mutex2 are deployed on PLC 1.
R7 Each PLC 2 resource has a copy of Mutex1.

III. ALGEBRAIC MODELS OF FUNCTION BLOCKS

The first step of the incremental re-resolution approach uses the model synthesiser to generate an algebraic model from an input system specified in the IEC 61499 standard. The algebraic model is used for incremental (re)-resolution.

Definition 3.1 (Function Block Models): Let $Z$ be a set of variables. We define the model $Z_f \subseteq Z$ of function block $f \in FB$ by induction on the structure of function blocks.

Base case: $Z_b, b_i \in P(Z)$, for each basic block $b_i$ in $FB$ such that models are pairwise disjoint: $Z_b \cap Z_{b_j} = \emptyset$ for $i \neq j$.

Structural induction: $Z_{\text{comp}}(f_1, \ldots, f_m) = \bigcup_{i=1}^{m} Z_{f_i}$, for the composition operation $\text{comp}$ and blocks $f_1, \ldots, f_m$ in $FB$.

For example, we model the basic function block $A$ of the BHS case study introduced in Section II algebraically as the set

$$Z_A = \{ A_{\mathcal{z}_{11}}, \ldots, A_{\mathcal{z}_{q_1}}, \ldots, A_{\mathcal{z}_{p_1}}, \ldots, A_{\mathcal{z}_{q_p}} \}$$

of integer-typed variables $A_{\mathcal{z}_{ij}}$ such that the assignment $A_{\mathcal{z}_{ij}} = n$ of a value $n \in Z$ to the variable $A_{\mathcal{z}_{ij}}$ corresponds to the scenario where $n$ copies of block $A$ are deployed on the $i^{th}$ resource of the $j^{th}$ PLC.

By Definition 3.1, the model for each function block is the union of the function block models from which it is composed. For example, the function block Conveyors $\equiv \text{comp}(A, B)$ depicted in Fig. 3b is composed of two basic function blocks A and B and thus has the model $Z_{\text{Conveyors}} = Z_A \cup Z_B$.

IV. REQUIREMENT SPECIFICATION

The second step of our approach involves the specification of high-level configuration requirements of the system as quantifier-free first order formulae. The formulae are input to the configuration engine and subsequently solved as a constraint problem. Before describing this step in detail, it is useful to recall some basic results from universal algebra and formal logic. Interested readers may refer to the standard texts [20], [21] for a detailed discussion of these topics.

A. Quantifier-free first order formulae

We define a standard signature $\Sigma$ of the integers and Booleans consisting of the sort $\text{Integer}$, a constant 0 $: \text{Integer}$ and the operation symbols $+, -, \times, \div : \text{Integer} \times \text{Integer} \rightarrow \text{Integer}$ for addition and subtraction. We add the sort $\text{Bool}$ to $\Sigma$ and include the constant Boolean truth symbols $true, false : \text{Bool}$. The standard logical operation symbols $\land, \lor : \text{Bool} \times \text{Bool} \rightarrow \text{Bool}$ and $\neg : \text{Bool} \rightarrow \text{Bool}$ are also included in the signature $\Sigma$.

We define the set of quantifier-free first order formulae as follows. Let $Z$ be the set of integer-typed variables. The set of $\Sigma$-terms over $Z$ are defined inductively by the rules

$$ t ::= z \mid 0 \mid t_1 + t_2 \mid t_1 - t_2 \mid b_1 \land b_2 \mid b_1 \lor b_2 \mid \neg b_1 \quad (2) $$

where $z$ is an integer-typed variable and $t_1, t_2$ and $b_1, b_2$ are integer and Boolean-typed $\Sigma$-terms respectively. By adding relations $=:, \times, \longrightarrow : \text{Integer} \times \text{Integer} \rightarrow \text{Bool}$ and $> : \text{Integer} \times \text{Integer} \rightarrow \text{Bool}$ to the signature, we define the set $F$ of quantifier-free first order formulae over the signature $\Sigma$ inductively by the rules

$$ \alpha ::= t_1 = t_2 \mid t_1 > t_2 \mid \neg \alpha_1 \mid \alpha_1 \land \alpha_2 \mid \alpha_1 \lor \alpha_2 $$

where $t_1$ and $t_2$ are terms obtained from application of the rules specified by Equation (2) and $\alpha_1$ and $\alpha_2$ are quantifier-free first order formulae. When dealing with formulae arising in applications, we write $\alpha(z)$ to mean the formula $\alpha$ contains at least one instance of the variables in the tuple $z = (z_1, \ldots, z_p)$.

Let $[Z \rightarrow Z]$ denote the set of assignment functions mapping integer values to the variables in $Z$. Given an assignment $a : Z \rightarrow Z$ term evaluation $[\alpha(z)](a)$ works out the value of a logical formula by substituting the value $a(z)$ for each variable $z$ in the formula $\alpha(z)$. The satisfiability relation $\models$ over $Z$ is defined as $a \models \alpha(z) \iff [\alpha(z)](a) = t$. In this case, we say that $a$ is a satisfiable assignment of the formula $\alpha(z)$, where the satisfiability relationship $\models$ is defined inductively over the structure of the formula in $F$.

Configuration requirements are specified in terms of logical formulae expressed over variables in $Z$ used in Definition 3.1 to model function blocks within the system. Each function block $f$ in the system is associated with a formula in $F$ and contains variables from the function block model $Z_f \subseteq Z$. Formally, we define a requirement mapping $\phi : FB \rightarrow F$ which associates each function block $f \in FB$ (the system architecture) with a logical formula $\phi_f \in F$. This requirement mapping has the property $\text{var}(\phi_f) \subseteq Z_f$ meaning that the
variables appearing in logical formula formalising the requirements of \( f \) must be formed from variables within its function block model. When no requirements are needed for \( f \) we set \( \phi_f = \epsilon \), the empty formula which is trivially satisfiable by any variable assignment.

**B. Baggage-Handling System Requirements**

Suppose there are \( p \geq 2 \) PLCs available and that there are \( q_i \) resources available on the \( i \)th PLC. We translate the high-level requirements (R1) to (R7) for the airborne baggage-handling system described in Section II into logical formulae over integer-typed variables in the function block model of \( \text{BHS} \). The translation outputs a requirement mapping \( \phi^{\text{BHS}} : FB \rightarrow F \) which associates each function block comprising \( \text{BHS} \) with a logical formula:

**Requirement (R1)** specifies that each function block has between one and five copies, and a negative number of copies may not appear on any PLC. This requirement is expressed by the formula

\[
\alpha_A := \bigwedge_{i=1}^{p} \bigvee_{j=1}^{q_i} A z^i_j \geq 0 \land \bigwedge_{i=1}^{p} \sum_{j=1}^{q_i} A z^i_j \geq 1 \land \sum_{i=1}^{p} \sum_{j=1}^{q_i} A z^i_j \leq 5
\]

for function block \( A \). The requirements for each basic function blocks \( B \) to \( H \) have similar formulae \( \alpha_B \) to \( \alpha_H \).

**Requirement (R2)** specifies that the basic function block \( B \) has at least 3 copies distributed over two PLCs. This requirement is expressed by the formula

\[
\phi_B := \alpha_B \land \bigwedge_{i=1}^{p} \bigvee_{j=1}^{q_i} B z^i_j \geq 3 \land \bigwedge_{i=1}^{p} \sum_{j=1}^{q_i} n z(D z^i_j) = 2
\]

where \( nz(n) = 1 \) if \( n \neq 0 \) and 0 otherwise, for \( n \in \mathbb{Z} \).

**Requirement (R3)** specifies the basic function block \( D \) is deployed over 4 PLC resources. It is expressed as

\[
\phi_D := \alpha_D \land \bigwedge_{i=1}^{p} \sum_{j=1}^{q_i} n z(D z^i_j) = 4
\]

**Requirement (R4)** further constrains the basic function block \( C \) by stipulating exactly 1 copy is to be deployed. This requirement is expressed by the formula

\[
\phi_C := \alpha_C \land \sum_{i=1}^{p} \sum_{j=1}^{q_i} C z^i_j = 1
\]

**Requirement (R5)** states that the basic function blocks \( A \) and \( B \) must be deployed exactly 1 copy. This means that each PLC resource that hosts a copy of \( A \) must also host a copy of \( B \). We formalise this requirement as the formula

\[
\phi_{\text{Conveyors}} := \bigwedge_{i=1}^{p} \bigwedge_{j=1}^{q_i} (A z^i_j = B z^i_j).
\]

**Requirement (R6)** states that all copies of function block \( \text{Mutex2} \) are on PLC 1. As \( \text{Mutex2} \equiv \text{comp}(G, H) \), we partition the requirement into two formulae:

\[
\phi_G := \alpha_G \land \sum_{i=2}^{p} \sum_{j=1}^{q_i} G z^i_j = 0, \quad \phi_H := \alpha_H \land \sum_{i=2}^{p} \sum_{j=1}^{q_i} H z^i_j = 0
\]

**Requirement (R7)** specifies that each resource of PLC 2 must have a copy of \( \text{Mutex1} \). Since \( \text{Mutex1} \equiv \text{comp}(E, F) \), we partition the requirement into the following two formulae

\[
\phi_E := \alpha_E \land \bigwedge_{j=1}^{q_1} E z^1_j > 0 \quad \text{and} \quad \phi_F := \alpha_F \land \bigwedge_{j=1}^{q_1} F z^2_j > 0.
\]

As we have described above, high-level configuration requirements are specified as logical formulae. The formula constrain the \( \text{BHS} \) system, with each function block associated with a formula by the requirement mapping \( \phi^{\text{BHS}} : FB \rightarrow F \).

**V. Compositional Resolution**

Satisfiability modulo theories (SMTs) [22] represent a class of tools and techniques that determine the satisfiability of formulae expressed in a logical theory. An SMT decision procedure computes and returns an assignment of values to variables that satisfy the formula. For formulae over variables in \( Z \), we model an SMT decision procedure as a total function \( \text{smt} : F \rightarrow [Z \rightarrow Z] \) such that \( \text{smt}(\alpha) \models \alpha \) if \( \alpha(z) \) is satisfiable in \( Z \). Otherwise, the procedure reports \( \alpha(z) \) as unsatisfiable. We wish to apply the SMT decision procedure \( \text{smt} \) to determine compliance of a system \( f \) to the requirements specified by the requirement map \( \phi \). We formulate the SMT constraint problem comprising the logical conjunction of all formulae associated with the system function blocks according to \( \phi \). We make this mathematically precise in the following:

**Definition 5.1 (SMT constraint problem):** Let \( \phi : FB \rightarrow F \) be a requirement mapping and let \( f \) be a function block. We define the function \( \rho : FB \times [FB \rightarrow F] \rightarrow F \) over the inductive structure of function blocks:

**Base case:** If \( f \) is a basic function block then \( \rho(f, \phi) = \phi_f \).

**Structural Induction:** If \( f \equiv \text{comp}(f_1, \ldots, f_m) \) for \( f_1, \ldots, f_m \) in \( FB \) then \( \rho(f, \phi) = \phi_f \land (\text{comp} \circ \rho)(f_1, \phi) \).

From this definition, we formulate a mathematically precise notion of compliance, whereby a function block \( f \) is compliant with requirements \( \phi \) if, and only if,

\[
\text{smt}(\rho(f, \phi)) \models \rho(f, \phi).
\]

Since modern industrial automations such as the \( \text{BHS} \) from the case study comprise large numbers of components, the SMT constraint problem as defined in (3) is often very large, making efficient resolution of constraints difficult. To overcome this difficulty, we describe a divide-and-conquer approach to resolving constraints.

The compositional SMT approach to constraint resolution is based on the observation that a logical formula \( \alpha \in F \) may be syntactically decomposed into a sequence

\[
\pi(\alpha) = (\alpha_1, \ldots, \alpha_n)
\]

of independent formulae \( \alpha_i \) such that no two formulae in the sequence share common variables. In symbols,

\[
\text{var}(\alpha_i) \cap \text{var}(\alpha_j) = \emptyset, \quad i \neq j,
\]

for \( 1 \leq i, j \leq n \). The compositional approach \( \text{comp} : \text{Seq} \rightarrow [Z \rightarrow Z] \) is defined by the equation

\[
\text{comp}(\pi(\alpha)) = \text{smt}(\alpha_1) \oplus \cdots \oplus \text{smt}(\alpha_n)
\]

for the sequence \( \pi(\alpha) \in \text{Seq} \) where the operation \( \oplus \) combines assignment functions obtained from resolving smaller constraint satisfiability problems rather than solving the equivalent and potentially huge monolithic constraint problem (3) (cf. Theorem 4.1 [16]).
TABLE I: Single-step resolution of basic blocks A and B.

<table>
<thead>
<tr>
<th>Step</th>
<th>( z_1 )</th>
<th>( z_2 )</th>
<th>( z_3 )</th>
<th>( z_4 )</th>
<th>( z_5 )</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>1</td>
<td>0</td>
<td>0</td>
<td>1</td>
<td></td>
</tr>
<tr>
<td>2</td>
<td>0</td>
<td>1</td>
<td>0</td>
<td>0</td>
<td></td>
</tr>
</tbody>
</table>

a) Compositional SMT Analysis of BHS: We apply the compositional SMT approach to compute a valid configuration of the function block BHS for the baggage-handling system case study over two PLCs, each with two resources. Mathematically, each basic function block is modelled by a set of four variables from \( Z \), e.g. \( Z_A = \{z_{A1}, z_{A2}, z_{A3}, z_{A4} \} \) for the basic function block A. We construct the sequence from the requirement map \( \phi_{BHS} \) specified for the block BHS to obtain

\[
\pi = (\phi_{Conveyors} \land \phi_A \land \phi_B, \phi_C, \phi_D, \phi_E, \phi_F, \phi_G, \phi_H).
\]

(7)

We note that the formulae in (7) are pairwise disjoint and satisfy (5). In particular, the first element \( \phi_{Conveyors} \land \phi_A \land \phi_B \) of the sequence comprises formulae that are not pairwise independent e.g. \( \text{var}(\phi_{Conveyors}) \land \text{var}(\phi_A) \land \text{var}(\phi_B) \neq \emptyset \) and thus cannot be decomposed in any way such that (5) is satisfied. Computing \( \text{smt}(\phi_{Conveyors} \land \phi_A \land \phi_B) \) yields the assignment presented in Table I of integer values to function block model variables in \( \text{Z}_{\text{Conveyors}} \) satisfying \( \phi_{\text{Conveyors}} \land \phi_A \land \phi_B \). Similarly, the remaining basic function blocks C to H are resolved in a series of six SMT resolution steps. Table II lists the resolution results. The compositional approach (6) composes the results of each SMT analysis step in Tables I and II to obtain a system configuration of the function block BHS that is compliant to the high-level requirements (R1) - (R7).

VI. INCREMENTAL RE-RESOLUTION

While compositional analysis provides a speedup over a monolithic approach, it may still be unnecessary and infeasible to re-resolve every function block due system size and frequency of change. To address this limitation, an incremental re-resolution step re-resolves only affected function blocks after changes in the system architecture (addition/removal of components), and system requirements (addition/removal/update). We model change as a transformation \( (f, \phi) \rightarrow (f', \phi') \), transforming the function block \( f \) and its requirement map \( \phi \) to an updated function block \( f' \) and updated requirement map \( \phi' \). The transformation \( T \) of any function block \( g \) of \( f \) is a pair comprising \( g' \in FB \) and \( \tau : FB \rightarrow F \) and is carried out in the following steps:

1. Perform function block substitution \( f' = f[g/g'] \), substituting all instances of the function block \( g \) in \( f \) with the new function block \( g' \).
2. Perform requirement substitution \( \phi' = \phi[\tau] \), substituting a formula \( \phi(f_i) \) with a new formula \( \tau(f_i) \) for \( f_i \in \text{dom}(\tau) \).

Not all sub-blocks of block \( f \) must be re-resolved to ensure compliance after a transformation \( T \). In order to identify those SMT analysis steps in the sequence \( \pi \) of the form (4) that must be re-resolved, we define the characteristic set

\[
U = \bigcup_{\tau \in \text{dom}(\tau)} \text{var}(\tau(f))
\]

which specifies the set of variables whose formulae have been affected by \( \tau \) in transformation \( T \). The characteristic set \( U \) contains all variables that are altered (directly or indirectly) by a transformation \( T \) in the function block \( f \). We use \( U \) to identify the steps in the sequence \( \pi \) obtained from the compositional SMT analysis of \( f \) that have been modified by a change and thus require re-resolution. Each logical formulae \( \alpha \in \pi \) is checked according to the criteria

\[
\alpha \in \mu \iff \text{var}(\alpha) \cap U \neq \emptyset
\]

(9)

\[
\alpha \in \sigma \iff \text{var}(\alpha) \cap \emptyset
\]

(10)

partitioning \( \pi \) into two sequences \( \mu \) and \( \sigma \). If Criteria (9) is satisfied \( \alpha \in \mu \), forming the re-resolution sequence \( \mu \). Otherwise, the step remains unchanged and \( \alpha \in \sigma \). We define the incremental re-resolution approach as

\[
\text{comp}(\mu) \odot \alpha \equiv \rho(f', \tau')
\]

(10)

where the assignment \( \alpha : Z \rightarrow Z \) represents the satisfiable assignment of the logical formulae in the sequence \( \sigma \) obtained in previous SMT analysis steps and \( \text{comp}(\mu) \) carries out compositional SMT analysis on the re-resolution sequence \( \mu \) (cf. Theorem 4.2 [16]).

b) Basic Function Block Addition: We suppose that after composition resolution has been performed that a new basic block I is added to the composite block Conveyors in the baggage-handling system BHS. We assume at least four copies of I are to be deployed and Requirement (R5) requiring all basic blocks of Conveyors to be identically distributed must be maintained. We model this change as a transformation \( T \) involving the term substitution \( BHS = BHS[\text{comp}(A, B)/\text{comp}(A, B, I)] \) which updates the system architecture. The requirement map \( \phi_{BHS} = \phi_{BHS}[\tau_{add}] \) is updated, where \( \tau_{add} : \{I, \text{Conveyors}\} \rightarrow F \) is the requirement map such that

\[
\tau_{add}(I) = \bigwedge_{i=1}^{p} \bigwedge_{j=1}^{q_i} I_z^i_j \geq 0 \land \bigwedge_{i=1}^{p} \sum_{j=1}^{q_i} I_z^i_j \geq 4
\]

(11)

\[
\tau_{add}(\text{Conveyors}) = \phi_{\text{Conveyors}} \land \bigwedge_{i=1}^{p} \bigwedge_{j=1}^{q_i} (B_z^i_j = I_z^i_j)
\]

(12)

where \( p = 2 \), and \( q_1 = q_2 = 2 \) specify two PLCs each with two resources. The requirement map \( \tau_{add}(I) \) formalises the non-negative requirement and that at least four copies of I are to be deployed. The formula \( \phi_{\text{Conveyors}} \) is the original formula associated to \( \text{Conveyors} \) by the translation of Requirement (R5) and \( \tau_{add}(\text{Conveyors}) \) ensures the identical distribution of basic function blocks A, B and I.

c) Characteristic set of \( \tau_{add} \): We compute the characteristic set \( U_{add} \) of \( \tau_{add} \) containing new requirements (11) and (12) for function blocks I and Conveyors as \( U_{add} = \{A_1, A_2, A_3, A_4\} \cup \{B_1, B_2, B_3, B_4\} \cup \{I_1, I_2, I_3, I_4\} \), comprising variables from the models of A, B and I.

TABLE II: Six-step resolution of basic blocks C to H.

<table>
<thead>
<tr>
<th>Step</th>
<th>( z_1 )</th>
<th>( z_2 )</th>
<th>( z_3 )</th>
<th>( z_4 )</th>
<th>( z_5 )</th>
</tr>
</thead>
<tbody>
<tr>
<td>2</td>
<td>1</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td></td>
</tr>
<tr>
<td>3</td>
<td>D</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td></td>
</tr>
<tr>
<td>4</td>
<td>E</td>
<td>0</td>
<td>0</td>
<td>1</td>
<td></td>
</tr>
<tr>
<td>5</td>
<td>F</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td></td>
</tr>
<tr>
<td>6</td>
<td>G</td>
<td>1</td>
<td>0</td>
<td>0</td>
<td></td>
</tr>
<tr>
<td>7</td>
<td>H</td>
<td>1</td>
<td>0</td>
<td>0</td>
<td></td>
</tr>
</tbody>
</table>
TABLE III: Re-resolution of function blocks A, B and I.

<table>
<thead>
<tr>
<th>Step</th>
<th>z₁</th>
<th>z₂</th>
<th>z₃</th>
<th>z₄</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>A</td>
<td>0</td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td></td>
<td>B</td>
<td>0</td>
<td>1</td>
<td>0</td>
</tr>
<tr>
<td></td>
<td>I</td>
<td>0</td>
<td>1</td>
<td>0</td>
</tr>
</tbody>
</table>

**d) Re-resolution of BHS:** Applying Criteria (9) to the compositional SMT sequence (7) of block BHS and the characteristic set \( U_{add} \), we define

\[
\mu = (\phi_{Conveyors} \land \phi_A \land \phi_B \land \phi_I)
\]

\[
\sigma = (\phi_C, \phi_D, \phi_E, \phi_F, \phi_G, \phi_H)
\]

and compositional SMT analysis on the subsequence \( \mu \) yields the satisfiable solution \( \text{comp}(\mu) \) presented in Table III.

By the incremental re-resolution approach (10) we have \( \text{comp}(\mu) \oplus a \models \rho(\text{BHS}, \phi_{\text{BHS}}) \), where \( a \) is the assignment presented in Table II from previous resolution steps.

c) Requirement update of function block C: For the BHS case study, we suppose that a change in function block C's requirement specifies a total of four copies to be distributed across PLCs instead of one. We model this change by the transformation \( T \) comprising \( \tau_{update}(C) = \alpha_C \land \bigwedge_{i=1}^{p} \sum_{i=1}^{m_{i}} C_{z_i}^2 = 4 \), where \( p = 2 \) and \( q_1 = q_2 = 2 \) and \( \alpha_C \) is the formula obtained in the translation of Requirement (R1). Requirement substitution yields a new requirement map \( \phi'_{\text{BHS}} = \phi_{\text{BHS}}[\tau_{update}] \).

Since \( T \) does not change the architecture of BHS', term substitution is unnecessary. We compute the characteristic set as \( U_{update} = \{ C_{z_1}^2, C_{z_2}^2, C_{z_3}^2, C_{z_4}^2 \} \).

Applying incremental re-resolution, we obtain the sequence \( \mu = (\phi'_{\text{C}}) \) and \( \text{comp}(\mu) \) yields the satisfiable assignment shown in Tab. IV. Since no other steps are necessary, we conclude \( \text{comp}(\mu) \oplus a' \models \rho(\text{BHS}, \phi'_{\text{BHS}}) \), where \( a' \) is the satisfiable assignment obtained in the previous re-resolution step in Ex. VI-0d.

f) Function block removal: Removing function blocks updates the system architecture but no re-resolution is required. Consider the change scenario in which the basic function block H is removed from BHS. This scenario is a transformation involving term substitution whereby BHS' \( \equiv \text{BHS}[\text{Mutex2}/\text{G}] \).

Since no new requirements are added, we specify \( \tau_{remove} : \emptyset \rightarrow F \), which leaves the requirement map \( \phi'_{\text{BHS}} \) unchanged. The characteristic set \( U_{remove} = \emptyset \) and no resolution satisfies Criteria (9) and \( \mu = (\cdot) \).

VII. IMPLEMENTATION AND SCALABILITY EXPERIMENTS

To demonstrate the scalability of the incremental re-configuration approach described in this paper, we adapted the prototype tool implemented in [16]. The core component of the tool is the Z3Engine that realises the workflow presented in Figure 1 and carries out the compositional configuration and incremental re-configuration steps using the Z3 SMT tool. The model synthesis step generates models specified by the Z3Model class, adapted to suit the algebraic model (Def. 3.1) of the baggage-handling system BHS. The requirements-to-formula translation step was implemented by the Requirement class that automatically translates high-level system configuration requirements into logical formulae expressed in terms of the Z3 assertion language.

The Z3Engine features the following methods for configuration and re-configuration of industrial systems:

monolithicSolve() computes a satisfiable configuration monolithically (3), compositionalSolve() computes a satisfiable configuration compositionally (6), and incrementalSolve() computes a re-configuration satisfying updated requirements (10). To compare the performance of the proposed approaches we carried out a range of experiments on a 2.3 GHz Intel Core i7 MacBook Pro computer with 16GB of memory.

We created larger BHS systems by adding conveyors and photo-eye controllers and some mutual exclusion logic. This functionality added 25 blocks to the system including atomic and composite blocks (at the same level as blocks Conveyors and Mutex1 in Fig. 3b). We used this step-size of 25 to create 20 variants of BHS, with the largest system containing 781 function blocks. We kept the number of PLCs to be constant at 5 for all the BHS variants, with each PLC assumed to contain 4 resources. The algebraic model of the smallest system containing 281 blocks had 5620 variables (281×5 PLCs×4 resources per PLC) while the largest system containing 781 function blocks had a model with 15620 variables. Each newly added atomic block was constrained to have 1-5 copies. A quarter of the composite blocks added at the level of Conveyors or Mutex1 in Fig. 3b were constrained to have identical deployment for their constituent blocks. Only one block at the level of ModelView in Fig. 3b was required to have identical deployment for all of its children blocks.

The performance of both the monolithic and compositional SMT methods to configure the BHS variants is presented in Fig. 4. On average, the compositional approach was 9.347 times faster than the monolithic approach, with the gap between the two approaches steadily increasing with larger system sizes. This clearly shows that the compositional approach was able to configure systems in a much more scalable manner.

<table>
<thead>
<tr>
<th>Step</th>
<th>z₁</th>
<th>z₂</th>
<th>z₃</th>
<th>z₄</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>C</td>
<td>1</td>
<td>1</td>
<td>0</td>
</tr>
</tbody>
</table>

TABLE IV: Re-resolution of C.

Fig. 4: Experiment results comparing monolithic and compositional configuration approaches

Next, we used incremental re-resolution and compositional resolution to re-configure all BHS variants in response to three kinds of changes. Fig. 5a shows that the incremental approach provided an average speedup of 1.12 seconds over the compositional approach when a single basic block was added to the system. Fig. 5b presents the results of an experiment in which a composite function block with two basic function blocks is
added whose requirements constrain each of its basic function blocks. The speedup obtained by the incremental approach over the compositional approach was 1.10 seconds. Finally, Figure 5c presents the results of an experiment in which the constraints of a basic function block are updated in accordance to changing system requirements. We observed an average speedup of 1.09 seconds when the incremental approach was used, as compared to the compositional approach. For function block removals, the incremental approach requires zero time while the compositional approach takes between 2 and 20 seconds. In a real-world scenario, a system may undergo many basic and composite block additions and removals, and thus the average speedup of incremental re-configuration would be much larger.

In summary, both the incremental and compositional approaches provide significant speedup over monolithic and manual reconfiguration. This enables automatic reconfiguration for a wider range of systems - those for which the range of response times exhibited by our approaches is acceptable. The performance of our approach will depend on how decomposable the (re)configuration requirements are. This provides yet another reason why building complex monolithic systems tends to be poor engineering practice.

VIII. CONCLUDING REMARKS

We present an approach that synthesises configurations that comply with the requirements of evolving control systems. These requirements can be expressed as SMT constraints. We described a compositional approach which improved the ability to determine re-configuration of function blocks affected by change. We applied our approach to a real-world airport baggage handling system whose configuration requirements were specified in terms of logical formulae to form a constraint satisfiability problem. Our experiments showed that the incremental approach performed consistently better than compositional SMT analysis in response to slight changes in the system. We extend the incremental framework of [16], to create new algebraic models for function blocks and used the Z3 SMT solver to determine valid configurations.

There are several directions in which we plan to extend our work. The framework we have implemented can be extended to a software tool which enables our approach to be used in existing frameworks for industrial automation and control. An important step in this process is the development of a domain-specific language to express requirements to be automatically translated into an SMT constraint problem. We also plan to extend the theoretical foundations of our approach to include the use of temporal logics to specify requirements for IEC 61499 systems to be verified during runtime.

REFERENCES


