This paper describes a method for model-based development of software for programmable logic controllers (PLC). The method includes modeling of a control algorithm, verifying the algorithm with respect to the requirements, and automatically generating the code in one of the IEC 61131 languages. The modeling language is UML state machine diagram, and the verification tool is UPPAAL model-checking toolbox. The method has good scalability with respect to the number of the modeled objects and the ability to cope with integer values by means of variables and function blocks.
INTRODUCTION
This paper describes a method for model-based development of software for programmable logic controllers -PLC. The method includes modeling of a control algorithm, verifying the algorithm, and automatically generating the code for a PLC.
The development cycle is shown in Figure 1 . The modeling language is UML state machine diagram (OMG, 2005) , which has been widely accepted as a means for specifying the controller at a suitable high level of abstraction. The verification tool is the UPPAAL model-checker (Behrmann et al, 2004) . When the verification has been finished, the implementation code can be generated automatically in one of the IEC 61131 languages (IEC, 1993) . A formal semantics for a UML state machine is given by a translatable finite state time machine -FSTM (Sacha, 2007 (Sacha, , 2008 . Modeling a controller in UML, modeling the environment in UPPAAL, and formulating safety requirements in a formal language of CTL formulae are done manually. The tasks of converting the model from UML to UPPAAL and to FSTM, verifying the model, and generating the program code are done automatically.
The unique features of the method described in this paper are the use of UML state machine as a problem modeling tool, and the ability to verify time dependent behavior of the controller. Widely accepted models of timed automata (Alur, Dill, 1996) and timed I/O automata (Kaynar et al, 2006) are used mainly for modeling and verification of time-dependent behavior of state systems. Still another models of time triggered automata (Krcal et al, 2004) and PLC-automata (Dierks, 1997) are used for code generation only.
The paper is organized as follows. Section 2 gives an overview of PLC controller and finite state time machine. Section 3 defines the semantics of UML state machine in FSTM. Section 4 presents a conversion algorithm from FSTM to UPPAAL and explains the verification process. The conversion of finite state time machine into a program code is described in Section 5. A discussion of the results and plans for future work are given in Conclusions.
The controller counts time using timers. A timer can be activated in a given a set of states. An active timer counts time and expires when it has continued to be active for a predefined period of time. An expired timer is perceived by the controller similarly as an input signal. The execution of a controller can be described in a pseudo-code, which creates a reference model for PLC execution: The semantics of a PLC program is defined by a finite state time machine (Sacha, 2007) , which is a 
is the domain of a function δ, card(X) is the cardinality of a set X, and φ is an empty set. 
The machine executes in a state ( s k , ŧ k ) by taking an input symbol a k and moving to the next state s k+1 defined by the transition function:
where k= 0,1,..... The state space of a PLC as well as of an FSTM can be defined by enumerating all of the elements, eg. S = { s 1 , s 2 ,..., s n }. An alternative way is to allow for using variables and to define the state space as a Cartesian product of a set of enumerated elements and a set of all possible valuations of those variables. This is only a shorthand notation, which does not add any new semantics to the model, and therefore it is not shown in the formal definition.
In the rest of this paper, we will adopt a naming convention of UPPAAL (Behrmann et al, 2004 ) and refer to the enumerated elements of state as locations. Locations will be shown in graphical models explicitly, as the nodes of a graph, while variables will be referred to by guard expressions and will be assigned values within actions of transitions.
UML STATE MACHINE
UML state machine diagram is a graph composed of nodes, which are locations, and edges, which are labeled transitions. A transition can be triggered by a signal received from the outside. A transition which is triggered can fire, if the corresponding guard expression over a set of variables evaluates to true. Firing of a transition can move the machine to a new location, change the values of variables and send a signal. This way, the state space of a UML state machine is a Cartesian product of the set of locations and the set of all possible valuations of variables.
UML allows for nesting of locations. However, a hierarchy of locations can always be flattened. A formal model and an algorithm for flattening the hierarchy were described in detail in (Sacha, 2007) an will not be discussed in the rest of this paper.
Relating this model to a PLC, one can note that a received signal corresponds to a combination of the input signals of the PLC, and a sent signal corresponds to a combination of the output signals.
States of an UML state machine and transitions between states correspond to states of a PLC and to the next-state function defined by a program code.
A conversion algorithm of a UML state machine into a FSTM can be described as follows.
S equals to the Cartesian product of the set of all locations of the UML state machine and the valuations of variables used in guard expressions.
Σ equals to the set of external signals, which trigger transitions in the UML state machine; a signal is a combination of all the input signals of the PLC.
Γ is a set of timer symbols t 1 ,...,t n ; there is one timer symbol t i for each timed transition (i.e. transition with an after clause) in the UML state machine, τ is the timer function, which assigns to each timer symbol t i created for a timed transition T a pair composed of a source state of this transition and the value of the after clause of this transition. Figure 2 . The locations within the graph correspond to states of the crossing with respect to train positions. The transitions bear labels of the type event / action, where event corresponds to a condition on the input signals or timers, and action corresponds to setting the values of variables. 
VERIFICATION
UPPAAL is a toolbox for modeling and verification of real time systems, based on the theory of timed automata. The core part of the toolbox is a modelchecking engine, which enables for verification of properties defined as CTL path formulae.
A timed automaton (Alur, Dill, 1996) , as used in UPPAAL, is a finite state machine extended with clock variables that evaluate to positive real numbers and state variables that evaluate to discrete values. State variables are part of the state. All the clock variables progress simultaneously. An automaton may fire a transition in response to an action, which can be thought of as an input symbol, or to a time action related to the expiration of a clock condition. A clock variable can be reset to zero at a transition.
A set of timed automata can be composed into a network over a common sets of clocks, variables and actions. This way a cooperation between a controller and a controlled plant can be modeled.
The use of a dense-time model-checker to verify a discrete-time model may look as an overkill. But in fact it is not, because the environment of the controller works in real-time and must be modeled using a dense-time method.
A conversion algorithm of FSTM into UPPAAL is described in (Sacha, 2008) .
Verification. UPPAAL can verify the model with respect to the requirements, expressed formally as CTL formulae. To do this, UPPAAL model-checker evaluates path formulae over the reachability graph of a network of timed automata.
The query language consists of state formulae and path formulae. A state formula is an expression that can be evaluated for a particular state in order to check a property (e.g. a deadlock). Path formulae quantify over paths of execution and ask whether a given state formula ϕ can be satisfied in any or all the states along any or all the paths.
Path formulae can be classified into three types:
• Reachability properties: E<>ϕ. (will ϕ be satisfied in a state of a path?)
• • Liveness properties: A<>ϕ and ψ -->ϕ. (will ϕ eventually be satisfied? will ϕ respond to ψ?)
Example. Consider again the railroad crossing described in Section 3. A train cannot be stopped instantly. When a train is detected by a train position sensor, a controller has 30 seconds to close the gate and display a green signal, which allows the train to continue its course. After these 30 seconds, it takes further 20 seconds to reach the crossing. Otherwise, if the green signal is not displayed within these 30 seconds, the train must break in order to stop safely before the crossing. Closing the gate must last less than 20 seconds, or else an alarm must sound. The gate can be opened when the position sensor has sent a leave signal after the last train has left the crossing. The environment of the controller consists of a number of trains and a gate. Each of these elements can be modeled in UPPAAL and synchronized with the controller within a network of timed automata.
The template of a train is shown in Figure 3 . Actions, which names bear the suffix '?', act like input symbols that enable the associated transitions. Actions, which names bear the suffix '!', act like output symbols that are passed to other automata in order to trigger the respective input symbols. This way the execution of one automaton can control the execution of a other automata. Figure 3: UPPAAL model of a train.
MODEL-BASED DESIGN OF CODE FOR PLC CONTROLLERS
Time invariant t≤30 of state Approaches forces a transition after 30 seconds have passed since the train has entered the state. This models the necessity of breaking the train if green has not been displayed in time. Time condition t>20 at the transition from On crossing to Faraway reflects the minimum time of passing the crossing by a fast train. Time invariant t≤40 of the state On crossing reflects the maximum time of passing by a slow train.
The template is parameterized with the train identifier id. A set of n trains, e.g. four, can be generated using the values of id = 0 through 3.
A model of the gate is shown in The liveness properties can check consequences of an event, e.g.:
• train1.Approaches --> train1.On crossing: This ensures that whenever train 1 approaches the crossing, it will eventually pass it.
In our example the liveness condition is not satisfied: Assume that the train 2 approaches when train 1 is just leaving. The controller does not react to approach in state Leaving, hence, the transition to Outside appears without displaying green signal for train 2. The train will stop and can never reach the crossing.
The corrected finite state time machine model of the controller is shown in Figure 5 . 
CODE GENERATION
The semantics of a PLC program is defined within the reference model by the semantics of its programming language (IEC, 1993) The program for PLC is a ladder diagram (IEC, 1993) consisting of a sequence of lines, each of which describes a Boolean expression to set or reset a flip-flop or an output signal, to activate a timer, or to call a function block to operate a variable, according to the values of input signals, states of flip-flops, variables and timers. The expressions reflect the coding of locations and implement the functions active_timers, next_state and count_output described in Section 2. An example is shown in Figure 6 , which presents the transitions from Entering to Alarm and from Entering to Inside (Figure 5 ). M11 and M13 are auxiliary flip-flops, which mirror the main flip-flops M1 and M3, in order to assure atomicity of the transitions. 
CONCLUSIONS
A method is described for the specification, verification and automatic generation of code for PLC controllers. The advantages of the method are intuitive modeling by means of a widely accepted UML state machine, and a potential for automatic verification and implementation of the model.
A tool which implements the steps of the method has been implemented and verified on small scale examples. The verification included experiments in a lab equipped with a few process models and a set of S7 PLC controllers from Siemens.
