Abstract: This paper proposes a work flow for the model-based design of industrial logic controllers implemented in Sequential Function Charts (SFC). The design procedure starts from informal natural-language requirements that are formalized in an iterative refinement process. The results of this tool-supported process are (1) a formal specification of the logic controller, (2) a documentation of the design decisions, and (3) the logic controller as SFC. The SFC controller can either be directly implemented or connected with a plant model to generate a model of the controlled system. To this end, the plant model as well as the model of the logic controller are transformed algorithmically to the Compositional Interchange Format for Hybrid Systems (CIF) which is connected to a variety of modeling formalisms for e.g. simulation, testing, verification, and the design of continuous controllers.
INTRODUCTION
Dependable control solutions are indispensable to prevent damage to the equipment and operators as well as to assure product quality and profitability. Due to the continuous increase of the complexity of industrial plants, the design and development of logic controllers requires teams of experts of different engineering disciplines and, therefore, different backgrounds. Today, the implementation procedure used in industrial practice is characterized by a manual conversion of goal-oriented, natural-language requirements into signal-oriented logic controller code. This approach has some major drawbacks:
• The manual transformation does not consider the connection of specification and implementation. This separation of the specification and implementation phases carries the inherent risk of misunderstandings and implementation errors, and changes of the specification, particularly the correction of errors, require significant effort.
• The documentation of the design is usually done implementation-based so that it only partly reflects the specification that was implemented. Adaptations during implementation and deployment make it difficult to keep the documentation up-to-date and useful.
Many methods for the enhancement of the design of logic controllers have been developed, which can be grouped into two groups: The first group consists of methods for the for-⋆ The work reported in this paper was partly funded by the European FP7 project MULTIFORM, INFSO-ICT-224249, www.ictmultiform. eu. This support is gratefully acknowledged.
malization of the requirements and the specification using a variety of formalisms such as Petri-nets (e.g. Feldmann et al. (1999) ; Ferrarini and Piroddi (2003) ) or automatabased formalisms (e.g. Ramadge and Wonham (1989); Stursberg (2005) ). The formalized specification is then used to (algorithmically) derive logic controllers which are correct by design. The second group of approaches focuses on quality control and comprises methods for the algorithmic generation of test cases (e.g. Provost et al. (2009)) or for the verification of logic controllers using formalisms like timed automata (see e.g. Stursberg and Lohmann (2005) ; L'Her et al. (2001)) or Petri nets (see e.g. Fujino et al. (2000) ).
The key problem of most design approaches realized in practice and of many formal methods proposed by academia is that the presence of interdisciplinary design teams is not addressed sufficiently and that most methods, particularly those utilizing code generation or model-checking techniques, have problems to tackle design problems of industrial scale. In this contribution, a methodology for the design of logic controllers is described that starts from informal, natural-language requirements of both the controlled plant as well as the logic controller itself. The resulting logic controller is implemented as a Sequential Function Chart (SFC) which is one of the five programming languages for Programmable Logic Controllers (PLCs) that are defined in the standard IEC 61131-3 (IEC (2003) ). SFC is widely used to implement logic controllers that realize e.g. production recipes, startup or shut-down procedures, and safety routines. The design process presented here is shown in Fig. 1 . The informal requirements are mapped into two data formats that are successively refined and formalized using the concepts of hierarchy and modularization. The results of this systematic design process are (1) a formal specification of the logic controller as well as an implementation in the SFC formalism and (2) a documentation of the design process since the original informal requirements and the formal specification are both part of the resulting hierarchical XML-based data structure, from which executable SFCs as well as controller models for further analysis and simulation of the logic controller can be generated. (2008)). It is connected to a variety of model-based formalisms and tools that cover most problems occurring in model-based design projects.
EXAMPLE PROCESS
The methodology described in this paper is applied to the benchmark process described in de Prada et al. (2009) . The example process (see Fig. 2 ) is a simplified representation of a class of industrial-scale processes consisting of continuous and batch units. The underlying process consists of three major parts.
(1) A continuous production part converting a raw material into an intermediate product,
a set of batch units for the further treatment of the intermediate product, and (3) a continuous separation to separate the final product and by-product and remaining raw materials, which are fed back to the first part of the process. The simplified representation is composed of an upper tank (tank 1) representing the first continuous part of the process, of two batch units (1 and 2) representing the batch part of the process, and of the lower tank (tank 3) representing the continuous separation unit. A flow of cold water (of temperature T 0 ) is fed to tank 1 representing the raw material. The two batch units are fed from tank 1 by two pumps (P 11 and P 12 ) and are heated independently with electrical resistors of different power. T ank 3 is fed from the two batch units by the pumps (P 21 and P 22 ) and is equipped with an additional feed for raw material (again cold water). A specified ratio of the liquid (representing by-products and remaining raw-materials) in tank 3 is pumped back to tank 1 (P 31 ) while the other flow represents the final product of the process. For an efficient design of the controller, three properties of the design technique are of major importance: (1) Hierarchy and refinement to break down the large amount of information in the different phases of complex controller design processes systematically, (2) Flexibility to be able to react to revisions of the specification due to changes, or to a more detailed definition of the requirements of the plant and/or the controller, and (3) Documentation of the logic controller and the specification to avoid a loss of information during the design phases and to improve the quality of the controller. Furthermore, the inherent documentation of knowledge and expertise of all members of the team, irrespective of their technical background, supports the tracking and correction of design errors. The DC/FT approach first presented in Lohmann and Engell (2008) combines these properties by utilizing a hierarchical data structure for the specification and the design of logic controllers. The systematic design procedure is based on the refinement of coarse process descriptions. To reduce the effort required for design and implementation, Lohmann and Engell (2008) propose an automatic translation into SFC. Since the resulting SFC are hard to read and to maintain, the methodology in this contribution is altered such that the DC/FT data structure that results from the refinement of the specification is stored in a generic XML data format, from which both, DC/FT and SFC can be generated without translation. This ensures that both the DC/FT, where the specification is stored, and the implementation of the logic controller (in this case the SFC) are consistent and are similarly structured so that readability and maintainability are preserved.
The DC/FT data format
The DC/FT data format consists of two coupled data structures (see Fig. 3 ), the Dependency Chart (DC) and the Function Table (FT) . Both data structures are refined iteratively until a sufficient degree of detail is reached (e.g. until all specifications have been formalized).
Preprints of the 18th IFAC World Congress Milano (Italy) August 28 -September 2, 2011
Function Table   Dependency Chart   Function Table  Function Table   Function Table  Function Table  Function Table   Dependency A Dependency Chart (DC) is a two-dimensional graphical representation of the conceptual design of the logic controller (see Fig. 4 ). It consists of a set of Function Blocks (symbolized by horizontal bars) and a set of directed connections between them, the Transitions. The DC is an extended version of the Gantt chart, an intuitive representation for sequential processes which is used in e.g. scheduling and for project management tasks. In DC, the scaled time axis of the Gantt chart is replaced by a qualitative horizontal time axis. Hierarchy is introduced to the DC/FT formalism by the refinement of the DC function blocks. Each function block holds either a Function Table or one or more DCs (see Fig. 3 ). In contrast to the original definition of the Gantt chart, the DC supports the concepts of alternative branching (including priorities), loops, and jumps.
A Function Table ( FT, see Fig. 5 ) is a table-like data structure that consists of a set of Function Table Entries  (FTE, rows of the table) . A FTE holds an executable action with an assigned action qualifier and, optionally, a condition that must evaluate to true before the execution of the action. If the FTE holds no condition, the last condition of the preceding part of the function table is used instead, so that two or more actions can be coupled. Both conditions and actions are defined by an informal description (in natural language) as well as by a formal description which represents the implementation. Since the informal parts of the table serve as documentation, it is expedient to include appropriate comments in these columns to track design decisions as well as changes in the specification.
The set of FT action qualifiers is the same as the set of qualifiers of SFC (see below) to facilitate the coupling of both. Actions can be executed in a stored fashion (qualifiers S, SL, DS, SD) which means that they remain active until the action is reset with the qualifier R, or in a non-stored fashion (N , L, D) which means that they are switched off automatically when the following condition evaluates to true. A third group of qualifiers (P , P 0 , P 1 ) represents the case that the action is executed as a pulse (one PLC cycle). Some of the qualifiers involve time (e.g. to delay the execution of an action). If these qualifiers (D, L, SL, SD, DS) are assigned to an action, the appropriate time span has to be specified in the last column of the function table. The FTEs of a FT are executed sequentially without branching or repetition. To avoid time delays between the executions of the DC function blocks, an end-FTE is utilized, which represents a waiting step. The grammar of DC/FT is given in the following definition:
ω }, a set of auxiliary variables Ψ = {dc, chain, f b, f b start , f b end , f t, f te, f te end , jump}, the start symbol σ dcf t , and the set Φ containing following production rules:
+ , T i α , J ω As an example, the DC/FT in Fig. 4 can be represented by the following string:
Sequential Function Charts
The target format of the design process is Sequential Function Chart (SFC) (see Fig. 6 ), which is a graphical programming language defined in the standard IEC 61131-3. SFCs consist of rectangular boxes (steps) that represent (2010)) a state of the controller and hold the actions that are executed by the program, and horizontal bars (transitions) with transition conditions. A SFC program is executed top-down starting from the first step, the start step. An action qualifier is assigned to each action and defines the execution mode of the action, as described above.
Since DC/FT and SFC are represented by a shared XML data format, a clear definition of syntax and semantics of SFC is needed, which is not sufficiently precise in the standard. Thus, the formal syntax and semantics definition of safe SFCs (as defined in Huuck et al. (2003) ) given in Sonntag and Fischer (2010) forms the basis of the DC/FT method. This SFC definition contains all elements of SFC defined in the standard as e.g. alternative branching, parallel branching, and loops. Additionally, the concept of jumps is introduced, which goes beyond the standard IEC 61131-3 but is supported by all relevant commercial software tools.
Systematic Design of a Logic Controller for the Example Process
The specification for the logic controller for the benchmark plant (see Sec. 2) is as follows: A logic controller for the control of the batch sequence in the two reactors has to be implemented. This logic controller has to realize the following sequence of actions for each batch unit independently:
(1) The unit is empty and waiting until the level of the upper tank reaches the threshold (18 cm). Furthermore, the logic controller has to maintain the liquid levels of tank 1 and tank 3 between their minimum and maximum levels (h 1min = 15 cm, h 3min = 15 cm, h 1max = 20 cm, h 3max = 20 cm). To achieve this goal, the recirculation stream from tank 3 to tank 1 and the cold water stream to tank 3 can be manipulated by the logic controller. The variable run is an operator input to start (run=1 ) and stop (run=0 ) the controller.
The design of the controller starts with a DC on the highest level. Since the control of the levels in the tanks and the sequence in the batch units has to be separated, a parallel execution is needed so that a function block is added to the DC, which in turn is refined by four DCs (level control tank 1, level control tank 3, batch sequence 1, batch sequence 2 ). The two DCs for the level control and the two DCs for the control of the batch sequence are very similar so that they can be reused (see Fig. 7 ). All four parts of the controller have to be executed in a loop until the operator stops the controller (run is set to 0). Therefore, a loop is added to the function blocks. The control of the batch sequence can be specified and implemented using a FT while the level control requires another DC on a lower level each (see Fig. 7 ).
RESULTS OF THE MODEL-BASED WORK FLOW
An exemplary model-based work flow for the design of the logic controller of the plant described above is depicted in Fig. 8 . The design of the logic controller starts with a dynamic model of the process that is developed in the process simulator gPROMS (PSE (2010)), and a set of informal specifications for the logic controller as described in the section above. The gPROMS model is algorithmically transformed to the CIF (see Hendriks et al. (2011) ). The informal specification is used to design the logic controller within a multi-formalism environment utilizing the methodology and the tool described in the previous section. The resulting DC/FT can be used to automatically generate a logic controller implemented in SFC (see Fig. 9 ) and can be exported into the CIF as described in Sonntag and Fischer (2010) . The models of the uncontrolled process and of the logic controller are connected using parallel composition. The resulting CIF model of the controlled process can be simulated using the CIF tool set 2 or can be translated into a variety of other formalisms for testing, simulation, (performance) analysis, verification, or the design of continuous controllers.
CONCLUSIONS AND OUTLOOK
The model-based design approach for logic controllers presented in this paper tackles several problems of the currently used design methodologies, particularly (1) the support of interdisciplinary teams, (2) the generation of useful and up-to-date documentation on the specification level as well as (3) the ability to test and analyze the control system before commissioning to the real plant. Using the DC/FT approach, a formalization of the specification using the intuitive, XML-based DC/FT data format replaces an informal and manual development procedure. This data format facilitates the communication in heterogeneous design teams and the tracking of errors. The utilization of plant models of different levels of abstraction allows for tests and simulations in early design phases and during the design phase of the plant. Furthermore, the hierarchical and modular structure of DC/FT is partly preserved and recognizable in the SFC.
The current approach focuses on the design of logic sequence controllers, as DC/FT is strongly related to SFC. However, the design of controllers for continuous plants or interlocks can benefit from the basic ideas of the systematic design procedure such as iterative refinement, starting from informal requirements, systematic documentation, modularization, and hierarchy. A promising extension in this direction based on hierarchical Cause-Effect-Charts is currently under development. This technique will also enable the algorithmic generation of controllers following the approach of Ramadge and Wonham (1989) . To preserve hierarchy and modularity of the DC/FT in the resulting logic controller, an extension of the methodology towards the object-oriented features of the standard IEC 61499 Vyatkin (2006) will be considered.
