INTRODUCTION
This contribution deals with the problem of analyzing the behavior of technical systems which are composed of a logic controller and a plant with continuous dynamics which can be switched by the controller outputs. The work is motivated by the current situation in the processing industry where such constellations are widespread nowadays due to the increasing use of programmable logic controllers (PLCs) or distributed control systems (DCSs). The major part of the software running on these systems performs logic control functions. This occurs in the classical applications of logic controllers as, for example, process supervision to avoid unwanted states of the process or damage to the equipment, sequence control, or startup and shutdown procedures. Even if the core part of the automation software is for continuous control, it will be supported by a large portion of discrete control logic being responsible, e.g., for the supervision of sensor inputs and outputs to actuators with respect to violation of thresholds for the values and the rates of change, their replacement by default values in case of assumed failures, or switching the mode of operation.
Both from the point of view of economic plant operation and from the point of view of safety and environment protection, it is highly desirable, that the enormous amount of control softand hardware which processes discrete signals and performs logical operations works correctly. Design errors in the control logic are much more costly than in continuous controllers (which usually are put to manual operation if they do not work properly). In contrast, whereas continuous controllers can be and in some cases even really are designed using sophisticated methods and extensive simulation studies, the discrete control logic is still produced in a much less systematic manner. In the worst but not unusual case, incomplete specifications are implemented directly in low-level code which has then to be improved by testing on-site.
The described situation has led to a number of activities in the process industry, the related standardization organisations and process control system vendors to support a systematic and less error-prone development process of logic control software. Notable examples are the standards ISA SA88 (ISA, 1995) which proposes a certain structure of the sequence control logic for batch processes, and IEC 1508 (IEC, 1996) which includes a reference model for the software development lifecycle of safety related software. This model presents a systematic development process consisting of several successive steps as e.g. requirements specification, architecture design, system and module design. The result of each step is first compared to the requirements from the previous step and, after coding, tested against specifications on a suitable level of abstraction. Both activities are termed "verification" whereas the overall aim, to show that the safety requirements are met, is called "validation" and builds on all the single verifications steps. Note that in this paper, a different notion of verification is used. A further initiative to improve the logic control software reliability is represented by the "Good Manufacturing Practice" guidelines of the FDA (FDA, 1975 (FDA, -1997 which, among many other requirements, demand that all relevant information about the control logic, its development process, and changes to it, has to be documented carefully and discussed with experts both inside the companies and from authorities outside. All the mentioned guidelines complement standard methods for systematic safety analysis of process designs and operating procedures like HAZOP (CCPS, 1985) which usually are not applied to check control logic.
These examples show that there exist a number of approaches to improve the development process of logic control software. However, all these methods are not strictly formal which means that the representations do not have a mathematical foundation and and activities cannot be realized completely algorithmically. This implies that the success of their application relies to a certain extent on the intuition and experience of the user. In this paper, a formal verification approach is presented which builds on formal models of the logic controller, the plant and the behavior specifications for the closed-loop system, and uses mathematical procedures for transforming and analyzing these models. In the development process of logic control software, it can be applied when the complete control system consisting of the already designed controller and the given plant has to be checked against specifications for the behavior of the controlled process. Thus, it complements the final validation testing. It should not be seen as a substitute for testing because in this approach, all possible reactions of the continuous plant in all conceivable situations including equipment failures have to be included in the model, and in practice, this is can only be achieved up to a some level of certainty and complexity. Still, there may be an enormous benefit from a systematic exploration of the huge space of all possible combinations and sequences of events if compared with discussions based solely on common sense.
The notion of formal verification originates from computer science where, in general terms, it means a mathematical proof that a model of an algorithm fulfills given formal properties. In the last decades, different representations and methods have been developed and, in the recent years, some of them have been applied successfully in the area of hardware and communication protocol design (see Clarke and Kurshan, 1996 , for a survey). In the context of this paper, i.e. logic controllers for processing systems, the pioneering work goes back to Moon et al. (1992) for control programs represented in Relay Ladder Logic. They applied the symbolic model checking method according to Burch et al. (1992) in which the system to be verified is modeled as a finite state machine and the specifications of the desired behavior are represented by temporal logic expressions. The approach has been extended to include plant models and recent applications show that the formal verification of logic controllers for processes of moderate size is possible (Probst et al., 1997) . The continuous dynamics of subsystems of the plant are discretized in an elementary manner: The range of values of each continuous variable is partitioned into intervals and the model simply describes the transitions between these intervals. Timers are captured in the same qualitative fashion by neglecting the timer value and keeping only two states, running and elapsed. This information is not sufficient for checking real-time constraints, e.g., whether a controller response to a plant event is fast enough to avoid unwanted process behavior.
A verification method based on a switched continuous model and, in principle, avoiding any abstraction has been suggested by Dimitriadis et al. (1996 and . The reachability problem is reformulated as an optimization problem in the discrete time domain which can be solved by Mixed Integer Programming. Basically, the optimization determines the worst possible controller behavior meaning that the system is most often in an undesired region of the continuous state space. The approach is general in the sense that it can be applied to hybrid systems as well as to purely discrete or purely continuous systems. Its strength lies in the ability to take advantage of well tested and efficient optimization procedures. A limitation is given by the fact that the size of the Mixed Integer Program grows with the product of the number of discrete time steps and the number of equations describing and the plant and logical expression describing the controller. It is therefore unclear whether this approach can handle problems of realistic size.
In this contribution an approach is presented which builds on recent extensions of model checking to capture real-time and hybrid dynamics, and introduces a modular, block-oriented modeling framework for hybrid systems. It aims at applications where formal verification requires a quantitative analysis of the interaction between timers or threshold values in the logic control program and the plant dynamics. The particular modeling paradigm used is that of timed condition/event systems. Subsystems with continuous dynamics are mapped to a timed condition/event system by an automatic abstraction procedure. The resulting models for plant and controller are composed and analyzed by means of HyTech, a tool from computer science for the analysis of timed and hybrid automata.
The remainder of the paper is organized as follows. To provide a motivation for the practical need for formal verification of logic control programs and to give an impression of the type of problems found in practice , we start with a simple process engineering example. It is used throughout the paper to illustrate important concepts. In Sec. 3, the methodology of the approach is sketched. Section 4 describes the modeling framework including the approximation procedure for continuous systems. Aspects of the analysis and results for the example are presented in Section 5. A discussion concludes the paper.
EXAMPLE
The following example of a batch evaporation process serves to motivate the verification problem considered in this paper. Fig. 1 shows the piping and instrumentation diagram of the evaporator plant. The following production sequence takes place. First, the solution which has to be separated is filled into tank T1 and the solvent is evaporated until a desired concentration of the dissolved substance is reached. During the evaporation stage, the condenser C1 is in operation and collects the vapour coming from T1. When the desired concentration is reached, the material is drained from T1 into T2 as soon as T2 is available (i.e. emptied from the previous batch). A post-processing step then takes place in T2, before the material can be pumped out of T2 to a downstream part of the plant.
We focus our attention on the problem of the appropriate reaction of the controller to a cooling breakdown in the condenser. This failure leads to a temperature and pressure increase in the condenser tube C1 and the evaporator tank T1, if the evaporation process is not stopped.
It has to be avoided that the pressure in C1 rises above an upper limit. To achieve this, the heating in T1 has to be switched off before the safety pressure valve (not shown in Fig. 1 ) is triggered. This, in turn, causes a decrease of the temperature of the material in T1. When the temperature in T1 becomes too low, crystallization leads to precipitation of solids which spoils the batch. This, of course, is also an undesired situation. Thus, the timespan between the cooling failure and switching-off of the heating is critical: it has to be short enough such that the pressure increase is limited but on the other hand has to be as long as possible such that crystallization will not occur.
The described desired reaction of the controller can be implemented either by a limit switch which indicates a critical temperature in the evaporator or, for example to save the costs of the sensor, by a waiting time in the control program. Fig. 2 shows control code for both possibilities. The variables are explained in Table 1 . The representation in Fig. 2 is a Sequential Function Chart (SFC) according to the IEC 1131 standard (IEC, 1992) . In particular, action blocks are used to specify the control actions performed in each step. An action block consists of a qualifier, an action name, and a manipulated variable. The leftmost branch of Fig. 2 represents the normal operation sequence. In the undisturbed case, the system will leave the step Evaporating when the desired concentration is reached. The part branching to the right describes the control actions during an emergency shut-down after a cooling breakdown. Alternative 1 represents the implementation of a waiting time between the cooling failure and stopping the heater. In alternative 2, a limit switch for an alarm temperature in T1 is used. As discussed above, in both cases, the controller will open valve 18 and start pump 1 to drain T2 as soon as the flow of cooling agent is too low. The corresponding actions are labeled with the qualifier "S", which means that the variables V18 and P1 are set to TRUE and will remain TRUE when the step is inactive again. In alternative 1, the label "RD t#5m"
on the third action in the step Draining T2 and switching off the heating symbolizes that the heating is switched off with a delay of 5 minutes, even if the step has become inactive in the meantime. In alternative 2, the heating is stopped when the condition TempAlarm=TRUE forces the control program to move to the second step. In both cases, as soon as T2 will be empty, the SFC will switch to the subsequent step and open valve 15. When T1 is empty and the heating is switched off, the controller assumes the system to be in a state of safe shutdown.
The main problem is to determine whether both control programs (in particular the choice of the waiting time or the threshold temperature, respectively) will prevent, under any circumstances, that the pressure and the temperatures in T1 and C1 become too high or that the material in T1 starts to crystallize. Of course, this question is not depending on the fact that the control law is realized as a computer program. However, even if it would be a guideline for an operating procedure, it cannot be answered by intuition because the plant behaviour is too complex. And, obviously, on-line testing is not the method of choice. Even simulation is difficult, because a cooling failure may happen at any point during a batch run and thus at any possible state of the system. Of course, in this simple example it would be possible to determine the worst case scenarios and simulate them. But this will be impossible or at least very tedious for more complex problems. In these cases, the only way to make sure that the proposed control program will fulfill its task is to apply a formal verification method.
THE GENERAL APPROACH
The example in the previous section demonstrates the typical situation which is encountered when logic controllers for continuous processes have to be verified. Three elements are given:
First, there is the plant to control. It may be existing already or be in the planning phase. In both cases, usually semi-formal descriptions (e. g. flowcharts) and further knowledge about the physical behavior are available. Second, a control program is given which usually was created from experience and first principles based reasoning on the basis of a more or less detailed specification. And as the third element, some information about the desired behavior of the process is given, usually formulated in natural language.
Given the situation described above and the incentive to clearly distinguish between plant and controller behaviors and specifications, the formal verification method consisting of the steps illustrated in Fig. 3 is proposed. The grey blocks represent steps which can be performed automatically if appropriate tool support is available (the plant modeling step can only be automated partly, cf. the next section). The major effort required is to build a model of the plant. This model has to capture the uncontrolled behavior of the plant, that is, all possible undesired situations, disturbances, faults and even obviously wrong operator actions have to be included. Otherwise, it is not possible to prove that a critical situation is reliably prevented by the controller. Then, the control program has to be translated into the same modeling framework, so that a composition of the plant model and the controller becomes possible. The composition of the models of the plant and the controller constitutes the model of the controlled plant. This model can then be analyzed and compared to a formalized description of the desired plant behavior. In the approach presented in the following sections, this will be a check whether undesired discrete states are still reachable under control. Fig. 4 shows a more detailed representation of the modeling step for the plant. Two paths from the real system to the model are possible: Either a plant module is directly modelled as a timed discrete event system using available knowledge of the process, or a (switched) continuous model is built using first principles and then approximated automatically. The first option is appropriate if the natural level of abstraction for the subsystem model is discrete (e.g., on/off valves). If the system under consideration has non-trivial continuous dynamics, the second way usually is less error-prone. We present an approximation procedure in Sec.
4.3.
discrete event systems (DES), this is usually achieved either by conditioning transitions on states of another module (e.g. in Petri nets) or by synchronization of events (e.g. for automata). A framework combining both concepts is provided by the Condition/Event (C/E) systems according to Sreenivas and Krogh (1991a) . In this section we review basic notions of C/E systems and present a real-time extension. Then, a procedure is described which maps continuous dynamical systems into timed C/E systems.
Untimed Condition/event systems
C/E systems were introduced to model interconnected discrete event and hybrid systems in a modular, block diagram and signal flow oriented fashion similar to continuous dynamical systems. When developing the model, Sreenivas and Krogh were motivated by the observation that in existing DES models the interaction of systems is either based on synchronization of events or conditioning of event occurence depending on state information. This distinction is also well known from logic controller programming languages and from the field of switching circuits (e.g. edge-triggered function block inputs in contrast to regularly scanned inputs in the IEC 1131 standard (1992)). In general, a C/E system has a conditon input signal u(t), an event input signal v(t), a condition output signal y(t) and an event output signal z(t). The corresponding sets of conditions or events are U, V, Y, and Z, respectively. The basic definition of a C/E system defines its input/output behavior by a mapping which gives the set of admissible output signal trajectories for each possible input signal trajectory:
This definition only characterizes the input/output behavior and provides no specification or restriction of the model of the internal behavior of a C/E system. In (Sreenivas and Krogh, 1991a ) any formal representation which describes an input/output relation according to the definition above is called a C/E model. Note that a C/E model does not necessarily have to be discrete. In particular, even continuous dynamics are possible as long as the system interacts with its environment by condition and event signals. Examples for C/E models based on Petri nets were presented by Sreenivas and Krogh (1991b) and Hanisch et al. (1997) . In our verification approach, we apply two different C/E models, discrete state C/E systems and C/E timers.
Discrete state C/E systems were introduced by Sreenivas and Krogh to model untimed DES.
They are defined as follows.
Definition 1 (Discrete state C/E system).
A discrete state C/E system is a 9-tupel S= (U, V, X, Y, Z, f, g, h, x 0 ) where U, V, Y, Z are the same as above, X is a finite set of discrete states; f, g and h are functions defined as: f:
X×U×V 0 →2 X -∅, the state transition function satisfying ∀x∈X, u∈U: x∈f (x,u,0) , g: X×U→Y,
the condition output function, and h: X×X×V 0 →Z 0 , the event output function satisfying ∀x∈X:
0=h(x,x,0). X is the set of discrete states, V 0 and Z 0 symbolize that 0 is included. x 0 ∈X is the initial state. Given a discrete state C/E system S and input signals
the set of valid of state trajectories and output signals consists of all triples of signals (x(⋅),
where
x(t -) and u(t -) are abbreviations of lim ∆→0 x(t-∆) and lim ∆→0 u(t-∆).
The semantics of a discrete state C/E system can be interpreted as an untimed finite state machine which is embedded in a time-dependent signal space formed by the condition and event input and output signals. The two kinds of signals realize the above mentioned interaction concepts of conditioning and synchronization in a specific way: The condition input signal constitutes conditions for changes of the state of the system (hence can disable or enable certain transitions) whereas the event input signal can force transitions in the sense that they must occur at the instance when a specific event is received. Transitions can also take place spontaneously and can be nondeterministic. The two properties ∀x∈X, u∈U: x∈f (x,u,0) and ∀x∈X: 0=h(x,x,0) of f and h guarantee that transitions and output events will not be forced by condition input changes.
To illustrate the use of condition and event signals, a discrete state C/E model of the condenser from the evaporator example in Sec. 2 is considered. Assume that the state x of the condenser is described in a sufficiently accurate manner by three discrete values X={"off", "on", "danger"}. The last element is representing the situation of dangerously high pressure.
Note that in this simple example the state of the system represents the equipment status ("off", "on") as well as a classification of the operational mode ("danger"). In more complex examples, it may be useful to distinguish between these two levels of abstraction.
The concept of forcing by event signals is useful if, for instance, the cooling can be switched off by a control command "stop". The state transition function f then has to represent the fact that for the current state "on" and an incoming event "stop" the set of possible next states is a singleton, namely "off" (see Eq. 4, the "-" is the so-called "don't-care" symbol and means that any value of u(t − ) is allowed.).
A different description is necessary when, for example, the possibility of a transition to the state "danger" depending on the state of the heating in the evaporator has to be described.
Obviously, the pressure in the condenser will only rise to a dangerous value if the heating is on. This is the concept of enabling or disabling and can be expressed in the C/E framework in the following manner (cf. Eq. 5 and Eq. 6). "Heating on" and "heating off" are values of a condition signal coming from the evaporator to the condenser.
{off } = f (off, heating off, 0)
Timed Condition/Event Systems
In addition to the discrete dynamics, quantitative timing information has to be incorporated in this framework to be able to formally verify control programs with timers against real-time constraints and to represent the plant dynamics at least in an approximate fashion . This can be done within the same conceptual framework by introducing C/E timers as a new class of C/E systems. C/E timers can be coupled to the untimed subsystems by condition and event signals again. Thus, the basic C/E system definition applies also to timers. The advantage is obvious:
Describing the timing is part of the modular concept. The untimed dynamics and the timing conditions are separated and can be modeled independently. Timing information can be added to an already existing model without changing any block of the C/E block diagram by simply adding the necessary timer blocks and connecting them to the appropriate discrete blocks.
Such configurations consisting of at least one discrete state C/E system and a C/E timer are called timed C/E systems (TCESs for short) (Kowalewski and Preußig, 1996a) . C/E timers were introduced in (Engell et al., 1995) and are defined as follows.
Definition 2 (C/E timer).
is the clock function given by τ(t 0 )= T θ +ε with ε arbitrary but fixed and ε > 0, and for all t ∈ [t 0 , ∞):
and 0 )
A C/E timer can be interpreted as an alarm clock which is reset and started by the input event "t θ := 0" and which indicates that it has reached its threshold time T θ by sending out an event "t θ = T θ ". The condition outputs "0< t θ <T θ " and "t θ ≥ T θ " provide the information that the threshold has not yet been reached or has been crossed, respectively.
The evaporator example can be used again to illustrate the use of C/E timers to include timing constraints into C/E models. Suppose, that the period T is known in which the pressure increases up to the critical value after a cooling failure. This information can be incorporated into the untimed model by introducing a C/E timer with a threshold time T. It is started by the event "cooling_failure" which is emitted by the condensator model, and it returns an event "t = T" which triggers the transition from "off" to "danger". Figure 6 shows the trajectory of τ(⋅). The cooling failure happens at time t 1 and T = t 2 − t 1 . The corresponding parts of the functions h and f of the condenser are given by Eq. 11 and Eq. 12.
The fact that the C/E system framework is a modular input-output description in which different types of interactions of logical systems can be expressed conveniently, and all external quantities are defined over continuous time makes it possible to couple C/E systems and continuous systems in a straightforward manner. The result can be the basis of a general modular modeling paradigm for hybrid systems in which C/E systems are connected to switched DAE-systems which include threshold functions to generate condition and event outputs from continuous variables (Krogh, 1993; Engell and Hoffmann, 1996) . This framework is useful for, e.g., simulation of hybrid systems. For the purpose of verification, the model is too general. If continuous dynamics are part of the model, they have to be approximated by TCESs. This is described in the next section.
Approximation of continuous models
We assume that the continuous system which has to be approximated is given as a system of switched ODEs of the form
where X denotes the n-dimensional continuous state space and U the input space. For the input trajectories u(t) we assume that they are piecewise constant. Furthermore, f shall be
Lipschitz-continuous between the switching points of u(t).
We introduce a rectangular partition of the continuous state space which is derived from those thresholds of the state variables which are crucial for a particular controller verification problem. The controller receives the information whether the values of the state variables are below or above certain landmarks and computes an appropriate command depending on this discrete information. The threshold detection corresponds to a partition of the range of each state variable x j into a finite number of discrete intervals (qualitative states), e. g. "low", "normal", "high" and "critical" for the temperature in a chemical reactor. Formally, we define a mapping D X : X → {1, ..., p 1 )} × ... × {1, ..., p n } which divides the state space X into a finite set of n-dimensional rectangular partition elements. D X is characterized by an ordered set of landmarks:
for each x j , where a landmark l j,k , k ∈ {1, ..., p j } corresponds to one of the p j thresholds. For each partition element, the mapping D X generates an index vector d = (d 1 , ..., d n ), which specifies the number of the actual discrete interval (defined by two consecutive landmarks) for each x j :
We assume that X is a bounded region such that the physically admissible range of The idea is to interprete the region between adjacent gridpoints on the cells' boundaries as discrete states and to determine transitions by calculating continuous trajectories between different states. This is different to earlier approaches (Stursberg et al., 1997a and 1997b) in which the cells were directly mapped into the discrete states. When all CITs and the corresponding TTIs are computed, the representation as a TCES is straightforward. A discrete state C/E system is introduced with a state space equal to the set of the cell boundary regions, X = Σ d , and with a discrete transition for any CIT. The timing information is given by the TTIs. They can be regarded as the lower and upper bound for the instances at which a transition takes place. Thus, for any discrete transition two thresholds define its timing: a lower threshold T l gives the time at which the transition can happen at the earliest instance, a upper threshold T u gives the time at which the transition has to take place eventually. In other words, the condition "time is beyond T l " enables the transition while the condition "time is below T l " disables it. And the event "time reaches T u " will force the transition if it has not happened already in the meantime. It is obvious that this behavior can nicely be modeled by means of TCESs.
Application of the approximation procedure to the example
To illustrate the approximation procedure sketched above, we return to the evaporation process from Sec. 2. Now, it is assumed that a switched continuous model is available. The set of differential and algebraic equations is listed in Table 2 . It decribes the emergency shutdown sequence. The process consists of three phases: first a period with condenser malfunction and heat input, where the temperature ϑ and pressure p in (the closed) tank T1 rise due to continuing evaporation, and where T2 is drained. In this case, the heater is switched off when a corresponding alarm temperature is reached. Now, ϑ decreases because of heat transfer to the environment. First vapor condenses and, after reaching atmospheric pressure, the temperature falls below the boiling point. This process step, denoted phase 2, is finished when T2 becomes empty. Changing the positions of V15 and V18, the liquid content of T1 is drained into T2, where T1 is assumed to be ventilated in this stage and the temperature decrease proceeds. The task is to verify, whether the alarm temperature was chosen sufficiently high to avoid that ϑ falls below a crystallization temperature before the liquid level in T1, denoted H 1 , becomes zero. Thus, we have a hybrid 3-dimensional system with the state vector x = (ϑ, H 1 ,
H 2 ) and a discrete input vector u = (Heat, V15, V18) . For the computations, we determined values for the parameters from Tab. 2 for an existing laboratory plant.
The continuous state space is partitioned by introducing the following sets of landmarks: 
ANALYSIS
The last step of the verification procedure according to Fig. 3 is the analysis of the model of the controlled plant. In our approach, this problem is solved by model checking, similar to the approach by Powers et al. (see Sec. 1) . However, since TCESs permit the formulation of realtime constraints, purely discrete approaches like are not appropriate and model checking techniques for real-time systems have to be chosen. Such techniques were recently developed for the Timed Automata (TA) model by Alur and Dill (1994) (Henzinger et al., 1994) . To apply these methods we take advantage of the fact that TCESs are equivalent in expressive power to a subclass of TAs called Safety TAs (Huuck et al. 1997a ). This allows us to transform TCES models to TA models and use existing model checkers for TAs, e.g.
KRONOS (Olivero and Yovine, 1993) or HyTech (Henzinger et al., 1996) .
TAs are a generalization of Büchi Automata by adding real-valued variables, called clocks, the value of which increases by a rate of one and which can be reset by transitions. Transitions can be made dependent on the values of the clocks by clock constraints, i.e. Boolean combinations of formulas of the form c#n with c being a clock, #∈{=, <, ≤, >, ≥} and n a nonnegative integer. A TA is then defined over an alphabet Σ as a 4-tuple A = (Q, q 0 , C, E) with:
Q, a finite set of locations (discrete states), q 0 ∈ Q, the initial location, C, a finite set of clocks, (Alur and Dill, 1994) .
Obviously, the definition of the behavior of a TCES and a TA is based on completely different concepts: A TCES is specified as a relation associating a set of output signal trajectories to input signal trajectories, whereas the behavior of a TA is defined as a set of timed words.
However, a translation from TCESs to TAs can be realized by a two-step procedure. First, the underlying transition system of the TCES is mapped into an isomorphic state transition structure for the TA. Then the relevant conditions and events for each transition of the TCES are mapped into transition constraints for the TA. An algorithm for automatic translation of a TCES into a TA is given in (Huuck et al., 1998) . Technical problems of this procedure arise from the subtle details which the following examples may illustrate:
• In TCESs, an input event "t = T" from a timer can force a transition to occur. In TAs, a guard of the kind "t = T" only is a necessary condition for the occurence of the transition at time T. This problem can be solved by invariants, which are logical propositions on the clock variables and have to be true in the assigned location. The location must be left, if the invariant becomes false. However, a location cannot be entered if the invariant is false. So, if the above behavior of the TCES is modeled by an invariant "t ≤ T" in the corresponding location of the TA, an additional location with the invariant "t>T" has to be introduced to express that the TCES state may be reached again after the clock has crossed its threshold.
• For a transition in a TCES at time t, the condition input signal from a C/E timer is evaluated at time t − , whereas the constraints in TAs are relevant for the time of the transition. Consequently, "<"-relations in TCESs have to be mapped into ≤-relations in TAs.
We applied the analysis approach to both an approximated model and a model which was built as a TCES model from the outset. In the latter case, we used the waiting time variant of the evaporator example (Fig. 2, left part) . The model consists of 4 TCESs, one for the evaporator, one for the condenser, one for the post-processing tank, and one for the controller.
Due to space limitations it cannot be presented here in detail. The sizes of the subsystems vary between 5 and 11 discrete states and 1 to 3 clocks. The requirements are formulated locally as forbidden states for the three subsystems of the plant: "pressure is above a critical value" in the condenser, "material has crystallized" in the evaporator, and "overflow" in the postprocessing tank. The four TCESs and their interconnection were translated to TAs with corresponding synchronizations. When fed into HyTech, it first builds the product of the TAs and then performs the above described reachability analysis. Choosing waiting time = 3 (minutes), the result is that the forbidden location "material has crystallized" in the TA for the evaporator is reachable. If the waiting time is increased to 7, the analysis will reveal that the location "pressure is above a critical value" in the condenser TA can be reached. Instead of trying different settings of the parameter waiting time, it is possible to perform a parametric analysis. In this case, the values of timing constraints and switching points can be left unspecified and HyTech will determine the range of these values for which a given set of states is reachable or not. If waiting time is declared as a parameter, the result is that for 4 ≤ waiting time ≤ 5 none of the three forbidden locations is reachable.
CONCLUSIONS
An approach to the formal verification of logic controllers for continuous processes was presented which addresses several problems of practical relevance:
• It is based on a clear distinction between the plant and the controller which permits a transparent, process specific formulation of the requirements.
• The underlying framework is modular and signal oriented which helps to build complex models.
• It permits the formulation of real-time constraints which addresses the fact that most industrial logic control programs contain timers and that dynamical processes can often be described sufficiently well by real-time models.
• Continuous models are approximated automatically by timed discrete event models. This provides a systematic procedure to develop verifiable models of continuous systems.
• The approach takes advantage of existing techniques and tools for the verification of realtime and hybrid systems.
On the other hand, it has to be noted that the application scope of the method is limited by the computational cost of the analysis and model building effort. Whereas the complexity of reachability analysis in purely discrete systems grows exponentially with the number of interacting subsystems, in the case of TCESs and TAs the number of timers and clocks, respectively, is critical, too. Additionally, the approximation procedure is exponential in the number of discrete values of u(t) and the granularity of the discretization. To make things worse, the numerical robustness of HyTech is unsatisfactory. Due to the use of exact integer arithmetics for the polyhedra operations, overflow errors occur already for quite simple examples. For these reasons, the described approach up to now has only been applied to problems of a size comparable to the evaporator system from Sec. 2.
Consequently, our current reseach is concerned with techniques which will help us to treat more complex systems by this method. The most promising approach seems to utilize the structure of the underlying model. One example is the concept of compositional analysis. This means that local properties of subsystems are verified first, from which the fulfilment of global properties can be infered. Current investigations deal with the question of how the modular structure of C/E models can be used to derive a meaningful partition of the global properties into local ones. 
FIGURES

