-

zy
zyxwvutsr
Formal methods in PLC programming

zyxwvutsrqpon
Abstract A detailed generic model of the control design proc-
Georg Frey and Lothar Litz

ess is introduced and discussed. It is used for surveying different

formal approaches in the context of PLC-programming. The
survey focuses on formal methods for verification and validation
Although being a rather intuitive discipline for a long time.
industrial PLC programming will be more and more sup-
ported by formal methods. There are several reasons for the
application of formal methods with PLC programming:
(V&V). The varying works in this area are categorized using
three criteria: the general Approach to the task (model based, The growing complexity of the control problems, the
constrained based or without a model), the Formalism (Petri net, demand for reduced development time, and the possi-
automata,...) used to state the formal description, and the ble reuse of existing software modules result in the
Method (Model-Checking, Reachabilily Analysis, ...) used to need for a formal approach in PLC programming. The
analyze the properties. Based on these three criteria (A-F-M) a papers by Baresi et al. [7] and by Antoniadis and Leo-
three letter code for V&V approaches is introduced. Some works

zyxwvutsrqpon
from the multitude of V&V research are presented and catego-
rized using this new system.
Index terms-PLC, logic control, verification, validation, formal
methods.
I. INTRODUCTION
Since the 1970s PLC has been the primary workhorse of
industrial automation. For a long time it has provided a
distinct field of research, development and application,
mainly for Control Engineering. This area has produced its
poulus [8] primarily aim in this direction.
The demand for high quality solutions and especially
the application of PLC in safety-critical processes need
verification and validation procedures, i.e. formal
methods to prove specific static and dynamic properties
of the programs, as for example liveness, unambiguity
or response times. The papers by Canet et al. [9] and by
Mertke and Menzel [IO] deal with this aspect of formal
method application to PLC programming.
In Figure 2 a generic model of the logic control design
process is given [ 111. The presentation form is a Channel
Agency Net, see e.g. Reisig [ 121. Without the use of formal

zyxwvuts
own design methods and programming languages. Due to
its importance for industrial application a lot of these meth-
ods have been standardized internationally. Figure 1
(adapted from [l]) shows an overview of the standardiza-
tion. Currently the most influential standards are IEC 1131
[2], [31 and IEC 1499 [41, P I , E61.
methods the controller design process only consists of the
outer ring: The realization of the controller is derived from
the informal specification by direct implementation and
afterwards it is informally validated against the informal
specification.

zyxwvutsrqpon
NEMA Programmable Controllers Committee formed (USA)

ion Charts (Gemany)

zyxwvutsrqpo
-304. ProgrammableControllers (USA) T
Validation

zyxwvutsrqponm
W G 6 formed
19 239, Programmable Controller
)38,Programmable Controllers

SC65A(Sec)49, PC Languages
IEC SC65A(Sec)67

Figure 2. Design process for logic control systems /7].

zyxwvutsrqpon
Figure I : Standardization in PLC programming

Contact: Georg Frey, University of Kaiserslautem, Institute of Process

Automation, PO Box 3049, 67653 Kaiserslautem, Germany, tel.: +49 631
205 3652, fax: +49 631 205 4462, e-mail: [email protected].
In almost all cases, the designer of a logic control system
starts with a given informal specification of the control
problem. The term “informal” refers to everything that is
not based on a strictly composed, syntactically and semanti-
cally well-defined form. In addition to an ‘easy to under-

0-7803-6583-6/001$10.00 0 2000 IEEE 2431

 zyxwvuts
zyxwvutsrqp
stand’ verbal description this includes for instance timing
diagrams, sketches, P&ID (piping and instrumentation
diagram) according to ISA S5.1 [13], [14] or the combina-
tion of a set of equations describing the behavior of the
uncontrolled plant with a set of verbal requirements for the
controlled process. In general, the informal specification
consists of a description of the uncontrolled process and
In recent years, the PLC community realized the need for
formal methods in programming and validation. A lot of
interdisciplinary work has been done with the aim of ap-
plying formal methods. There are formal programming
methods from software engineering as well as formal veri-
fication methods developed for the design of VLSI and
communication protocols. Including formal methods the
requirements for the controlled system. Explicit require- middle path in Figure 2 is added1 to the generic model of the
ments for the control algorithm are also possible. However, design process: The formalization is the conversion of an
the different parts of the specification are not always clearly informal into a formal specification. This conversion can be
separated. The main problem with informal specifications is done with the aid of computers but not automatically. It is a
that they do not facilitate tests for completeness, unambi- human core capability, since it involves informal informa-
guity and consistency. tion.

The industrial standard approach to get the realization from Deriving the realization from the formal specification is
the informal specification is the direct implementation of called implementation. This process depends on the spe-
the controller using a PLC programming language. Of cial target-system. The ideal is automatic code generation
course, the realization includes hard- and software. With
standard hardware and well-defined PLC-functionality, the
realization consists of the programmed control algorithm.

The informal method of validation is the test of the imple-

mented controller against the informal specification. Today
this often used approach involves a team of control design-
ers and users. The problem with informal validation is that
it is never complete and it takes quite a lot of time and per-
zyxwv
by the design tool.

zyx
The different parts of the formal specification with its new

zyx
abilities in controller design are discussed in this paper: In
Section I1 a more detailed generic model of the logic con-
trol design process is introduced and the formal methods
associated with it are presented. Section 111 focuses on dif-
ferent approaches for verification and validation-the main
aim of formal methods in PLC programming today.
son-power.

Figure 3: Detailed Design Process with Formal Specification and the Methods.
2432
 11. THECONTROL DESIGN PROCESS
A. Formalization and Reinterpretation
zyx
zyxwvutsrqp
zyxwvutsrq
A more detailed model of the logic control design process is
given in Figure 3. The formalization of the informal speci-
zyxwvutsrq
fication consists of three different tasks:
Formalization of specific properties, resulting in a set
of properties to be fulfilled by the controller or the
controlled process. These control objectives are for-
malized using temporal logic [ 151, algebraic conditions
[16] or automata [17].
Formal modeling of the uncontrolled process re-
sulting in a process model that is needed in model
based approaches. This model may be discrete or hy-
brid, depending on the properties to check.
Direct formal modeling of the control algorithm can
be done if the control problem given by the informal
specification is clearly structured and not to volumi-
nous. It is some kind of manual synthesis. Semi-formal
synthesis approaches include the step-wise refinement
following strict rules that guarantee given properties in
the design process.
As Figure 3 shows, depending on the formal methods ap-
plied, not all of these tasks have to be done. Furthermore,
there are specification methods that combine several parts
of the formalization in one step, resulting in a combined
model. For instance the Process IPN (PIPN) presented in
[ 181 contains the model of the plant and the properties to be
fulfilled.
The formal specification of the control algorithm can be
derived in different ways. Either it is the result of the syn-
zyxwvutsrqp
thesis (manual or automatic). Or it is build via a reinterpre-
tation procedure from the already implemented PLC code.
There are two reasons for the reinterpretation (also called
translation, e.g. in [ 191) of existing PLC code into a formal
description:
0 Most PLC programmers have no formal background
and hence they stay with their programming tech-
niques.
0 There are millions of already existing PLC programs
that can not be formally treated in any other way.
Approaches for the reinterpretation of PLC programs writ-
ten in IEC 1131 Languages (IL = Instruction List, SFC =
zyxwvutsr
Sequential Function Chart, LD = Ladder Diagram, FBD =
Function Block Diagram, ST = Structured text) can be
found in the following papers:
0 Mertke and Menzel [IO] translate IL to Petri nets.
Canet et al. [9] use a transition system to reinterpret IL.
0 Hassapis et al. [20] translate SFC to hybrid automata.
2433
0
Kowalewski and PreuBig [21] reinterpret SFC by C E
(Condition/Event)-sy stems.
Volker and Kramer [22] represent ST, SFC and FBD
by, higher order logic, the latter two by representing
them in ST first.
0 Jimtnez-Fraustro and Rutten [23] use the synchronous
language SIGNAL to reinterpret ST.
B. Synthesis
The automatic synthesis of the control algorithm uses the
formal description of the process and the formal properties.
Methods for an automatic controller synthesis based on
Petri Nets are described e.g. by Holloway and Krogh [24].
Hanisch et al. use ConditionEvent systems [25] whercas
Moor et al. use automata [ 151. Dierks [26] developed a
synthesis method based on Duration Calculus. For formal
approaches, see also the works of Ramadge [27] and Li 1281
both with Wonham.
C. Implementation
Using one of the standardized PLC languages the formal
description of the control algorithm is implemented directly
(using a compiler) or indirectly (using an interprcter im-
plemented in the PLC). In the following papers direct im-
plementation methods are described:
Frey works out a direct implementation of Petri nets
using SFC [29] or IL [30].
Dierks shows in [31] a method to directly implement
automata using ST.
Cutts and Rattigan [32], Stanton et al. [33], and Uzam
and Jones [34], present different approaches for the im-
plementation of Petri nets in LD.
111. v & v VERIFICATION AND VALIDATION
Verification and Validation are the main areas for applying
formal methods in PLC programming. Nevertheless, the
notions are often confused. They answer, in fact, different
questions. This is pointed out by Boehm [35] as follows:
‘Validation: Are we building the right product’
‘Verification: Are we building the product right’
Roussel and Lesage state more precisely [36]: ‘The verifi-
cation is the proof that the internal semantics of a model is
correct, independently from the modeled system. The
searched properties of the models are stability, deadlock
existence, ... The validation determines if the model agrees
with the designer‘s purpose.’
Verification and Validation may use the same formal meth-
ods but the properties investigated in verification are stan-
dard and hence can be assumed as already formalized.
Therefore in principle, verification can be fully automated.
In validation specific properties of the controller have to be
formalized. Therefore the investigation of the informal
zyx
specification is necessary. Hence validation can not be fully
formal and not be fully automated.
zyxwvutsrq
The generic model shows different approaches for verifica-
tion and validation. These are discussed in detail in subsec-
tion A. The varying approaches often use the same model-
ing or description mechanisms. Hence, the formalisms are
presented separately in subsection B . Finally the methods
zyxwvutsrqpon
used to check properties are presented in subsection C.
Examples of verification and validation are presented in
subsection D. Each of the examples consists of a combina-
tion of approach, formalism, and method. Using the results
of sub-sections A to C a three-letter-code is assigned to
them.
A. Approach
Validation as well as Verification can be model based or
non model based.
M Model based: In model based approaches a model of
the process under control is included in the analysis.
The properties checked are statements on the con-
zyxwvutsrqp
trolled system.
N Non Model based: non model based approaches
analyze the formal description of the control algo-
rithm without taking the process into account. Con-
nections of the controller to its environment are
treated either as if they were not present or as if any-
thing could happen.
C Constrained based: Constrained based approaches
are typically non-model-based with the inclusion of
some very restricted knowledge about the process, for
instance that two binary input signals are always dis-
joint.
B. Fornialistn
The presented approaches and methods are based on formal
models. The following six formalisms are (among others)
used for the formal description of PLC programs:
P Petri nets: For an introduction of different Petri net
models see David and Alla [37].
C
A
Conditioflvent (C/E) Systems: C/E-Systems are
introduced by Sreenivas and Krogh [38]
Automata: Especially hybrid automata are used in
V&V of logic controllers, see Henzinger [39] for an
introduction to this formalism.
2434
L (Higher order) Logic: For an introduction to Higher
order Logic see [40].
S Synchronous Languages: the synchronous approach
is presented in [41]. A synchronous language used in
control applications is “SignaI”[42].
T General Transition Systems: See Ostroff [43] and
Canet et al. [9] for examples.
E (Algebraic) Equations: Gunnarson [ 161 presents an
approach using algebraic equations over finite fields.
(Max,+) algebra [44] approaches also fall in this cate-
gory.
c. Method
S Simulation is a widely used method for verification
and validation. Especially if there is a huge number of
input and output signals, simulation is very time-
consuming since every possible situation has to be
checked. Hence, in most cases simulation is restricted
to the direct application of input signals and compar-
ing the resulting output signals to the specification.
Hereby, the behavior of the process, i.e. its reaction to
the input signals, is neglected and - more critical -
only parts of the controller are tested. Simulation is
not considered in this survey.
R Reachability Analysis: Methods based on reachabil-
ity analysis build the complete state-space of the
modeled system and check properties by investigating
the structure and the components of this state-space.
The problem with reachability analysis is the state-
explosion in discrete systems: The number of states in
the system grows exponentially with the number of
discrete variables.
M Model checking: In model-checking, specifications
of the system behavior are checked automatically on a
finite model of the system. The specifications are
formulated in a temporal logic (see [45] and [46] for
an overview on temporal logic). The model is for-
malized using automata or Petri nets e.g.. Model-
checking does not avoid the problem of state-
explosion.
T Theorem Proving: In theorem proving methods the
system and its expected properties are formalized us-
ing some mathematical logic. Then the property for-
mulas have to be proofed from the axioms of the sys-
tem description using some interference rules. A
zy
Theorem Prover assists the user in formulating the
proof. Intelligent approaches using machine-reasoning
may avoid this drawback of needing a highly qualified
user. A great advantage of theorem proving is the
avoidance of the state-explosion problem.
 D. zyxwvutsrqpo
zyxwvutsrqpon
Examples
In the following some examples of verification and valida-
tion approaches are given. For further approaches including
zyxwvutsrqp
V&V for Grafcet see [19]. The presented methods are as-
signed a three-letter-code A-F-M indicating the used Ap-
proach, the Formalism to build the formal specification and
the Method for analysis.
M-P-R: Frey and Litz [ 1I] use a special Petri net as process
model and another one as model of the controller. The veri-
fication is done using reachability analysis of the combined
model.
M-P-M: Weng and Litz [47] present a model based verifi-
cation approach using model checking with LTL (linear
time temporal logic) as method and Petri nets as formal
description.
M-P-M: Mertke and Menzel [lo] present a model based
validation approach. Their process model is build as Petri
net and the PLC code is translated into another Petri net.
The aggregation of both nets is used as the basis for model
checking with LTL or CTL (computational tree logic). They
also propose the specification of properties in semi-formal
natural language with an automatic generation of the formal
zyx
zyxwvu
description.
M-A-M: Hassapis et al. [20] translate an SFC to an hybrid
automaton. The process is also modeled with a hybrid
zyxwvutsr
automaton. With the aggregated model of the controlled
process, model checking is performed using CTL and the
HyTech tool.
M-C-R: Kowalewski and PreuBig [21] translate SFC pro-
grams into C/E systems. Another C/E system is used to
model the uncontrolled plant. The composition of these CW
systems results in a model of the controlled plant. Reach-
ability analysis shows if the specifications (formalized in
terms of forbidden states) are fulfilled.
N-P-R: Frey and Litz [48] use a special Petri net model of
the controller. The verification is done using reachability
analysis of the Petri net.
N-T-M: The Carnegie Mellon research group around G.J.
Powers developed a method for the verification of given LD
programs [49], 1501, [51]. The L D is reinterpreted using a
Transition system and the properties to check are formal-
ized using CTL. The model-checker Symbolic Model Veri-
fier (SMV) takes the model and the properties and implic-
itly builds the state-automaton of the system and checks if
zyxwvutsrqpo
the properties hold. If this is not true a state-sequence lead-
ing to the contradiction is produced.
N/C-T-M: Canet et al. [9] present an approach for the vali-
dation of existing PLC programs written in Instruction List.
The PLC code is translated into a transition system. For this
system specific properties are investigated using model-
checking with LTL. The example presented in [9] shows
2435
that the results are of more practical value with the inclu-
sion of additional process knowledge (constraints).
N-L-T: The group of B.J. Kramer [22] use higher order
logic to represent ST programs. The requirements are speci-
fied in LTL. The model and the requirements are used in a
theorem prover.
IV. CONCLUSION
The paper gives an overview of the current state of the art
of formal methods in PLC design. It rather aims to present
examples then to be complete.
The presented generic model of the control design process
and the definition of related terms allows the categorization
of different approaches in the fast growing area of research
and application.
A three-letter-code for verification and validation methods
based on the describing triple Approach-Formalism-Method
is introduced and explained by some examples.
V. REFERENCES
[ l ] J.H. Christensen (Figure: International Language Standardi-
zation) in PLCopen Standard Presentation VI.0, 1998.
[2] International Electrotechnical Commission (IEC), bzterna-
tional Standard 61131: Programniable Logic Controllers.
Part 3: Languages, 1993.
131 R.W. Lewis, Programming industrial control systents using
IEC 1131-3’, IEE Publishing, London, United Kingdom,
1998.
[4] IEC 65/240/CD, Function blocks for industrial-process
measurement and control systenis - Part I : Architecture,
June 1999.
[5] IEC 61499-2 (2”dCommittee Draft, Ed. 1.O), Function blocks
for industrial-process measurenzertt and control systems -
Part 2: Engineering Task Support, April 2000.
[6] J.H. Christensen, ‘Basic Concepts of IEC 61499’, Proceed-
ings of Fachtagung Vertcilte Automatisierung, Magdeburg,
Germany, pp. 55-62.2000.
[7] L. Baresi, M. Mauri, A. Monti and M. Pezzk, ‘PLCTOOLS:
Design, formal validation, and code generation for program-
mable controllers’, Proc. of the IEEE SMC, 2000.
[8] LA. Antoniadis and V.I.N. Leopoulus: ‘A concept for the
integrated process description, PLC programming and simu-
lation using Petri nets: Application in a production process’
Proc. of the IEEE SMC, 2000.
191 G. Canet, S. Couffin, J.-J. Lesage, A. Petit and P. Schnoe-
belen, ‘Towards the automatic verification of PLC programs
written in instruction list’, Proc. of the IEEE SMC, 2000.
[ 101 Th. Mertke and Th. Menzel, ‘Methods and tools to the verifi-
cation of safety-related control software’, Proc. of the IEEE
SMC, 2000.
[113 G . Frey and L. Litz ‘Verification and Validation of Control
Algorithms by Coupling of Interpreted Petri Nets’, Proc. of
the IEEE SMC‘98, San Diego, Vol. 1, pp. 7-12, 1998.
[12] W. Reisig, A Primer in Petri Net Design, Berlin, Heidelberg,
New York, Springer, 1992.
[13] P.W. Mumll, Fundamentals of Process Control Theory, ISA
press, 3‘‘ ed., 2000.
 zyxwvutsrq
zyxwvutsrqp
zyxwvut
zyxwvutsrq
[ 141 Instrument Society of America (ISA), ANSI/ISA-Standard
zyxwvutsrqpo
S5.1: Instrumentation Symbols and ldentijkation, 1984, Re-
affirmed 1992.
[15] J.G. Thistle and W.M. Wonham, ‘Control Problems in a
Temporal Logic Framework’, International Joumal of Con-
trol, Vol. 44 (4), pp. 943-976, 1986.
[I 61 J. Gunnarson, ‘Algebraic Methods for Discrete Event Sys-
tems - A Tutorial’, Proc. of the IEE WODES’96, Edinburgh
(GB), pp. 18-30, 1996.
[ 171 T. Moor, J. Raisch, and S.D. O’Young ‘Supervisory Control
of Hybrid Systems via 1-Complete Approximations’. Proc.
IEE WODES‘98, Cagliari, Italy, pp. 426-431, 1998.
[ 181 C. Jorns, ‘Transparent Representation of Information Flow in
Automatic Control Systems for Verification Purposes’ Proc.
zyxwvutsrq
of the 1EE WODES’96, Edinburgh (GB), pp. 368-373, 1996.
[ 191 S. LampCrihe-Couffin, 0. Rossi, J.-M. Roussel and J.-J.
Lesage, ‘Formal validation of PLC programs: A survey’,
Proceedings of the ECC’99, 1999.
zyxwvutsrqp
[20] G. Hassapis, I. Kotini and Z. Doulgeri, ‘Validation of a SFC
software specification by using hybrid automata’, IN-
zyxwvutsrq
COM’98, Volume 11, pp. 65-70, 1998.
[21] S. Kowalewski and J. PreuRig, ‘Verification of sequential
controllers with timing functions for chemical processes’,
Proc. of the. 131hIFAC World Congress, San Francisco, Vol.
J, pp. 419-424, 1996.
[22] N. Volker and B.J. Kramer, ‘Modular Verification of Func-
tion Block Based Industrial Control Systems’, Proc. 24th
IFAC/lFIP Workshop on Real-Time Programming, May
1999.
zyxwvu
[23] F. JimCnez-Fraustro and E. Rutten, ‘A synchronous model of
the PLC programming language ST’Proceedings of the Work
In Progress session, 1st Euromicro Conference on Real-Time
Systems, ERTS’99, York (GB),June 9-11, pp. 21-24, 1999.
zyxwvutsrqp
[24] L.E. Holloway and B.H. Krogh, ‘Synthesis of feedback con-
trol logic for a class of controlled Petri nets’, IEEE Trans. on
Automatic Control, Vol. 35, No. 5, pp. 514-523, 1989.
1251 H.-M. Hanisch, A. Liider and J. Thieme ‘A Modular Plant
Modeling Technique and Related Controller Synthesis Prob-
lems’ Proceedings of the IEEE SMC’98, San Diego, pp. 686-
691, 1998.
[ 2 6 ] H. Dierks, ‘Synthesizing Controllers from Real-Time Speci-
fications’ IEEE Transactions on Computer-Aided Design of
lnregrnred Circuits and Systems, 18(1), pp. 33-43, 1999.
1271 P.J.G. Ramadge and W.M. Wonham, ‘The Control of Dis-
crete Event Systems’, Proc. of the IEEE, Vol. 77, pp. 81-97,
1989.
[28] Y. Li and W.M. Wonham, ‘Control of Vector Discrete-Event
Systems 1 - The Base Model’, IEEE Transactions on Auto-
matic Control, Vol. 38, NO.8, Aug. 1993, pp. 1214-1227.
[29] G. Frey, ‘PLC Programming for Hybrid Systems via Signal
lnterpreted Petri Nets’, Proceedings of the 4th International
Cor$c>rence on Automation of Mixed Processes ADPM,
Dortritund, Germany, September 2000.
[30] G. Frey, ‘Automatic Implementation of Petri net based Con-
trol Algorithms on PLC’, Proceedings of the American Con-
rrol Conference ACC2000, Chicago, June 2000.
[31] H. Dierks, ‘PLC-Automata: A New Class of Implementable
Real-Time Automata’, Transformation-Based Reactive Sys-
/enis Development (ARTS‘97),M. Bertrait and T. Rus, editors,
Springer LNCS 1231, pp. 1 I 1-125, 1997.
[32] G. Cutts and S. Rattigan, ‘Using Petri Nets to Develop Pro-
grams for PLC Systems.” Proc. of Application and Theory of
Petri Nets 1992, Springer LNCS 616, pp. 368-372, 1992.
[331 M.J. Stanton, W.F. Arnold and A.A. Buck, ‘Modelling and
Control of Manufacturing Systems using Petri Nets’, Pro-
ceedings of the 13” IFAC World Congress, pp. 329-334,
1996.
[34] M. Uzam and A. H. Jones, ‘Dmiscrete Event Control System
Design using Automation Petri Nets and their Ladder Dia-
gram Implementation’, lnt. Journal of Advanced Manufac-
turing Systems, special issue on Petri Nets Applications in
Manufacturing Systems, Vol. 14, No. 10, pp. 716-728, 1998.
[35] B. W. Boehm, ‘Software Engineering: R&D trends and de-
fense needs’, Research Direclions in Software Technology
(P. Wegner, Ed.), MIT Press, Cambridge, 1979.
[36] J.-M. Roussel and 3.-5. Lesage:, ‘Validation and Verification
of Grafcet using state machine’, Proceedings of IMACS-IEEE
CESA‘96,Lille (F), pp. 758-764.,July 1996.
[37] R. David and H. Alla, Petri Nets and Grafcet - Tools for
Modeling Discrete Event System, Prentice Hall, 1992.
[38] R.S. Sreenivas and B.H. Krogh, ‘On ConditionEvent Sys-
tems with Discrete State Realizations’, Discrete Event Dy-
namic Systems: Theory and Applications, Kluwer Academic
Publishers, Boston, USA, Vol. 1, pp. 209-236, 1991.
[39] T.A. Henzinger, ‘The Theory of Hybrid Automata’, Pro-
ceedings, 1I’hAnnual IEEE Symposium on Logic in Com-
puter Science, IEEE Computer Society Press, pp. 278-292,
July 1996.
[40] M.J.C Gordon. and T.F. Melham, Introduction to HOL.
Cambridge University Press, 1993.
[41] A. Benveniste and G. Berry, ‘The Synchronous Approach to
Reactive and Real-Time Syste:ms’,Proceedings of the IEEE,
Vol. 79, NO.9, pp. 1270-1282.,1991.
[42] A. Benveniste and P. Le Guernic, ‘Hybrid Dynamical Sys-
tems Theory and the SIGNAL Language’, IEEE Transactions
on Automatic Control, Vol. 35, No. 5 , pp. 525-546, 1990.
[43] J.S. Ostroff, ‘Automated verification of timed transition
models’, Int. Workshop on Automatic Verification Methods
for Finite State Systems (Springer LNCS 407), pp. 247-256,
1989.
[44] F. Bacelli, G. Cohen, G.J. Olsder and J.P. Quadrat, Synchro-
nization and Linearity (An algebbra for discrete event sys-
tems), John Wiley & Sons, 1932.
[45] R. Alur and T.A. Henzinger, ‘Logics and models of real time:
a survey’, Real Time: Theoiy in Practice, Springer LNCS
600, pp. 74-106, 1992.
[46] T.A. Henzinger, ‘It’s about time: real-time logics reviewed’,
Proceedings of the Ninth International Conference on
Concurrency Theory (CONCIJR 1998), Springer LNCS 1466,
pp. 439-454, 1998.
[47] X. Weng and L. Litz, ‘Verification of logic control design
using SIPN and model checking-methods and case study’
Proceedings of the American Control Conference ACC2000,
Chicago, 2000.
[48] G. Frey and L. Litz, ‘Correctness Analysis of Petri Net Based
Logic Controllers’, Proceedings of the American Control
Conference ACC2000, Chicago, 2000.
[49] I. Moon, ‘Modelling Programmable Logic Controllers for
Logic Verification’, IEEE Cmtrol Systems Magazine, pp. 53-
59, 1994.
[50] S.T. Probst, ‘Chemical Process Safety and Operability
Analysis Using Symbolic Model Checking’, Ph.D. Thesis,
Department of Chemical Eq;ineering, Carnegie Mellon Uni-
versity, 1996.
[51] I. Moon, G. Powers, J.R. Burch, and E.M. Clarke, ‘Automatic
Verification of Sequential Control Systems Using Temporal
Logic’, AiCHE Journal, Vol. 38 (l), pp.67-75, 1992.