SYSTEMS ENGINEERING FOR AUTOMATION
J. Jiang
D.Azzopardi
D.J. Holding
GI F. Ca rpenter
J.S.Sagoo
Indexing terms: Real-time control, Hybrid control, Discrete event systems, Synchronisation, SFC, Petri nets, Specijkution, Verijicution, High-speed machinery,
Manufacturing system
I derived from such an approach are: flexibility in
Abstract: The paper considers the co-ordination
and control of flexible, independently driven,
multiaxis, high-speed machinery in which
mechanical complexity has been exchanged for
sophistication in control. The control of such
machines is a hybrid control problem and the
paper addresses the specification and design of
the discrete event part of the controller. It focuses
on the design of synchronisation logic for the
event-driven real-time co-ordination and
synchronisation of the machine. For such time-
critical and system-critical applications, it is
imperative that system behaviour is fully
understood and unambiguous. The paper
proposes a method for inferring system behaviour
and performing formal verification of machine
systems specified using a subset of the industry
standard IEC 113 1 sequential function charts
(SFC). It shows how an SFC-based design can be
translated to an equivalent Petri net model,
thereby allowing Petri net theory and analysis
techniques to probe its behaviour and verify its
functionality. The approach is demonstrated by
considering the design of synchronisation logic
for a prototype six-axis high-speed packaging
machine which incorporates both time-critical
and system-critical functions.
I
1 lmt~odu~tion
Complex high-speed machines, such as packaging
machines, comprise sets of actuators which process a
product as it is moved through the machine. Major
advances in flexible machine design can be realised by
replacing the mechanical transmissions used to syn-
chronise actuator motions by sets of independently
driven actuators which collaborate under software con-
trol to provide the machine function. The benefits to be
0IEE, 1996
IEE Proceedings online no. 19960266
Paper frst received 24th July 1995 and in revised form 3rd January 1996
The authors are with Aston University, Aston Triangle, Birmingham
B4 7ET. UK
164
machine layout with drives placed at the point of use,
removal of many mechanical constraints, mechanical
complexity traded for sophistication in control, and
introduction of flexibility and adaptivity of machine
function through software co-ordination and control
VI.
This paper considers the specification, design and
verification of co-ordination logic for the real-time syn-
chronisation and control of flexible, modular, high-
speed machines comprising multiple, independent, soft-
ware-controlled drives. The co-ordination and control
of such machines is a hybrid control problem which
involves discrete-event co-ordination logic, continuous
drive systems and actuator mechanisms. Research on
the design of hybrid control systems has led to agree-
ment [2, 31 that the system behaviour should be repre-
sented as a piecewise-continuous function, where: (i)
the continuity intervals correspond to phases in which
the systems control is defined by a continuous control
law appropriate to the interval; and (ii) the points of
discontinuity correspond to discrete changes in the sys-
tems state which often involve a change of control. In
this paper this approach is applied to the design of the
synchronisation logic for multiaxis machinery. Specifi-
cally, the motion of each axis of such machines is con-
sidered to be asynchronous and to consist of a
sequence of clearly identified phases which are linked
directly to changes of state in the discrete-event part of
the system. The motions are abstracted and modelled
using the notation of IECll31 sequential function
charts (SFC) [4], which is widely used in industry.
The design problem is to synthesise synchronisation
logic which brings the asynchronous axes into intermit-
tent, real-time synchronisation. Following industrial
practice, SFC notation can also be used to define the
co-ordination and synchronisation logic which is
instantiated on an event-driven basis at the end of vari-
ous motion phases. Research undertaken as part of this
project showed that certain SFC constructs are loosely
defined [5]. Also, in the case of loosely coupled sys-
tems, such synchronisation logic cannot be modelled
explicitly in SFC and is enforced by placing conditions
on transitions, the conditions being implemented at a
lower level. The resulting inability to analyse and rea-
son about co-ordination and synchronisation logic in
IEE Proc.-Control Theory Appl., Vol. 143, No. 2, March 1996
SFC raises considerable problems, particularly when
the discrete-event decisions are system-critical or have
implications for safety.
To overcome these limitations, the paper proposes
limiting the use of SFC to a well defined subset. To
model and reason about such systems, the paper
reports research in which Petri net techniques [6] are
used to provide a tangible and unified framework for
modelling, analysing and verifying concurrent systems
defined using SFC. It is shown that the Petri net gener-
ated from the SFC synchronisation logic can be anal-
lysed using Petri net theory to determine behavioural
properties such as liveness (or freedom from deadlock),
and 1-boundedness (or the single instances of states);
and to show that the state space, state sequences anld
event sequences are consistent with the specification.
The paper also shows how techniques such as concur-
rency sets [7] can be used in a novel way to determine
the integrity and safety of potentially concurrent states
and events.
The approach is demonstrated by considering the
design and verification of synchronisation logic for ,a
prototype, industrial, high-speed machine comprising
six, loosely coupled, independently driven axes witlh
time-critical and system-critical interactions which have
implications for safety. The discrete event part of the
design covers 31 motion phases and involves six syn-
chronisation states, 26 transitions, and a reachablie
state space of 306 states.
2 Specification using sequential function charta
A sequential function chart is a graphical notation for
describing the functional and behavioural aspects of
discrete-event control systems. It has gained widespread
acceptance in the design of control and synchronisation
logic for process controllers used in industrial automa-
tion [8, 91.
The basic components of SFC are steps, transitions,
actions and conditions. In SFC, a system is described
as a sequence of interconnected steps X and transitionls
t as shown in Fig. 1. Each step represents a partial sys-
tem state which can be associated with an action A. At
a given instance, a step is either active or inactive; an
action is performed when its associated step is active.
The duration of a step is determined by the firing of
transitions to which it is connected. Each transition
acts as a guard passing control from one or more
predecessor steps to one or more successor steps. A
transition can be either enabled or disabled; a transi-
tion becomes enabled when all its immediate preceding
steps are active, otherwise it is disabled. The firing OF
an enabled transition is governed by its associated con-
dition c.
+c t1
action A
i---
tad
Fig. 1 SFC components
An SFC model evolves as steps complete their associ--
ated actions and the successor transitions fire, activat-.
ing the next steps. To describe and constrain the timing;
and duration of actions, SFC defines a set of qualifiers.,
IEE Proc.-Control Theory Appl., Vol. 143, No. 2, March 1996
which can be used in combinations to describe real-
time tasks. However, the loose definition of the time-
delayed D-qualifier and the time limited L-qualifier in
certain combinations of qualifier actions and condi-
tions leads to an ambiguous correspondence between
steps and actions and to proprietary interpretations of
the SFC notation [5]. In general, the lack of a direct
correspondence between step duration and the duration
of the associated action is undesirable because knowl-
edge of the current active steps is inadequate to reflect
the complete situation. In this paper, to avoid ambigu-
ity and interpretation, consideration of SFC qualifiers
is limited to the well defined P-qualifier which enforces
a direct correspondence between steps and actions.
The flow control structure of SFC, or the above
restricted subset of SFC, can be used to describe a rela-
tively complex set of sequential processes. However,
SFC does not model communications explicitly and
thus cannot be used to model directly synchronising
primitives such as those found in communicating
sequential processes (CSP) [lo]. To overcome this prob-
lem, interprocess synchronisation is implemented in
SFC by imposing conditions (with implicit data
dependency) on transitions. Thus, in SFC, explicit flow
control may be obscured by conditions and implicit
data dependencies which have to be implemented at a
lower level. For example, in many PLC implementa-
tions of SFC the conditions associated with transitions
and the actions associated with steps are programmed
in one of the lower-level languages defined in IECll31
such as structured text (ST) [3]. This means that both
the SFC model (for which formal analysis techniques
are not well developed) and the application-specific ST
programs must be analysed to determine the system
behaviour and timing dependencies. It follows that co-
ordination and synchronisation logic expressed in SFC
and implemented in a combination of SFC and lower-
level languages is not directly amenable to inspection
or analysis.
3 Translation of SFC specification t o Petri nets
To overcome this problem of implicit dependencies in
SFC models and facilitate the analysis of SFC models,
in this paper the restricted subset of SFC is translated
into a Petri net. Specifically, in the following, SFC is
formalised using the concepts and firing rules of Petri
nets [6, 111 and controlled Petri nets (CPN) [I21
because of the close correspondence between SFC and
CPN. The SFC constructs and their corresponding
CPN models, as developed in this research, are shown
in Figs. 2 and 3.
The execution models of SFC and CPN are some-
what different: the nature of the difference depends on
the particular interpretation of the CPN model. For the
purpose of exploring the potential behaviours of the
system, the simultaneous firing of enabled transitions
in SFC is translated into the interleaved firing of the
transitions in the CPN model. This has the disadvan-
tage of generating a larger state space; however, this
encompasses all reachable states of the SFC model.
The additional complexity is offset by the ability of the
interleaved CPN model to represent explicitly the
notion of nondeterministic choice which commonly
occurs in reactive systems.
165
 In general, large parts of an engineering functional
Construct 1 SFC CPN
requirement can be interpreted as liveness properties
and those parts of a functional requirement which refer
to constraints or things which should not happen can
be interpreted as safety properties. In Petri nets, live-
ness properties may be demonstrated by exhaustive
Transition
t f search techniques involving the generation of the state
coverability graph or reachability tree, a system can be
0 shown to be live by investigating the transition firing
sequences, and safety properties may be verified using
p1
t wpc P-invariants [15] or by exhaustive search techniques.
An engineering functional requirement defining the
synchronisation requirements of a multiaxis machine
will comprise both liveness properties and safety prop-
i I
erties. In such loosely coupled concurrent systems, the
reachable space or coverability graph is often large
Divergence because of all the possible combinations of states which
or sequence
selection may occur in the asynchronous subsystems. To inter-
pret such data and manage its complexity, this paper
(1) makes use of the notion of concurrency sets (which
were developed for analysing communication protocols
Fig.2 Controlled Petri nets representation of reduced set of SFC con- [7]) and applies them to the analysis of the semantics of
structs Petri net models. In the context of a Petri net, the con-
(i) Note: selection conditions must be mutually exclusive
currency set for place p z is the set of all places that are
potentially concurrent with place pi.Thus, the concur-
Construct SFC CPN rency set for place p z provides a concise and tangible
representation of what the rest of the system may be
5 doing while the local state p z is active. In the following,
Convergence
following concurrency sets are used to present a concise demon-
selection stration of certain safety properties.
The Petri net model of the SFC-defined synchronisa-
tion logic for a multiaxis machine system will typically
be large and somewhat complex. To analyse such sys-
Simultaneous
tems automated tools are required. The IT research
divergence group at Aston University have developed a software
or parallel workbench to analyse the behavioural properties of
SFC designs. The system specification is input in the
form of an SFC data file which is automatically trans-
lated into an equivalent Petri net. The design engineer
Convergence can then invoke tools to verify behavioural properties
following such as freedom from deadlock, boundedness, reacha-
simultaneous
divergence bility [6, 111, P- and T-invariants [15], concurrency sets
or parallel [7], quasi-liveness, home state and reversibility [16-1 XI.
p14 Tools in the workbench are implemented in object
I I I I oriented C++. They make use of the three analysis
Fig.3 Controlled Petri nets representation of reduced set of SFC con- techniques: (i) incidence matrix / invariant analysis of
structs
the structure of the Petri net; (ii) coverability graph
analysis to enumerate all the possible states; and (iii)
4 Design verification Petri net reduction to produce a reduced Petri net
which preserves the desirable properties of the original
Co-ordination and synchronisation logic defined in the Petri net, but is easier to analyse since it produces a
restricted subset of SFC can be translated into a CPN smaller coverability graph. Results of the Petri net
model using the component representations shown in analysis are fed back to the design engineer, either
Figs. 2 and 3. The resulting CPN model can be ana- directly or in terms of the original SFC, for system
lysed using well established Petri net theory. However, verification.
the design of concurrent real-time synchronisation logic
is a complex and subtle process, and detailed analysis 5 Design case study
and interpretation is necessary to determine whether a
design satisfies the system functional requirement. This approach is illustrated by considering the design
In this paper the term live will refer to freedom from of synchronisation logic for a prototype high-speed can
deadlock, and the term liveness properties will be used packaging machine, shown in Fig. 4. The machine
in its temporal logic sense to primarily define what the comprises six independent axes: feeder, drum 1, drum
system should do [13]. The terms safe and safety will be 2, conveyor, and sliderlactuators which transfer cans
used in the general control engineering sense [14]. (The from feeder to drum 1, drum 1 to drum 2, and drum 2
Petri net notion of a safe net will be avoided by refer- to conveyor. (For simplicity, the conveyor and feeder
ence to a l-bound net). The term safety properties will are connected directly, thus forming a single axis.) The
be used in its temporal logic sense to primarily define six axes have asynchronous motions unless forced into
what the system should not do [13]. local synchronisation by the synchronisation logic. The
166 IEE Proc -Control Theory Appl., Vol. 143, No. 2, March 1996
 Table 1: Semantics for SFC of Fig. 5

Step Entity Action/interpretation Terminating event

1 Drum 1 Rotate with can Rotate can complete
2 Drum 1 Wait at transfer position with can
3 Drum 1 Commited to drums transfer
4 Drum 1 At transfer, wait to rotate without can
5 Drum 1 Rotate without can Rotate nocan complete
6 Drum 1 Wait at feeder position without can
7 Drum 1 Committed to feeder transfer
8 Drum 1 At feeder, wait t o rotate with can
9 Drum 2 Rotate without can Rotate nocan complete
10 Drum 2 Wait at transfer position without can
11 Drum 2 Committed t o drums transfer
12 Drum 2 At transfer, wait t o rotate with can
13 Drum 2 Rotate with can Rotate can complete
14 Drum 2 Wait at conveyor with can
15 Drum 2 Committed t o conveyor transfer
16 Drum 2 At conveyor, wait without can
17 Conveyor Convey can
18 Feeder Feed can
19 Feeder Committed to feeder transfer
20 Feeder Feeder has ino can
21 Conveyor Conveyor hss no can
22 Conveyor Committed to conveyor transfer
23 Drum transfer Slider approach motion Approach complete
24 Drum transfer Slider decision point
25 Drum transfer Slider insert motion (drums I& 2) Insert complete
26 Drum transfer Slider abort motion
27 Drum transfer Slider return motion Motion complete
28 Feeder transfer Slider withdrawn
29 Feeder transfer Slider inserted in drum 1 Insert complete
30 Conveyor transfer Slider withdrawn
31 Conveyor transfer Slider inserted in drum 2 Insert complete

motion phases of the six independently driven axes are
defined in the SFC diagram, Fig. 5, and the semantics
of the SFC steps, transitions and events are shown in
Table 1.
feeder
transfer motions of the slider/actuators only takes place
when the appropriate drums are stationary and a can is
present at the source of the transfer and no can is
present at the destination. The transfer slider/actuator
between drum 1 and drum 2 is more complex: to
increase machine performance the slider is permitted to
move asynchronously towards the drums. On reaching
a decision point, a time-critical decision is made
whether to insert (if at that instant both drum 1 (with a
can) and drum 2 (with no can) are in position and sta-
tionary), or abort (if any insert condition is not satis-
fied).

i:i
if transferm
slider
~ IIJU I1 I"""vcy"'

tll

t4

t5
drum1
I
1 \ { \ drum2 7
t6 t32
Fig.4 Six axis prototype machine
t7

The transfer slider/actuators between the feeder and

drum 1, and drum 2 and conveyor have simple cyclic Fig.5 SFC models of motion phases for the six independently driven
motions. The main synchronisation requirement is: the axes

IEE Prac.-Control Theory Appl., Val. 143, No. 2, March 1996 167
 Table 2: Synchronising conditions for SFC of Fig. 5
Transition Associated condition Transition Associated condition
tl l S t e p 2 5 A Step10 t17 Step14
t2 Stepl 1 AT Step25 A-I Step26 t18 Step15 A-I Step31
t3 t19
t4 Druml-rotate-nocan-complete t20 Step6
t5 Step18 t21 Step7 AT Step29
t6 Step19 A-I Step29 t22
t7 t23 Step3 A Stepl 1
t8 Druml-rotate-can-complete t24 l S t e p 3 VT Stepl 1
t9 l S t e p 2 5 A Step2 t25 Step3 A Stepl 1
t10 Step3 AT Step25 A-I Step26 t26 Slider-insert-complete
tl1 t27 Slider-motion-complete
t12 Drum2-rotate-can-complete t28 Slider-approach-complete
t13 Step21 t29 Step7 A Step19
t14 Step22 AT Step31 130 Feeder-slider-insert-complete
t15 t31 Step15 A Step22
t16 Drum2-rotate-nocan-complete t32 Conv-slider-insert-complete

I r choice in the decision to either commit to a transfer or

abort, which arises during interdrum transfer, is mod-
elled as mutual exclusion using conditions on transi-
tions, Table 3 (due to the inability of SFC to model
nondeterministic constructs).

Table 3: Extended semantics and conditions for SFC of

Fig. 6
Step Entity Actionhnterpretation
32 Synch logic-SL Transfer slider insert inhibit
33 Synch logic-SL Drums rotate inhibit
34 Synch logic-D1 Feeder/D1 slider insert inhibit
35 Synch logic-D1 Drum 1 rotate inhibit
4-t7 I 36 Synch logic-D2 D2/conveyor slider insert inhibit
37 Synch logic-D2 Drum 2 rotate inhibit
Transition Condition Notes:
t13 C1 c1 and c2ensure mutual exclusion
t14 CZ between transitions on selection
t16 --C, A i Cs construct at Step 32
~

Using the transforms defined in Figs. 2 and 3, the

Fig.6 SFC model
The synchronisation logic is designed by interpreting
the synchronisation requirements as constraints on the
motion of the axes. By imposing the conditions (and
the implicit data dependencies) defined in Table 2 on
the designated transitions, appropriate sets of axes are
brought into the required local synchronisation. Most
of these conditions can be represented explicitly using
SFC to model states of the synchronisation logic, lead-
ing to the monolithic SFC model of Fig. 6. The seman-
tics of the SFC steps are shown in Tables 1 and 3.
However, it is of note that the transitions of the mono-
lithic SFC model, Fig. 6, have been renumbered to
accommodate the parallel sections, or atomic sections,
which occur when the transfer sliders interact with one
or more drums. In this design the nondeterministic
168
SFC model and all associated conditions are trans-
formed into a CPN model, Fig. 7, in which the nonde-
terministic choice is represented explicitly. In the CPN,
SFC events which form the interface between the con-
tinuous and discrete system are modelled using control
places. However, for the purpose of analysis the nine
control places are set to one and are omitted from
Fig. 7 to reduce complexity. The semantics of the Petri
net places and transitions correspond to those of the
equivalent numbered steps and transitions in Fig. 6.
The model has been analysed using the workbench and
is live (free from deadlock), 1-bound, and has a covera-
bility graph of 306 states from which the set of concur-
rency sets in Table 4 is automatically derived.
Inspection of Fig. 7 shows that the synchronisation
processes for the three transfer sliders: ~ 3 2p33;
, p34,p35;
and p36, p37 are autonomous and do not communicate
directly. Thus the synchronisation logic is decentral-
ised. To ensure that the complete or composite design
satisfies the specification it is necessary to verify the
design as a whole.
IEE Proc -Control Theory Appl, Vol 143, No 2,March 1996

..
I underlying physical system. Also, assuming an enabling
-
F I 7 Controlled Petri net model of SFC of Fig. 6
N : the nine control places are omitted to reduce complexity
The principal functional requirements of the overall
system can be expressed precisely and concisely using
the logic operators: (not), A (and), v (or); the tempo-
ral operators [19]: 0 (next), 0 (always), 0 (eventually);
and the places of the net. In the following, key require-
ments are demonstrated using Petri net theory.
Liveness property 1: Every time the slider reaches the
decision point, it will eventually insert into the drum:
OO(p24) a OOp25. Liveness property 1 has been dem-
onstrated using exhaustive search techniques.
Safety Property 1: A situation will never occur in which
the slider is at the decision point and no decision is
made: O ~ [ p ~ ~ ~ ~ ( pThis ~ ~ property
v p ~ ~ )has
] . been
demonstrated by a search of all states of the coverabil-
ity graph which include the local state pz4.
Safety Property 2: A situation will never occur in which
any drum rotates when an associated slider is inserted:
&[P25A(Pl VPSVP9VPI 3 ) 1 V O 4 P 2 9 4 P I V P 3 ) l V ~ 4 P , I4 P 9 V P l J
This property is demonstrated by inspection of the con-
currency set for ~25,p29 and ~ 3 1 .
Safety Property 3: A situation will never occur in which
any slider inserts when an associated drum is rotating:
O~[(P,VP5)~(P25VP29)l~~~[(P9VP13)~(P2SVP~l)l.
This property is demonstrated by inspection of the can-
currency set for pl, p5, p9 and PI3.
In the above, formally specified properties were demon-
strated using Petri net theory. They may also be proved
using temporal logic by setting the control places to
one, reducing the 1-bound CPN to a condition event
(CE) net which can be translated into temporal logic,
and using the temporal logic proof system [20, 211. For
the design engineer, equally interesting and tangible
results and insights can be gained from inspection of
IEE Proc -Control Theory A p p l , Vol 143, No 2, March 1996
the full set of concurrency sets, Table 4, which reveals
the true nature and extent of the concurrent behaviour
of the system.
Similarly, time-critical sections can be identified and
timing constraints evaluated by reducing the CPN
model to a CE net model as above and converting the
CE net to either a timed Petri net [22] or a time Petri
net [23] by assigning time parameters, or a range of
time parameters, to transitions. System performance
can then be explored by forming relational expressions
of relative timing [l]. Thus, in the high-speed machine
application, timing constraints on the default abort
transition t16 can be matched to parameters of the
event, relational expressions of timing can be computed
to ensure the responsiveness of the insert decision
mechanism.
6 Conclusions
The design of logic for the real-time synchronisation of
event-driven concurrent or distributed systems, such as
independently driven multiaxis machinery, is a complex
and subtle process. Without a means of probing the
possible behaviour of a system, the system designer
cannot determine whether a design satisfies functional
and performance requirements. The approach pre-
sented in this paper focuses on specifications and
designs captured using the IEC 1131 SFC notation
which forms an industry standard for PLC and special-
ist machine-drive control systems. The paper has
shown how designs expressed using a restricted subset
of SFC can be translated into a CPN model. This was
analysed using established and novel Petri net tech-
niques to determine generic aspects of behaviour such
as freedom from deadlock, boundedness, state reacha-
bility and concurrency sets. The concurrency set tech-
nique was shown to provide a relatively concise
summary of the potential concurrent behaviours of the
system. The set of concurrency sets can be accessed
directly by applications engineers who wish to examine
the juxtaposition of behaviours in a distributed or
decentralised system; they are particularly useful when
demonstrating certain types of safety property. The
overall approach is consistent with formal approaches
and proof systems. The method has been illustrated by
application to the design and verification of synchroni-
sation logic for a medium-scale prototype high-speed
manufacturing system comprising multiple, software-
controlled, independently driven axes or machine func-
I. tions.
7 Acknowledgments
This research was supported by EPSRC/DTI grants
GRlR60666 and GRlJ09352, and has been carried out
in conjunction with Eurotherm Controls Ltd, U.K.
8 References
1 HOLDING D.J., and SAGO0 J.S.: A formal approach to the
software control of high-speed machinery in IRWIN, G.W., and
FLEMING, P.J. (Eds.): Transputers in real-time control
(Research Studies Press. 1992). Chao. 9
2 GROSSMAN, R.L., NERODE: A., RAVN, A.P., and
RISCHEL, H. (Eds.): Hybrid systems, LNCS-vol. 736 (Springer
Verlag, 1993)
3 LANGMAACK, H., DE ROEVER, W.-P., and VYTOPIL, S.
(Eds.): Formal techniques in real-time and fault-tolerant sys-
tems, LNCS-vol. 863 (Springer Verlag, 1994)
169
 Table 4: Concurrency sets for Petri net of Fig. 7
State Concurrency set
1 2 3 ... ... 37
1 1 0 0 0 0 0 0 0 1 1 0 0 0 0 0 1 0 0 0 1 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0
2 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 1 0 0 0 1 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0
3 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 1 1 1 1 1 0 1 0 1 1 1 0 1 0
4 0 0 0 1 0 0 0 0 1 1 0 1 1 1 1 11 1 0 1 1 1 1 1 0 1 11011101011
5 0 0 0 0 1 0 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 0 1 11011101011
6 0 0 0 0 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 0 1 1 1 0 1 1 1 0 1 0 1 1
7 0 0 0 0 0 0 1 0 1 1 0 0 0 0 0 1 0 0 1 0 0 0 1 1 0 1 1 1 1 1 0 1 0 1 1 1 0
8 0 0 0 0 0 0 0 1 1 1 0 0 0 0 0 1 0 0 0 1 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0
9 1 1 0 1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 0 1 1 0 1 1 1 1 1 0 1 0 1 1 1 0
10 1 1 0 1 1 1 1 1 0 1 0 0 0 0 0 0 1 1 1 1 1 0 1 1 0 1 1 1 1 1 0 1 0 1 1 1 0
11 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 1 1 1 11010111010
12 0 0 0 1 1 1 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0
13 0 0 011100000010000001101?0111010101010
14 00011100000001000001101lolll0111010101010
15 0 0 0 1 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 1 1 0 1 1 1 0 1 0 1 1
16 1 1 0 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 0 1 1 0 1 1 1 1 1 0 1 0 1 1 1 0
17 0 0 0 1 1 1 0 0 1 1 0 0 0 0 0 1 1 0 0 0 0 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0
18 0 0 0 1 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0
19 0 0 0 0 0 0 1 0 1 1 0 0 0 0 0 1 0 0 1 0 0 0 1 1 0 1 1 1 1 1 0 1 0 1 1 1 0
20 1 1 1 1 1 1 0 1 1 1 1 1 1 1 0 1 0 0 0 1 0 0 1 1 1 1 11010111010
21 1 1 1 1 1 1 0 1 1 1 1 1 1 1 0 1 0 0 0 0 1 0 1 1 1 1 11010111010
22 0 0 0 1 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 1 1 0 1 1 1 0 1 0 1 1
23 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11100001111111111
24 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 0 0 0 1 1 1 1 1 1 1 1 1 1
25 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 0 1 0 0 10 100 1 10 10
26 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 1 1 1
27 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1
28 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11011111111
29 0 0 0 0 0 0 1 0 1 1 0 0 0 0 0 1 0 0 1 0 0 0 1 1 0 1 1 0 1 1 0 1 0 0 1 1 0
30 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11110111111
31 0 0 0 1 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 1 1 0 0 1 1 0 1 0 0 1
32 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 11111101111
33 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 1 1 1 1 1 0 1 0 0 1 1 0 1 0
34 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11111011111011
35 0 0 0 0 0 0 1 0 1 1 0 0 0 0 0 1 0 0 1 0 0 0 1 1 0 1 1 1 1 1 0 1 0 0 1 1 0
36 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 11110111110
37 0 0 0 1 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 1 1 0 1 1 1 0 1 0 0 1

4 IEC 1131, International Electrotechnical Commission: Interna-
tional standard for programmable controllers, programming lan-
guages, March 1993
5 JIANG, J., and HOLDING, D.J.: The formalisation and analy-
sis of sequential function charts using a Petri net approach, 13th
IFAC world congress, IFAC96, San Francisco, 1996, (in press)
6 PETERSON, J.L.: Petri net theory and the modelling of systems
(Prentice Hall. 19811
7 SKEEN, D., and STONEBRAKER, M.: A formal model of
crash recovery in a distributed system, IEEE Trans. Softw. Eng.,
1983, 9, (3), DD. 213-228
8 DAVID, R.:-Modelling of dynamic systems by Petri nets, ECC
91 European Control conference, 2-5 July 1991, Laboratoire
dAutomatique de Grenoble, Grenoble, France, pp. 136147
14 LEVENSON, N.G.: Safeware-system safety and computers
(Addison Wesley, 1995)
15 MURATA, T.: Petri nets: Properties, analysis and applications,
Proc. IEEE, 1989, 77, (4), pp. 541-580
16 DAVID, R., and ALLA, H.: Petri nets and Grafcet: Tools for
modelling discrete event systems (Prentice Hall, 1992)
17 ZURAWSKI, R., and ZHOU, M.C.: Petri nets and industrial
applications: A tutorial, IEEE Trans. Indust.Electron., 1994, 41,
(6), pp. 567-585
18 DESROCHERS, A.A., and AL-JAAR, R.Y.: Applications of
Petri nets in manufacturing systems (IEEE, New York, 1995)
19 SUZUKI, I., and LU, H.: Temporal Petri nets and their applica-
tion to modelling and analysis of a handshake daisy chain arbi-
ter. IEEE Trans. Comnut.. 1989. 38. (51.
I ,, DV. 641-704
\

9 MALLABAND, S.: Specification of real time control systems by
means of sequential function charts, International conference on
Software engineeringfor real-time systems, 16-18 September 1991,
pp. 57-61
10 HOARE, C.A.R.: Communicating sequential processes (Prentice
Hall, 1985)
11 REISIG, W.: Petri nets: an introduction (Springer Verlag, 1985)
12 HOLLOWAY, L.E., and KROGH, B.H.: Synthesis of feedback
control logic for a class of controlled Petri nets, IEEE Trans.
Autom. Control, 1990, 35, (5), pp. 516523
13 LAMPORT, L.: Proving the correctness of multiprocess pro-
grams, IEEE Trans. Softw. Eng., 1977, SE-3, (2), pp. 125-143
20 HE; X., and LEE, J.A.N.: Integrating predicate transition nets
with first order temporal logic in the specification and analysis of
concurrent systems, Form. Asp. Comput., 1990, 2, pp. 226-246
21 SAGOO, J.S., and HOLDING, D.J.: A comparison of temporal
Petri net based techniques in the specification and design of hard
real-time systems, Microprocess. Microprogr., 1991, 32, (1-5), pp.
111-118
22 MERLIN, P.M., and FARBER, D.J.: Recoverability of commu-
nication protocols, implications of a theoretical study, IEEE
Trans.. 1976. COM-24. VU. 1036-1043
23 LEVENSON, N.G., and STOLZY, J.L.: Safety analysis using
Petri nets, lEEE Trans. Softw. Eng., 1987, SE-13, (3), pp. 386-
397

170 IEE Proc.-Control Theory Appl., Vol. 143, No. 2, March I994