IFAC PapersOnLine 50-1 (2017) 6952–6957
2405-8963 © 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Peer review under responsibility of International Federation of Automatic Control.
10.1016/j.ifacol.2017.08.1335
Keywords: Action sequences generation, Iterative refinement, Reachability analysis, Model checking, Timed automata.
1. INTRODUCTION

Industrial processes that involve field devices (transmitters and actuators) manually controlled and monitored by human field or control room operators, automated reflex control systems, and plant operation control are complex systems to control. For safety-critical systems, safe operation is often based on predefined and qualified procedures. Procedures are ordered sequences of control and monitoring tasks that aim to control the evolution of the process state.

For procedure qualification purposes, the satisfaction of safety requirements may be demonstrated using formal synthesis (Yeh and Chang, 2012), generation or verification approaches. Focusing on action sequences, which are part of operating procedures, Cochard et al. (2015) showed that reachability analysis can be used to automatically generate safe sequences, but also brought to light limitations regarding scalability, mainly due to combinatorial explosion. The action sequences considered here consist of sets of ordered actions, each inducing a change in the state or the status of a device, which may be performed manually by an operator (locally by a field operator or remotely by a control room operator) or automatically by control devices. These sequences lead the system from an initial situation to a goal situation, characterized by the state (such as functioning features) and the status (such as availability) of the system components and by a set of process physical values.

This article addresses the highlighted scalability issue by proposing an iterative modelling and generation approach for safe action sequences, based on:
• a bottom-up iterative system modelling framework, based on the ISA-88 hierarchical levels (ISA, 1998),
• a top-down iterative action sequence generation, using reachability analysis techniques (supported by model-checking tools) to generate execution traces.

Section 2 of this article presents existing approaches for procedure modelling and generation. Section 3 proposes an iterative system modelling and action sequence generation approach, which is applied to a lab case study in Section 4.
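To make concrete what "reachability analysis to generate execution traces" means, the following Python example, added here and not taken from the paper or its tooling, searches a small constructed untimed model (a valve, a pump and a tank level, all assumptions) for the shortest ordered action sequence that leads from an initial situation to a goal situation without ever entering an unsafe situation. The model-checking tools the paper relies on work on timed automata, but the principle of extracting the witness trace of a reachability query is the same.

```python
from collections import deque

# Constructed toy plant (an assumption, not the paper's case study): a pump
# feeds a tank through a valve. A situation is (valve state, pump state, level):
# device states plus one discrete process physical value.
VALVE = {"closed": {"open_valve": "open"}, "open": {"close_valve": "closed"}}
PUMP = {"stopped": {"start_pump": "running"}, "running": {"stop_pump": "stopped"}}
LEVELS = ("empty", "low", "high")

def is_safe(sit):
    """Safety requirement: the pump must never run against a closed valve."""
    valve, pump, _level = sit
    return not (pump == "running" and valve == "closed")

def successors(sit):
    """Enabled transitions: one device action, or one step of process evolution
    (the level rises while the pump runs through an open valve)."""
    valve, pump, level = sit
    for act, nxt in VALVE[valve].items():
        yield act, (nxt, pump, level)
    for act, nxt in PUMP[pump].items():
        yield act, (valve, nxt, level)
    if pump == "running" and valve == "open" and level != "high":
        yield "wait_level_rise", (valve, pump, LEVELS[LEVELS.index(level) + 1])

def generate_sequence(initial, goal):
    """Breadth-first reachability analysis over the composed model: returns the
    shortest action sequence (execution trace) from `initial` to a situation
    satisfying `goal` that visits only safe situations, or None if none exists."""
    if not is_safe(initial):
        return None
    parent = {initial: None}  # situation -> (predecessor situation, action)
    queue = deque([initial])
    while queue:
        sit = queue.popleft()
        if goal(sit):
            trace = []
            while parent[sit] is not None:  # walk back to the initial situation
                sit, act = parent[sit]
                trace.append(act)
            return trace[::-1]
        for act, nxt in successors(sit):
            if nxt not in parent and is_safe(nxt):  # unsafe situations are pruned
                parent[nxt] = (sit, act)
                queue.append(nxt)
    return None

if __name__ == "__main__":
    init = ("closed", "stopped", "empty")
    print(generate_sequence(init, lambda s: s[2] == "high" and s[1] == "stopped"))
```

Because unsafe situations are pruned during exploration rather than checked afterwards, a goal that can only be reached through an unsafe situation (or that is itself unsafe) yields no sequence at all, which is the behaviour wanted from a generator of qualified procedures.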
2. EXISTING APPROACHES FOR ITERATIVE PROCEDURE MODELLING AND GENERATION

The control of complex industrial systems has been formalized in the ISA-88 (ISA, 1998) and IEC 61512 (IEC, 1997) standards. It combines automated control operated remotely from a control room with manual control operated locally on the process through human actions. For critical processes, the ordered execution of control actions depends primarily on qualified operating procedures. A procedure is composed of two main types of operations: actions, which operate on devices in order to control the global process, and observations, which verify that the view the operator has of the process agrees with the state the system is actually in.

The field of procedure modelling (Viswanathan et al., 1998a,b), generation (Wang et al., 2005) and verification (Li et al., 2014) has been an active research domain since the work of Rivas and Rudd (1974), which highlighted its interest for process control. Among the languages used for operation modelling and synthesis (Arzen and Johnsson, 1996; Viswanathan et al., 1998a; Wang et al., 2005; Lind et al., 2011), timed automata (Alur and Dill, 1994) have been chosen by Li et al. (2014) and Cochard et al. (2015) for their formal definition.
Safe operation sequences: a generation approach based on iterative refinements and abstractions of timed automata

Thomas Cochard ∗,∗∗, David Gouyon ∗,∗∗, Jean-François Pétin ∗,∗∗

∗ Université de Lorraine, CRAN, UMR 7039, Campus Sciences, BP 70239, Vandœuvre-lès-Nancy Cedex, 54506, France
∗∗ CNRS, CRAN, UMR 7039, France

Abstract: Operation procedure engineering for complex and critical systems aims to provide action sequences satisfying safety requirements specifications. While automatic generation of procedures seems attractive for this purpose, the limit of formal generation approaches is classically the combinatorial explosion induced by the size and the number of required models. This article addresses this issue by proposing an iterative approach for the generation of safe operation sequences, using timed automata and based on reachability analysis. The originality of this approach is to combine a bottom-up framework that progressively builds system models by abstraction with a top-down iterative action sequence generation.