Hybrid Sequential Function Charts

Johanna Nellen
RWTH Aachen University, Germany
johanna.nellen@cs.rwth-aachen.de

Erika Ábrahám
RWTH Aachen University, Germany
abraham@cs.rwth-aachen.de

Abstract

Sequential function charts are a popular formalism to specify programmable logic controllers. However, in the absence of the controlled system, verification of sequential function charts can only consider the controller's behavior, but cannot tell anything about the controlled system. In this paper we propose an extension of the language to additionally model the continuous dynamics of the controlled system. We give syntax and semantics of this hybrid extension for sequential function charts and define a reachability-preserving transformation to hybrid automata.

1. Introduction

In automation, programmable logic controllers (PLCs) are widely used to control the behavior of a plant. The industry standard IEC 61131-3 [Int03] specifies several languages that can be used for programming a PLC. Commonly used in process control are sequential function charts (SFCs), a graphical language which allows the structuring of control sequences into several steps or into branches that are executed in parallel.

Since PLC-controlled plants are often safety-critical, SFC verification has been extensively studied [FL00]. There are several approaches which consider either an SFC in isolation or the combination of an SFC with a model of the plant [HKD98, BCMP]. The latter approaches usually define a timed or hybrid automaton that specifies the SFC, and a hybrid automaton that specifies the plant. Building the composition of these two models gives a hybrid model of the controller acting in the plant. Existing tools for hybrid automata analysis can be used for verification. Since the models are in general too large to analyze, some CEGAR-based abstraction techniques have also been proposed, e.g., in [ELS05]. That work builds the composition of the SFC and the plant models, but abstracts away from parts of the continuous dynamics.

However, modeling a whole plant by a single hybrid automaton is a complex and error-prone procedure. Furthermore, the resulting hybrid automaton does not allow extracting the behaviors of single plant components, which would be very helpful for abstraction and its refinement.

Instead of this global modeling approach, we propose to specify the dynamic behavior of plant components by sets of conditional ordinary differential equation (ODE) systems. Each conditional ODE system specifies the behavior of plant components by the ODE system in case its condition holds. The condition expresses assumptions about the current state of the system. For example, the dynamic change of the water level in a tank can be given as the sum of the flows through the