Hybrid Control Techniques for the Design of Industrial Controllers

Sebastian Engell, Olaf Stursberg
Process Control Laboratory (BCI-AST), University of Dortmund, 44221 Dortmund, Germany. Email: {s.engell | o.stursberg}@bci.uni-dortmund.de

Abstract— This tutorial paper provides an overview of where techniques based on hybrid dynamic models are suitable or promising for designing controllers of industrial plants, in particular chemical processing systems. After summarizing the typical control tasks prevalent in the hierarchical automation structure of industrial plants, the paper focuses on two techniques employing hybrid models that have recently gained much attention from the research community: the algorithmic verification of safety-related discrete controls, and the optimal control of large transitions, such as startup, shutdown, or product switch-over.

Index Terms— Automation, Hybrid Dynamics, Optimal Control, Safety, Supervisory Control, Verification.

I. INTRODUCTION

While continuous or quasi-continuous sampled-data control has been the main topic of control education and research for decades, in industrial practice discrete-event or logic control is at least as important for the correct and efficient functioning of production processes as continuous control. A badly chosen or ill-tuned continuous controller only leads to a degradation of performance and quality as long as the loop remains stable, but a wrong discrete input (e.g. switching on a motor that drives a mass against a hard constraint, or opening a valve at the wrong time) will most likely cause severe damage to the production equipment or even to the people on the shop floor, and to the environment. In addition, discrete and logic functions constitute the dominant part of the control software and are responsible for most of the effort spent on the engineering of control systems for industrial processes. Generally, several layers of industrial control systems can be distinguished (see Fig. 1).
The first and lowest layer of the hierarchy realizes safety- and protection-related discrete controls. This layer is responsible for the prevention of damage to the production site, including the personnel. For example, a robot is shut down if someone enters its workspace, or the fuel flow to a burner is switched off if no flame is detected within a short period after its start. Most of the safety-related control logic is consciously kept simple in order to enable inspection and testing of the correct function of the interlocks and safety trips. This has the drawback that a part of the plant may be shut down if one or two of the sensors associated with an interlock system indicate a potentially critical situation, while a consideration of the information provided by a larger set of sensors would have led to the conclusion that there was in fact no critical situation. As shutdowns cause significant losses of production, there is a tendency to install more sophisticated interlock systems, which can no longer be verified by simply looking at the code or performing simple tests.

In the sequel, we do not distinguish between strictly safety-related and emergency-shutdown systems (which have to be presented to and checked by the authorities outside the plant), and more general protection systems which prevent damage or degradation of the equipment or unwanted situations causing large additional costs or the loss of valuable products – from a design and verification point of view, there is no difference between the two. Clearly, the correct function of safety- and protection-related controls depends on the interaction of the discrete controller with the continuous and possibly complex plant dynamics.

The second layer of the control system is constituted by continuous regulation loops, e.g. for temperatures, pressures, and the speeds of drives.
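As an added illustration of the algorithmic verification of safety-related discrete controls that the paper refers to (this code is not from the paper), the burner flame-failure interlock mentioned above is checked exhaustively against a small nondeterministic, discretised plant model; the TIMEOUT constant, the state encodings and all function names are assumptions made for this example.

```python
from collections import deque

# Added example, not from the paper: exhaustive reachability check of a
# burner flame-failure interlock against a nondeterministic, discretised
# plant model. TIMEOUT, state encodings and function names are assumptions.
TIMEOUT = 3  # controller ticks tolerated without flame while fuel is open

def interlock(ctrl_state, flame):
    """Interlock with flame-failure timer. State: (fuel_on, ticks_without_flame)."""
    fuel_on, t = ctrl_state
    if not fuel_on:
        return (True, 0)        # start command: open fuel, reset timer
    if flame:
        return (True, 0)        # flame detected: timer reset
    if t + 1 >= TIMEOUT:
        return (False, 0)       # no flame within TIMEOUT: trip (close fuel)
    return (True, t + 1)

def interlock_without_timer(ctrl_state, flame):
    """Deliberately flawed variant: fuel stays open regardless of flame."""
    return (True, 0)

def plant_successors(plant_state, fuel_on):
    """Plant state: (flame, ticks_of_unburned_fuel). Flame may ignite, persist
    or fail at every tick; with fuel closed the flame dies and fuel is purged."""
    flame, unburned = plant_state
    if not fuel_on:
        return {(False, 0)}
    # counter is capped so the state space stays finite
    return {(True, 0), (False, min(unburned + 1, TIMEOUT + 1))}

def is_unsafe(plant_state):
    """Unburned fuel accumulating beyond TIMEOUT ticks is the hazard."""
    flame, unburned = plant_state
    return not flame and unburned > TIMEOUT

def reaches_unsafe_state(ctrl):
    """Breadth-first search over the closed loop; True if a hazard is reachable."""
    init = ((False, 0), (False, 0))
    seen, queue = {init}, deque([init])
    while queue:
        c, p = queue.popleft()
        if is_unsafe(p):
            return True
        nc = ctrl(c, p[0])                       # controller reads flame sensor
        for np_ in plant_successors(p, nc[0]):   # plant reacts to fuel command
            if (nc, np_) not in seen:
                seen.add((nc, np_))
                queue.append((nc, np_))
    return False
```

The timed interlock is proven safe because every closed-loop path closes the fuel valve before the capped counter exceeds TIMEOUT, whereas the variant without a timer reaches the hazard within a few ticks.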
These loops receive their set-points or trajectories from the third layer, which is responsible for the sequence of operations required to process a part or a batch of material. On this layer, mostly discrete switchings between different modes of operation are controlled, but continuous variables may also be computed and passed to the lower-level continuous control loops. If these sequences are performed repeatedly in the same manner, they are usually realized by computer control. If there are large variations of the sequence of operations or of the way in which the steps are performed, as in some chemical or biochemical batch processes, sequence control is mostly performed by the operators. The same is true for the start-up of production processes or for large transitions between operating regimes, which usually do not occur too often. On a fourth layer of the control hierarchy, the various production units are coordinated and scheduled to optimize the material flow.

A major part of the control code (or of the task of the operators) on the sequential control layer is the handling of exceptions from the expected evolution of the production process: drills break, parts are not grasped correctly, controlled or supervised variables do not converge to their set-points, valves do not open or close, etc. While there usually is only one correct sequence, a possibly different recovery sequence must be implemented for each possible fault. Exception handling in fact also is responsible for a large fraction of the code in continuous controllers.

Safety- and protection-related discrete controls and sequen-

Proceedings of the 44th IEEE Conference on Decision and Control, and the European Control Conference 2005, Seville, Spain, December 12-15, 2005. WeC01.3, 0-7803-9568-9/05/$20.00 ©2005 IEEE