
ISA Transactions 48 (2009) 3–9


A new proposal for the behaviour model of batch phases


Giovanni Godena ∗
J. Stefan Institute, Department of Systems and Control, Jamova 39, 1000 Ljubljana, Slovenia

Article history: Received 30 May 2008; Received in revised form 6 August 2008; Accepted 12 August 2008; Available online 11 September 2008

Keywords: Batch control; Batch phases; Behaviour model; State machine

Abstract

There is a problem with managing the complexity and meeting the high-quality requirements of batch-process control software in the environment of the modern tools for batch-process control according to the ISA 88.00.01 standard. The problem stems from the insufficient abstraction level of the phase-behaviour model consisting of only five active sequences. A solution to this problem is proposed, based on increasing the level of abstraction of the phase-behaviour model by adding to it the nested states and in defining an increased number of finer-granularity activities. The new concept, together with its elements, is described, and its use is illustrated by means of the specification of a phase from a real batch-control project.

© 2008 ISA. Published by Elsevier Ltd. All rights reserved.

∗ Tel.: +386 1 477 36 19; fax: +386 1 477 39 94. E-mail address: giovanni.godena@ijs.si.
0019-0578/$ – see front matter © 2008 ISA. Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.isatra.2008.08.002

1. Introduction

There is a broad consensus among the manufacturers of automation equipment, service providers in this field and end users of the need to comply with the ISA 88.00.01 standard [5] in batch-process control, regardless of the level of automation of this control. However, there are also certain problems concerning the application of the standard and the batch tools that are based on it. These problems include:

1. The unsatisfactory reliability of the personal computer (PC) platform and the real-time communication loop,
2. The poor compatibility of the existing tools,
3. The unsatisfactory behaviour of PCs with regard to execution speed and time determinism, and
4. The insufficient expressive power of the phase-behaviour model, which is shown in the generally complicated logic of the individual states and particularly as a frequent need to memorize the current step on the state transition in order to return to the same step, which is a non-transparent low-level concept, and per se a frequent source of errors.

The first three of the above-mentioned problems are usually tackled with the development of simplified batch-control tools, for the PC or the PLC platform, which are more or less compliant with the ISA 88.00.01 standard. These tools are mostly over simplified and therefore lose most of the expressive power offered by the S88.01-based tools. In some cases the recipe control system is even embodied in the application code, which as a rule has a very negative impact on the quality. In our recent paper we described the development of a batch-control tool for the PLC platform with a near-to-ISA 88.00.01 functionality [1].

In the remainder of this paper we present an approach to solving the problem of an insufficient abstraction level of the phase-behaviour model. The approach is based on the definition of a new, enlarged and more complex phase-behaviour model.

The paper is structured in the following manner. Section 2 describes the phase-behaviour model recommended by the standard ISA 88.00.01. Section 3 describes a new proposal for the phase-behaviour model.

2. The phase-behaviour model according to the standard ISA 88.00.01

The standard ISA 88.00.01 recommends a phase-behaviour model based on the abstraction of state machines, which is widely accepted as a very appropriate notation for describing reactive systems in general [2]. In our opinion, as well as in the opinion of the vast majority of the batch-control-software community, the state-machine abstraction also deals very well in describing the behaviour of the procedural control entities in the domain of batch-process control. The phase-behaviour model proposed in ISA 88.00.01 is shown in Fig. 1 (the only difference between the presented model and the model given in ISA 88.00.01 is that the model presented in Fig. 1 is based on the consistent use of nested states, with the positive consequence of avoiding the repetition of the transitions).

The model defines ten elementary (lowest-level) states (shown as dark blue in Fig. 1). Among these ten states there are five quiescent states (without any processing) and five active states. The quiescent states are Idle, Complete, Held, Stopped, and Aborted. The active states are Running, Holding, Restarting, Stopping, and Aborting; thus, these five states contain the whole logic of each phase.

Fig. 1. Phase-behaviour model according to S88.01.

The operation of the batch-control system, behaving in accordance with the above-mentioned model, is as follows. The control program on the PLC is divided into two parts: the system part and the application part.

The system part is the so-called Phase Logic Interface (PLI); this executes the state-machine algorithm of each phase, including evaluating and carrying out the state transitions, and controlling (enabling and disabling) the execution of the processing sequences belonging to the active states.

The application part is composed of distinct blocks of code, with each block belonging to a particular active state of a particular phase. Since these blocks are unconnected, it follows that there does not exist an integrated code entity for each phase—only the PLI perceives each phase as a whole, which is as a conceptual entity.

In spite of the basic appropriateness of the phase-behaviour model described above, there are some problems connected with its practical use, mainly caused by the too coarse granularity of the application-code modules. Most of us would probably agree that among the best strategies for developing high-quality batch-process control software is in keeping it as simple and as understandable as possible. On the other hand, the basic building blocks of the application code are the state sequences, which are often rather complex, instead of being simple-to-manage linear sequences. The main source of their complexity is that the number of basic-code building blocks is too low, and, as a consequence, each of these blocks implements more than one type of behaviour, which often results in the block complexity being considerably higher than that which is desirable.

The problem lies in the abstraction used for describing the phases behaving as simple state machines, without the nesting of states and with a single sequence per active state as the only possible form of processing. To illustrate the unsuitability of this abstraction, let us consider certain details of the ISA 88.00.01 standard and of the documentation of one of the commercial batch tools. In the standard the complete phase-behaviour model is not, as one would expect, given as a high-abstraction-level state diagram; instead, it is given as a state table. In addition, there is only a partial state diagram, covering about one-third of the complete behaviour, given in the table. And what is the reason for choosing the table instead of the diagram as the main notation? Probably, the reason lies in the fact that describing the complete phase behaviour using a simple state diagram without superstates would result in a messy network of multi-repeated transitions, which would seriously hinder the ease of understanding of the behaviour model. The table, on the other hand, is crammed with information repetition: the transition to the state Aborted appears eight times, and the transition to the state Stopped six times, while in a properly conceived state diagram, as presented in Fig. 1, each transition would appear only once.

As a second example we consider the reference manual of one of the batch tools. In this manual the state model is represented by a diagram including superstates, whose higher expressive power is obvious. On the other hand, in this case the diagram is not completely correct, as again certain transitions appear more than once: for example, the transition to the state Aborting appears twice (once from the superstate Executing, and once from the state Stopping). It is clear that there is a missing level in the state hierarchy.

In order to illustrate that the inappropriate abstraction with its repetition of information is a potential source of errors, we will point out some weaknesses that can be found in both the standard and the batch-tool documentation.

In the table of the standard there is a superfluous transition from Stopped to Aborting. There is also a missing transition from Held to Holding. This does not need to be unequivocally considered as a deficiency, since this transition is not mandatory, although all the batch tools that we know contain it.

In the diagram of the batch-tool documentation there are two missing transitions: from Restarting to Holding, and from Held to Holding. It should be pointed out that both transitions are also mentioned in other points of the documentation.

The above-mentioned weaknesses occurred even though both documents must have been carefully written and checked. In our opinion, the main cause of the weaknesses is in the lack of, or in the inconsistent use of, an appropriate phase-behaviour notation.

If the deficiencies of the phase-behaviour model and their consequences can be observed in the above-mentioned, carefully checked documents, then the impact of the inappropriate model on the application software can only be worse. The problem is most obvious in the state Running, since it assumes different behaviours depending on the source state. For instance, the phase Dosing has to reset the dosing counter after its entry from the Idle state, whereas after its entry from the Restarting state the dosing counter has to remain unchanged. Similar cases can also be found in other states.

People are aware of these problems, and a number of solutions have been proposed; however, most of them, unfortunately, are inappropriate. As an illustration, let us consider once again the documentation of the batch-control tool, where two paradigms are mentioned for phase programming using the SFC notation: the sequential paradigm and the state-machine paradigm. Each of these paradigms has its benefits and shortcomings:

• the sequential paradigm is more intuitive and easier to understand, but it has too little expressive power due to the low level of its abstraction, which causes difficulties with more complex behaviours, for example, exceptions;
• the state-machine paradigm is on a higher level of abstraction and, therefore, has greater expressive power, facilitating the managing of complex behaviour scenarios, but, on the other hand, it is harder to understand and carries the risk of over-complicating the application program.

The essence of the problem lies in the distribution of the functionality between the PLI and the application program. The entire behaviour has a given complexity level, which depends mostly on the inherent complexity of the problem to be solved by the application. Like the functionality, the complexity is also distributed between the PLI and the application program. The current situation in most batch-control tools is that the phase-behaviour model implemented in, and executed by, the PLI is relatively simple. This leads to an increased complexity of the application program, which often incurs difficulties, particularly in the case of more demanding application functionalities. The problem is that too great a part of the complexity is left to the particular application programmer, which in many cases – and unpredictably – leads to difficulties in managing the complexity of the project.

A possible solution to the problem described above would be to increase the level of the abstraction and the resulting expressive power of the phase-behaviour model, in order to ensure that the application program will only consist of simple sequences. Thus, we intend to "complicate" the system phase-behaviour model, executed by the PLI and being developed only once, in order to keep the application sequences, which have to be developed again in each project (although we always strive to achieve as high a level of reuse as possible), simple.

The difficulties mentioned above could be alleviated by introducing a phase-behaviour model with finer granularity. The most appropriate option seems to be a model that would differ from the current model, mainly in terms of two important features.

The first proposed feature is the nested states (superstates, substates), whose aim is to avoid the repetition of information, which is one of the notoriously worst attributes of the software. Superstates include all the common behaviour (the activities and transitions) of their substates.

The second feature is the finer granularity of the activities. Instead of using only five active sequences belonging to five transient states, as defined by ISA 88.00.01 and implemented in various batch tools, we consider widening the set of active states and defining different types of action, such as Entry, Loop, Exit and Always actions of the states or actions of the transitions. Thus, by introducing a phase-behaviour model of finer granularity, we will achieve a better modularization of the application software and possibly approach the goal of having software built just of simple sequences.

As an example of a higher-level notation based on the abstraction of state machines, let us first mention the Statechart notation [2], which is also one of the nine notations used in the frame of the Unified Modelling Language (UML) [3]. Statechart includes both nested states and fine granularity of the processing. On the other hand, it also has, in our opinion, some drawbacks, the most important of them, in the context of batch-control software, being the separation of the processing (activities) and the state model. In fact, its actions of states and transitions do not include processing; they are just triggering the activities, which are separated from the state model, resulting in difficulties in the synchronization of sequential/concurrent activities.

As a second example of a higher-level notation based on a state-machine abstraction, let us mention the domain-specific modelling language ProcGraph [4], where the activities are an integral part of the state model.

3. Proposed extensions of the phase-behaviour model

The phase states arise from the behaviour model, as it is defined by the ISA 88.00.01 standard. The model is extended by introducing nested states and fine-grained processing in order to attain better properties, especially with regard to the simplicity, transparency, ease of understanding and reliability of the application software.

Fig. 2. A new phase-behaviour model.

3.1. Phase behaviour

In order to attain phase-logic building blocks that are as simple as possible, it is essential to build a model where the phase building blocks will be, as far as is possible, merely simple sequences, without any internal states or threading, and without the need to memorize the entry point of the sequence (for example, whether we came to the Running.ENTRY sequence from the state Idle or from the state Held, as the actions in these two cases differ). In compliance with this and arising from the behaviour model of the procedural control entities in our domain-specific modelling language ProcGraph [4], we defined the phase-behaviour model, which is an extended state-machine model and is shown in Fig. 2. The differences in comparison with the ISA 88.00.01 phase-behaviour model are as follows:

1. The elimination of the state Restarting, since this state’s processing can be placed into other elements of the model.
2. The introduction of nested states (elementary states and a number of superstates).
3. The introduction of a very fine granularity of the processing (action) structure:
   (a) State sequences of actions, five different possible sequences for each state:
      • ENTRY actions, which are executed only once on entry to a given state (in Fig. 2 the states having ENTRY actions are marked with an E),
      • LOOP actions, which are executed cyclically all the time the phase is in a given state (in Fig. 2 the states having LOOP actions are marked with an L),
      • EXIT actions, which are executed only once at the exit from a given state (in Fig. 2 the states having EXIT actions are marked with an X),
      • ALWAYS actions, which are executed during the state activity and during transitions entering this state (in Fig. 2 the states having ALWAYS actions are marked with an A),
      • TRANSIENT actions, which are executed only once at transient states (in Fig. 2 the states having TRANSIENT actions are marked with a T);
   (b) Transition actions, which are basically specific ENTRY actions of the target state; therefore, they are a part of this state, but they are executed before the ENTRY actions of this state (in Fig. 2 the transitions having actions are marked with an A).

At this point it is very important to mention that the actions of all the sequences have duration, i.e., they are not instantaneous. This applies not only to ALWAYS actions and LOOP actions, as is the case in the Statechart notation, but also to ENTRY, EXIT and TRANSIENT state actions and transition actions. The advantage of this is that there is no problem with synchronizing the individual sequential/concurrent activities.

As a particular detail, let us mention at this point that ENTRY and LOOP actions are not executed if at the entry to a state the condition for termination is satisfied; however, EXIT actions are executed in every case.

3.2. State and transition types

Our phase-behaviour model comprises different state types, which are classified according to two criteria. According to the processing criteria the states are divided in the following way:

• Quiescent states are states without any processing (left part of Fig. 2).
• Active states are states that contain certain processing (right part of Fig. 2).

According to the duration criteria the states are divided in the following way:

• Transient states are those states that contain only one sequence, and when it is executed, a transition to another state occurs. Each active transient state contains one TRANSIENT sequence.
• Durative states are those states in which a phase normally remains for a longer time. The processing of active durative states is divided into several sequences, which can be of the ENTRY, LOOP, EXIT and/or ALWAYS type.

Quiescent states (all of which are also durative states) are Idle, Complete, Stopped, Aborted, Terminated and Inactive.

Active durative states are Running, Held, Executing and Operating, and active transient states are Holding, Stopping and Aborting.

Transitions are divided into active and inactive transitions. Active transitions contain certain processing. These transitions are:

• from Inactive to Running,
• from Running to Holding,
• from Held to Holding,
• from Held to Running.

Each active transition contains one sequence of transition actions.

3.3. Complex transitions

Complex transitions are series of state and transition sequences between two durative states. In other words, complex transitions are integrated processing wholes (composed of a number of sequences) during the execution of a phase-state machine. The execution of a phase-state machine is performed by the Phase Logic Interface (PLI), which checks the need for activating one of the complex transitions that are provided for each active durative state. When the conditions (or causes) for the occurrence of a complex transition are met, the PLI executes a complex transition by consecutively activating all the sequences of this complex transition. We defined the following complex transitions:

1. The complex transition from the state Inactive to the state Running, which occurs after the Start command has been issued to a phase. The source of the Start command can be the PLI starting a phase in the state Idle, or the operator starting (stand alone, i.e., not in a recipe) a phase in the state Terminated. The complex transition begins at the quiescent state Inactive and terminates into the durative active state Running.
2. The complex transition from the active durative state Running to the active durative state Held, which occurs after a Hold command has been issued to a phase, or on the occurrence of an exception while the phase’s state was in a guarded region, i.e., in one of the sequences in which the occurrence of exceptions is checked. These sequences are all the sequences concurrent with the sequence RunningALWAYS, comprising the three sequences of the state Running plus the sequences of both transitions into the state Running—from Inactive and from Held. Thus, being in a guarded region is equivalent to the sequence RunningALWAYS being active. Note that the application programmer’s task regarding exceptions handling and phase holding is just to fill a certain sequence (depending on the scope of the exception) with logical expressions, one for each of this phase’s exceptions (failures). Based on the current value of ANDing these logical expressions, performed in each cycle, the PLI starts the complex transition from Running to Held. Specifically, the logical expressions dealing with the exceptions can be placed into the following sequences:
   • the logical expressions dealing with the exceptions of broadest scope (always active when a phase is active) are placed into the sequence ALWAYS of the state Running,
   • the logical expressions dealing with phase’s starting conditions are placed into the sequence of the transition from Inactive to Running,
   • the logical expressions dealing with phase’s restarting conditions are placed into the sequence of the transition from Held to Running,
   • the expressions dealing with phase’s conditions common to starting and the restarting transition are placed into the ENTRY sequence of the state Running,
   • the expressions dealing with exceptions of the scope limited to the phase’s steady-state processing are placed into the LOOP sequence of the state Running.
3. The complex transition from the state Held through the state Holding back to the state Held, which occurs after the failure increase of a held phase has been detected by the PLI. The failure increase occurs on increasing an exception of the failure level higher than the failure level that caused the last holding. The logical expressions dealing with the phase’s higher-level failures are placed into the LOOP sequence of the state Held, if they were not placed into the LOOP sequence of the superstate Executing, which is equivalent to being in LOOP sequences of both the Running and Held states.
4. The complex transition from the active durative state Held to the state Running, which occurs after a Restart command has been issued to a phase in the state Held.
5. The complex transition from the state Running to the state Complete, which occurs after the phase has successfully completed its function.
6. The complex transition from the state Terminated to the state Idle, which occurs after a Reset command has been issued to a phase in one of the substates of the superstate Terminated. The phase in the state Idle waits for the PLI’s command Start. This complex transition does not include any active sequence.
7. The complex transition from the state Executing to the state Stopped, which occurs after a Stop command has been issued to a phase in any elementary (durative or transient) state that is a substate of the superstate Executing.
8. The complex transition from the state Operating to the state Aborted, which occurs after an Abort command has been issued to a phase in any elementary (durative or transient) state that is a substate of the superstate Operating.
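
The hold and failure-increase rules of complex transitions 2 to 4, as an added example that is not code from the paper. The class and function names, the integer failure levels and the two failure names are assumptions made for illustration; the paper does not define how failure levels are encoded.

```python
# Added example: PLI-side hold logic for one phase, limited to Running and Held.
# Assumption: each failure has an integer level (higher = more severe) and
# each logical expression is True while its failure is absent.

class HoldSupervisor:
    def __init__(self, levels):
        self.levels = dict(levels)   # failure name -> failure level
        self.state = "Running"
        self.hold_level = 0          # level that caused the last holding
        self.trace = []              # complex transitions performed so far

    def cycle(self, ok, command=None):
        """Evaluate one PLI cycle and return the resulting state.

        ok maps every failure name to the current value of its logical
        expression. command is None, "Hold" or "Restart".
        """
        values = {name: bool(ok[name]) for name in self.levels}
        healthy = all(values.values())          # ANDing the expressions
        worst = max((self.levels[n] for n, v in values.items() if not v),
                    default=0)
        if self.state == "Running":
            # Hold command or an exception inside the guarded region.
            if command == "Hold" or not healthy:
                self._hold(worst)
        elif worst > self.hold_level:
            # Failure increase: a failure of a higher level than the one
            # that caused the last holding appears while the phase is Held.
            self._hold(worst)
        elif command == "Restart":
            self.trace.append("Held->Running")
            self.state = "Running"
        return self.state

    def _hold(self, level):
        # Both holds pass through the transient state Holding.
        self.trace.append(self.state + "->Holding->Held")
        self.state = "Held"
        self.hold_level = level


def replay(levels, cycles):
    """Run a list of (ok, command) cycles; return (states, trace)."""
    sup = HoldSupervisor(levels)
    states = [sup.cycle(ok, cmd) for ok, cmd in cycles]
    return states, sup.trace


# Constructed sample input (not plant data).
LEVELS = {"valve_unavailable": 1, "power_supply_failure": 2}
CYCLES = [
    ({"valve_unavailable": True,  "power_supply_failure": True},  None),
    ({"valve_unavailable": False, "power_supply_failure": True},  None),
    ({"valve_unavailable": False, "power_supply_failure": True},  None),
    ({"valve_unavailable": False, "power_supply_failure": False}, None),
    ({"valve_unavailable": False, "power_supply_failure": True},  None),
    ({"valve_unavailable": True,  "power_supply_failure": True},  "Restart"),
]

if __name__ == "__main__":
    states, trace = replay(LEVELS, CYCLES)
    print(states)
    print(trace)
```

A failure of the same or a lower level than the one that caused the last holding does not trigger a second pass through Holding in this model; only a higher level does.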

3.4. Phase-logic sequences

Phase-logic sequences present a framework for the modularization of batch-control software. Considering the phase-behaviour model shown in Fig. 2, the theoretical number of sequences for each phase is 54, i.e., four sequences for each durative state, and there are 10 durative states (elementary states or superstates), one sequence for each transient state, and there are three transient states, and one sequence for each transition, and there are 11 transitions. It is clear that many sequences are not needed and thus their number can be reduced significantly.

The first, trivial level of sequence reductions refers to all the sequences of the quiescent states and the transitions between two quiescent states. However, none of these sequences is needed in the model and so they were all excluded. The second level of sequence reduction is performed in the following way: all the sequences that appear together in a complex transition, and only in this transition, can be replaced with a single sequence. After performing both these mentioned reductions of the behaviour model, the phase contains 18 sequences: 14 in states and 4 in transitions. These are the following sequences:

1. OperatingENTRY sequence, which contains the code to be executed once, on the starting of the phase, for example, starting a counter of the total duration of the phase.
2. OperatingLOOP sequence, which contains the code to be executed cyclically during the whole activity of a phase instance.
3. OperatingEXIT sequence, which contains the code to be executed once, immediately before the transition of the phase to the Terminated superstate (i.e., one of its substates), for example, stopping a counter of the total duration of the phase.
4. ExecutingENTRY sequence, which contains the code to be executed once, on the effective starting of the phase, for example, resetting the dosing totalizer.
5. ExecutingLOOP sequence, which contains the code to be executed cyclically during the effective execution of the phase, which includes the states Running, Holding, Held and EvaluatingRC, and the transitions between them, for example, alarming.
6. ExecutingEXIT sequence, which contains the code to be executed once, immediately before the phase exits from the effective execution, for example, saving the value of the dosing totalizer.
7. RunningENTRY sequence, which contains the code to be executed once, on the entry to the state Running, regardless of the source state, for example, starting physical equipment.
8. RunningLOOP sequence, which contains the code to be executed cyclically during the activity of the state Running, for example, checking the phase-completion conditions or performing the alarming specific to the Running state.
9. RunningALWAYS sequence, which is executed cyclically and concurrently with all three internal sequences of the state Running (Entry, Loop, and Exit), plus the actions of the transitions to the state Running (i.e., its specific Entry actions). This is an important sequence, which encompasses the phase’s guarded region, i.e., the scope of the exception checking for this phase, and sets the corresponding logical variables (the interfaces between the phase logic and the PLI) carrying the information on the phase’s individual failures.
10. HoldingTRANSIENT sequence, which contains the code of the transient state Holding, i.e., the processing needed to bring the process to a safe state.
11. HeldLOOP sequence, which contains the code to be executed cyclically during the activity of the state Held. This sequence may contain exception checking for this phase and sets the corresponding logical variables (the interfaces between the phase logic and the PLI) carrying the information on the phase’s individual failures, which is then used by the PLI to determine the "failure increase". This sequence may also perform some reduced functionality or alarming specific to the Held state.
12. HeldEXIT sequence, which contains the code to be executed once, immediately before the phase exits the state Held.
13. StoppingTRANSIENT sequence, which contains the code of the transient state Stopping, i.e., the processing needed to bring the process to the state Stopped. This sequence typically has duration, since it waits at certain points of the execution for feedback on successfully terminated subsequences.
14. AbortingTRANSIENT sequence, which contains the code of the transient state Aborting, i.e., the processing needed to bring the process to the state Aborted. This sequence typically has no duration, i.e., it does not wait for any feedback. The purpose of this sequence is to bring the phase to a terminated state in cases when the Stopping sequence cannot be executed successfully due to missing feedback.
15. ACT_TR_Held-Running sequence, which contains the code to be executed on the transition from the state Held to the state Running.
16. ACT_TR_Running-Holding sequence, which contains the code to be executed on the transition from the state Running to the state Holding.
17. ACT_TR_Inactive-Running sequence, which contains the code to be executed on the transition from the state Inactive to the state Running.
18. ACT_TR_Held-Holding sequence, which contains the code to be executed on the transition from the state Held to the state Holding.

For an illustration of the processing (PLI actions) occurring during complex transitions, let us consider, step by step, the events during the (successful) starting of a phase, i.e., executing the complex transition from Inactive to Running. During these two complex transitions the PLI performs the following sequence of actions:

1. Execution (enabling and waiting for completion) of the sequence OperatingENTRY.
2. Enabling the sequence OperatingLOOP.
3. Execution of the sequence ExecutingENTRY.
4. Enabling the sequence ExecutingLOOP.
5. Enabling the sequence RunningALWAYS (thus activating the phase-failure detection).
6. Execution of the sequence ACT_TR_EvaluatingSC-Running.
7. Execution of the sequence RunningENTRY.
8. Enabling the sequence RunningLOOP.

At this point there are four concurrently active sequences: OperatingLOOP, ExecutingLOOP, RunningAlways, and RunningLOOP.

3.5. Further reduction of the phase-behaviour model

The described phase-behaviour model with 18 sequences represents the maximum possible range of elements or sequences, i.e., the minimum possible granularity of the execution of phases. In the case that a certain programmer (organization) thinks that the above-mentioned 18 sequences are too many, as he/she has built a simpler phase-behaviour model (with a smaller number of sequences), he/she should only configure the sequences that he/she does not want to use to be inactive. The PLI ignores (i.e., does not activate) sequences configured in this manner. Theoretically, the programmer can also program applications by using only one sequence, although in most cases this would look more like "hacking" than programming. He/she can also use exactly the same five active sequences as the currently available batch-process control tools use according to the ISA 88.00.01 standard.
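
The start-up ordering of Section 3.4 and the inactive-sequence rule of Section 3.5, derived from the state nesting rather than hard-coded, as an added example that is not code from the paper. The function names, the scan-count durations and the failure input are assumptions for illustration; the transition sequence uses the name ACT_TR_Inactive-Running from the list of 18 sequences.

```python
# Added example: models only the Inactive -> Running complex transition.

# Nesting described in the text: Operating contains Executing,
# which contains Running (outermost superstate first).
PATH_TO_RUNNING = ("Operating", "Executing", "Running")

# The 18 sequences of the reduced model listed in Section 3.4.
DEFINED = frozenset({
    "OperatingENTRY", "OperatingLOOP", "OperatingEXIT",
    "ExecutingENTRY", "ExecutingLOOP", "ExecutingEXIT",
    "RunningENTRY", "RunningLOOP", "RunningALWAYS",
    "HoldingTRANSIENT", "HeldLOOP", "HeldEXIT",
    "StoppingTRANSIENT", "AbortingTRANSIENT",
    "ACT_TR_Held-Running", "ACT_TR_Running-Holding",
    "ACT_TR_Inactive-Running", "ACT_TR_Held-Holding",
})


def start_plan(inactive=()):
    """Ordered (kind, sequence) steps the PLI performs on Start.

    kind is "execute" (one-shot: enable and wait for completion) or
    "enable" (cyclic: runs in every scan from then on).
    """
    target = PATH_TO_RUNNING[-1]
    steps = []
    for state in PATH_TO_RUNNING:
        candidates = [("enable", state + "ALWAYS")]
        if state == target:
            # Transition actions run before the target state's ENTRY actions.
            candidates.append(("execute", "ACT_TR_Inactive-" + target))
        candidates.append(("execute", state + "ENTRY"))
        candidates.append(("enable", state + "LOOP"))
        # The PLI does not activate sequences that are not part of the
        # model or that are configured inactive (Section 3.5).
        steps += [(kind, name) for kind, name in candidates
                  if name in DEFINED and name not in inactive]
    return steps


def simulate_start(durations=None, failure_from_scan=None, inactive=()):
    """Run the plan scan by scan and report where a hold would be requested.

    durations: scans each one-shot sequence needs (default 1), because
        actions have duration. Constructed values.
    failure_from_scan: first scan in which a phase failure is present.
        Assumption of this model: the failure expression is programmed in
        RunningALWAYS, so it is evaluated only while that sequence is enabled.
    """
    durations = durations or {}
    enabled, completed, scan = [], [], 0
    for kind, name in start_plan(inactive):
        if kind == "enable":
            enabled.append(name)
            continue
        for _ in range(durations.get(name, 1)):
            scan += 1
            failing = failure_from_scan is not None and scan >= failure_from_scan
            if failing and "RunningALWAYS" in enabled:
                # Exception detected inside the guarded region.
                return {"completed": completed, "enabled": enabled,
                        "hold": (scan, name)}
        completed.append(name)
    return {"completed": completed, "enabled": enabled, "hold": None}


if __name__ == "__main__":
    for step in start_plan():
        print(step)
    print(simulate_start({"OperatingENTRY": 2, "RunningENTRY": 3},
                         failure_from_scan=1))
```

A failure that is already present during OperatingENTRY is acted on only once RunningALWAYS has been enabled, which is the boundary of the guarded region the text describes.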
8 G. Godena / ISA Transactions 48 (2009) 3–9

3.6. An example

As an example of modelling phase behaviour by means of the abstraction introduced in this paper, let us consider one very simple phase from a recent project of developing a control system for a resin-synthesis plant in a paint factory. The process cell consists of six production lines, each of them consisting of two units—the reactor and the thinning tank. The phase we consider deals with transporting the reaction water from the line’s reaction water vessel to the process cell’s reaction-water collecting vessel. We will call the phase EmptyRWV (Empty Reaction Water Vessel).

During the system analysis, the following requirements were stated for the EmptyRWV phase:

The phase has two possible behaviour modes. In its first mode the phase acts as a dominant phase: it empties the reaction-water vessel to the target low-level value, given by a phase-recipe parameter, and then terminates. In its second mode the phase acts as a dependent phase: it passes between two internal states, Emptying and NonEmptying, in order to maintain the level in the reaction-water vessel between the upper-level and lower-level values, where the low-level value is given by the same recipe parameter as in the first mode, and the high-level value is given by another recipe parameter.

The phase may or may not record the amount of transported water, depending on another recipe parameter.

The phase performs its basic function by means of two elements of basic control: the pump P1 and the ON–OFF valve V1. In the transfer starting (stopping) sequence there must be a delay between opening the valve and turning on the pump (turning off the pump and closing the valve). The failures of P1 and V1 are causes of holding of the phase. The failure of the basic-control power supply causes an immediate holding of the phase during the transition from NonEmptying to Emptying, while during Emptying this failure causes holding of the phase with a delay (we allow power-supply failures of short duration).

The six EmptyRWV phases of the corresponding six lines are mutually exclusive (i.e., the collecting vessel is a single-use common resource). The arbitration is performed by means of a first-come-first-served rule (i.e., non-pre-emptive).

The EmptyRWV phase and the Vacuuming phase on the same reactor unit are mutually exclusive. In this case the arbitration is performed by means of a pre-emptive priority-based policy with Vacuuming having the higher priority. In other words, the phase EmptyRWV is pushed into the held state in the case it was running when the Vacuuming is started or it is started while Vacuuming is running.

In the implementation, the requirements given above were mapped to 10 of the above-mentioned 18 sequences, as follows:

1. Sequence OperatingENTRY:
    Initialize the totalizer of the transported amount of reaction water.
2. Sequence OperatingLOOP:
    If the parameters changed, then read the new parameter values endif.
3. Sequence ExecutingENTRY:
    Activate the generating exceptions in the V1 and P1 basic-control modules.
4. Sequence ExecutingEXIT:
    Deactivate the generating exceptions in the V1 and P1 basic-control modules.
5. Sequence RunningENTRY:
    Initialize the RunningLOOP internal state machine to NonEmptying.
6. Sequence RunningLOOP:
    if NonEmptying then
        if the phase instance is dominant and the level is near to the target low-level value then
            terminate
        elsif the level is higher than or equal to the target high-level value or the phase instance is dominant then
            if there is basic-control power-supply failure, then
                set phase failure
            else
                wait and allocate the collecting vessel
                perform NonEmptying2Emptying transition basic-control sequence
                set internal machine state to Emptying
            endif
        endif
    else (* Emptying *)
        calculate the current transferred amount
        if basic-control power-supply failure of certain duration, then
            set phase failure
        elsif level is lower than or equal to target low level then
            perform Emptying2NonEmptying transition basic-control sequence
            set internal machine state to NonEmptying
            de-allocate the collecting vessel
            if phase instance is dominant then terminate endif
        endif
    endif
7. Sequence RunningALWAYS:
    Compute logical expressions for phase failures (causes of holding):
    • FirstScan,
    • P1 or V1 unavailability (the expression for each is “NOT remote-auto mode OR failure”) while the internal state is Emptying,
    • the state of the phase Vacuuming is not Inactive.
8. Sequence HoldingTRANSIENT:
    If Emptying, then perform Emptying2NonEmptying transition basic-control sequence endif.
9. Sequence StoppingTRANSIENT:
    If Emptying, then perform Emptying2NonEmptying transition basic-control sequence endif.
10. Sequence AbortingTRANSIENT:
    If Emptying, then perform Emptying2NonEmptying transition basic-control sequence endif.

4. Discussion

We are well aware that it is unlikely to be possible to change a standard that has been established for many years, particularly one so well conceived and of such value as ISA 88.00.01. Nevertheless, we decided to present our new concept to the batch-control community, encouraged by our extremely positive experiences with the use of the proposed phase-behaviour model in real projects. In our experience the approach has led to a significant shift towards the “right first time, every time” or “correct by construction” goals in software development. This statement stems from our recent experience in the development of a control system for a medium-sized (200+ phases) resin-synthesis plant in a paint factory, mentioned in the above example, where we have come very close to the described goals in the development of the software.

5. Conclusion

A new, batch-phase behaviour model was presented, which has great potential to improve the quality and the complexity management of batch-control software. The phase-behaviour model presented may seem relatively complex, but that only means that a part of the complexity has been moved from the application program to the system program PLI, giving the application programmer the opportunity to achieve better
modularization and through it better quality of the application software. The proposed concept was successfully applied in a newly developed tool, PLCbatch, for batch-process control on a PLC platform and validated in a real industrial project.

Acknowledgement

The financial support of the Slovenian Ministry of Higher Education, Science and Technology (P2-0001) is gratefully acknowledged.

References

[1] Godena G, Steiner I, Tancek J, Svetina M. Batch process automation executed on the PLC platform. In: WBF 2008 North American conference.
[2] Harel D. Statecharts: A visual formalism for complex systems. Scientific Computer Programming 1987;8:231–74.
[3] Booch G, Jacobson I, Rumbaugh J. The unified modelling language user guide. New York: Addison-Wesley Publishing Company; 1999.
[4] Godena G. ProcGraph: A procedure-oriented graphical notation for process-control software specification. Control Engineering Practice 2004;12:99–111.
[5] ISA 88.00.01-1995, Batch Control, Part 1: Models and Terminology.
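
The RunningLOOP logic of the EmptyRWV phase from Section 3.6 (two internal states, first-come-first-served allocation of the collecting vessel, immediate versus delayed reaction to a power-supply failure) can be exercised scan by scan in a short simulation. This is an added example, not code from the paper or from PLCbatch. The class and method names, the `near` tolerance, the grace period counted in scans, the totalizer computed from the level drop, and the dictionary standing in for the collecting vessel are all assumptions.

```python
from dataclasses import dataclass

@dataclass(eq=False)
class EmptyRWV:
    """RunningLOOP of the EmptyRWV phase, one call per PLC scan (added example)."""
    dominant: bool              # True: empty once and terminate; False: keep level in band
    low: float                  # target low level (recipe parameter)
    high: float                 # target high level (recipe parameter)
    near: float = 0.5           # assumed tolerance for "near to" the low level
    power_grace: int = 3        # assumed: consecutive scans of power loss tolerated
    state: str = "NonEmptying"  # initial value set by RunningENTRY
    result: str = "running"     # running | terminated | failed (failed = cause of holding)
    total: float = 0.0          # totalizer, initialized by OperatingENTRY
    lost_scans: int = 0
    last_level: float = 0.0

    def running_loop(self, level, power_ok, vessel):
        """vessel is the shared collecting vessel, modelled as {'owner': phase or None}."""
        if self.result != "running":
            return self.result
        if self.state == "NonEmptying":
            if self.dominant and level <= self.low + self.near:
                self.result = "terminated"
            elif level >= self.high or self.dominant:
                if not power_ok:
                    self.result = "failed"         # immediate during the transition
                elif vessel["owner"] is None:      # first come, first served; else wait
                    vessel["owner"] = self
                    self.state, self.last_level = "Emptying", level
        else:  # Emptying
            self.total += max(self.last_level - level, 0.0)  # assumed: amount = level drop
            self.last_level = level
            self.lost_scans = 0 if power_ok else self.lost_scans + 1
            if self.lost_scans >= self.power_grace:
                self.result = "failed"             # only after the grace period
            elif level <= self.low:
                self.state = "NonEmptying"
                vessel["owner"] = None             # de-allocate the collecting vessel
                if self.dominant:
                    self.result = "terminated"
        return self.result

def demo():
    """Constructed scan data: two dependent phases compete for one collecting vessel."""
    vessel, a, b = {"owner": None}, EmptyRWV(False, 10, 80), EmptyRWV(False, 10, 80)
    for level_a, level_b in [(85, 90), (50, 92), (10, 95), (12, 95)]:
        a.running_loop(level_a, True, vessel)
        b.running_loop(level_b, True, vessel)
    return a.state, a.total, b.state
```

In `demo()` the second phase stays in NonEmptying until the first one de-allocates the vessel, which is the non-pre-emptive arbitration the requirements describe.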