【正文】 ive languages specified by the global standard: Sequential Function Chart, Function Block Diagram, Ladder Diagram, Structured Text, and Instruction List. This allows for multivendor patibility and multilanguage programming. SFC is a graphical language that provides coordination of program sequences, supporting alternative sequence selections and parallel sequences. FBD uses a broad function library to build plex procedures in a graphical format. Standard math and logic functions may be coordinated with customizable munication and interface functions. LD is a graphic language for discrete control and interlocking logic. It is pletely patible with FBD for discrete function control. ST is a text language used for plex mathematical procedures and calculations less well suited to graphical languages. IL is a lowlevel language similar to assembly. code. It is used in relatively simple logic instructions. Relay Ladder Logic (RLL), or ladder diagrams, is the primary programming language for programmable logic controllers (PLCs). Ladder logic programming is a graphical representation of the program designed to look like relay logic. Flow Chart is a graphical language that describes sequential operations in a controller sequence or application. It is used to build modular, reusable function libraries. C is a high level programming language suited to handle the most plex putation, sequential, and data logging tasks. It is typically developed and debugged on a PC. BASIC is a high level language used to handle mathematical, sequential, data capturing and interface functions. Programmable logic controllers can also be specified with a number of puter interface options, work specifications and features. PLC power options, mounting options and environmental operating conditions are all also important to consider. 2 INTRODUCTION For simple programming the relay model of the PLC is sufficient. As more plex functions are used the more plex VonNeuman model of the PLC must be used. A VonNeuman puter processes one instruction at a time. Most puters operate this way, although they appear to be doing many things at once. Consider the puter ponents shown in Figure 1. Figure1 Simplified Personal Computer Architecture Input is obtained from the keyboard and mouse, output is sent to the screen, and the disk and memory are used for both input and output for storage. (Note: the directions of these arrows are very important to engineers, always pay attention to indicate where information is flowing.) This figure can be redrawn as in Figure 2 to clarify the role of inputs and outputs. Figure2 An InputOutput Oriented Architecture In this figure the data enters the left side through the inputs. (Note: most engineering diagrams have inputs on the left and outputs on the right.) It travels through buffering circuits before it enters the CPU. The CPU outputs data through other circuits. Memory and disks are used for storage of data that is not destined for output. If we look at a personal puter as a controller, it is controlling the user by outputting stimuli on the screen, and inputting responses from the mouse and the keyboard. A PLC is also a puter controlling a process. When fully integrated into an application the analogies bee。 for the scheduling we implemented in Promela a socalled variable time advance procedure [15]. For this case study these techniques proved sufficient to verify the design of the controller and derive (time) optimal schedules with very reasonable time and space requirements. A first report on our experiences has been published as [5], whose findings are further extended and elaborated in this article. One of the conclusions of our initial experiments as reported in the initial publication [5] was that “. . . it would be useful to be able to influence the search strategy of the model checker more directly and guide the search first into those parts . . . where counterexamples are likely to be found.” Since this publication a new version of the realtime model checking tool UPPAAL has bee available that employs a costguided evaluation strategy for statespace exploration, viz., costoptimal UPPAAL [4]. This tool is a natural candidate to support the derivation of optimal control schedules in a realtime environment. This motivated us to carry out the optimization part of the case study again with costoptimal UPPAAL, both as an interesting exercise in its own right, and to collect data to interpret and pare with the results obtained with SPIN. The rest of this paper is anized as follows: Sect. 2 gives a description of the batch plant, the nature of PLC, and a description of the control program that was systematically designed in previous work [13]. Section 3 describes the Promela models for the plant and the control process, and their use for its formal verification and optimization. Section 4 then introduces a costoptimal UPPAAL model of the same processes, and presents the optimization results that were obtained using it. Section 5, finally, evaluates the work and presents our conclusions. 7 SOFTWARE BASED PLCS The dropping cost of personal puters is increasing their use in control, including the replacement of PLCs. Software is installed that allows the personal puter to solve ladder logic, read inputs from sensors and update outputs to actuators. These are important to mention here because they don’t obey the