2011 6th International Conference on Industrial and Information Systems, ICIIS 2011, Aug.

16-19, 2011, Sri Lanka

Statechart Based Modeling and Controller

Implementation of Complex Reactive Systems
A.C. Vidanapathirana, Member, IEEE, S.D. Dewasurendra, and S.G. Abeyratne, Member, IEEE

Abstract- Statechart formalism has been a preferred choice
for modeling complex reactive systems (CRS) in recent years. It
has inbuilt powerful features of orthogonality, hierarchy, inter-
modular communication and history. Once statechart based
system modeling is done the next issues to be addressed are (1)
modular verification of the system for failsafe operation under
all possible working conditions (2) progressive controller
implementation together with the supervisory control while
maintaining traceability and re-configurability and (3)
facilitation of controller adaptation for progressive
incorporation of security features and supervisory specifications.
An elevator system was designed and built to reflect exigencies
of a typical CRS hardware/software platform. A controller was
designed to meet the above requirements and tested on the
platform to validate the feasibility of model-based control
design/verification methodology for real scale systems.
Modularity was achieved by developing the statechart model of
the plant into a tree of communicating language generators.
Progresively verified modules were then translated into
sequential function charts (SFC) which were finally integrated
to form a complete flat SFC. The SFC was then implemented on
a PLC platform (Telemechanique). The program was first
validated in simulation using Telemechanique “Twidosuite” for
different operating conditions and finally tested on the elevator
system.
Index Terms— Complex Reactive Systems, Elevator, Grafcet,
Statecharts, Supervisory control, Verification
I. INTRODUCTION
Finite State machines (FSM’s) are inadequate for modeling
modern complex reactive systems (CRS) with safety critical
aspects that need continued verification and validation
throughout the design and implementation process. They
suffer from being flat and unstructured, inherently sequential
and give rise to exponential state space explosion. These
problems have been largely overcome in statecharts [1]
through a multilevel AND-OR decomposition of states
supported by an instantaneous broadcasting mechanism for
communication across hierarchical levels. A great deal has
been published about these aspects [3].
In this paper we report research work carried out to (1) set
up a passenger elevator prototype conforming to industry
standards to serve as a test bed for design and control of
complex reactive systems, (2) implement model-based design
of the elevator control system using statecharts, (3)
demonstrate the application of a modular verification and
validation methodology developed for CRS on a real-scale
system and do (4) hardware /software implementation of the
controller and (5) modular integration of supervisory control.
The elevator controller has been implemented on a PLC
platform and currently being ported to Field Programmable
Gate Array (FPGA) for reconfigurability.
II. SETTING UP OF A PASSENGER ELEVATOR
PROTOTYPE
In a passenger elevator system there are key performance
parameters and critical safety requirements that have to be
met. The elevator specifications and performance parameters
mainly depend on the behavior of its electro-mechanical
system. In order to achieve such objectives the plant sensors,
drives, actuators and control hardware were selected
accordingly. Car and door travel speed profiles were
regulated to meet floor landing accuracy and passenger
comfort. Speed drives were fixed for the car and door
together with proximity sensors for appropriate speed
regulation. As main safety equipment electro-mechanical
brake system, over speed governor, over travel limit switches,
car and motor overload sensors and passenger door safety
sensors were incorporated to the plant. The laboratory
prototype elevator was built to carry 150 Kg. of pay load.

A.C. Vidanapathirana , Ceylon Chocolates Ltd., Kundasale, Sri

Lanka.(phone: 0812-236084, fax:0812 -2420995,
e-mail –ajithv@ccl.upali.lk)

Dr. S.D. Dewasurendra, MIMechE, Department of Computer Engineering,

Faculty of Engineering, University of Peradeniya (phone: 0812-
393478, e-mail devapriyad@pdn.ac.lk)
STATECHARTS FOR MODELING CONTROLLERS
Dr. S.G.Abeyaratne, Department of Electrcal and Electronic Engineering,
Faculty of Engineering, University of Peradeniya (phone: 0812-393415,
Fig. 1. Laboratory elevator research facility
e-mail: sunil@ee.pdn.ac.lk)

978-1-61284-0035-4/11/$26.00 ©2011 IEEE

493

Authorized licensed use limited to: Universidad de los Andes. Downloaded on June 10,2020 at 21:37:50 UTC from IEEE Xplore. Restrictions apply.
 2011 6th International Conference on Industrial and Information Systems, ICIIS 2011, Aug. 16-19, 2011, Sri Lanka

The elevator controller was modeled using the statechart There are temporary variables and parameters defined in
formalism. The controller model was divided in to three addition to the inputs and outputs of the system. These state
main parallel segments called PLANT, INPUTS, and variables are updated within the statechart when the system
DISPLAY as shown in Fig. 2. These parallel states represent enters a state, during a state or exits a given state.
AND operation in statechart formalism. These AND states
are then further sub divided using AND, and exclusive OR T ABLE 1
states representing parallel and sequential counterparts in the EVENTS DESCRIPTION OF THE STATECHART MODEL
model. This process is called progressive refinement in
statechart terminology. Modeling process was started with the N Description No Description
o
“PLANT” super state of the elevator statechart shown in Fig. 1 entered PLANT 41 left UP
3. This super state was divided into exclusive OR states 2 left PLANT 42 up_dir stop request is
called the “ID”, “DIR”, “DOOR” and “OVERLOAD” [4]. above immediate upper
These hierarchical sub divisions were made after considering floor ( o)
3 up_req (a) 43 up_direction arrived
the physical behaviour and the evolution of the system in requested floor (s)
response to various input conditions. 4 down_req (b) 44 up_dir there is stop
The DIR and the DOOR super states were further request at immediate
subdivided in to UP, DOWN, OPEN, CLOSE, and WAIT floor (c)
exclusive “OR” states. Input and output events were 5 leave DOOR. b (q) 45 entered DOWN_ON
6 leave DOOR. c (r) 46 left DOWN_ON
incorporated to the statechart model of the plant as shown in 7 leave DIR. a ( s) 47 door closed and there are
in Fig. 3. more up –req (q )
8 leave DIR. b (t) 48 door closed and there are
more down – req ( r )
ELEVATOR 9 Enter OPEN 49 Leave CLOSE . c ( r )
10 leave DOOR. a (I) 50 entered WAIT
PLANT INPUTS DISPLAY
11 enter UP. a (a) 51 left WAIT
ID
12 enter UP .b (q) 52 entered OVERLOAD
BUTTON
BUTTONS
LIGHTS 13 enter DOWN . a (b) 53 left OVERLOAD
DIR 14 enter DOWN . b (r) 54 leave OPEN
15 entered OPEN 55 entered DOWN
16 Left OPEN 56 left DOWN
DOOR
17 wait_over 57 down_dir there is stop
SENSORS
CAR request at immediate
POSITION
OVERLOAD floor ( d )
18 press_open (l) 58 down- direction arrived
requested floor ( t )
19 press _close (m) 59 down_dir stop request is
below immediate down
Fig. 2. Statechart for the elevator controller floor
20 entered DIR 60
21 left DIR 61 overload (j)
22 leave UP 62 overload cleared (k)
PLANT
ID 18 23 leave CLOSE . a (I) 63 entered DOWN
24 Leave CLOSE . b ( q ) 64 left DOWN
25 leave DOWN 65 entered DOWN_OFF
4

34
26 entered UP_OFF 66 left DOWN_OFF
3

OVERLOAD
27 left UP_OFF 67 Entered ID
61
62
28 entered UP 68 left ID
DIR DOOR
WAIT
29 left UP 69 entered UP_ON
UP 10 seconds
30 entered DOOR 70 left UP_ON
31 left DOOR 71 entered OP_OFF
U_ON
36
42 44 32 more up_req are left 72 left OP_OFF
35

WT_EDN

(q)
U_OFF
19
32

33 more down_req are left 73 leave DOOR . d (j)

36

DOWN CLOSE OPEN (r)

19
DN_ON 43 CL_ON OP_ON 34 no more req ( I ) 74 enter WAIT (k)
59
57 37 35
35 open_over ( v ) 75 entered OVERLOAD
58
DN_OFF CL_OFF 18 OP_OFF
36 wait_over (time_out) ( 76 left OVERLOAD
33 u)
37 close – over ( w ) 77 entered OP_ON
38 entered CLOSE 78 left OP_ON
39 left CLOSE 79 entered CL_ON
Fig. 3. Statechart for”PLANT” superstate of the controller 40 entered UP 80 left CL_ON

494

Authorized licensed use limited to: Universidad de los Andes. Downloaded on June 10,2020 at 21:37:50 UTC from IEEE Xplore. Restrictions apply.
 2011 6th International Conference on Industrial and Information Systems, ICIIS 2011, Aug. 16-19, 2011, Sri Lanka

III. DECOMPOSITION OF TSTATECHART MODEL

INTO LANGUAGE GENERATORS Idle
0
Here the methodology proposed in [5] was put to test in a 31
real scale application. As the first step of the proposed 1 68 76 16
2
methodology, the statechart was translated into a tree of 21 2 3 16

2 OVERLOAD
interconnected finite state machines (FSM’ S). Each state at 15
67
2 31 ∩ 75
ID
each non atomic level of the statechart hierarchy was 3
4 18
9
18
17
2
represented by a machine implementing the FSM 5
4
∩ 68
62
31 ∩ 67 30

`
19
corresponding to its sub states on the next immediate level. 20
6
10 76 ∩ 74∩ 30
This is illustrated in Fig. 4 for the statechart given in Fig. 3 20 ∩ 13 11
10 73
[2]. For the PLANT statechart, ten FSM’s and another ten 30 ∩ 21
7
trivial machines can be constructed by addressing the four 8 12
30 ∩ 21
7 8
hierarchical layers and their corresponding atomic states. . 13
20 31 ∩ 5 DOOR
The next step was to introduce virtual events, and an Idle DIR
state for each FSM, in order to develop the statechart into an 20 ∩ 14 14
31 ∩ 6
integrated set of FSM’s: for each module i, we introduced
virtual events, from the set ∑ ivir = { entered X, left X, leave
X, enter X) . Fig. 6. The Language generator of the PLANT FSM
The FSM and language generator corresponding to the
Processor Connection Diagram PLANT statechart and corresponding language generator of
Fig. 3 after introducing the Idle state and virtual events are
PLANT
10, 5, 6, 73, 74 , ,30,31 shown in Fig. 5 and Fig. 6, respectively. This procedure was
7, 8,13 14 ,20, 21
followed for all the nodes in Fig. 4. The process was
67, 68 75, ,76 nontrivial because the safety and control hardware choices
went hand-in-hand with model-based design of the control
logic.
ID DIR DOOR OVERLOAD

22, 28, 29 25, 55, 56 IV. VERIFICATION OF CONTROLLER MODEL USING

COMMUNICATING LG – PS PAIRS
42,43,44 UP 58,59,49 DOWN 60 OPEN 37 CLOSE 36 WAIT

The modular verification strategy of [5] requires the

interpretation of interaction protocol between adjacent nodes
UP_ON UP_OFF DN_ON DN_OFF
OP_
ON
OP_
OFF
CL_
ON
CL_
OFF
WT_
ON
WT_
OFF (modules) of the FSM tree as language specifications for
node automata. Since the joint behavior of the module-
protocol pair is achieved by prioritised synchronous
composition (PSC) of the module and specification
Fig. 4. Tree of interconnected FSMs of the PLANT statechart languages, the modular verification amounts to controllability
check for the latter on the corresponding module. The
protocol specifications are represented by port automata that
generate them. For details of this verification method the
PLANT FSM reader is referred to [5]. For illustration purposes, the port
IDLE
2
automaton between the plant module and door module is
2 given in Fig. 7. Their priority sets (in the sense of PSC), Δ
and ∏ are given in (1) and (2) below. The controllable events
1

OVERLOAD
entry: 75
(computed as the intersection the two priority sets) for
ID
entry: 67
exit:: 76
prioritised synchronous composition of plant and door
73

exit:: 68
18
62 languages is given just for academic purposes: they do not
/7
3
10. 4 come into the picture when the controllability check under
4 / 13 PSC is done [6]. The non-conflicting nature of each module
2

7
DIR DOOR (LG) against its port structure (supervisor module) is verified
entry: 20 8
exit:: 21
entry: 30
exit:: 31 using the standard test for non-conflicting languages [6].
5
Δ = { 1,2,3,4,5,6,7,8,10,18, 62,73} (1)
6 / 14 PLANT

∏ = { 5, 6, 10, 30, 31,73,74} (2)

plant_door

Δ ∩ ∏ = { 5,6,10,73} (3)
Fig. 5. The PLANT FSM of the ELEVATOR statechart PLANT plant _ door

495

Authorized licensed use limited to: Universidad de los Andes. Downloaded on June 10,2020 at 21:37:50 UTC from IEEE Xplore. Restrictions apply.
 2011 6th International Conference on Industrial and Information Systems, ICIIS 2011, Aug. 16-19, 2011, Sri Lanka

30
73
10
5 U 6 U 10
U 31 U 73
74 U 30
5
0 1
6
74
31
Fig. 7. Port structure between PLANT and DOOR modules.
Once the tests for controllability and non-conflicting
property are done for the each LG-PS pair we can consider
the overall controller as verified.
V. HARDWARE/SOFTWARE IMPLEMENTATION
Once the verification process is completed the controller is
ready for safe implementation with a suitable hardware and
software platform.
The verification described above being for the
unsupervised plant, we need to extend the procedure to cover
the specification, implementation and integration of
supervisory control. First we consider the construction of
software code for the elevator PLANT statechart model for
implementation on a PLC platform. Starting from the
language generators, the required sequential function charts
(SFC, grafcet was the original name used by the French
developers of the language and currently used synonymously
with SFC in automation industry) were developed for the
PLC platform. The SFC is a flat model of the PLANT
statechart which can be directly fed in to the PLC.
Telemechanique PLCs of Schnider Electric have the “grafcet”
facility and “SIEMENS” have “GRAPH” facility inbuilt for
SFC based programming. If a particular brand of PLC does
not support the SFC formalism we can easily translate the
“grafcet” into more familiar ladder logic or STL (both IEC
61131-3 languages, like SFC).
very significant, and hence the lengths of corresponding PLC
codes. Under the hypothesis that this was possible, we then
developed the following procedure for masking virtual
events, which we eventually validated on the plant.
In the proposed method bottom-most layer states and
physical events (eg., event 43) are considered.
In the SFC construction process, starting and destination
states at the bottom-most atomic stage are merged by
removing the virtual events associated with a unique physical
event triggered in the plant model.
Then search through the rest of the language generators for
virtual events which are generated starting from the physical
events mentioned above. The process is continued until
another bottom-most atomic level destination state is reached.
Then connect the respective bottom-most atomic states of the
statechart. The above process is continued for the complete
set of physical events. When this process is completed the
reduced grafcet for the statechart can be derived.
In order to validate the hypothesis and the corresponding
masking process, grafcets were developed for plant models
before and after applying the above mask. Their reachability
graphs were then compared to verify whether the effective
command sequences generated were in fact the same. The
command sequences being the same, we adopted the
reduction strategy as a general rule. The SFC obtained for the
PLANT statechart by following the above procedure is shown
in Fig. 8. The SFC can directly be implemented in the PLC.
The SFC implementation for the PLANT statechart on a
Telemechanique PLC is shows in Fig. 9.
In the next phase of the experiment, supervisory control
specifications for safety-critical operations and performance
criteria were developed and implemented. Given below is
how a typical performance specification was implemented.
Specification: “while the door is closing, if repetitive door-
open requests are made for more than five times, the system
stops responding to the door-open request”. This specification
was then formalized by first obtaining the corresponding
regular language and then designing a finite state automaton
that accepts the language.

VI. SFC CONSTRUCTION PROCESS AND 1 ID

SUPERVISOR INTEGRATION 4
3
18

DIR DOOR
Virtual events were introduced in the process of controller UP
OPEN
decomposition and in constructing language generators. They 2 UP_ON 6 OP_ON

are in effect, updates of state variables (e.g., entered X 42 44

7
35
OP_OFF
records the activation of the state X) that facilitate sequencing 43
3 UP_OFF
19 19
35

of commands and signals across module boundaries. Then we DOWN WAIT

conjectured that we might be able to mask them in the 4 DOWN_ON WT_ON 8
61
9

development of the PLC program (since, seemingly, they do

62
59 57 17
DOWN_OFF
10 OVERLOAD
WT_OFF
not need to have any real plant counterparts in a PLC 58
5
19 19
17

program) so long as the sequencing imposed by them is CLOSE

respected. To this effect we posed the following question: 11 CL_ON

once they have served the purpose of facilitating the modular 12

37
CL_OFF
18
verification and communication among individual automata,
18
47 48
34

is there a way in which they can be removed without

affecting the system behavior? This is important because the
resulting reduction in the size of individual automata can be Fig. 8. The SFC derived for the PLANT statechart

496

Authorized licensed use limited to: Universidad de los Andes. Downloaded on June 10,2020 at 21:37:50 UTC from IEEE Xplore. Restrictions apply.
 2011 6th International Conference on Industrial and Information Systems, ICIIS 2011, Aug. 16-19, 2011, Sri Lanka

Supervisor Specification
WT_OFF 10
17

11
CLOSE
CL_ON
18
1 ID 37

4 2 6

CL_OFF 12
DOWN_ON UP_ON OP_ON

48
47 34

15
MO
(# pressed < 5 )
# pressed > 5
19 18
37
Fig. 9. The SFC derived for the PLANT statechart 16 17
18 37 37

VII. SUPERVISOR CONSTRUCTION AND INTEGRATION 18

CLOSE
SUPERVISOR

The specification given here refers to the DOOR sub Supervisor Specification - When door is closing if repetitive door open
module of the elevator controller. By using the DOOR requests are made more than five times the system does not respond to the
DOOR open request
language generator and the specification language the Event definition - DOOR open request counter < 5, M0 = 1 else MO = 0;
supremal controllable sub-language (SCSL) can be derived.
The TCT (Toronto Control Technology) software
Fig. 11. The SFC derived for the PLANT statechart
automatically generates the SCSL. The Fig.10 shows the
resulting plant (D), specification language (SD) and the The DES, SUPD obtained from the TCT software generates
optimal controllable sub language using the TCT software. the supremal controllable sub-language for the given
The derived supervisor can be implemented using the SFC specification.
shown in Fig.11. The same SFC can be implemented in PLC using the ladder
In the DOOR discrete event system (DES) shown in Fig. diagram shown below.
10 the uncontrollable events 5 and 7 exiting from state 3 refer
to the door-request-counter values “less than five” and %M17
11
“greater than five”, respectively. But the specification DES, .*. 10 ( #)
SD allows only the path with the event 5.
%M18
19
.*. 11 ( #)

15
( #)
%M0
16
.*. 15 ( #)

%M18 18
.*. 16 ( #)

%M18 %X18
18
.*. 19 (#D)

6
( #)

%M18 %X19
19
.*. 18 ((#D)

6
( #)

Fig. 10. TCT supervisor obtained for the DOOR specification Fig. 12. The ladder diagram for implementing the specification

497

Authorized licensed use limited to: Universidad de los Andes. Downloaded on June 10,2020 at 21:37:50 UTC from IEEE Xplore. Restrictions apply.
 2011 6th International Conference on Industrial and Information Systems, ICIIS 2011, Aug. 16-19, 2011, Sri Lanka

RESULTS & DISCUSSION [5] S. D. Dewasurendra, “Statecharts for Reconfigurable Modular Control
of Complex Reactive Systems: a new formal verification
methodology,” in Proceedings of ICIIS 2006, Peradeniya, Sri Lanka,
An integrated laboratory research facility (elevator system) 09-11 August, 2006.
[6] S. D. Dewasurendra, “Statecharts for Reconfigurable Modular Control
has been set up for model-based design, verification and
of Complex Reactive Systems: need for formal verification and
validation of controllers for large scale safety critical systems. associated problems,” in Proceedings of ICIIS 2006, Peradeniya, Sri
Lanka, 09-11 August, 2006.
Model based design and modular verification of elevator
controller was demonstrated: statechart based control
specification was developed into a tree of communicating
regular language generators (modules) where the
communication between adjacent modules was implemented
through port automata under prioritized synchronous
composition.

The design was modularly translated into a Sequential

Function Chart for implementation on a PLC platform.

We also tested automated translation of the modules from

the structured statechart model into a flat SFC. The SFC
programs were validated by testing them on the elevator
system.

We have demonstrated how supervisory specifications

could be progressively integrated to the controller both in
SFC form and ladder logic.

Validation of control design methodology with respect to

reconfigurability and formal verification has thus been done
at a few levels and continues.

The implementation of reconfigurable elevator controllers on

FPGA (Xilinx FPGA) platform is being carried out as a
separate axis of this research programme.

ACKNOWLEDGEMENTS

We acknowledge with gratitude the Peradeniya University

Research Grant RG/2006/32/E awarded by University of
Peradeniya as seed money, the help received from Electrical
& Electronic Engineering staff and Sub-warden of
Ramanathan Hall of Residence, the numerous helps extended
by colleagues from CECB and Schneider Electric Co. Ltd.

REFERENCES

[1] D. Harel “ Statecharts: A visual formalism for complex systems”, in

Sci. Comput. Prog. Vol. 8 pp. 231 -274, 1987. (Preliminary version
appeared in Cs 84-05, Weizmann Institute of Science, Rehovot, Israel,
Feb. 1984).
[2] D. Drunskey and D. Harel, “using Statecharts for Hardware description
and Synthesis,” in IEEE Transactions on Computer–Aided Design. 8(7)
July 1989.
[3] Lam, Vitus S.W. and Julian Padget. “Symbolic Model Checking of
UML Statechart Diagrams with an Integrated Approach”, Proc. of the
11th IEEE International Conference and Workshop on the Engineering
of Computer-Based Systems (ECBS’04). 2004.
[4] Yi-Sheng Huang, Sheng-Luen Chung and MuDer Jeng “Modeling and
control of elevators by statecharts”. Asian Journal of Control, Vol.6
No. 2, pp 281-292, June 2004.

498

Authorized licensed use limited to: Universidad de los Andes. Downloaded on June 10,2020 at 21:37:50 UTC from IEEE Xplore. Restrictions apply.