lcm rotary table factory

Rotary tables, rotary-tilting tables, tilting heads equipped with electrospindle: these are some of the products that Lcm Precision Technology designs, produces and markets. Innovative and customized solutions in manifold geometries, with different sizes and various magnitudes, with which the company intends to represent a reliable and qualified partner in national and international ambit.

Headquartered at Castell’Alfero, in Asti province, Lcm Precision Technology is an engineering company that since 1986 has been designing, producing and marketing accessories for machine tools. Forefront components developed thanks to a team of skilled technicians able to comply with specific needs and to turn them into high quality added-value solutions. Result enabled by the precious contribution of around ninety employees, a dozen of whom working in the Research & Development Department, for a turnover that reaches about 15 million Euros (70% of which beyond the borders).

«A high-quality product – specifies Giorgio Panatero, sales executive of Lcm Precision Technology – that in most cases directly reaches machine tool manufacturers, that is to say OEM, and is also intended for OE applications».

Rotary tables, rotary-tilting tables, tilting heads equipped with electrospindle: they are some of the products designed, produced and marketed by the company.

«A production – adds Panaterpo –that includes both tables with conventional rotation system, that is to say mechanical, with worm screw and crown, or with direct-drive, torque motors. Flexibility with which we can satisfy the various market requirements».

The torque motor technology permits the company to manufacture tables with torque performances in operation resembling the tables with screw-crown system but very high rotation speeds. Another important advantage is the backlash absence and the consequent high dynamic response and precision, thanks to the quick bi-directional response.

The range developed by Lcm Precision Technology can be practically subdivided into three big families where innovation and competences converge. The first includes the rotary tables belonging to BRC and BRS series, solutions conceived for the application on 5-axis machining centres, equipped with rotary-tilting system directly integrated into the bed of the machine itself. They are executions implementable in the sizes of 200, 300, 400, 600, 800 mm (sizes of the rotary surface), up to the biggest one, with 1,200 mm plate and a loading capacity that can reach 2,000 kg.

The family called MD includes instead tilting milling heads (with +/- 100° for those with mechanical transmission and hydraulic clamping and +/-120 for the models with torque motor), the related milling electrospindles (belonging to the ELQ series) and the rotary tables to be integrated or fixed on the machine worktable (being part of TDE/M and TRB series).

The above-mentioned solutions are completed by the inserted rotary tables for machining centres, that is to say with 4th and 4th/5th axis, with rotary plate sizes from a minimum of 125 to a maximum of 350 mm.

«In other words – adds and ends Panatero –the possibility, which more and more often the manufacturers of milling machines are trying to supply to their customers, of executing also small turning operations on their machines. Concerning this, we are developing a series of targeted products, both rotary tables that can rotate with speeds consistent with turning, and we are speaking of 500 rpm on 800 mm of diameter and electrospindles and heads able not only to mill but also to manage, to grip and to clamp a turning tool».

... OptionsThe turntable machine R 703 is also available as an Atex version. 4-6-8-12 or 24 spindles are available as options; half of the selected spindles can be equipped with a directional rotation reverse function. The ...

The Heavy-Duty Manual Turntable maximizes workspace and minimizes wasteful motion. Bench top turntables allow workers to stay in one position and rotate items for access from all sides. ...

... impacts or forces while gear type or torque motor type rotary tables are not likely do. Its accuracy and rigidity obtained by zero-backlash technique that achieves high accurate positioning with the rotational ...

... acoustics Remote-operated Turntable HRT I is used for automated orientation-dependent acoustic measurements, allowing to rotate the device under test to specific angles in the measurement field.

The cumulative rotary table is an auxiliary device for the accumulation of packs before group packaging or other tasks. The storage disk made of stainless material, which allows the use of the table ...

This is the Hollow Rotary Table model number GSN60-05K-SV with table size 60mm gear ratio 1:5 for servo motor. GIGAGER Hollow Rotary Table also called ...

... Aerosol or Bag on Valve Stations. Our 36″ Rotary Index can accept a maximum of 6 stations, our 18″ Rotary Index can accept a maximum of 4 stations, and our 9″ Rotary Index can accept ...

... 40 inch diameter Rotary Bottle Loading Turntables are manufactured in 1/8″, 304 stainless steel. Power is provided for the TAU-4000 by a DC gear motor. Variable speed up to 150 containers per minute.

Job shops may believe that all CNC rotary and index tables are essentially alike. As a result, they often base their selection on price and hope they can use their machining creativity to maximize a rotary or index table.

However, to expand the capabilities of their machine tools when purchasing new ones or retrofitting existing equipment, considering the quality of a table’s sealing, braking and bearing systems and how those systems impact a shop’s current and projected applications can pay big dividends down the road. Shops are also wise to consider the effectiveness of a cable management system—which ensures a rotary table is always connected to the machine without operator intervention and extends connector life—when palletizing tables.

“The initial quality of the rotary table makes a big difference,” said Lee Flick, national sales manager for HPI-Pioneer, “especially at job shops.” The Elk Grove Village, Ill., company supplies CNC rotary and index tables from Yukiwa Seiko Inc., Japan.

Predictably, many end users—especially shops on limited budgets—push the limits of a rotary table’s weight capacity and capability. “Some of our customers will put a car on a little table and try to turn it,” Flick quipped. But by specifying the correct rotary table for the job, shops can extend equipment life while reducing maintenance issues and continuing to machine high-quality parts.

After 2 years of operation, the inside of a Yukiwa rotary table (left) with an automatic air-purge system and a competitor’s table without a purge system.

A table axis’ lack of durability and inadequate clamping power can cause out-of-tolerance features and rough surface finishes. One solution is a dual-bearing system that supports the table on the front and rear with large bearings, according to Flick. Even with an overhanging weight load, this design prevents the table from leaning, he added.

One of the key factors that determine the life span of a rotary table is how well it is sealed against potential contaminants, such as metalworking fluids. Flick noted the most common rotary table service is repairing electronics damage caused by coolant infiltration. “Within 20 years I believe the market will be dry cutting,” he said. “But as long as coolants are involved, sealing is extremely critical.”

Flick indicated that there are three basic sealing arrangements: sealing just the motor cavity, sealing the entire table and sealing the table and incorporating an automatic-purge system similar to check-valve pressure on an airplane. “You pressurize the cabin and if you were to get a leak, it blows outwards,” he said, adding that a rotary table with that type of seal typically lasts twice as long as one that doesn’t, whether it’s an entry-level or higher quality table.

HPI-Pioneer President Nobu Kiriyama explained that the Yukiwa air-purge system uses the 70-psi shop air that also supplies a table’s braking system and enables a table to effectively function when submerged for EDMing. For those applications, an optional nickel-plating is appropriate when the table is submerged in water-based dielectric fluid.

Of course, chips, swarf and other debris produced during cutting can abrade any seal material and provide a passageway for contaminants into a table’s inner mechanisms. Therefore, John Arnestad, tooling product manager for Koma Precision Inc., recommends against aiming a high-pressure coolant line at a seal or an area where a seal is located to reduce that risk. The East Windsor, Conn., company supplies rotary tables from Tsudakoma Corp., Japan, which have seals directly behind the faceplate. The tables also have a metal cover that shields the main seals to decrease the chance of debris abrasion.

For high-pressure coolant applications, Rotec Tools Ltd., Millwood, N.Y., recommends a labyrinth seal on the rotary table. Rotec distributes rotary tables from Peter Lehmann AG, Switzerland. Ivo Straessle, Rotec president, noted the air-supported labyrinth seal attaches to the spindle nose of the table, extending the standard spindle seal, and creates an air cushion underneath the seal to keep coolant out. “We prefer oil-based over water-based coolants because they’re not so aggressive on the rotary tables,” Straessle said. “Many water-based coolants attack seals, cables and electrical components.”

In addition, Lehmann rotary tables have an air-purge seal on the motor housing, and the gear housing has a positive oil pressure at all times. “That makes it very difficult for debris or coolant to penetrate the seal system from the outside,” Straessle said.

To ensure longevity of the rotary table and its sealing system, pressure is reduced to the internal components of the pressurization system during rotation on most of the table models offered by L.C.M. Srl, Italy, said Mike Bickham, president of distributor ITI Tooling Co. Inc., Ramsey, N.J. Then, the pressure increases when the table reaches the preprogrammed working positions.

Cutaway of a Lehmann rotary table: 1) The clamping ring applies 360° equal clamping force on the rotary axis; 2) the rotary axis; 3) the preloaded radial and axial needle bearings; 4) the gear train; and 5) the standard spindle seal, which can be extended with a labyrinth seal for high-pressure coolant application.

Unless it’s an older table, coolant infiltration behind the rotary table seals isn’t an issue in 99 percent of machining applications, according to Jamie Schwarz, national sales manager for CNC Indexing & Feeding Technologies, Mason, Ohio, which offers Taiwanese-made Ganro rotary tables. A combination of oil seals, O-ring seals and silicone caulking keeps contaminants out of the tables’ inner workings, and the company offers an air-purge system as an option.

When coolant penetrates a rotary table, it can short out a servomotor, and fine chips can wreak wear-related havoc on the brake, worm wheel, worm shaft and other parts. “That can get expensive when you start replacing internal components that are important to the table’s accuracy and repeatability,” Schwarz said.

Pressure also comes into play when selecting the appropriate braking system for a rotary table. According to HPI- Pioneer’s Flick, two basic variations exist: a disc brake system and a hydraulic version that provides higher braking pressure than a disc brake. Although hydraulic systems are prevalent, he pointed out that the company offers models with the less-typical air-over-hydraulic booster inside the table’s motor cover, eliminating the need for a hydraulic pump or other external hydraulic supply. Instead, 70-psi shop air does the trick. This is because the table clamp mounted inside the air-hydro structure boosts the hydraulic pressure and achieves higher clamping power simply by providing air pressure. (See image below.)

“The higher the braking pressure, the more aggressive machining you can perform on the rotary table,” Flick said. “Hydraulic boosters are becoming more common because people want to machine harder and harder on the table.”

He added that there’s no angular pressure on any braking system when using a rotary table to cut on-center, but the type of system makes a significant difference when machining off-center because the pressure created on the cutting location increases based on its distance from the center. Hydraulic systems permit more aggressive cuts, even when machining farther out on the table.

The heavy-duty, zero-backlash braking systems on the rotary tables from ITI Tooling can use hydraulic pressure up to 870 psi, according to Bickham, but 580 psi is more typical. In addition, the tables can use an air supply together with an air-over-oil intensifier, which provides benefits because shop air is generally more readily available and is restricted to a safer pressure than a hydraulic system. Bickham added that whether it’s an air- or a hydraulic-actuated brake, the brake operates in the same manner by expanding a 360° pressurized sleeve that wraps around the table’s center axle, holding it rigidly in place.

Cost considerations can play a prominent role when selecting a rotary table’s braking system. The disc brake is the most popular type because repairs are fairly inexpensive, according to CNC Indexing’s Schwarz. The repair is usually performed on tables 10 years and older used for heavy machining, he said. “We can get the repair done within a day for a few hundred dollars.”

With the air-over-hydraulic brake system in Yukiwa’s rotary tables, the increased hydraulic pressure can achieve stronger clamping power by providing air pressure.

Arnestad indicated that Koma offers several braking system options. Called the RNE series table, the pneumatic, dual-disc system is the most economical, while offering good accuracy and a good torque drive, he noted. The mid-range RNA series table has a dual-taper clamping system that uses a pressure intensifier, where a ring of ball bearings are captured between the clamping ring and the piston.

“The piston has an angular feature on it, as well as an angled member inside the braking system so, as the piston moves forward, it displaces that ring of ball bearings and triples the clamping force,” Arnestad said. This enables taking heavier off-center cuts without the fear of the rotary faceplate turning under force.

Arnestad added that the hydraulic, dual-disc clamping system, called the RBA series table, is the company’s most robust. “That’s targeted for high-volume production,” he said, “where they need to hold very close tolerances and want to machine at the fastest rate possible.”

According to Rotec’s Straessle, Leh-mann rotary tables have the same braking system for any application, using a built-in air-over-oil intensifier. This booster coverts 90-psi shop air into more than 4,000 psi of hydraulic pressure, he added, and a clamping ring equally applies 360° clamping force to the rotary axis. “A high clamping force allows high feed rates and high workpiece accuracy.”

End users can also increase machining parameters when a rotary table’s bearing configuration enhances table rigidity. For example, preloaded axial and radial needle bearings in front of the table next to the spindle nose and preloaded axial needle bearings in the rear of the spindle (all inside the gear housing) provide a high level of rigidity, Straessle explained. Preloading eliminates the undesirable “give” for the bearings in the axial and radial directions. “This design allows the customer to work with heavy workpieces and, at the same time, reduces overall vibration,” he said.

According to Arnestad, a cross-roller bearing construction provides the best rotary table support. “It gives better stiffness and less runout than, say, tapered roller bearings, which have a chance of losing their preload over time,” he said.

Yukiwa rotary tables from HPI-Pioneer have a dual-bearing system, where two sets of bearings at both ends of the body provide triple-contact support and the largest angular contact bearing is underneath the table face to enhance bearing support.

In terms of runout, HPI-Pioneer’s Kiriyama noted the bearings in Yukiwa’s rotary tables provide a 0.0001" runout and are the same grade as the ones machine tool builders use for their spindles. According to the company, the tables have a dual-bearing system, where two sets of bearings at both ends of the body provide triple-contact support, and the largest angular contact bearing is underneath the table face to maximize bearing support.

HPI-Pioneer repairs and replaces worn bearings from its rotary tables, as well as from its competitors. “A good table will go 5 to 10 years before it needs work, just like a machine,” Flick said. “With a low-end table, you’re doing it annually. It’s that dramatic of a difference.”

Similar to a braking system, a high-quality bearing configuration effectively supports the workpiece load and machining pressure in the axial and radial directions. This proves beneficial when machining on a rotary table that’s not adequately matched to the application. “Everyone wants to buy the least expensive table they can and push it to its limits rather than going the next size up,” said CNC Indexing’s Schwarz.

When high-volume manufacturers and those performing lights-out machining use rotary tables, they often palletize the tables. In this scenario, the main consideration is the cable management system, which enables a palletized table to shuttle in and out of the machine tool without disconnecting cables while keeping them clear of the machining process, according to Schwarz. It might involve running the cables through the middle of the pallet to some sort of track system or incorporating a spring-loaded arrangement that hangs from the upper sheet metal in a machine and allows cables to extend and retract.

Most end users are quite opposed to having to repeatedly plug in and unplug a rotary table, he said. As a result, the role of a cable management system, which machine tool builders and third-party installation companies provide, is critical.

Koma’s Arnestad added that a cable management system ensures a rotary table is always connected to the machine without operator intervention, which extends connector life. “If you don’t have good cable management, the connections can fail due to abrasion or having the cables flex too much,” he said. “How many times can you plug and unplug a multiple-pin connection before somebody gets a chip underneath the unit, tries to force it on and it leaks and you have problems?”

Going cheap across the board with rotary tables pays initial dividends, but part manufacturers that skimp on quality may miss enhancing the capabilities of their machine tools—even entry-level ones. “If you put the right options on your rotary table,” Frick said, “you can make an inexpensive machine perform as well as a midrange machine.” CTE

Because they don’t have gears and gear-related issues such as backlash, direct-drive rotary tables were expected to eventually replace worm gear-driven ones. For example, CTE’s April 2004 cover story stated, “Whatever the use, more direct-drive NC rotary tables will be purchased in the future, supplanting gear-driven units. These types of tables don’t have a gearbox, thereby eliminating the need to replace worm gears and belts, and are directly driven by the motor.”

That expectation didn’t quite materialize. Although they are quite accurate and rotate considerably faster than gear-driven rotary tables, reaching 250 rpm and higher compared to less than 50 rpm for a standard conventional table, direct-drive rotary tables lack the torque required for machining heavy parts and difficult-to-cut workpiece materials.

Therefore, the primary applications for direct-drive tables are high-volume ones that involve small, lightweight parts and light machining loads, according to Lee Flick at HPI-Pioneer, which offers direct-drive tables. In addition, the motor is essentially the brake. “To get the rpms, you give up torque and braking pressure,” Flick said.

HPI-Pioneer’s Nobu Kiriyama added that rotary table manufacturers have access to the same motors from motor manufacturers, which provide similar motor configurations and specifications. “Then, the various rotary table manufacturers are mostly assembling components and it’s harder to distinguish themselves,” he said. “Direct-drive technology is still evolving.”

Damaged direct-drive tables are also more costly to repair than gear-driven ones, because the components are more expensive than ones for standard servomotors, which can be rewound, said John Arnestad of Koma Precision Inc. “And if you get contamination inside a direct-drive rotary table, the motor is shot and the rotary table needs to be replaced.” Koma offers 5"- to 25"-dia. direct-drive tables.

Ganro also offers a direct-drive table, noted Jamie Schwarz of CNC Indexing & Feeding Technologies, but end users often view them as cost-prohibitive because direct-drive motors are expensive. “We quote it and then the customer says, ‘For that additional cost I think I can live with the standard table I have.’ ”

However, not all suppliers have a less-than-stellar outlook on direct-drive technology. ITI Tooling Co. Inc.’s Mike Bickham emphasized that for L.C.M.’s high-speed, torque-motor-driven tables, the company designs and manufactures many of the direct-drive motors it uses. He added that special direct-drive tables can be ordered that provide enhanced torque and, if needed, a wider range of speed. “There’s tremendous holding power for heavy-duty machining because the motor can be used as the brake,” Bickman said.

Fully Factory Rebuilt, Factory Refurbished Rotary Tables, to as new factory specifications: Horizontal, Weight approx 2100kg, Loading capacity approx 18,000kg/39,600lbs, .  Refurbished October 2017 by Rusach International.  Fanuc Alpha 30 motor, Heidenhain ROD800C +/-3.5 Arc Second encoder, Siemens hydraulic pump.  Table Top is set up for a pallet receiver.  Need it modified, please let us know!

in which order these two event/response pairs occur. However, this imposes an extra assumption on the device implementation, which is not made in the solution chosen here. A transition may also be labeled by a multiset of process names, which represents the interleaving of that many instances of those processes. This graphical technique is known as recursive process graphs and is de ned formally elsewhere 8]. The table starts in lower position with rotation zero. When a plate arrives, it moves upward and right to reach the position in which it can be unloaded by arm1. In order to ensure that the table will not collide with the feed belt when turning right, a delay can be added between moving upward and moving right; this has not been done in the example speci cation. If no such collision is possible, the table right can be made part of the response to plate on table, i.e. synchronous with table upward. After the table has reached the unload position, the robot is sent the message to turn to the table and arm1 is sent the message to extend to the length at which it can load the blank from the table. The controler therefore waits to to start robot movement until after the table has nished its movement. This is done in order to be able to prove the required safety property (that the table and robot do not collide). With a less restrictive safety property, the robot and arm1 could start their movement earlier. The table then waits until the blank is loaded from the table to arm1 and the robot turns away again. It then receives the message to return to its initial position again. This is assumed to nish before the other components return to their initial state. It is assumed that the speed with which blanks arrive from the feed belt is su ciently slow to allow the production cell to return to its initial state. Because there are only a few individual objects in the UoD, whose identi ers are known, there are no quanti cations in the axioms. The identi ers of the objects appear as constants in the axioms. In the formal speci cation, there is no distinction between events and responses and they are both declared as an event in the life of an object. Only the response of an event/response pair is declared in the event section of an object class speci cation. The event part of the pair is declared in the event section of the object who causes this event. For example, the life cycle of the table control starts with the plate on table/table upward pair. The plate on table event is declared as an event in the life of the table, the table upward is declared as an event in the life of the table control. The life cycle of the table control only contains the local events of the control. Table lower position has been allocated to TABLE because it describes a state of the table. The issue of the allocation of predicates (and attributes) to objects does not seem to be does not seem to be very important here. What is important to master is the synchronization of processes and the safety of the system, not the modularization of the few static properties that are around. Note that however Table lower position is allocated, there must be non-local updates of this predicate. We could avoid nonlocal e ects by introducing a local event which synchronizes with the event that wants to do the update. This added complexity would aggravate the real problem (mastering the synchronization problems) and solve a minor problem (nonlocality of e ects). The service speci cation only contains the communications between the control and the device it controls. Global communications between di erent controlers are speci ed in the production cell control service speci cation (section 2.9).

TABLE_CONTROL Exists start blank_drops_on_table table_stops_high table_stops_low table_stops_unload table_stops_load move_arm1_to_table remove_blank_from_table

where c is a constant determine by the upward speed of the table and the distance between the table and the feed belt. Alternatively, delayed responses could be de ned:

This is not very enlightening. First, the >> operator has no semantics above that of &. Second, in the above speci cation, events like table upper position are allocated to TABLE CONTROL, whereas it is really an event in the life of the table itself. In the solution that was nally chosen, the >> operator is modeled as synchronization. Only the actions of an object are allocated to the objects (and they are called events because this is what they are called in LCM). The environment (TABLE) has been added, and the events declared in the above speci cation have been speci ed to be events in the life of the table. By eliminating events from a class speci cation, the life cycle is considerable simpli ed. The penalty is that we must specify the synchronization elsewhere, i.e. in the service speci cation. This stays close to the informal model: the service speci cation corresponds to the context diagram for the controler, the control object speci cation corresponds to the class diagram and life cycle diagram. All responses of a control object are commands sent to the device that is controled by the object. This is not modeled in the speci cation, for it would not add any insight. To model the fact that a command like arm1 forward is a communication between the controler and arm1, we would have to allocate this action to arm1 and de ne a transaction

(table upper position / table stop v ) ; (table unload direction / table stop h) + (table unload direction / table stop h) ; (table upper position / table stop v )

events ready; table_left; table_right; table_stop_h; table_upward; table_downward; table_stop_v; start_unload; life cycle TABLE_CONTROL = start . table_upward . table_right . (table_stop_v || table_stop_h) . start_unload . (table_downward & table_left) . (table_stop_v) || table_stop_h) . TABLE_CONTROL; end object class TABLE_CONTROL; begin object class TABLE predicates Exist initially true; Table_lower_position initially true; Plate_on_table initially false; events plate_on_table; table_lower_position; table_upper_position; table_load_direction; table_unload-direction; life cycle TABLE = CELL_1 || TABLE_SWITCH || TABLE_POTMETER; CELL_1 = plate_on_table . CELL_1; TABLE_SWITCH = table_upper_position . table_lower_position . TABLE_SWITCH; TABLE_POTMETER = table_unload_direction . table_load_direction . TABLE_POTMETER; axioms plate_on_table(t)] Plate_on_table(t); arm1_mag_on(a1c)] not Plate_on_table(t); --- nonlocal effect table_lower_position(t)] Table_lower_position(t); table_upward(tc)] not Table_lower_position(t); --- nonlocal effect end object class TABLE; begin service TABLE_CONTROL_TRANSACTIONS

In the case of the table, the continuous variable v position is transformed into a discrete signal by hardware devices (the table switches). Transformation to a discrete signal may also have to be done by the software, such as in the case of the table rotation. The continuous signal from the potentiometer is transformed into discrete signals by an event recognizer, that signals the control system that a certain event has occurred. This could be done by a polling process such as shown in gure 3.1. The preconditions of events have been written in front of the events. In general, for each predicate P and closed term c that can appear as argument of P , we have an event P (c)@t which says that P becomes true of c at time t. Depending upon the observational powers of the sensors, the control system can observe some of these events. More generally, there are time intervals during whiuch a predicate is true, which we may write as c, P (c) t1 ; t2 ]. The event that the predicate becomes true of c could be written as P (c) " @t and the event that it becomes false could be written P (c) # @t. Conversely, for each event e there are predicates

3.6 Deontics : : : : : : : : : : : : : : : : : : : : : : : 3.7 Assumptions about the environment : : : : : : : 3.8 Safety conditions : : : : : : : : : : : : : : : : : : 3.8.1 Arm1 cannot collide with the rotary table 3.8.2 Arm 1 cannot collide with the press : : : 3.8.3 Arm 2 cannot collide with the press : : : 3.9 The role of formalization : : : : : : : : : : : : : :

begin value type TABLE functions t : TABLE; end value type TABLE; begin value type TABLE_CONTROL functions t : TABLE_CONTROL; end value type TABLE_CONTROL; begin value type ARM1 functions a1 : ARM1; end value type ARM1; begin value type ARM1_CONTROL functions a1c : ARM1_CONTROL; end value type ARM1_CONTROL; begin value type ARM2 functions a2 : ARM2; end value type ARM2; begin value type ARM2_CONTROL functions a2c : ARM2_CONTROL;

It is not clear what this would add to the speci cation other than unnecessary complexity. It is not even clear whether it would be a good idea to distinguish a stimulus from its response. Suppose we have two processes, X = x; a and Y = y; b and a and b are forced to synchronize. If X reaches a earlier than Y reaches b, then it has to wait for Y and b will be considered an event to which X responds with a. If Y reaches b earlier than X reaches a, then it has to wait for X and a is considered to be an event to which Y responds with b. In both cases, the logic is the same: two processes synchronize on a&b. It is even conceivable that X and Y reach this synchronization point in di erent orders in di erent runs. Thus, control is basically the speci cation of synchronization between control objects and controled devices and among the control objects themselves. It doesn"t matter very much who controls who. In a sense, it is the environment that controls the control system rather than the other way around. Let e = r&r. If the stimulus s occurs, the response r must occur. Contrast this with the attempt to perform a withdraw transaction on a bank account. If the precondition of withdraw is not satis ed, the bank account system may refuse to perform this transaction. By contrast, if a blank arrives at the table, this event cannot be undone by the controler. It must react, even when the preconditions are not satis ed (e.g. because there is already a blank on the table. It may for example produce another response, such as stop feed belt. A control system is under a hard obligation to always produce a response that makes sense under the circumstances. Data-intensive systems usually have a social environment in which people can always nd something else to do when the preconditions for a transaction are not satis ed. 32

There is essentially only one instance of each class. It would be much more natural in this application to specify the objects immediately. The reason to de ne object classes instead of objects is that we have many instances of the same class. Instead of duplicating an identical description for all these objects, we specify the object class. LCM can easily be extended to allow individual object speci cation:

This report discusses a solution of a case study put forward by Claus Lewerentz and Thomas Lindner of the Forschunszentrum Informatik of the University of Karlsruhe, Germany 7]. The case study was put forward in the KorSo project (Korrekte Software durch formale Methoden) as a means to show that formal methods can be applied to practical examples and that they are useful for the speci cation of safety-critical systems. The case consists of the speci cation of the control software of an production cell used in a metal processing factory. The production cell consists of movable parts, such as a rotary table, movable robot arms and a press, which process metal plates (called blanks). The control system must take care that the movable parts do not collide. Formal speci cations can be useful by allowing the speci er the means to prove, in advance of implementing the speci cation, that collissions cannot occur if the speci cation is implemented correctly. More in general, many formal speci cation languages allow proof of safety and liveness properties (which express events or states that one wants to avoid or to occur, respectively). The solution is written in LCM 3.0, a Language for Conceptual Modeling based on dynamic logic and process algebra and designed for the speci cation of conceptual models of observable system behavior 5, 10]. The language was designed with data-intensive systems in mind and contains constructs to express classi cation, taxonomic structures and aggregate objects. These constructs are useful if one wants to specify the behavior of large sets of similar objects, but are of less use in control systems, where there are usually a small number of di erent types of objects, and there is a small number of instance of each type (often only one instance per type). LCM 3.0 also contains constructs to specify object life cycles and communication between objects, and these are useful for the speci cation of control-intensive systems. The purpose of using LCM 3.0 in the speci cation of the production cell control system is therefore to see how far we can get with the constructs already available in LCM 3.0, and which constructs should be added in order to make the language more useful for the speci cation of control-intensive systems. The solution was found by using elements of the method MCM (Method for Conceptual Modeling), which is intended to be used together with LCM if it is applied to the speci cation of data-intensive systems 9, 10]. In addition to testing the extent to which LCM 3.0 can be used for the speci cation of control-intensive systems, the purpose of this report is also to test the extent to which MCM can be extended to a method for the speci cation of conceptual models of such systems. One feature of MCM that proved very useful in this case study is the emphasis on a coherent collection of representations, some of which are informal and consist of diagrams and accompanying documentation, and some of which is formal (speci ed in LCM). 1

The life cycle of arm1 control is shown in gure 2.9. The life cycle of the arm itself is trivial and is not shown. Arm1 starts with extension 0 and is moved forward when the rotary table has reached the unloading position. It the same time, the robot moves right (from angle 0) so that arm1 ends up in position needed to unload the rotary table. When the arm is in position, the magnet is switched on. The robot then turns left to unload the press with arm2 and take a blank from the press to the deposit belt. When arm2 takes a blank from the press, it is in lower position, and after arm2 has moved away from the press, the press moves to middle position. After arm2 has dropped a blank on the deposit belt, the robot turns further left, arm2 retreats to extension 0 and arm1 moves forward to the extension needed to drop a plate in the press (which is now in middle position). After arm1 has reached the proper extension and the robot has reached the proper angle, magnet1 is switched o . Arm1 then retreats to extension 0, the robot turns right to angle 0, the press moves to upper position to press the blank and then returns to lower position.

Because this can cause a collision with the feed belt, the table right command has been postponed. The current speci cation is incomplete, because it is not speci ed how long the control should wait before issuing a table right command. One way to handle this is to introduce a delay action:

There are a number of properties of the environment that change over time. The vertical position of the rotary table is such a property. There is however no attribute v position of the rotary table, because there is no way of knowing what the value of this attribute is. Instead, there are two sensors that inform the control system whether the table is in lower or upper position. The values of v position in between these two extremes are unobservable to the control system. Yet, the safety of the system depends upon the values of attributes like these. Instead of modeling the height of a table by an attribute v position with values, say, lower, upper, other, I used two predicates with two corresponding events: The predicate Table lower position is true if table is in lower position, false otherwise. The predicate Table upper position is true if table is on upper position, false otherwise. The event table lower position occurs if the lower sensor emits a signal. The event table upper position occurs if the upper sensor emits a signal. Note that causality is reversed in the control system. In the UoD, the above events occur if the corresponding predicate becomes true. In the control system, the predicate becomes true if the corresponding event occurs. This di erence corresponds to a di erence in meaning. In the control system, table lower position means \table reaches lower position according to sensor" and the predicate means \controler represents table as being at lower position". This makes clear that the predicate expresses a condition of the controler, not of the environment. It also makes clear that we are assuming correct sensor functioning in the speci cation. 33

plate_on_table table_upward table_right table_upper_position table_stop_v table_unload_direction table_stop_h start_unload arm1_forward arm1_safety_extension set_arm1_unsafe arm1_load_extension arm1_stop arm1_mag_on table_downward & table_left enable_arm1_mag_on robot_right arm1_to_table robot_stop

begin service PRODUCTION_CELL_CONTROL transactions start(TABLE_CONTROL, ARM1_CONTROL, ARM2_CONTROL, ROBOT_CONTROL, PRESS_CONTROL); start_unload_table(TABLE_CONTROL, ARM1_CONTROL, ROBOT_CONTROL); robot_enables_mag1(ROBOT_CONTROL, ARM1_CONTROL); move_away_from_table(TABLE_CONTROL, ARM1_CONTROL, ROBOT_CONTROL); robot_enables_mag2(ROBOT_CONTROL, ARM2_CONTROL); move_to_deposit_belt(ARM2_CONTROL, ROBOT_CONTROL); robot_triggers_press_to_middle(ROBOT_CONTROL, PRESS_CONTROL); robot_turns_arm1_to_press(ROBOT_CONTROL, ARM2_CONTROL, ARM1_CONTROL); robot_sets_arm1_mag_off(ROBOT_CONTROL, ARM1_CONTROL); turn_to_start_position(ROBOT_CONTROL, ARM1_CONTROL); robot_triggers_press_to_upper(ROBOT_CONTROL, PRESS_CONTROL); press_triggers_robot(PRESS_CONTROL, ROBOT_CONTROL, ROBOT); decompositions start(tc, a1c, a2c, rc, pc) = start(tc) & start(a1c) & start(a2c) & start(rc) & start(pc); start_unload_table(tc, a1c, rc) = start_unload(tc) & arm1_forward(a1c) & robot_right(rc); robot_enables_mag1(rc, a1c) = enable_mag1_on(rc) & arm1_mag_on(a1c); move_away_from_table(tc, a1c, rc) = table_downward(tc) & table_left(tc) & arm1_backward(a1c) & arm2_forward(a2c) & robot_left(rc); robot_enables_mag2(rc, a2c) = enable_arm2_mag_on(rc) & arm2_mag_on(a2c); move_to_deposit_belt(a2c, rc) = arm2_backward(a2c) & robot_left(rc); robot_triggers_press_to_middle(rc, pc) = stop_robot_unsafe_angle(rc, r) &

1.1 Motivation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1.2 Description of the production cell : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1.3 Structure of the report : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : Event trace diagram : : : : : : : : : Object identi ers : : : : : : : : : : : Function decomposition tree : : : : : Table Control : : : : : : : : : : : : : 2.4.1 Class diagrams : : : : : : : : 2.4.2 The context diagram : : : : : 2.4.3 Device and control life cycles 2.4.4 The formal speci cation : : : Arm1 control : : : : : : : : : : : : : 2.5.1 The context diagram : : : : : 2.5.2 The control life cycle : : : : : 2.5.3 The formal speci cation : : : Arm2 control : : : : : : : : : : : : : 2.6.1 The context diagram : : : : : 2.6.2 The control life cycle : : : : : 2.6.3 The formal speci cation : : : Robot control : : : : : : : : : : : : : 2.7.1 The context diagram : : : : : 2.7.2 The control life cycle : : : : : 2.7.3 The formal speci cation : : : Press control : : : : : : : : : : : : : 2.8.1 The context diagram : : : : : 2.8.2 The control life cycle : : : : : 2.8.3 The formal speci cation : : : Production cell control : : : : : : : : Object classi cation : : : : : Transactions : : : : : : : : : Events and event recognition Real time : : : : : : : : : : : Real space : : : : : : : : : : :

The behavior of the crane has been ignored in the LCM speci cation, because it is trivial and does not add new insights to what is provided by the rest of the speci cation. The crane is not part of the real system anyway, and is part ofthe case description only to make the cell self-contained. The above division of the system into objects was not found immediately. Appendix A recounts the history of the search for the informal part of the model. Elaboration of the informal model into the formal model was mainly a bookkeeping exercise and is less interesting. 4

Most data-intensive systems are embedded in organizations, for which they have a function. The function of a database system for an organization can be conveniently represented by a function decomposition tree, whose root represents the overall function and whose leaves represent the atomic transactions between the system and its environment. This tree can be the basis for discussion with the customer about required system functionality. MCM recommends producing a function decomposition tree for the system. Figure 2.3 shows the function decomposition tree of the control system as speci ed in this report. The leaves are the transactions speci ed for the system, the immediate parents of the leaves are the services of the LCM 3.0 speci cation.

The syntax is not important here. The meaning of delay(table right, c) is that if delay(table right, c) occurs, then a timer is set that rings c time units later and then triggers the occurrence of table right. Note that in any case, table right is itself a response to a temporal event that has not been modeled in the example speci cation, and that has the meaning \it is now safe for the table to turn right".

stop_arm1_to_table(rc, r) stop_arm2_to_press(rc, r) stop_arm2_to_deposit_belt(rc, r) stop_arm1_to_press(rc, r) stop_robot_safe_angle(rc, r) stop_robot_zero_angle(rc, r) decompositions stop_arm1_to_table(rc, r) = arm1_to_table(r) & robot_stop(rc); stop_arm2_to_press(rc, r) = arm2_to_press(r) & robot_stop(rc); stop_robot_unsafe_angle(rc, r) = arm2_to_deposit_belt(r) & robot_stop(rc) & trigger_press_upward(rc); set_robot_unsafe_angle(rc); stop_arm1_to_press(rc, r) = arm1_to_press(r) & robot_stop(rc); stop_robot_safe_angle(rc, r) = robot_angle=-70(r) & robot_stop(rc) & trigger_press_upward(rc) & set_robot_safe_angle(rc); stop_robot_zero_angle(rc, r) = robot_zero_angle(r) & robot_stop(rc); end service ROBOT_CONTROL_TRANSACTIONS;

The life cycles of the table and the table control are represented as Mealy machines, i.e. the response to an event is produced in the transition caused by the event rather than in the state reached by the event. Each transition is labeled either by an event/response pair or by an action of the object. The event/response pair is represented in the context diagram as an incoming/outgoing arrow, which jointly form a system transaction. In the formal speci cation, the event/action pair is a synchronous communication between the object and its environment. In the formal speci cation, this is speci ed in process algebra using the synchronous communication operator & (often represented as j in process algebra). Since this operator is commutative, it does not represent the direction of causality. The representation of event/response pairs is discussed more in detail in chapter 3. A transition can also be labeled by a single action, which may or may not be part of a communication with another object. The assumption is that as long as any object can execute an action, it will perform it immediately. Synchronization enforced at certain points between di erent controlers or between controlers and the controled devices, may force a controler to wait upon other objects in the system. A transition can be labeled by a process. This may may be speci ed verbally along the transition, such as (table upper position / table stop v ) jj (table unload direction / table stop h). This represents the interleaving of the two event/response pairs, i.e.

Figure 2.12 contains the context diagram of the robot control. Note that the robot interfaces with all other controlers and plays a central role in the coordination of all control functions. Figure 2.13 shows the life cycle of the robot control. The robot starts from angle zero and rst turns right so that arm1 points to the rotary table (see gure 1.1 for the meaning of the directions left and right). The synchronization between arm1 mag on and enable arm1 mag on is needed to prevent arm1 from switching its magnet on too early. If it would be known that the robot reaches the direction arm1 to table earlier than arm1 reaches its load extension, then this synchronization would not be needed. This would involve an extra sssumption, and therefore an extra requirement, on the devices. After the magnet of arm1 is switched on, the robot swings to the left until arm2 points to the press. It then stops, enables arm2 to switch its magnet on, and continues turning left until the despot belt is reached. It then stops, tells the press to move to its middle position, and sets a ag that the robot now enters an unsafe angle. The predicates Robot zero angle and Robot safe angle are not needed to perform the control function but to be able to prove safety. After magnet 2 is switched o , the robot turns further left until arm1 points to the press. It synchronizes with arm1 mag off and then turns right to its starting position. Along the way, the unsafety ag is switched o and when this happens, the press is told to press the blank that it holds.

It is impossible to let the control system function properly under all possible circumstances and all possible behaviors of the production cell. For example, assuming that the control system responds in nitely fast to events (which is the synchrony hypothesis), the speed with which the devices move determines the speed with which blanks can arrive at the rotary table. A speci cation language should allow the designer to discover the boundaries within which the system will function properly. It should for example be able to relate the di erent speeds of the devices, and derive a guarantee of proper functioning from this.

of temporal variables), of transactions (stimulus/response pairs) and of deontic modalities. In addition to device failure, there are other kinds of exceptions. A blank may arrive at the rotary table before the system is ready to receive this event. In the current speci cation, this will lead to the system responding to the a plate on table event that occurs while there is already a plate on the table. This means that two or more blanks collide on the table. Again, the controler must be able to catch this event or else it must be clear that this situation falls outside the range of circumstances under which the control system is guaranteed to function.

production cell are called devices, the objects that are part of the control system are called control objects. Each object, whether it is a device or a control object, has an environment with which it may communicate. The environment of the object is the set of other objects (devices or control objects). A transaction of an object is an atomic interaction between the object and its environment. This means that the transaction either occurs or it does not occur; there is no intermediary state during the execution of the transaction. We are specifying a reactive system, i.e. a system whose response to an input may depend upon its internal state as well as on its input. Each transaction consists of a stimulus (also called an event of the object) and a response (also called an action of the object) . The synchrony hypothesis, borrowed from Esterel 3], says that the response is synchronous with the stimulus. The synchrony hypothesis may violate a principle of causality that requires that the response is uniquely determined by the event and the current system state. The computation of the response from the event and the system state should therefore terminate in a unique value. This suggests that each transaction can be formalized in process algebra as the synchronous occurrence of the stimulus r and the response r: s&r: However, this obliterates the distinction between s and r, because & is commutative. Another possible formalization, s; r, drops the atomicity property but does suggest a causal relationship from s to r. Note that this is only a suggestion, for s; r does not represent the initiative of the transaction. It merely says that if anything will happen after s, it will be r. I considered extending the language with an event calling operator >> like the one used in Troll 6] and representing a transaction by s >> r. The events section of a class speci cation is split into an events and an action section, to indicate whether the event is a stimulus or a response. Here is what TABLE CONTROL looks like when this is done:

Under the synchrony hypothesis, the production of a response from an event takes no time. The transaction made up by the event and its response does however take time, viz. one tick of the clock. Those transactions that (in the current speci cation) are modeled as a single action by the system are subject to the assumption that as long as an object is able to perform an action, it will perform this action as soon as possible. This implies a fairness of interleaving, i.e. no parallel process is kept waiting inde nitely long. After the response to an event is produced, the control system is always ready to receive the next event for any of its component processes. We allow transactions to occur synchronously, so that the control system can receive several event simultaneously. There is no facility in LCM that the system waits in a state for a certain time. One way to add this is to specify a time interval a; b] for each transition t, as in time Petri nets 4]. After the transition t is enabled (the system has reached a state from which t leaves), t can occur in a time window starting from a time units and ending with b time units. This ensures that the system waits at least a and at most b time units before executing t. In addition to this time window, there is of course the actual time that the transition occurs. The presence of real time makes reachability analysis substantially more complex 4]. What we would like is a a formalism that allows us to predict the time it would take for a metal blank to travel through the production cell. This time is in uenced by the speed with which the devices move, which is translated into the time that the control objects stay in one state, and it is in uenced by the behavior of the control system. We would like to explore the design space for the control system so as to nd a control system design that minimizes the time spent by a blank in the production cell, without violating the safety properties. In addition, it would be nice to have a system that can draw timing diagrams for the system and present system properties in terms of these diagrams. 34

Figure 2.11 shows the life cycle of arm2 control. Arm1 starts with extension 0 and moves forward immediately after arm1 has taken a blank from the rotary table. It then moves to the press. When it reaches the press, the magnet of arm2 is switched on and the arm retreats to the extension needed to drop a plate on the deposit belt. At the same time, the robot turns left. When the arm is in position, magnet 2 is switched o so that the plate is dropped on the deposit belt. Arm2 is then retreated to zero extension.

LCM speci es a system as a collection of objects, each of which have a globally unique identi er that is never reused. Each object has a set of local attributes and has a life cycle that consists of events that may change the local attributes, The state of an object is represented by the value of its attributes and the position of the object in its life cycle. Object communicate with each other by synchronizing on certain events. This abstract structure is used in MCM to specify observable database system behavior by making a model of the objects universe of discourse (UoD) of the database system rst. The behavior of UoD objects is then mimicked by the behavior of objects in the database system, each of which is a surrogate for the UoD object. Whenever a UoD object experiences or initiates an event, the corresponding database object su ers an update that corresponds with this event. To model observable database system behavior, one therefore models the behavior of the environment of the database system. This idea is borrowed from Jackson System Development, although it is taken to its logical conclusion by requiring all database system behavior except query-answering to correspond to UoD behavior. A model of a control system likewise must be a model of the behavior (desired of) its UoD. The UoD of a control system consists of the objects which it must control and the objects about which it must register the behavior (these are usually the same objects). The production cell model is accordingly divided into the following objects:

Chapter 2 presents the formal and informal speci cation of the production cell control system. To understand the speci cation, it is useful to specify the environment of the control system (the production cell itself) as well. This has been argued by Balzer and Goldman on the grounds that a simulation of the speci ed system requires a simulation of the environment in whiuch the system is to function 1, 2]. In addition, the environment speci cation can act as an interface agreement between the developer (or purchaser) of the production cell hardware and the developer (or purchaser) of the control system. Both speci cations are given in chapter 2, organized according to the component of the system. Chapter 2 strictly adheres to LCM 3.0 as de ned in 5], even where it is obvious that some language features are not suitable for the speci cation of control systems. Chapter 3 discusses problems with the speci cations and explores possible changes and extensions ot the language that would make it more suitable for the speci cation of control-intensive systems. Chapter 4 pulls together the results in a list of change proposals for LCM 3.0 and a list of subjects for further study. 2

begin object class ROBOT predicates Exists initially true; events arm1-to-table; arm1_to_press; arm2_to_press; arm2_to_deposit_belt; robot_angle=-70; robot_zero_angle; life cycle ROBOT = (arm1_to_table + arm1_to_press + arm2_to_press + arm2_to_deposit_belt + robot_angle=-70 + robot_zero_angle) . ROBOT; axioms robot_zero_angle(r)] Robot_zero_angle(r); robot_right(rc)] not Robot_zero_angle(r); --- nonlocal end object class ROBOT; begin service ROBOT_CONTROL_TRANSACTIONS transactions

begin object class TABLE_CONTROL events plate_on_table; table_lower_position; table_upper_position; table_load_direction; table_unload-direction; actions table_left; table_right; table_stop_h; table_upward; table_downward; table_stop_v; start_unload; life cycle TABLE_CONTROL = (plate_on_table >> table_upward) . table_right . ((table_upper_position >> table_stop_v) || (table_unload_direction >> table_stop_h)) . start_unload . (table_downward & table_left) . ((table_load_direction >> table_stop_v) || (table_lower-position >> table_stop_h)) .

The speci cation assumes normal device functioning. In general, there is a range of circumstances in which the control system is guaranteed to function properly, and this range should include device failure. For example, if no plate arrives on the table within a certain period of time, it must be assumed that the photoelectric cell on the feed belt is broken, and appropriate action should be taken, such as stopping the feed belt or the entire system. This can easily be speci ed by means of timeouts. However, adding these timeouts to the life cycle diagrams increases complexity considerably, for every state has such a timeout. One possibility for the appication of deontic logic is the speci cation of obligations on devices and of corrective actions that the system must take when these obligations are broken. Thus, one e ect of plate one table is plate on table@t] O(plate on table before t+d), i.e. when the plate arrives, a next one should arrive before time interval d has passed. This obligation expires either when the next plate arrives or when the time interval passes. Under normal functioning of the system a new obligation is created with the arrival of a new plate. When the obligation expires after the interval passes (i.e. a plate has not arrived), the system performs corrective action:

Even if data-intensive systems have an obligation to produce a sensible response in all circumstances, this response can often be kept simple, such as a message \transaction refused". There are two exceptions to the synchronicity principle in the example. table right is part of the response to the plate on table event. The synchronicity principle would require a transaction

The production cell control system is characterized by a number of features, which make it a hard system to specify. Like all control systems, the behavior of the components is simple. The intelligence and complexity of the system lies in the interaction between the components. The communication structure of the speci cation is represented in this case study by a traditional event trace diagram (also called a message sequence diagram). Real time plays a crucial role in the system. The actual time of occurrence of an event to which the system must respond is a given that cannot be coded in data, because it loses its relevance quickly after the time of occurrence; real time cannot be replaced by a representation of time. Put di erently, the system must respond to events before a hard deadline. A late but otherwise correct response is considered to be a system failure. All of this is not di erent from most other control systems. The system therefore contains the usual complexities of all control systems. However, what is important here is that the total time it takes for a metal blank to be processed by the system, say from the moment it leaves the feed belt to the moment it is dropped on the deposit belt, is important. The speci cation language should allow a time reachability analysis, which allows exploration of the total time it takes for an object to pass through the system. The capability to perform such analyses is not provided by LCM (nor is it provided by the languages used in the case studies presented by Lewerents and Lindner 7]. To complicate matters further, the production cell consists of movable parts. Building the production cell and its control system is an exercise in classical mechanics. In addition to real time, real space is important. Each event occurrence not only has a position in real time, but also in real space. What would make a speci cation language really useful is the capability to reason about the speed of objects in the system, so that di erent ways of con guring the system can be explored in a search for a con guration that optimizes both the speed of throughput and the safety of the system. Needless to say, real space is not provided by LCM 3.0.

transactions table_upward : TABLE_CONTROL x TABLE; table_right : TABLE_CONTROL x TABLE; table_upper_stop : TABLE_CONTROL x TABLE; table_unload_stop : TABLE_CONTROL x TABLE; start_unload : TABLE_CONTROL; table_return : TABLE_CONTROL x TABLE; table_load_stop : TABLE_CONTROL x TABLE; decompositions table_upward(tc, t) = plate_on_table(t) & table_upward(tc); table_right(tc, t) = table_right(tc); table_upper_stop(tc, t) = table_upper_position(t) & table_stop_v(tc); table_unload_stop(tc, t) = table_unload_direction(t) & table_stop_h(tc); start_unload(tc) = start_unload(tc); table_return(tc, t) = table_downward(tc) & table_left(tc); table_load_stop(tc, t) = table_load_direction(t) & table_stop_h(tc); end service TABLE_CONTROL_TRANSACTIONS;

O(plate on table before t+d)@t+d is the event that the predicate O(plate on table before t+d) is still true at time t+d. Working this out requires a proper treatment of time (binding and scoping

The class diagram of the table and its controler ( gure 2.4) is trivial and merely shows the attributes, predicates and events of the objects in the system. In contrast to data-intensive systems, the objects in the UoD of this system have no static relations that should be represented in the model. The class diagrams of the other devices and their controlers are similarly trivial and will not be shown. In the context diagram for the table control ( gure 2.5), the table is split into three subsystems: the cell, the switch and the potentiometer. These three subsystems are visible as three parallel processes in the table life cycle of the TABLE object class. The context diagram makes no distinction between control ows and data ows. The arrows do not represent ows, as they do in structured analysis, but interactions. A single-headed arrow into the system represents an event to which the system must respond and each single-headed arrow leaving the system represents an action by the system. The cause of an event lies in the environment, the cause of an action lies with the system. The transactions of the system are also atomic and may consist of an event together with an action, or of a single event or of a single action. We use Esterel"s synchrony hypothesis 3], which says that the response of the sy