Gianina Gabor, Doina Zmaranda
University of Oradea
Abstract
A low complexity fault detecting computer architecture for utilisation in PLCs (programmable logical controllers) to be employed in safety related process control applications is presented. For the proposed architecture, the cyclic operating mode of PLC's and a specific, graphical programming paradigm based on the interconnection of application oriented standard software function blocks are supported in the form of PLC's. Because of the manageable complexity of the applications, it is demonstrated that the architecture features full temporal predictability and determinism and supports formal methods for the software. Finally a block diagram of the safety oriented architecture using master-slave PLCs is presented.
Keywords: Programmable Logical Controller (PLC), predictability, determinism, safety-related control
1. INTRODUCTION
Economical considerations impose stringent boundary conditions on the development and utilization of technical systems. This holds for safety related systems that need to be highly flexible. In other words, safety related systems must be program controlled. Thus the use of hardwired safety systems will diminish in favor of computer based ones.
Computer based technical systems have the special property that they consist of hardware and software. The latter knows no faults caused by wear and environmental events. In this case all errors are design errors of systematic nature and their causes are latently present. Hence dependability of software cannot be achieved by reducing the number of errors contained, by testing, checks or other heuristic methods, to a low level, which is generally greater than zero, but only by rigorously proving that it is error-free. Taking the high complexity of software into account, this objective can be reached only in exceptional cases. That is the reason why the licensing authorities are reluctant to approve safety-related systems whose behavior is exclusively program controlled. In general, safety licensing is still denied for highly safety critical systems relying on software with non-trivial complexity.
To provide a remedy for this situation, the architecture of a customized real-time computer control system is developed that can carry out safety related functions within the framework of distributed process control systems or programmable logic controllers. It supports sequence controls as defined in the standard IEC 1131-3 (R-1992) and required by many automation programs including safety related ones. The architecture can be safety licensed by exploiting the intrinsic properties of a special but not untypical case that has been identified in industrial control. Here the complexity is manageable because the attention is restricted to simple computing systems in the form of PLC's [8]. Since there are application domains demanding only software of limited variability, such software may be implemented in a well-structured way by interconnecting carefully designed and rigorously verified software modules. The architecture features full temporal predictability, determinism and supervision of program execution and of all other activities of the computer system, and supports the software verification method of diverse back translation as devised by Krebs and Haspel [3].
1.1 The software engineering paradigm
The standardization defined in VDI/VDE Richtlinie 3696 [5] identifies a set of 67 application specific function modules suitable to formulate the large majority of the occurring automation problems on a very high level, employing the graphical "Function Block Diagram" and "Sequential Function Chart" languages defined by the IEC International Standard 1131-3 (R-1992). Written in the IEC 1131-3 high level "Structured Text" language, the source code of these software modules does not exceed two pages in length. Therefore their correctness can be formally proven using predicate calculus, but also by symbolic execution or, in some cases, even by complete testing.
Analysis of process automation suggests introducing a new programming paradigm, namely to graphically compose software out of high level, user oriented building blocks instead of low level, machine oriented ones. Essentially, for any application area there are specific sets of basic function modules. For the formulation of automation applications with safety properties, basic module functions are interconnected with each other: single basic functions are invoked one after another and in the course of this they pass parameters. Besides the provision for constants as external input parameters, the basic functions' instances and the parameter flow are the only language elements used on this programming level. Owing to this simple structure, the corresponding object code cannot contain other features than sequences of procedure calls and some internal moves of data.
Many automation programs, including safety related ones, have the form of sequence controls composed of steps and transitions. Linear sequences of steps and alternative branches of such sequences, as shown in Figure 1, need to be architecturally supported.
Figure 1: A sequential function chart
Parallel branches in sequential function charts should either be implemented by hardware parallelism or already be resolved by the application programmer in explicitly serialized form. While in a step, an associated program, called action, developed according to the above paradigm is being executed. Also, for the purposes of a clear concept, easy comprehension and verification, we only permit the utilization of non-stored actions. All other actions as defined in IEC 1131-3 [2] can be expressed in terms of non-stored ones and re-formulated sequential control logic.
1.2 The safety oriented architecture
To facilitate the understandability of the implemented software and its execution process, we can use the architecture shown in Figure 2 with conceptually two different processors: a control flow processor (master) and a basic function block processor (slave). These two processors are implemented using separate physical units.
Figure 2: Architecture of a programmable system for safety related control (blocks: Application program PROM, Master Processor, Data RAM, Function Block Firmware ROM (verification only once), Slave Processor, Data RAM; function block input parameters and states pass from master to slave, output parameters and states return)
With this architecture we achieve a clear and physical separation of concerns: execution of the basic modules in the slave processor, and all other tasks (execution control, sequential function chart processing, function module invocation) in the master. This concept implies that the application code is restricted to the control flow processor. To enable the detection of faults in the hardware, a dual channel configuration is chosen as shown in Figure 3, which also supports diversity in the form of different master processors and different slave processors.
Figure 3: Block diagram of fault detecting master-slave PLC (Master processor 1 and Master processor 2, each with PROM and RAM; fail safe comparators on the input parameters and on the output parameters (state) exchanged between masters and slaves; Slave Processor 1 and Slave Processor 2, each with PROM and RAM; fail safe comparator on sensor inputs and actuator outputs)
The basic function block processors (slaves) perform all data manipulations and take care of the communication with the environment. The master and the slave processors communicate with each other through FIFO-queues. The masters' and slaves' programs, even though coordinated via communication, can be separated. This separation makes it possible to transfer data access and data protection issues from software to hardware, thus increasing the controller's dependability.
The master and the slave processors execute programs in coordination with each other as follows. The master processors request the slaves to execute a function block by sending the latter's identification, the corresponding parameters and also the block's internal state value (if needed) via one of the FIFO-queues to the slave processors. There the object program implementing the function block is performed, and the generated results and new internal states are sent to the master processors through the other FIFO-queue. The elaboration of the function block ends with fetching these data from the output FIFO-queue and storing them in the masters' RAM memories. The results and internal states are stored in the masters' memories. The slaves' memories (if needed) are used only temporarily while elaborating function blocks. So the slaves may be viewed as memoryless function coprocessors or dedicated calculators. A number of fail safe comparators checking the outputs from the master processors before they reach the slaves, and vice versa, completes the fault-detecting two-channel configuration. Any inequality detected by the comparators generates an error signal that stops the controller and sets the outputs to safe states provided by fail safe hardware.
To prevent any modification by malfunctions, there is no program in RAM; all the programs are provided in read only memories (ROMs). The code of the basic function modules resides in mask programmed ROMs produced under supervision. The user writes the sequences of module invocations, together with the corresponding parameter passing, representing the application programs at architectural level into the (E)PROMs. This part of the software is subject to project specific verification, after which the (E)PROMs are finally installed and sealed in the target process control computers. The master/slave configuration was chosen to separate two system parts: one whose software needs to be verified only once, and the other one executing application specific software.
Besides program memory, the masters' address spaces also comprise RAM memory and FIFO input/output registers, command registers, two step registers each (step identifier and step initial address) and transition condition registers. There are also program counters and single bit step-clock-occurred registers that are not programmer accessible. Additionally, in the masters' address spaces other units are memory mapped to create and receive control signals for the access of ROM, RAM and FIFO-queues. The master can be implemented using a Field Programmable Gate Array (FPGA) [6].
For the above mentioned purposes two instructions are required: MOVE and STEP. The MOVE instruction has two operands, which directly point to locations in the address space. So the memories and the mentioned registers can be read and written. A read from the FIFO-input register implies that the processor has to wait while the input FIFO-queue register is empty. In case of writing into an output FIFO-queue register, the processor also has to wait while the register is full. Execution of a MOVE implies program counter incrementation.
The program executed by the master processors consists of a sequence of steps. Behind the program segment of each step a STEP instruction with a next-step-address as operand is needed. It checks whether the segment was executed within a step cycle frame or not. The step cycle is a periodic signal generated by the system clock, establishing the basic time reference for the PLC operation. The length of the cycle is selected so as to accommodate during its duration the execution of the most time consuming step occurring in an application. If the execution of a segment does not terminate within a step cycle, an error signal is generated that indicates an overload situation or a runtime error. The program execution is stopped immediately and suitable error handling is carried out through external fail safe hardware. Normally, segment execution terminates before the instant of the next step cycle signal. Then the processor waits until the end of the present cycle period. When the clock signal finally occurs, the step-clock-occurred register is set. According to the contents of the transition condition registers it is decided whether the step segment is executed once more (the program counters being reloaded from the step-initial-address registers) or whether another segment's initial program address is loaded from the STEP instruction's operand, the next-step-address. Since only one step is active at any given time, and since program branching is only possible in this restricted form within the framework of executing STEP instructions, this mechanism very effectively prevents erroneous access to the code of other (inactive) steps as well as to program locations other than the beginnings of step segments.
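As an added illustration (not part of the paper), the following Python model executes a step program under the STEP/MOVE rules described above; the cycle budget, the program contents and the counting of MOVEs as a segment's execution time are constructed assumptions:

```python
CYCLE_LEN = 4  # constructed budget: number of MOVEs that fit into one step cycle

# Application program in (E)PROM, keyed by step initial address:
# (MOVE instructions of the step segment, next-step-address of its STEP instruction).
# Each MOVE is modelled as one function block request (block id, parameter)
# written to the output FIFO register; the segment of step 0x30 is deliberately
# longer than the cycle budget (constructed overload case).
PROGRAM = {
    0x10: ([("FB_AND", 1), ("FB_TON", 500)], 0x20),
    0x20: ([("FB_OR", 2)], 0x30),
    0x30: ([("FB_CMP", 1)] * 6, 0x10),
}

def run_master(program, start, transition_set, max_cycles=10):
    """Execute the step program cycle by cycle and return a trace of
    (cycle, step initial address, status).  transition_set(step, cycle)
    models the transition condition register at the step-clock instant.
    Status 'ERROR' means the error signal was raised and execution stopped;
    external fail-safe hardware is then responsible for the outputs."""
    step_initial_address = start
    trace = []
    for cycle in range(max_cycles):
        moves, next_step_address = program[step_initial_address]
        # The segment's MOVEs are issued; if the STEP instruction is reached
        # only after the step-clock fired, this is an overload / runtime error.
        if len(moves) > CYCLE_LEN:
            trace.append((cycle, step_initial_address, "ERROR"))
            return trace
        trace.append((cycle, step_initial_address, "OK"))
        # Normal case: the processor idles until the step-clock-occurred
        # register is set, then STEP evaluates the transition condition.
        if transition_set(step_initial_address, cycle):
            if next_step_address not in program:
                # Branching is allowed only to the beginning of a step segment.
                trace.append((cycle, step_initial_address, "ERROR"))
                return trace
            step_initial_address = next_step_address
        # else: program counter reloaded from the step-initial-address register,
        # i.e. the same segment is executed once more in the next cycle.
    return trace
```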
The design objective for providing FIFOs is to implement easily synchronisable and understandable communication links that decouple the master and slave processors with respect to their execution speeds. The FIFO-queues can be implemented using a fall-through memory and two single bit registers each, indicating the FULL or EMPTY state of the FIFOs. The status registers cannot be user accessible; they have to be set and reset by the FIFO control hardware. The comparison for equality of the outputs from the two master processors and of the inputs from the two slave processors has to be carried out by the two fast comparators placed into the FIFO-queues. Because the comparators have the responsibility to detect the errors, they need to meet high dependability requirements and they have to be implemented in fail safe technology [4]. We can connect a comparator to two FIFOs' outputs. The first data elements from each input queue are then latched and compared. If both latches do not hold the same value, an error signal can be generated stopping the operation of the entire system; otherwise the value can be transferred into both output FIFOs.
Communication with external technical processes can take place through fault detecting input/output driver units attached to the slave processors. Output data words generated by the two slaves are first checked for equality in a fail-safe comparator [1] and then they are latched in an output port. If the output data are not identical, an error signal is generated leading to a system stop. A precisely predictable timing is important only for input and output operations. So temporal predictability can be achieved as follows [7]. Digital input data are read by the drivers at the beginning of each cycle and stored together in two independent RAM buffers assigned to each slave. The step-clock-occurred register signals the cycle start. After that the data are made available for further processing, so providing the timing predictability. If it follows a STEP command from the masters, the slaves may access the data at any time during the cycle. The input driver for all these signals can be implemented just as for the masters [6].
The output driver can have two independent 8-bit registers assigned to the slaves. Output data bytes generated by the slaves are latched at the end of every cycle. The data are first checked for equality in a fail-safe comparator and then latched in an output port, becoming effective to the environment. If the output bytes are not identical, an error signal is generated leading to a system stop.
The FIFO-queue and the output comparators mentioned above can be considered as the components of a global comparator unit that also receives operation monitoring signals from processor watch-dog timers and some correctness signals from other units. In these circumstances a global error signal (a negated one) is generated and fed back to all units of the controller. Every unit can operate only if this signal indicates that there is no error. Otherwise the units stop and the controller outputs are set to safe states. The global error signal is also output.
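The following Python model, added here and not taken from the paper, puts the FIFO comparator, the output byte comparator and the global error signal of the last paragraphs together for one cycle of the two-channel configuration; the function blocks, their two diverse implementations, the safe output value and the injected fault are constructed:

```python
SAFE_OUTPUT = 0x00  # constructed safe state: all actuator bits de-energised

def fifo_comparator(fifo_a, fifo_b):
    """Fail-safe comparator between the two channels' FIFO-queues. The first
    data element of each input queue is latched and compared; on equality it
    is transferred into both output FIFOs, on inequality the error signal is
    raised and nothing further is transferred. Returns (error, out_a, out_b)."""
    out_a, out_b = [], []
    for latched_a, latched_b in zip(fifo_a, fifo_b):
        if latched_a != latched_b:
            return True, out_a, out_b
        out_a.append(latched_a)
        out_b.append(latched_b)
    return False, out_a, out_b

def global_error_signal(fifo_error, output_a, output_b, watchdog_ok, unit_ok):
    """Global comparator unit: combines the FIFO comparator result, the
    comparison of the two output bytes, the processors' watch-dog signals and
    the other units' correctness signals into the negated global error signal
    (1 = no error, 0 = error; every unit may operate only while it reads 1)."""
    healthy = (not fifo_error and output_a == output_b
               and all(watchdog_ok) and all(unit_ok))
    return 1 if healthy else 0

# Two diverse (differently coded) slave implementations of the same function
# blocks, plus one with a constructed fault, to exercise the comparators.
def slave_impl_a(fb, arg):
    return {"FB_NOT": ~arg & 0xFF, "FB_SHL": (arg << 1) & 0xFF}[fb]

def slave_impl_b(fb, arg):
    return {"FB_NOT": 0xFF - arg, "FB_SHL": (arg * 2) % 256}[fb]

def faulty_slave_b(fb, arg):
    return slave_impl_b(fb, arg) ^ (0x01 if fb == "FB_SHL" else 0x00)

def run_cycle(requests_a, requests_b, slave_a, slave_b, watchdog_ok=(True, True)):
    """One PLC cycle of the dual-channel configuration. requests_a/_b are the
    (block id, parameter) pairs the two masters put into their output FIFOs.
    Returns (error_n, actuator_byte): the actuator byte is the last function
    block result of the step, or SAFE_OUTPUT when the error signal is active."""
    err_req, req_a, req_b = fifo_comparator(requests_a, requests_b)
    res_a = [slave_a(fb, arg) for fb, arg in req_a]
    res_b = [slave_b(fb, arg) for fb, arg in req_b]
    err_res, res_a, res_b = fifo_comparator(res_a, res_b)
    out_a = res_a[-1] if res_a else SAFE_OUTPUT
    out_b = res_b[-1] if res_b else SAFE_OUTPUT
    error_n = global_error_signal(err_req or err_res, out_a, out_b,
                                  watchdog_ok, unit_ok=(True,))
    return error_n, out_a if error_n else SAFE_OUTPUT
```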
1.3 Safety licensing
First, the elements of an employed function block are rigorously verified with appropriate formal methods. This takes place together with the safety licensing of the hardware, before any such system is put into service. The details of the function blocks' implementation on the slave processor are part of the architecture and remain invisible from the application point of view. Application software is safety licensed by subjecting the object code loaded into the master processor to diverse back translation, a verification method developed by Krebs and Haspel [3]. This technique consists of reading machine programs out of computer memory and giving them to a number of teams working without any mutual contact. These teams disassemble and decompile the code, from which they try to regain the specification. A safety license is granted to software if its original specification agrees with the inversely obtained re-specifications. Generally this method is extremely time consuming and expensive due to the semantic gap between a specification formulated in terms of user functions and the usual machine instructions. Applying the programming paradigm of basic function modules, a specification is directly mapped onto sequences of procedure invocations and parameter passing. It takes a minimum of effort to verify a program by interpreting such code, which just implements a particular module interconnection pattern, and redrawing the corresponding graphical program specification. Diverse back translation is especially well suited for the verification of the correct implementation of graphically specified programs on the architecture presented, for the following reasons:
- the method is essentially informal, easily comprehensible and immediately applicable, so it is well suited to be used on the application programming level by people with most heterogeneous educational backgrounds
- the effects of high complexity utilities whose correctness cannot be established rigorously are verified too
- graphical programming based on application oriented function blocks has the quality of specification level problem description, and because by design there is no semantic gap in the presented architecture between the levels interfacing to humans and to the machine, diverse back translation leads back in one easy step from machine code to problem specification
- for this architecture the effort required to utilize diverse back translation for the safety licensing of application programs is smaller than for a von Neumann architecture
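As an added example (not from the paper and not Krebs and Haspel's own procedure), this Python sketch performs the one-step back translation described above on a constructed master object program: it recovers the function block interconnection from the MOVE sequence and compares it with the graphical specification. The address naming (CONST:, RAM:, FIFO_OUT, FIFO_IN, CMD), the block names and the specification edges are assumptions:

```python
# Object program of one step segment: MOVE instructions as (source, destination).
# Assumed address classes: CONST:<value>, RAM:<addr>, FIFO_OUT (to the slave),
# FIFO_IN (from the slave) and CMD (function block command register).
OBJECT_CODE = [
    ("CONST:1", "FIFO_OUT"), ("RAM:0x10", "FIFO_OUT"), ("CMD:FB_AND", "CMD"),
    ("FIFO_IN", "RAM:0x20"),
    ("RAM:0x20", "FIFO_OUT"), ("CONST:500", "FIFO_OUT"), ("CMD:FB_TON", "CMD"),
    ("FIFO_IN", "RAM:0x30"),
]

# Graphical specification of the same step as interconnection edges
# (block instance, input index, source); constructed to match OBJECT_CODE.
SPEC_EDGES = {
    ("FB_AND#0", 0, "const:1"),
    ("FB_AND#0", 1, "ext:RAM:0x10"),     # process input placed in RAM by a driver
    ("FB_TON#1", 0, "FB_AND#0.out0"),
    ("FB_TON#1", 1, "const:500"),
}

def back_translate(code):
    """Walk the MOVE sequence and recover the interconnection edges.
    Parameters queued to FIFO_OUT belong to the next CMD write; reads from
    FIFO_IN after a CMD are that block's outputs, stored in the master's RAM."""
    edges, producers, pending, instance, count = set(), {}, [], None, 0
    for src, dst in code:
        if dst == "FIFO_OUT":
            pending.append(src)
        elif dst == "CMD":
            instance = f"{src.split(':', 1)[1]}#{count}"
            count += 1
            for idx, param in enumerate(pending):
                if param.startswith("CONST:"):
                    source = "const:" + param[len("CONST:"):]
                else:  # RAM cell: output of an earlier block, or an external input
                    source = producers.get(param, "ext:" + param)
                edges.add((instance, idx, source))
            pending = []
        elif src == "FIFO_IN" and instance is not None:
            n_out = sum(1 for p in producers.values() if p.startswith(instance + "."))
            producers[dst] = f"{instance}.out{n_out}"
        else:
            raise ValueError(f"unexpected MOVE {src} -> {dst}")
    return edges

def licence_check(code, spec_edges):
    """Diverse back translation succeeds when the re-specification obtained
    from the object code agrees with the original specification. Returns
    (agrees, edges only in the code, edges only in the specification)."""
    recovered = back_translate(code)
    return recovered == spec_edges, recovered - spec_edges, spec_edges - recovered
```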
2. CONCLUSIONS
This paper addresses a pressing problem. A solution to all open questions in safety related computing is not presented, but a practically useful beginning is made that is applicable to a wide class of industrial control problems.
In a constructive way, and using available methods and hardware technology only, a computer architecture was presented. The concept's main achievement is that the expensive software verification method of diverse back translation became feasible through architectural support. We hope that the approach will ultimately lead to the replacement of discrete and relay logic by programmable systems executing licensed software to implement safety critical functions in process control. The paper presents a possible solution of a goal-oriented approach to create a low complexity fault detecting architecture for utilisation in PLCs, based on their cyclic operation. Here the complexity is manageable because the attention is restricted to simple computing systems in the form of PLC's. Because of its simplicity, the proposed architecture features full temporal predictability and determinism. Moreover, it supports the formal software verification method of diverse back translation as devised by Krebs and Haspel [3].
3. REFERENCES
[1] P. Hildebrandt GmbH Co KG - Failsafe Electronic Controls, Tech. Info. 92.08, 1992
[2] IEC International Standard 1131-3 - Programmable Controllers, Part 3: Programming Languages, International Electrotechnical Commission, 1992
[3] H. Krebs, U. Haspel - Ein Verfahren zur Software-Verifikation, Regelungstechnische Praxis 26, 73-78, 1984
[4] H. Schuck - Analoger Fensterkomparator in Fail-Safe-Technik, Technische Universität Braunschweig, 1987
[5] VDI/VDE Richtlinie 3696 - Vendor independent configuration of distributed process control systems, Beuth Verlag, Berlin, 1995
[6] E. A. Parr - Programmable Controllers. An Engineer's Guide, Newnes, an imprint of Butterworth Heinemann Ltd., 325 pp., 1995
[7] W. A. Halang, A. D. Stoyenko - Constructing Predictable Real-Time Systems, Kluwer Academic Publishers, 1991
[8] A. Crispin - Programmable Logic Controllers and Their Engineering Applications, McGraw Hill, 1990
Authors:
Gabor Gianina, University of Oradea, 5 Armatei Romane St., 3700, Oradea, Romania. E-mail: gianina@rdsor.ro
Zmaranda Doina, University of Oradea, 5 Armatei Romane St., 3700, Oradea, Romania. E-mail: zdoina@univ.uoradea.ro