Timed Automaton Models for Simple Programmable Logic Controllers by Mader, Angelika & Wupper, Hanno
Timed Automaton Models for Simple
Programmable Logic Controllers
Angelika Mader
Hanno Wupper
University of Nijmegen
Computing Science Institute
P.O. Box 9010, 6500 GL Nijmegen,
The Netherlands
mader wupper @cs.kun.nl
Abstract
We give timed automaton models for a class of Pro-
grammable Logic Controller (PLC) applications, that are
programmed in a simple fragment of the language Instruc-
tion Lists as defined in the standard IEC 1131-3. Two dif-
ferent approaches for modelling timers are suggested, that
lead to two different timed automaton models. The purpose
of this work is to provide a basis for verification and testing
of real-time properties of PLC applications. Our work can
be seen in broader context: it is a contribution to methodi-
cal development of provably correct programs. Even if the
present PLC hardware will be substituted by e.g. Personal
Computers, with a similar operationmode, the development
and verification method will remain useful.
1. Introduction
Programmable Logic Controllers (PLCs) are increas-
ingly being used for safety critical applications. Our goal
is verification and testing of PLC applications. We con-
sider timing aspects as an integral part of control as per-
formed by PLCs. Timed automata provide a usful class of
models, first, because they allow to model real time, and
second because of the availability of model checking tools
[11, 10, 8, 9, 4, 16]. We introduce two different models that
differ in the way of treating timers. Both models satisfy
the same specification for timing behaviour, which indicates
that they are interchangable.
Supported by a DAAD postdoc grant, and in the framework of the Eu-
ropeanCommunityEsprit-LTR Project 26270VHS (Verification of Hybrid
systems)
PLCs have evolved from very simple “Logic Con-
trollers” that used to control physical processes by feed-
ing the input from the sensors via a carefully designed net-
work of relays and timers to the actuators. PLCs are “pro-
grammable”: they contain a microprocessor so that a com-
puter program can perform the task of the switches and
timers of their forefathers. Althoughmodern PLCs can con-
tain the same processor chip as a usual desktop computer
they differ from, say, personal computers in a number of as-
pects.
Traditionally, they are programmed by means of lan-
guages and notations which are unfamiliar to most
computer scientists, while, vice versa, many useful
concepts that were developed in computer science are
unfamiliar to the engineers who program PLCs.
Real-time behaviour is ensured by the use of conceptu-
ally very simple “timers”. These can either be realised
as hardware components or be simulated by pieces of
software.
They have a robust operating system, which ensures
that “scan cycles” are executed again and again. In
each scan cycle the actual PLC program is executed,
input is “polled” and the output is updated once before
each program execution.
There are more complex PLCs, which support interruptsand
multi-tasking. Although some find them easier to program,
they are more difficult to verify. Formany applications these
“powerful” features are not strictly necessary. Therefore we
will concentrate on the simple PLCs characerized above.
A PLC program can read and change memory, but it can-
not perform any input or output operations. Just before its
execution starts, the PLC has polled all sensors and written
their actual state into a certain memory area which can be
read by the program. This area thus contains a “snapshot”
of the environment at the moment of polling. Anothermem-
ory area is used for output: after the PLC program has termi-
nated, the PLCwill map its contents to the actuators. Within
a fixed amount of time, the PLCwill then initiate the next cy-
cle, viz., poll the input and start the program again. The PLC
will not change memory outside the input memory area; so
the program can use memory to maintain state information
between two cycles. A well-formed PLC program does not
change the input memory area, in order to ensure that it al-
ways contains the latest snapshot of the environment.
A well-formed PLC program can be guaranteed to termi-
nate withina fixed amount of time, in order to ensure that the
duration of the PLC’s polling loop has a fixed upper bound.
It also has a fixed lower bound, due to the time the PLC
needs for the polling and possibly some self-checks.
A PLC program can set and check timers. If timers are
not realised by separate hardware, setting and checking con-
sists in the execution of small pieces of program that sim-
ulate the timers’ behaviour. A well-formed PLC program
executes such timer programs during each cycle and never
jumps across them. Only then their effect will approximate
the effect of hardware timers as close as the duration of one
cycle.
This paper is a contribution to the definition of formal se-
mantics for PLC programs with the emphasis on timers. Re-
lated work has been done at several places. From [22, 23,
6, 7, 15] our work differs in the explicit treatment of time.
In[12, 13] time is represented by a duration calculus seman-
tics, which to our mind is less intuitive than an operational
semantics. The work of [14] can be considered as a basis for
this paper.
2. A programming language for PLCs
The programming languagewewant to consider is a frag-
ment of Instruction Lists, the most basic, assembly-like lan-
guage from the standard IEC 1131-3 [1].
Instruction Lists provide more concepts, for example lo-
cal variables, function blocks, and bracketed expressions.
However useful in program development, they are not con-
sidered here because they can be dealt with by static pro-
gram analysis and substitution.
We restrict data types to Booleans. This is a reasonable
restriction. Many PLC applications control processes by
switching on and off actuators. There is a strong trend to
move complicated arithmetic operations to other parts of the
system (e.g. a PC) and not to perform them in the PLC itself,
such that they do not consume toomuch time and make scan
cycles too long. With this restriction we hope to get models
that are of a size still allowing to do model checking.
Let be a set Boolean variables and the set of
Boolean expressions over .
A program is a sequence of instructions, consecutively
numbered from to for . Formally, we consider
a program to be a function, mapping addresses to instruc-
tions , where is the set of
instructions. Furthermore, for each program there is an
initial valuation of the variables .
We will deal with the following classes of instructions,
where var is a Boolean variable, adr is
an addres. Their semantics is given in the timed automaton
model of figure 1
assignments: LD var, ST var, AND var, OR var,
XOR var, and each of these also with option N, and
S var, R var.
jumps: JMP adr, JMPC adr, JMPCN adr,
timer calls: CAL timer [timer.IN:=b, timer.PT:=t]
where is a Boolean constant and a time constant.
3. Timed Automaton Models
Timed automata are an automaton-based semantic model
for real-time systems. Although the basic concepts are very
similar various definitions of syntax and semantics are given
[2, 3, 17, 19, 20, 21]. We use a variant of timed automata that
is defined in [20].
Define the set of variables to be . This is one Boolean
variable for each program variable in use; special variables
are for the actual register, and are vectors of vari-
ables that represent the input and output area of the memory.
We will abbreviate the Boolean constants true and false by
tt and ff, resp..
Definition 1 Given a program as in defined section 2, we
define the timed automaton as follows:
A location consists of five components
IN OUT , where
– is tt, if data are transported between
memory and I/O-ports, and ff during the pro-
gram execution
– is the program counter
– is the valuation of all variables, thus
representing the memory.
– IN is the vector of values at the input ports,
– OUT is the vector of values at the output
ports.
There is a set of initial states defined
tt IN OUT , where is the initial valua-
tion of variables for this program.
The clock measures the cycle length. It is reset after
each program execution.
The invariant holds for locations, where
tt. is the upper time bound for the i/o-part of the
scan cycle.
The invariant holds for each location. is the
upper time bound for each whole scan cycle. Obviously
it is .
The edges have to be constructed along the structure of
as given in figure 1. If not specified, we assume
. Most edges are labeled with the internal
action , indicating that thsi is internal to the PLC and
not observable from outside.
2
(input) IN IN’
IN OUT IN’ IN’ OUT
(i/o) IN IN’
tt IN OUT
ff IN IN
(load 1) LD
ff IN OUT
ff IN OUT
(load 2) LDN
ff IN OUT
ff IN OUT
(store 1) ST
ff IN OUT
ff IN OUT
(store 2) STN
ff IN OUT
ff IN OUT
(and 1) AND
ff IN OUT
ff AND IN OUT
(and 2) ANDN
ff IN OUT
ff AND IN OUT
(or 1) OR
ff IN OUT
ff OR IN OUT
(or 2) ORN
ff IN OUT
ff OR IN OUT
(xor 1) XOR
ff IN OUT
ff XOR IN OUT
(xor 2) XORN
ff IN OUT
ff XOR IN OUT
(s) S
ff IN OUT
ff OR IN OUT
(r) R
ff IN OUT
ff AND IN OUT
(jump 1) JMP
ff IN OUT ff IN OUT
(jump 2a) JMPC and ff
ff IN OUT ff IN OUT
(jump 2b) JMPC and tt
ff IN OUT ff IN OUT
(jump 3a) JMPCN and tt
ff IN OUT ff IN OUT
(jump 3b) JMPCN and ff
ff IN OUT
ff IN OUT
(cycle end)
ff IN OUT tt IN OUT
Figure 1. Transitions of a timed automaton for
a simple Instruction List program
4. Adding Timers
In PLC programming a variety of timers is used to en-
sure real-time properties of PLC applications. For brevity
we shall treat only timers of type TON in this paper; the
other types could be treated similarly.
Timer TONIN
PT
Q
ET
Figure 2. Input IN and PT, output Q and ET of
a timer TON
Intuitively, a timer is a black box into which a Boolean
input signal IN is fed and which produces a Boolean out-
put signal Q and possibly an integer output signal ET. There
is an additional integer input PT, that we consider here as a
constant. What happens if PT were changed while the timer
is running is not defined.
The behaviour of timer TON is illustrated by the diagram
in figure 3.
Q
IN
timePT PT PT
PTET
Figure 3. Timer TON: Relation between IN and
outputs Q and ET
3
The relation between IN and Q can be specified formally
as follows:
(*)
In other words: the output signal is true whenever the in-
put signal has been true at least during a period of length PT;
it becomes false as soon as the input signal becomes false.
To allow the use of timers we extend our pro-
gramming language by the following instruction:
CAL timer ( timer.IN := var name, timer.PT := constant ).
Such a ’timer call’, updates the results timer.Q and timer.ET.
This ’timer call’ has to simulate the effect of the afore-
mentioned black box, which means that it will have to ap-
proximate specification (*) as closely as possible. The ex-
isting approximations, however, do not satisfy the specifica-
tion of an ideal timer as above. Reason is, that timers only
start to run resp. update their output, if they are called and
the additional error we get is the time distance between two
timer calls (see also section 4.3).
Programs are much more flexible than hardware boxes.
To avoid complications, we must restrict them to forbid that
they dynamically ”change the wiring of the box” or change
the timing constant while the timer is runningor let the timer
”die”.
A well-formed PLC program ensures that timer calls are
always issued with the same parameters, that the variables
timer.IN, timer.Q, and timer.ET are never changed except in
the course of a timer call, and that a call is issued during each
cycle of the PLC.
We shall now provide two different ways of modelling
timers for well-formed PLC programs. The first one corre-
sponds to the way timers are likely to be realized by means
of function blocks [1], i.e. it is oriented towards the veri-
fication of the implementation of a PLC language. The sec-
ondone corresponds to the intuitive idea of a black hardware
box; it is simpler and probably more useful for the verifica-
tion of PLC programs. It can be shown that they are inter-
changeabe in the sense that for well-formed PLC programs
bothmeet the same specification. The first model makes use
of integers and therefore gives in fact an infinite automaton.
The second one, instead, makes use of more clocks, and the
resulting automaton is a finite timed automaton.
4.1. Timers as symbolic function block calls
Timers are standard function blocks that are predefined
and available for the programmer. How they are realized
is left to the producer of the PLC hardware and the imple-
menter of the programming languages. We explicitly for-
mulated a function block for a timer of type TON, in figure
4 in Structured Text (for readability) and in figure 5 in In-
structionList (for our application). Note, that this is not nec-
essarily the way how TON is realized, but it very plausible
that realizations may be like this.
FUNCTION BLOCK TON
VAR INPUT
IN: BOOL;
PT: TIME;
END VAR
VAR OUTPUT
Q: BOOL;
ET: TIME;
END VAR
VAR
IN OLD: BOOL := false;
T0, T: TIME;
END VAR
T:=TIME();
IF NOT IN OLD AND IN
THEN T0:=T;
END IF;
IF IN AND T-T0 PT
THEN ET:=PT;
ELSIF IN
THEN ET:=T-T0;
ELSE ET:=0;
END IF;
Q:= (ET= PT) AND IN;
IN OLD:= IN;
END FUNCTION BLOCK
Figure 4. Symbolic function block for a timer
of type TON in Structured Text
For modelling we treat a timer call as a usual function
block call. Roughly, a function block is similar to a function,
but can preserve some of its history in local variables that
are not initialized at each function block call. Technically, a
timer call is substituted by the body of the function block ,
and (history-less) variables have to be initialized correctly.
For this way ofmodellingwe need some additional struc-
ture in the timed automaton of figure 1:
1. Each timer uses a global clock. The function block
TON in figure 4 is based on a function TIME() that has
the actual time as result. For that purposewe extend the
timed automaton by a simple time counter simulat-
ing a clock tick.
2. Points of time have to be memorized. For that purpose
we introduce integers and some basic operations on in-
tegers, which are subtraction and comparison.
Given a program we create a program . The set
Because recursion is not allowed by the standard functions and func-
tion blocks are not much more than macros.
4
of variables for is an extension of for . For
modelling the function TIME() we need an integer variable
time. For each instance timer of a timer we get three addi-
tional Booleans and two integer variables.
FUNCTION BLOCK TON
VAR INPUT
IN: BOOL;
PT: TIME;
END VAR
VAR OUTPUT
Q: BOOL;
ET: TIME;
END VAR
VAR
IN OLD: BOOL := false;
T0, T: TIME;
END VAR
CAL TIME();
ST T
LD IN OLD
JMPC further
LD IN
JMPCN further
LD T
ST T0
further: LD IN
JMPCN away2
LD T
SUB T0
GT PT
JMPCN away1
LD PT
ST ET
JMP away3
away1: LD T
SUB T0
ST ET
JMP away3
away2: LD 0
ST ET
away3: LD ET
GE PT
AND IN
ST Q
LD IN
ST IN OLD
END FUNCTION BLOCK
Figure 5. Symbolic function block for a timer
of type TON in Instruction List
time
timer.IN, timer.Q, timer.IN OLD,
timer.PT, timer.ET
timer is an instance of TON
In each timer call CAL timer is substituted
by the body of the instance timer of the function block TON
in the Instruction List version (see figure 5). Note that this
implies also a change of program addresses.
Definition 2 Given a program we define the automaton
as in definition 1 with the following extensions:
The valuation function is also applied to time vari-
ables and we get
For the initial locations tt IN OUT it is
ff for each timer
timer.name.
We need an additional clock tick in order to model
the function TIME().
The transitions of figure 1 are extended by those in fig-
ure 6. We need additionaltransitions for the operations
on time variables and an interpretation of the function
TIME().
(clock)
IN OUT tick tick
time time IN OUT
(real time) CAL TIME()
ff IN OUT
ff time IN OUT
(subtraction) SUB
ff IN OUT
ff IN OUT
(greater1) GE and time
ff IN OUT
ff tt IN OUT
(greater2) GE and
ff IN OUT
ff ff IN OUT
Figure 6. as extension of for timer calls
5
(timer1)
CAL timer.IN ff timer.PT
ff IN OUT CALff timer
ff timer.Q ff IN OUT
(timer2)
CAL timer.IN tt timer.PT
ff IN OUT CALtf timer
ff timer.Q ff IN OUT
(timer3)
CAL timer.IN tt timer.PT
ff IN OUT CALtt timer
ff timer.Q tt IN OUT
Figure 7. as extension of by timer calls
4.2. Timers as parallel automata
The second model for timers we suggest is to model each
instance timer of a timer as a timed automaton timer that runs
in parallel with an extension of the automaton of sec-
tion 3, and the automata synchronize on operations on timer
variables and on the timer call. This way of modelling re-
quires one extra clock timer for each instance of a timer, but
no integer variables are needed.
The timed automaton timer below models the bahaviour
of a timer of type TON. Here, we abstract away from the ad-
ditional output ET that contains the accumulated time since
timer start. As in the previous section we assume that each
instance of the timer TON has an individual name timer and
the variables of each instance are prefixed by this name, i.e.
we have the Booleans timer.IN and timer.Q and a clock timer.
Definition 3 The automaton timer is defined as follows:
The locations are idle, running and timeout.
Initial location is idle.
There is one clock timer in use.
For locationrunning the invariant timer , where
Time is the delay-time of the timer timer as
specified in the program. We assume that for each timer
instance there is a unique value for timer.PT which is
used in the guard of transition (timeout) in figure 8.
The transitions are described in figure 8. There are
three visible actions, on which program automaton
and a timer automaton timer should synchronize. The
actions model a timer call with additional informa-
tion encoded: first, the value of the input timer.IN, and
second, the value of the output timer.Q. For example,
idle CALff timer idle
idle CALtf timer running
running CALff timer idle
running CALtf timer running
running timeout
timeout CALff timer idle
timeout CALtt timer timeout
Figure 8. Timed automaton timer for a timer of
type TON
CALtf timer stands for a timer call with timer.IN=tt
as input and output timer.Q=ff.
Definition 4 Given a program we define the timed au-
tomaton as of definition 1, with the following exten-
sions:
For each instantiation timer of a timer of we need two
Booleans. The set of variables is:
timer.IN, timer.Q
timer is an instance of TON
For the initial valuation we have timer.IN
timer.Q ff
For the automaton a change of the output signal
timer.Q of a timer signal of the timer automaton, which
is
Altogether, the timed automaton modelling the be-
haviour of a Instruction List program is a parallel compo-
sition of automata below that synchronize over the actions
of set :
Definition 5 Given a program we define the automaton
as
def
timer 1 timer m
where timer 1, , timer m are the instances
of timer TON in the program , and
.
4.3. Correctness
Again, for a timer timer defined in a program we ab-
breviate inputs timer.IN and timer.PT by and , as well
as output timer.Q by .
6
The ideal timer TON is specified as follows: its output
is true if and only if the input was true since at least time
(see (*) in section 4).
A timer used in a PLC is not an ideal timer. This has two
reasons. Internally, timer are only started and update their
outputs when they are called. The additional error we get
here is the timedistance thatmay be between two timer calls.
Externally, from the users’ point of view, inputs for the PLC
that may cause a timer to start, reach the PLC with some de-
lay, as well as the timeout of a timer (possibly) causes the
output port to change with a delay. For now, we concentrate
on the internal error, and show that both timer models sat-
isfy the same specification and therefore can be substituted
by each other.
We need two restrictions that define well-formed pro-
grams.
1. The input variable IN of a timer is assigned only at
timer calls.
2. In each scan there is a timer call.
Recall, that a run of a timed automaton is a sequence
, and
.
We overload notation and assume that IN andQ are basic
predicates over states, i.e. Q(s) IN OUT
tt etc.. Furthermore, the predicate Q(t) is true for
a run, if there is a location with time stamp and a state ,
where Q(s), i.e. iff .
Proposition 1 Let be a well-formed program. Then for
each accepting run of the automata and it is:
and
For the proof of this proposition see the full version of the
article [18].
5. Conclusion
Our interest is to increase reliability of PLC applications,
where especially timing aspects seem to be important. In
order to apply verification and testing techniques, one first
needs formal models. Here, we suggested two timed au-
tomaton models for PLC applications with programs in a
reasonable fragment of the language Instruction Lists. The
first model is close to the way how timers are realized in ex-
isting PLCs: by a predefined function block. The models
we get from this approach uses integers and therefore results
in infinite automata. The second model tries to capture the
idea of timers and uses clocks instead of integers. The timed
automata resulting from this approach are finite. Formally,
they are equivalent the sense that they both satisfy the same
specification for timers. This indicates, that they are inter-
changable. More concrete, using the finite model for model
checking, we know that its behaviour is the same as of the
other model, which is closer to “reality”.
Our future work includes the following:
Case studies inmodel checkingwith e.g. UPPAAL and
KRONOS.
Extending the timed automaton semantics to programs
written in Structured Text.
Extending the notion of well-formed programs to
(classes of) guidlines for programs that are easier to
verify.
References
[1] IEC International Standard 1131-3, Programmable Con-
trollers, Part 3, Programming Languages, 1993.
[2] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for
real-time systems. InProceedings Annual Symposiumon
Logic in Computer Science, Philadelphia, USA, pages 414–
425. IEEE Computer Society Press, 1990.
[3] R. Alur and D. Dill. A theory of timed automata. Theoretical
Computer Science, 126:183–235, 1994.
[4] R. Alur, T. Henzinger, and P.-H. Ho. Automatic symbolic
verification of embeddedsystems. In Proceedingsof the 14th
Annual Real-time Systems Symposium, pages 2–11. IEEE
Computer Society Press, 1993.
[5] R. Alur, T. Henzinger, and E. Sontag, editors. Hybrid Sys-
tems III, volume 1066of LectureNotes in ComputerScience.
Springer-Verlag, 1996.
[6] S. Anderson and K. Tourlas. Diagrams and programming
languages for programmable controllers. In Proceedings of
the FormalMethodsEuropeSymposium, LNCS, pages1–19.
Springer-Verlag, 1997.
[7] S. Anderson and K. Tourlas. Design for proof: An approach
to the design of domain specific languages. To appear in the
proceedings of the Third FMICS Workshop, May 1998.
[8] J. Bengtsson, W. Griffioen, K. Kristoffersen, K. Larsen,
F. Larsson, P. Pettersson, and W. Yi. Verification of an au-
dio protocol with bus collision using UPPAAL. In R. Alur
and T. Henzinger, editors, Proceedings of the 8th Inter-
national Conference on Computer Aided Verification, New
Brunswick,NJ, USA, volume 1102of LectureNotes in Com-
puter Science, pages 244–256.Springer-Verlag, July/August
1996.
[9] J. Bengtsson,K. Larsen, F. Larsson, P. Pettersson, andW. Yi.
UPPAAL: a tool suite for the automatic verification of real-
time systems. In Alur et al. [5], pages 232–243.
[10] C. Daws, A. Olivero, S. Tripakis, and S. Yovine. The tool
KRONOS. In Alur et al. [5], pages 208–219.
[11] C. Daws and S. Yovine. Two examples of verification of
multirate timed automata with KRONOS. In Proceedings
of the 16th IEEE Real-Time Systems Symposium (RTSS’95),
Pisa, Italy, pages66–75. IEEEComputer Society Press, Dec.
1995.
7
[12] H. Dierks. Synthesising controllers from real-time specifi-
cations. In M. Bertran and T. Rus, editors, Transformation-
Based Reactive Systems Development (ARTS’97), volume
1231 of LectureNotes in Computer Science, pages 111–125.
Springer-Verlag, 1997.
[13] H. Dierks. Synthesisingcontrollers from real-time specifica-
tions. In Proceedings of Tenth International Symposium on
System Synthesis, pages 126–133. IEEE CS Press, 1997.
[14] H. Dierks, A. Fehnker, A. Mader, and F. Vaandrager. Oper-
ational and logical semantics for polling real-time systems.
Technical report, University of Nijmegen, 1998.
[15] M. Heiner and T. Menzel. A petri net semantics for the
plc language instruction list. In Proceedings of WoDES’98,
pages 161–172. IEE Control, 1998.
[16] T. Henzinger and P.-H. Ho. HyTech: The Cornell HY-
brid TECHnology Tool. In U. Engberg, K. Larsen, and
A. Skou, editors, Proceedingsof the Workshopon Tools and
Algorithms for the Construction and Analysis of Systems,
Aarhus, Denmark, volume NS-95-2 of BRICS Notes Series,
pages 29–43. Department of Computer Science, University
of Aarhus, May 1995.
[17] T. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Sym-
bolicmodel checking for real-time systems. Information and
Computation, 111:193–244, 1994.
[18] A. Mader and H. Wupper. Timed automatonmodels for sim-
ple programmable logic controllers. Technical report, Uni-
versity of Nijmegen, 1999. to appear.
[19] O. Maler and A. Pnueli. Timing Analysis of Asynchronous
Circuits using Timed Automata. In Proc. CHARME’95, vol-
ume 987 of Lecture Notes in Computer Science, pages 189–
205. Springer-Verlag, 1995.
[20] O.Maler and S. Yovine. Hardware Timing Verification using
Kronos. In Proc. 7th Conf. on Computer-based Systems and
Software Engineering. IEEE Press, 1996.
[21] X. Nicollin, J. Sifakis, and S. Yovine. Compiling Real-Time
Specifications into Extended Automata. IEEE Transactions
on Software Engineering, 18(9):794–804, Sept. 1992.
[22] K. Tourlas. Semantic analysis and design of languages for
programmable logic controllers. Master’s thesis, Depart-
ment of Computer Science, The University of Edinburgh,
1996.
[23] K. Tourlas. An assessement of the IEC 1131-3 standard on
languagesfor programmable controllers. In P. Daniel, editor,
SafeComp’97, pages 210–219, 1997.
8
