How do PLC look like? What s special about PLC? What is a PLC? /50 2/50 5/50 6/50 3/ Splc main

Transcription

1 (public domain) How do PLC look like? Albert-Ludwigs-Universität Freiburg, Germany Dr. Bernd Westphal Lecture 09: PLC Automata Real-ime Systems 4/50 (CC nc-sa 2.5, Ulli1105) Sprelim Contents & Goals Last Lecture: DC Implementables. A conoller for the gas burner. his Lecture: Educational Objectives: Capabilities for following tasks/questions. What is the philosophy of PLC? What did we generalise/absact them to? What s an example for giving a DC semantics for a consuctive formalism? How does the proposed approach work, from requirements to a correct implementation with DC? Content: Programmable Logic Conollers (PLC) ( Speicherprogrammierbare Steuerungen (SPS)) PLC Automata An overapproximating DC semantics for PLCA An reaction time theorem for PLCA What s special about PLC? microprocessor, memory, timers digital (or analog) I/O ports possibly RS 232, fieldbuses, networking robust hardware reprogrammable standardised programming model (IEC ) 2/50 5/50 What is a PLC? Where are PLC employed? mostly process automatisation production lines packaging lines chemical plants power plants elecic motors, pneumatic or hydraulic cylinders... not so much: product automatisation, there tailored or OS conoller boards embedded conollers... 3/50 6/50

2 x y y How are PLC programmed? PLC have in common that they operate in a cyclic manner: read s compute write s Cyclic operation is repeated until external interruption (such as shutdown or reset). Cycle time: typically a few milliseconds. [?] Programming for PLC means providing the compute part. Input/ values are available via designated local variables. How are PLC programmed, practically? 1: PROGRAM PLC_PRG_FILER 2: VAR 3: : I := 0; (* 0:=, 1:=, 2:= *) 4: tmr : P; 5: EDVAR 6: 7: IF = 0 HE 8: % := ; 9: IF % = HE 10: := 1; 11: % := ; 12: ELSIF % = HE 13: := 2; 14: % := ; 15: EDIF 16: ELSIF = 1 HE 17: tmr( I := RUE, P := t#5.0s ); 18: IF (% = no_ AD O tmr.q) HE 19: := 0; 20: % := ; 21: tmr( I := FALSE, P := t#0.0s ); 22: ELSIF % = HE 23: := 2; 24: % := ; 25: tmr( I := FALSE, P := t#0.0s ); 26: EDIF 27: EDIF 7/50 10/ Splc 22/50 1: PROGRAM PLC_PRG_FILER 2: VAR 3: : I := 0; (* 0:=, 1:=, 2:= *) 4: tmr : P; 5: EDVAR 6: 7: IF = 0 HE 8: % := ; 9: IF % = HE 10: := 1; 11: % := ; 12: ELSIF % = HE 13: := 2; 14: % := ; 15: EDIF 16: ELSIF = 1 HE 17: tmr( I := RUE, P := t#5.0s ); 18: IF (% = no_ AD O tmr.q) HE 19: := 0; 20: % := ; 21: tmr( I := FALSE, P := t#0.0s ); 22: ELSIF % = HE 23: := 2; 24: % := ; 25: tmr( I := FALSE, P := t#0.0s ); 26: EDIF 27: EDIF How are PLC programmed, practically? 8/50 no Idea: a stutter filter with s and, for no ain and ain passing (and possibly, for error). After arrival of a ain, ignore no for 5 seconds. Problem: the sensor may stutter, i.e. oscillate between no and multiple times. Assume a ack-side sensor with s: no no passing ain a ain is passing Assume that a change from no to signals arrival of a ain. (o spurious sensor values.) Example: reliable, stutter-free ain sensor. How are PLC programmed, practically? 11/50 Figure 2.3: Elements of sequential function charts Unfortunate: deviations in semantics... [?] [?] g3 Sequential Function Charts (SFC) s2 R action1 ied together by S action1 s1 action block action2 2 action name g2 action qualifier Figure 2.2: Implementations of the operation x becomes y z s0 step (initial) ansition g1 ansition condition (guard) [?] (Relay) Ladder Diagram Function Block Diagram z ( ) x 1 z Insuction List Suctured ext LD x OR y S z z := x OR y Alternative Programming Languages by IEC / ime no Idea: After arrival of a ain, ignore no for 5 seconds. Example: Stutter Filter

3 Why study PLC? ote: the discussion here is not limited to PLC and IEC languages. Any programming language on an operating system with at least one real-time clock will do. (Where a real-time clock is a piece of hardware such that, we can program it to wait for t time units, we can query whether the set time has elapsed, if we program it to wait for t time units, it does so with negligible deviation.) And sictly speaking, we don t even need full blown operating systems. PLC are just a formalisation on a good level of absaction: there are s somehow available as local variables, there are s somehow available as local variables, somehow, s are polled and s updated atomically, there is some interface to a real-time clock. PLC Automata Example: Stuttering Filter A = (Q = {q0, q1}, Σ = {,no }, δ = {(q0,) q1, (q0,no ) q0, (q1,) q1, (q1,no ) q0}, q0 = q0, ε = 0.2, St = {q0 0, q1 5}, Se = {q0, q1 Σ}, Ω = {, }, ω = {q0, q1 }) no no 5 s q0 q1 12/50 15/50 PLC Automata PLC Automata Example: Stuttering Filter with Exception no no 5 s ue no, no 5 s, {no,}, ue 13/50 16/50 PLC Automata Definition 5.2. A PLC-Automaton is a sucture A = (Q, Σ, δ, q0, ε, St, Se, Ω, ω) where (q ) Q is a finite set of s, q0 Q is the initial, (σ ) Σ is a finite set of s, δ : Q Σ Q is the ansition function (!), St : Q R + 0 assigns a delay time to each, Se : Q 2 Σ assigns a set of delayed s to each, Ω is a finite, non-empty set of s, ω : Q Ω assigns an to each, ε is an upper time bound for the execution cycle. 14/50 PLC Automaton Semantics 1: PROGRAM PLC_PRG_FILER 2: VAR 3: : I := 0; (* 0:=, 1:=, 2:= *) 4: tmr : P; 5: EDVAR 6: 7: IF = 0 HE 8: % := ; 9: IF % = HE 10: := 1; 11: % := ; 12: ELSIF % = HE 13: := 2; 14: % := ; 15: EDIF 16: ELSIF = 1 HE 17: tmr( I := RUE, P := t#5.0s ); 18: IF (% = no_ AD O tmr.q) HE 19: := 0; 20: % := ; 21: tmr( I := FALSE, P := t#0.0s ); 22: ELSIF % = HE 23: := 2; 24: % := ; 25: tmr( I := FALSE, P := t#0.0s ); 26: EDIF 27: EDIF no, no, ue 5s, {no,} Recall: read s compute write s 17/50

4 21/50 (correct?) compiler S ÂAÃDC no q0 q1 by example today 5 s no =? Impl synthesis =? Des =? Req Full DC DC Implementables PLC-Automata IEC Binary Wait, what is the Plan? 18/50 no no no no ue ,, no 5 s, {no,} no PLCA Semantics: Examples 1: PROGRAM PLC_PRG_FILER 2: VAR 3: : I := 0; (* 0:=, 1:=, 2:= *) 4: tmr : P; 5: EDVAR 6: 7: IF = 0 HE 8: % := ; 9: IF % = HE 10: := 1; 11: % := ; 12: ELSIF % = HE 13: := 2; 14: % := ; 15: EDIF 16: ELSIF = 1 HE 17: tmr( I := RUE, P := t#5.0s ); 18: IF (% = no_ AD O tmr.q) HE 19: := 0; 20: % := ; 21: tmr( I := FALSE, P := t#0.0s ); 22: ELSIF % = HE 23: := 2; 24: % := ; 25: tmr( I := FALSE, P := t#0.0s ); 26: EDIF 27: EDIF We assess correctness in terms of cycle time......but where does the cycle time come from? First of all, S on the hardware has a cycle time so we can measure it if it is larger than ε, don t use this program on this conoller we can estimate (approximate) the WCE (worst case execution time) if it s larger than ε, don t use it, if it s smaller we re safe (Major obstacle: caches, out-of-order execution.) Some PLC have a watchdog: set it to ε, if the current computing cycle takes longer, then the watchdog forces the PLC into an error and signals the error condition 19/50 An Overapproximating DC Semantics for PLC Automata 22/50 And what does this have to with DC? Interesting Overall Approach Define PLC Automaton syntax (absact and concrete). Define PLC Automaton semantics by anslation tos (sucturedtext). Give DC over-approximation of PLC Automaton semantics. Assess correctness of over-approximation against DC requirements. In other words: we ll define ÂAÃDC such that I ÂAÃ = I = ÂAÃDC but not necessarily the other way round. In even other words: ÂAÃ {I I = ÂAÃDC }. 20/50 23/50

5 [t0, t1] A = {no } t1 {q1} {} [t0, t2] A = {no,} t2 {q1} {, } [t0, t3] A = {no,} t3 {q1, } {, } [t0, t4] A = {no,} t4 {q1, } {, } [t0, t5] A = {no,,} t5 {q1,, } {,, } [t0, t6] A = {no,,} t6 {q1,, } {,, } 27/50 q1 A holds in with After q ; q A q δ(q, A) (DC-2) t0 t1 t2 t3 t4 t5 t6 ue = ε = ε = ε = ε = ε ime, q1 no q1, 5s, {no,} no no no Effect of ransitions, untimed 24/50 OutA, D(OutA) = Ω values of the s StA, D(StA) = Q current local InA, D(InA) = Σ values of the s he DC formula ÂAÃDC we consuct ranges over the observables A = (Q, Σ, δ, q0, ε, St, Se, Ω, ω). Consider Observables 28/50 [t1, t2] A = {no,} t2 {q1, } {, } [t2, t3] A = {no,} t3 {q1, } {, } [t3, t4] A = {no } t4 {q1} {} [t4, t5] A = {no,} t5 {q1, } {, } [t5, t6] A = {} t6 {q1, } {, } q1 A holds in with After ε q A q δ(q, A) (DC-3) t0 t1 t2 t3 t4 t5 t6 ue = ε = ε = ε = ε = ε ime, q1 no q1, 5s, {no,} no no no Cycle ime 25/50 St(q) > 0 = q ; q ; q A ε St(q) q δ(q, A \ Se(q)) (DC-5) St(q) > 0 = q ; q A St(q) q δ(q, A \ Se(q)) (DC-4) Delays: ε q A q δ(q, A) (DC-3) Cycle time: q ; q A q δ(q, A) (DC-2) Effect of ransitions, untimed: q0 ; ue (DC-1) Initial State: A = (Q, Σ, δ, q0, ε, St, Se, Ω, ω) Overview q A abbreviates StA = q InA A, δ(q, A) abbreviates StA {δ(q, a) a A}. A arbiary with A Σ, 29/50 [t0, t1] A = {no } t1 {} { } [t0, t2] A = {no,} t2 {} { } [t0, t3] A = {no,,} t3 {, } {, } [t0, t4] A = {no,,} t4 {, } {, } [t0, t5] A = {no,,} t5 {, } {, } [t0, t6] A = {no,,} t6 {, } {, } q1 A holds in with After St(q) > 0 = q ; q A St(q) q δ(q, A \ Se(q)) (DC-4) t0 t1 t2 t3 t4 t5 t6 ue = ε = ε = ε = ε = ε ime, q1 no q1, 5s, {no,} no no no Delays 26/50 St(q) > 0 A Se(q) = q / δ(q, A) = q ; q A ε (DC-10) q St(q) > 0 A Se(q) = q / δ(q, A) (DC-9) = ( q A = l < 2ε) = ( q St(q) ; q A = l < St(q) + 2ε) (DC-8) St(q) > 0 q / δ(q, A) Progress from delayed s: St(q) = 0 q / δ(q, A) = q ; q A ε q (DC-7) St(q) = 0 q / δ(q, A) = ( q A = l < 2ε) (DC-6) Progress from non-delayed s: A = (Q, Σ, δ, q0, ε, St, Se, Ω, ω) Overview q A abbreviates StA = q InA A, δ(q, A) abbreviates StA {δ(q, a) a A}. A arbiary with A Σ,

6 33/50 St(q0) > 0 A Se(q0) = q0 / δ(q0, A) = q0 A ε 0 q0 (DC-10 ) St(q0) = 0 q0 / δ(q0, A) = q0 A ε 0 q0 (DC-7 ) St(q0) > 0 = q0 ; q0 A ε St(q0) 0 q0 δ(q0, A \Se(q0)) (DC-5 ) St(q0) > 0 = q0 A St(q0) 0 q0 δ(q0, A \ Se(q0)) (DC-4 ) q0 A 0 q0 δ(q0, A) (DC-2 ) ( q = ω(q) (DC-11) Behaviour of the Output and System Start 30/50 [t1, t2] A = {no,} t2 {} { } [t2, t3] A = {,} t3 {, } {, } [t3, t4] A = {no,} t4 {, } {, } [t4, t5] A = {no } t5 {} { } [t5, t6] A = {no,} t6 {, } {, } q1 A holds in with After St(q) > 0 = q ; q ; q A ε St(q) q δ(q, A \ Se(q)) (DC-5) t0 t1 t2 t3 t4 t5 t6 ue = ε = ε = ε = ε = ε ime, q1 no q1, 5s, {no,} no no no Delays 34/50 But not necessarily the other way round. hen Iπ = ÂAÃDC. Let Iπ be an encoding of π as an interpretation of InA, StA, and OutA. Let π be a recording over time of then s, local s, and s of a PLC device running PA. Let PA be the S program semantics of A. Claim: DC-5 DC-7 DC-10. q Q, A Σ ÂAÃDC := DC-1 DC-11 DC-2 DC-4 Definition 5.3. he Duration Calculus semantics of a PLC Automaton A is DC Semantics of PLC Automata 31/50 Due to (DC-6): t5 t4 < 2ε t3 t2 < 2ε Due to (DC-7): t1 t0 < ε St(q) = 0 q / δ(q, A) = q ; q A ε q (DC-7) St(q) = 0 q / δ(q, A) = ( q A = l < 2ε) (DC-6) t0 t1 t2 t3 t4 t5 ue ime, q1 no q1, 5s, {no,} no no no no Progress from non-delayed s 35/50 One Application: Reaction imes 32/50 Due to (DC-8): t5 t4 < 2ε Due to (DC-9): t3 t2 < 2ε Due to (DC-10): t1 t0 < ε = q ; q A ε q (DC-10) St(q) > 0 A Se(q) = q / δ(q, A) = ( q A = l < 2ε) (DC-9) St(q) > 0 A Se(q) = q / δ(q, A) = ( q St(q) ; q A = l < St(q) + 2ε) (DC-8) St(q) > 0 q / δ(q, A) t0 t1 t2 t3 t4 t5 ue ime, q1 no q1, 5s, {no,} no no no Progress from delayed s

7 One Application: Reaction imes Given a PLC-Automaton, one often wants to know whether it guarantees properties of the form StA Q InA = emergency signal 0.1 StA = motor off ( whenever the emergency signal is observed, the PLC Automaton switches the motor off within at most 0.1 seconds ) Which is (why?) for from obvious from the PLC Automaton in general. We will give a theorem, that allows us to compute an upper bound on such reaction times. hen in the above example, we could simply compare this upper bound one against the required 0.1 seconds. Premise Examples no 0s, no 5 s, {no,}, ue Examples: Π = {, }, A = {no } δ(π, A) = {} Π Π = {,, }, A = {} δ(π, A) = {} Π Π = { }, A = {no } δ(π, A) = {} Π 36/50 39/50 he Reaction ime Problem in General Let Π Q be a set of start s, A Σ be a set of s, c ime be a time bound, and Πtarget Q be a set of target s. hen we seek to establish properties of the form c StA Π InA A StA Πtarget, abbreviated as c Π A Πtarget. Reaction ime heorem (Special Case n = 1) heorem 5.6. Let A = (Q, Σ, δ, q0, ε, St, Se, Ω, ω), Π Q, and A Σ with δ(π, A) Π. hen where c Π A δ(π, A) }{{} =Πtarget c := ε + max({0} {s(π, A) π Π \ δ(π, A)}) and { St(π) + 2ε, if St(π) > 0 and A Se(π) s(π, A) := ε, otherwise. 37/50 40/50 Reaction ime heorem Premises Actually, the reaction time theorem addresses only the special case Π A cn δ n (Π, A) }{{} =Πtarget for PLC Automata with δ(π, A) Π. Where the ansition function is canonically extended to sets of start s and s: δ(π, A) := {δ(q, a) q Π a A}. Reaction ime heorem: Example 1 (1) {, } {no } 5+3ε : 38/50 41/50

8 Reaction ime heorem: Example 2 (2) {,, } {} 2ε : Reaction ime heorem (General Case) heorem 5.8. Let A = (Q, Σ, δ, q0, ε, St, Se, Ω, ω), Π Q, and A Σ with δ(π, A) Π. hen for all n 0, Π A cn δ n (Π, A) }{{} =Πtarget where cn := ε + max( 1 k n k π1,...,πk Π \ δ n (Π, A) {0} s(πi, A) j {1,...,k 1} : i=1 πj+1 δ(πj, A) and s(π, A) as before. 42/50 45/50 Monotonicity of Generalised ransition Function Define δ 0 (Π, A) := Π, δ n+1 (Π, A) := δ(δ n (Π, A), A). If we have δ(π, A) Π, then we have δ n+1 (Π, A) δ n (Π, A) δ(δ(π, A), A) δ(π, A) Π }{{} =δ 2 (Π,A) i.e. the sequence is a conaction. (Because the extended ansition function has the following (not so surprising) monotonicity property: Proposition 5.4. Π Π Q and A A Σ implies δ(π, A) δ(π, A ).) Proof Idea of Reaction ime heorem (by conadiction) Assume, we would not have Π A cn δ n (Π, A). his is equivalent to not having (ue ; Π A cn ; δ n (Π, A) ; ue) Which is equivalent to having ue ; Π A cn ; δ n (Π, A) ; ue. Using finite variability, (DC-2), (DC-3), (DC-6), (DC-7), (DC-8), (DC-9), and (DC-10) we can show that the duration of Π A is sictly smaller than cn. 43/50 46/50 Conaction Examples Examples: Π = {, }, A = {no } δ 0 (Π, A) = {, } no 0s, no, ue 5 s, {no,} δ(δ 0 (Π, A), A) = {} Π δ n (δ 0 (Π, A), A) = {} Π = {,, }, A = {} δ 0 (Π, A) = {,, } δ(δ 0 (Π, A), A) = {} Π δ n (δ 0 (Π, A), A) = {} Π = { }, A = {no } δ(π, A) = {} Π Methodology: Overview 44/50 47/50

9 Smeth 48/50 (correct?) compiler S ÂAÃDC no q0 q1 by example lecture 5 s no =? Impl synthesis =? Des What does help us? E.g.: What assumptions did we use? =? Req Full DC DC Implementables PLC-Automata IEC Binary Methodology References 49/50 50/50