
Int J Adv Manuf Technol (2017) 88:1393–1405

DOI 10.1007/s00170-016-8638-9

ORIGINAL ARTICLE

Simulation and validation of diagram ladder—petri nets


J. C. Quezada1 · J. Medina2 · E. Flores1 · J. C. Seck Tuoh2 · A. E. Solís1 · V. Quezada1

Received: 11 December 2015 / Accepted: 20 March 2016 / Published online: 14 May 2016
© Springer-Verlag London 2016

Abstract Automated systems based on programmable logic controllers (PLC) are still applied in discrete event systems (DES) for controlling and monitoring industrial process signals. PLC-based control systems are characterized by physical input and output signals coming from sensors and going to actuators, respectively, which are in direct contact with the production or manufacturing process. The input subsystem of a PLC consists of the sensor-wiring-physical input module chain, and it can present two kinds of faults, short circuit or open circuit, in one or more of the physical input signals of the process, which causes faults in the control and/or in the behavior of the control algorithm. Ladder diagram (LD) is one of the five programming languages supported by the International Electrotechnical Commission (IEC) through the IEC-61131-3 standard, and it remains in use in industry for the design of control algorithms of PLC-based systems. This paper proposes the simulation and validation of control algorithms developed in LD by means of Petri nets (PN) in order to deal with the possible fault options (short circuit and/or open circuit) in the physical input subsystem of a PLC-based control system. One control algorithm in LD has been analyzed in order to show the advantages of the proposed approach.

Keywords Control algorithms · Discrete event systems · Ladder diagram · Petri nets · Programmable logic controller · Simulation · Validation

Corresponding author: J. C. Quezada, [email protected]

1 Escuela Superior de Tizayuca, Universidad Autónoma del Estado de Hidalgo, Ext. 5700 km 2.5 Carretera Federal Tizayuca-Pachuca, Hidalgo, México

2 Centro de Investigación Avanzada en Ingeniería Industrial, Universidad Autónoma del Estado de Hidalgo, Hidalgo, Mexico

1 Introduction

Control based on programmable logic controllers (PLC) is still used in a large variety of production or manufacturing processes. PLCs can be programmed in different programming languages, namely structured text (ST), instruction list (IL), function block diagram (FBD), sequential function chart (SFC), and ladder diagram (LD), which are the five languages considered in the IEC-61131-3 standard of the International Electrotechnical Commission [1]. This standard establishes the syntax and semantics of these programming languages, but not the verification and/or validation of the control algorithms, which have been and still are developed based on the experience of those responsible for controlling the systems. The problem of guaranteeing safe control algorithms has been treated in theory through different approaches whose main basis is the formal specification of the system being controlled, and their validation or verification rests mainly on theoretical concepts. Recently proposed approaches are mentioned below.

Conversion of control algorithms into B machines for the formal analysis of their security limitations is presented in [2]. Generating the B machine is based on the project's specifications. The informal specifications or non-explicit limitations are "manually" incorporated into the control algorithm refinement.

In [3], the modeling and validation of a PLC-based control system is shown by using the behavior, interaction, and

priority (BIP) component framework. The authors propose a monitor for each of the properties being validated; then they integrate all the monitors in order to yield the global system for its simulation. If a requirement is violated, the corresponding monitor changes to an error state. This approach was applied to a real system where "errors" are present in the system's global design.

A formal verification method, based on the user's specifications, is presented in [4]. First, the system is modeled in the Unified Modeling Language (UML), and then it is transformed into a Petri net (PN) for its validation. The verification process is carried out with the Symbolic Model Checker tool (NuSMV), where the checker is based on the specifications and properties of the system, and temporal logic is used for defining the properties.

The system's specifications are divided into operating preconditions, operating behavior, exception conditions, exception behavior, and invariants. Temporal logic is the basis for sequencing the system states. All of the above introduces the concept of Reusable Automation Components (RAC) for a PLC scan, and the semantics for updating the state of the system signals: the system is considered valid if all of the behavior operations are successfully completed before the update and none of the operating preconditions are exception conditions, and, in addition, each exception behavior and each invariant must be successfully completed for each update [5].

In [6], the authors mention software for validating control algorithms developed in the Instruction List language; however, they consider such tools limited by being focused on theoretical attributes (security, liveness, and reachability). The authors' proposal is to develop an environment that enables the visual verification of the control algorithms through a 3D graphical environment of the system to be controlled, based on a mapping from the state of the physical inputs and outputs of the PLC-based system.

An approach to off-line verification and validation of control algorithms is presented in [7]. This proposal is based on the three-phase V&V method, which involves manual tests, model checking, and virtual commissioning against the system specifications. The authors consider that after these proofs are fulfilled, the code may be implemented in a PLC-based system.

Approaches focused on the detection and/or location of faults in control algorithms of PLC-based systems have also been proposed.

In [8], the authors present a new method that treats a sensor fault as a state variable in order to enforce fault diagnosis; it is based on building a model of the sensor fault into the state equation used to evaluate the control algorithm.

In [9], a diagnosis system for improving the reliability of PLC-based systems is proposed. The authors consider that system developers and programmers are not able to identify each fault that may occur in the system. Their approach, FDS-PLC (Fault Diagnosis System-Programmable Logic Controller), executes in "parallel" both the control system in the PLC and a diagnosis system based on a finite state machine, which runs on a personal computer connected to the PLC. The diagnosis approach proposes an initial state of the system based on the specifications; the state of the input signals is copied, the copied inputs are compared to those of the initial state, and if there is no correspondence to the specifications, a "fault or unknown status" is reported; otherwise, the system state is updated, and the reading of the input signals as well as the comparison of their state continues periodically.

In [10], it is considered that the main causes of faults in input signals are short circuit and open circuit due to damage of the connection lines from sensors to PLCs, faults in the mechanical contacts of switches, or damage in the electronic sensors. For the reliability of the input signals, the authors propose that the various sensors have high reliability and that the "causes" be removed in order to avoid short circuit, open circuit, or connection line faults to the PLC. The reliability of the input signal at the PLC production site can be estimated according to the control system characteristics, as well as the relationship between signals.

An example of a sequence in LD is considered in [11], showing the "vulnerability" of the control algorithm. The system opens a door with a sequence of pushing four pushbuttons, a sensor detecting the door state (closed-open), as well as a button to reset the system conditions. It is considered that by pushing all the buttons at the same time and in the same PLC scan the door would open, because the control algorithm is executed each cycle from left to right and from top to bottom. The proposal of pushing all the buttons at once is equivalent to the extreme case of a short circuit fault in all the input sensors of the PLC; however, for this example, the door would not open, since the control algorithm in the PLC is executed each cycle on the copy of the states of the input signals taken at the same "moment" (reading of the input signals in the scan). The Cadence SMV language is used for validating control algorithms developed in LD. The modeling basis is the conversion of the control algorithm in LD into AND, OR, and NOT logic.

The operation and states of sensors and actuators are continuously monitored through a Framework OPC Server connected to the PLC. A vector of normal operating values of the signals is compared to the real-time observed values; if a discrepancy exists, it is indicated through an alarm [12]. A fault condition can coincide with the corresponding state at that moment of the process, which would allow one more sequence in the process.

The use of real-time PN allows reading the states of process inputs and outputs, which are compared to predetermined values; if a difference exists, the information

will be treated with fuzzy PN in order to diagnose and find the root cause of the fault. For the state equation, an equalization is added between the mapping of the possible values of the set of inputs and outputs and the markings reachable from an initial marking [13].

Fig. 1 PLC-based control system

A general procedure for fault detection in PLC-based systems is presented in [14]. The authors consider some hardware and software problems for determining a generic fault, supported by the light indicators of the modules that make up the PLC. It is important to highlight that a better understanding of the system allows an effective and efficient solution of faults.

In general, as far as we know, the proposed validation approaches do not take into account the physical faults of short circuit and open circuit in the input subsystem (sensor-wiring-physical input module) of PLC-based systems. In the present work, the concept of validation proposed in [15] is adopted, which establishes that validation is "the process of evaluating a model, simulation, or federation of models and simulations throughout the development and execution process to determine how well it satisfies the acceptability criteria within the context of the referent; the process of determining the degree to which a model is an accurate representation of the problem space from the perspective of the intended uses of the model".

In this paper, we show the simulation of control algorithms considering the scan behavior of the PLC; in addition, a method is proposed for validating control algorithms developed in LD under fault conditions in the physical input subsystem of a PLC-based control system. The proposed validation has been evaluated on a real application control algorithm, and it has yielded safety results about which conditions must be included in the LD so that they cannot occur in case of fault.

This work is organized as follows. Sections 2 and 3 introduce concepts about PLC- and PN-based systems, respectively. Section 4 explains the short circuit and open circuit faults, the characterization of the signals in PN elements and their consideration in the incidence matrix, as well as the validation proposal for control algorithms developed in LD. Section 5 shows the validation in two real cases and the results obtained.

2 PLC-based control systems

A PLC is a "digitally operating electronic system, designed for use in an industrial environment, which uses a programmable memory for the internal storage of user-oriented instructions for implementing specific functions such as logic, sequencing, timing, counting and arithmetic, to control, through digital or analogue inputs and outputs, various types of machines or processes. Both the PLC and its associated peripherals are designed so that they can be easily integrated into an industrial control system and easily used in all their intended functions", and a PLC-based system is a "user-built configuration, consisting of a programmable controller and associated peripherals, that is necessary for the intended automated system. It consists of units interconnected by cables or plug-in connections for permanent installation and by cables or other means for portable and transportable peripherals" [16].

PLC-based systems for DES are characterized by having physical input signals coming from the process (sensors, switches, selectors, among others), connected to the PLC input modules. Based on the state of these signals, the control algorithm is executed, and its results are reflected in the physical output signal modules, which are connected to the process actuators (relays, contactors, electrovalves or solenoid valves, among others). Figure 1 shows a PLC-based control system.

2.1 Ladder diagram

LD is one of the five programming languages supported by the IEC-61131-3 standard for developing PLC control algorithms. LD is considered a graphical language whose functioning basis is the behavior of an electromechanical relay. In [17], it is defined as "modeling networks of simultaneously functioning electromechanical elements, such as relay contacts and coils, timers, counters, etc.".

A contact can be normally closed (NC) or normally open (NO). For a PLC-based system, a NO and/or NC contact may come from a mechanical or electrical sensor, which closes or opens the electrical circuit to the physical input module; the module detects the presence or absence of voltage as the state (0 or 1) of the corresponding variable. Both the voltage level and the signal type (direct or alternating) depend on the input module. Also, a NO and/or NC contact may be an internal memory signal that is linked to an internal coil. A physical input signal may be used as many times as necessary in the control algorithm through NO and/or NC contacts.

2.2 Scan of a program

The periodic or cyclic execution of a control algorithm is the operating basis of PLC-based systems. Figure 2 [18]

shows, in a general way, the scan of the control algorithm, highlighting the image of the states of the physical input signals with which the control algorithm is evaluated.

Fig. 2 Cyclic running of a PLC control algorithm

Ideally, during the evaluation time of the control algorithm within the scan period, a change in the state of the physical input signals does not affect the control execution until the new image of the input signal states is updated. This allows the control algorithm to be evaluated independently as a function of the possible states of the physical input signals.

3 Petri nets

PNs are a graphical and mathematical tool for modeling DES behavior. Following [19], Table 1 gives the formal definition of a PN in its basic form; its analysis tools are described subsequently.

As part of their formal definition, PNs offer tools for carrying out the analysis of the modeled system. Some of them are described next.

Table 1 Formal definition of a PN

A Petri net is a 5-tuple, PN = (P, T, F, W, M), where:
P = {p1, p2, ..., pm} is a finite set of places,
T = {t1, t2, ..., tn} is a finite set of transitions,
F ⊆ (P × T) ∪ (T × P) is a set of arcs,
W : F → {1, 2, 3, ...} is a weight function,
M0 : P → {0, 1, 2, ...} is an initial marking, and
P ∩ T = ∅ and P ∪ T ≠ ∅.

3.1 Coverability tree

The coverability tree allows finding the possible markings of a PN from an initial marking M0. The PN will have markings Mk depending on which transitions are enabled, which ones become enabled, and in which sequence each enabled transition is fired. The result of the firing sequence may be represented by means of a tree, where the root is the initial marking M0 and, depending on the firing sequence of the transitions, the tree branches with their respective new markings are generated [19].

3.2 Incidence matrix

In order to represent the dynamic behavior of a PN, the incidence matrix is used, which relates the weights of the input and output arcs from transitions to places and vice versa. For a PN with n transitions and m places, its incidence matrix A = [aij] is an n × m integer matrix representing the weights of the input and output arcs; aij+ is the weight of the output arc from transition i to place j, and aij− is the weight of the input arc from place j to transition i. Equation 1 shows how the incidence matrix values are obtained.

aij = aij+ − aij− (1)

3.3 State equation

The state equation gives the marking of a state in a sequence through the relationship between the marking of the preceding state Mk−1, the transpose of the incidence matrix A, and a firing vector uk that determines the firing sequence of the process. Equation 2 shows the relationship between them.

Mk = Mk−1 + A^T uk (2)

4 Simulation of control algorithms in LD with PN

In this section, we propose the mathematical equations to simulate the dynamic behavior of control algorithms developed in LD with PN.

4.1 Characterization of signals

LD is based on the behavior of an electromechanical relay, so it contains NO and NC contacts and coils. A signal (physical input and/or output, or memory) in an LD may have elements on several rungs. In [18], a signal distribution based on the relay behavior is proposed; that is to say, if the signal is activated, the NO contacts close and the

NC contacts open. Also, we consider the definition of the net LDPN (Ladder Diagram Red de Petri, i.e., Ladder Diagram Petri Net).

Table 2 Representation of a physical input by PN elements (columns: Signal; Contact distribution)

Table 2 shows the distribution of a physical input signal by employing PN elements, where Ii is a place representing a physical input signal, and Iio and Iic are places representing the NO and NC contacts of the signal, respectively. The use of the inhibitor arc allows only one of the transitions Ioi or Ici to be enabled, modeling the behavior that only one type of contact of the same signal can be activated in a scan. Such a distribution is analogous for the physical output signals Oo as well as for the internal memory Bb of the PLC. In general, the types of contacts of a signal are represented by Eqs. 3a–3f.

Iio = # NO contacts of physical input signals (3a)
Iic = # NC contacts of physical input signals (3b)
Ooo = # NO contacts of physical output signals (3c)
Ooc = # NC contacts of physical output signals (3d)
Bbo = # NO contacts of memory signals (3e)
Bbc = # NC contacts of memory signals (3f)

The signal distribution must fulfill the following characteristics:

1. The PN is binary: each place may hold at most one token, W : F → {0, 1}.
2. Only one transition, Ioi or Ici, of a signal may be activated at a time, and its marking fulfills Eqs. 4a–4c:

$M(I_i) = \begin{cases} 0 \\ 1 \end{cases} \text{ then } \begin{cases} M(I_{io}) = 0 \text{ and } M(I_{ic}) = 1 \\ M(I_{io}) = 1 \text{ and } M(I_{ic}) = 0 \end{cases}$ (4a)

$M(O_o) = \begin{cases} 0 \\ 1 \end{cases} \text{ then } \begin{cases} M(O_{oo}) = 0 \text{ and } M(O_{oc}) = 1 \\ M(O_{oo}) = 1 \text{ and } M(O_{oc}) = 0 \end{cases}$ (4b)

$M(B_b) = \begin{cases} 0 \\ 1 \end{cases} \text{ then } \begin{cases} M(B_{bo}) = 0 \text{ and } M(B_{bc}) = 1 \\ M(B_{bo}) = 1 \text{ and } M(B_{bc}) = 0 \end{cases}$ (4c)

5 Accumulation tokens problems

To address the token accumulation problem, this work proposes logical functions that enable the marking of places Oo and Bb. Equations 5a and 5b enable the marking of the output places Oo and Bb, respectively, when the input structure of the PN is logical AND; if the input structure of the PN is logical OR, then Eqs. 6a and 6b enable the marking of places Oo and Bb; however, if the input structure of the PN has both AND and OR logic, Eqs. 7a and 7b enable the marking of places Oo and Bb.

$O(t)_r^{\mathrm{AND}} = M(r_t) = 1 \ \text{AND}\ O(t)_r = 0$ (5a)

$B(t)_r^{\mathrm{AND}} = M(r_t) = 1 \ \text{AND}\ B(t)_r = 0$ (5b)

$O(t)_r^{\mathrm{OR}} = M(r_t) = 1 \ \text{AND}\ O(t)_r = 0$ (6a)

$B(t)_r^{\mathrm{OR}} = M(r_t) = 1 \ \text{AND}\ B(t)_r = 0$ (6b)

$O(t_q)^{\mathrm{ANDOR}} = \left(M(q_t)_{L_1} = 1\right), \ldots, \left(M(q_t)_{L_l} = 1\right) = 1 \ \text{AND}\ O(t_q) = 0$ (7a)

$B(t_q)^{\mathrm{ANDOR}} = \left(M(q_t)_{L_1} = 1\right), \ldots, \left(M(q_t)_{L_l} = 1\right) = 1 \ \text{AND}\ B(t_q) = 0$ (7b)

6 Reset places problems

Equations 4a–4b model the behavior of energizing or de-energizing the NO and/or NC contacts of a coil when the coil is

energized or de-energized in the control algorithm in LD.

To consume the token of the output places Oo and Bb in a PN structure, the marking of the input places and the logic type are considered. Equations 8a and 8b reset the output places Oo and Bb, respectively, with AND logic in the PN structure. If the PN structure is logical OR, then Eqs. 9a and 9b reset the output places Oo and Bb, respectively; however, Eqs. 10a and 10b reset the output places Oo and Bb, respectively, when the structure has both AND and OR logic.

$G(L^c)_r^{\mathrm{AND}} = M(r_t) = 0 \ \text{AND}\ O(t)_r = 1$ (8a)

$G(t)_r^{\mathrm{AND}} = M(r_t) = 1 \ \text{AND}\ B(t)_r = 0$ (8b)

$G(t)_r^{\mathrm{OR}} = M(r_t) = 0 \ \text{AND}\ O(t)_r = 1$ (9a)

$G(t)_r^{\mathrm{OR}} = M(r_t) = 0 \ \text{AND}\ B(t)_r = 1$ (9b)

$G(t_q)^{\mathrm{ANDOR}} = \left(M(q_t)_{L_1} = 1\right), \ldots, \left(M(q_t)_{L_l} = 1\right) = 0 \ \text{AND}\ O(t_q) = 1$ (10a)

$G(t_q)^{\mathrm{ANDOR}} = \left(M(q_t)_{L_1} = 1\right), \ldots, \left(M(q_t)_{L_l} = 1\right) = 0 \ \text{AND}\ B(t_q) = 1$ (10b)

7 Ordinary ladder diagram Petri net

The formal definition of the Ladder Diagram Petri Net is:

An ordinary LDPN is a 5-tuple (P, T, W, F, M0), where:

P = {I ∪ O ∪ B ∪ G} is a finite set of places, where:

I = {I1, I2, I3, ..., Ii} is a finite set of places that represent physical input signals, and by Eqs. 3a and 3b: I1 = I1o ∪ I1c, I2 = I2o ∪ I2c, I3 = I3o ∪ I3c, ..., Ii = Iio ∪ Iic are places that represent the NO and NC contacts of each physical input signal, whose marking is given by Eq. 4a.

O = {O1, O2, O3, ..., Oo} is a finite set of places that represent physical output signals, and by Eqs. 3c and 3d: O1 = O1o ∪ O1c, O2 = O2o ∪ O2c, O3 = O3o ∪ O3c, ..., Oo = Ooo ∪ Ooc are places that represent the NO and NC contacts of each physical output signal, whose marking is given by Eq. 4b.

B = {B1, B2, B3, ..., Bb} is a finite set of places that represent memory signals, and by Eqs. 3e and 3f: B1 = B1o ∪ B1c, B2 = B2o ∪ B2c, B3 = B3o ∪ B3c, ..., Bb = Bbo ∪ Bbc are places that represent the NO and NC contacts of each memory signal, whose marking is given by Eq. 4c.

G = {G(T1), G(T2), G(T3), ..., G(Tg)} is a finite set of places to reset output places, whose marking is given by Eqs. 8a, 8b, 9a, 9b, 10a and 10b.

T = $I^{c|o} \cup O^{c|o} \cup B^{c|o} \cup L \cup R$ is a finite set of transitions, where:

$I^{c|o} = \{I^{c|o}_1, I^{c|o}_2, \ldots, I^{c|o}_i\}$ is a finite set of transitions that have input places I, where $I^{c|o}_1 = I_{c1} \cup I_{o1}$, $I^{c|o}_2 = I_{c2} \cup I_{o2}$, $I^{c|o}_3 = I_{c3} \cup I_{o3}$, ..., $I^{c|o}_i = I_{ci} \cup I_{oi}$ are transitions with input places $I_{ic}$ and $I_{io}$ that represent NC and NO contacts, respectively.

$O^{c|o} = \{O^{c|o}_1, O^{c|o}_2, \ldots, O^{c|o}_o\}$ is a finite set of transitions that have input places O, where $O^{c|o}_1 = O_{c1} \cup O_{o1}$, $O^{c|o}_2 = O_{c2} \cup O_{o2}$, $O^{c|o}_3 = O_{c3} \cup O_{o3}$, ..., $O^{c|o}_o = O_{co} \cup O_{oo}$ are transitions with input places $O_{oc}$ and $O_{oo}$ that represent NC and NO contacts, respectively.

$B^{c|o} = \{B^{c|o}_1, B^{c|o}_2, \ldots, B^{c|o}_b\}$ is a finite set of transitions that have both input and output places B, where $B^{c|o}_1 = B_{c1} \cup B_{o1}$, $B^{c|o}_2 = B_{c2} \cup B_{o2}$, $B^{c|o}_3 = B_{c3} \cup B_{o3}$, ..., $B^{c|o}_b = B_{cb} \cup B_{ob}$ are transitions with input places $B_{bc}$ and $B_{bo}$ that represent NC and NO contacts, respectively.

L = {L1, L2, ..., Ll} is a finite set of auxiliary transitions that may have both input and output places I, O, and B.

R = {R1, R2, ..., Rr} is a finite set of transitions that have input place G, to reset output places.

F ⊆ (P × T) ∪ (T × P) is a set of arcs.

W : F → {1}; all arc weights are equal to 1, and

M0 : P → {0, 1} is the initial marking.

7.1 Marking of the LDPN

Equations 4a–4c for the characterization of signals, Eqs. 5a, 5b, 6a, 6b, 7a and 7b for the token accumulation problem, and Eqs. 8a, 8b, 9a, 9b, 10a and 10b for resetting output places should be evaluated after each evaluation Mk+1 of the state equation, in order to update the marking of the LDPN and simulate the dynamic behavior of the PLC-based system cycle. Figure 3 shows the relation between places and equations. The marking of the I places depends on the physical input signals (sensors).

The LDPN obtained from the control algorithm in LD is graphically ordinary, because all its arcs have unit weight and all its places can hold only one token per PLC scan. In the incidence matrix, the number of output places of the transitions of a physical input signal corresponds to its NO and/or NC contacts.

7.2 Rules for simulation of the LDPN

NC contacts allow energy flow in a control algorithm in LD; therefore, the places Iic, Ooc and Bbc hold an initial token. Adding to this marking a token in the places of the system protections, the

initial marking M0 of the LDPN is obtained. The next marking depends on the input places, which in turn depend on the activation or de-activation of the process sensors.

Fig. 3 Equations to simulate the LDPN

To describe and simulate the dynamic behavior of a control algorithm in LD through the LDPN, the following transition firing rules are considered:

a) A transition T = {Ic|o, Oc|o, Bc|o, L, R} is enabled if each input place P = (I, O, B, G) of T has a token, i.e., M(P) = W(P, T) = 1.
b) All enabled transitions should be fired in the same evaluation.
c) The LDPN is binary, so that one fired enabled transition T consumes the single token W(P, T) = 1 of each input place P of T, and puts one token W(T, P) = 1 in each output place P of T.
d) To update the marking of the LDPN, Eqs. 4a–4c should be considered to drain the tokens of the signal distribution (Iic|o, Ooc|o, Bbc|o), Eqs. 5a, 5b, 6a, 6b, 7a and 7b to resolve the token accumulation problem, and Eqs. 8a, 8b, 9a, 9b, 10a and 10b for the reset places problem.

7.3 Analysis of the incidence matrix for signal distribution

Based on the conditions described above, the inhibitor arc may be treated as an ordinary arc in the incidence matrix and in the state equation. The generalized incidence matrix for the signal distribution of Table 2 is shown in Eq. 11; it is analogous for the physical output signals O and the memory signals B.

$$a_{ij} = \begin{array}{c|ccccccccc} & I_i & I_{1o} & I_{2o} & \ldots & I_{ino} & I_{1c} & I_{2c} & \ldots & I_{inc} \\ \hline I_{oi} & -1 & 1 & 1 & \ldots & 1 & 0 & 0 & \ldots & 0 \\ I_{ci} & -1 & 0 & 0 & \ldots & 0 & 1 & 1 & \ldots & 1 \end{array} \quad (11)$$

where Iino and Iinc represent the number of NO and NC contacts of the signal Ii, which allows reducing the incidence matrix as shown in Eq. 12.

$$a_{rij} = \begin{array}{c|ccc} & I_i & I_{io} & I_{ic} \\ \hline I_{oi} & -1 & NO & 0 \\ I_{ci} & -1 & 0 & NC \end{array} \quad (12)$$

where i(o) = 0, 1, 2, ..., #NO and i(c) = 0, 1, 2, ..., #NC.

Graphically, the reduction is not possible, since each place Iino and Iinc is independent and is related to different transitions in the PN. Two or more places Iino and/or Iinc as inputs to the same transition are equivalent to having two NO and/or NC contacts of the same signal on the same rung, which is an inoperative redundancy.

The reduced incidence matrix arij can validate the control algorithm's behavior under short circuit and/or open circuit fault conditions in the input subsystem of the PLC-based control system. The following section describes the proposed validation algorithm.

8 Validation approach

For the design of control algorithms in LD, two types of specifications, formal and informal, are mainly considered. Formal specifications include the process safety and operation signals. Informal specifications are proposed by the designer, who analyzes the process and develops the corresponding control algorithm, to be tested later during commissioning of the production system. Therefore, the design of control algorithms in LD is carried out heuristically, based on the experience of the programmer or of the person responsible for the process control [20]. Figure 4 presents the context for the design of control algorithms in LD for DES.

Every system may present faults in its input subsystem, which includes the sensor-wiring-input module chain; the faults may be a short circuit or an open circuit on one signal. We consider that a risk condition is the unwanted actuation of one actuator in an industrial process. In the control algorithm, a risk condition is an energized coil that is connected to an actuator.

Fig. 4 Context to design control algorithms in LD
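As an added worked example (written for this edit, not code from the paper or its authors) of the validation idea in Section 8, the Python below encodes a small constructed rung, O1 = I1 (NO) AND I2 (NC), as an LDPN: the signal distribution of Table 2 with Eq. 4a fixes the contact places, the incidence matrix follows Eq. 1 and fires under the rules of Section 7.2 through the state equation (Eq. 2), and every input image in which at least one signal is short-circuited (read as 1, Section 8.1.1) or open-circuited (read as 0, Section 8.1.2) is enumerated, which gives the 4^NI − 2^NI fault options of Eq. 14; the images that leave the coil energized are the risk conditions just defined. The rung, the place and transition names and the fault labels "sc"/"oc" are assumptions of this example.

```python
from itertools import product

# Constructed rung (not one of the paper's case studies): coil O1 energizes when
# the NO contact of I1 is closed AND the NC contact of I2 is closed.
PLACES = ["I1o", "I1c", "I2o", "I2c", "O1"]
# L1 is the rung's auxiliary transition (set L of the LDPN definition): it consumes
# the contact places on the rung and puts a token in the coil place O1.
TRANSITIONS = {"L1": {"in": ["I1o", "I2c"], "out": ["O1"]}}
NI = 2  # number of physical input signals (I1, I2)


def incidence_matrix():
    """Eq. 1: a_ij = a_ij+ - a_ij-; rows are transitions, columns are places, all weights 1."""
    A = []
    for t in TRANSITIONS.values():
        row = [0] * len(PLACES)
        for p in t["in"]:
            row[PLACES.index(p)] -= 1   # input arc place -> transition
        for p in t["out"]:
            row[PLACES.index(p)] += 1   # output arc transition -> place
        A.append(row)
    return A


def contact_marking(effective):
    """Eq. 4a: a signal read as 1 marks its NO place, a signal read as 0 marks its NC place."""
    return (1, 0) if effective == 1 else (0, 1)


def effective_value(state):
    """Section 8.1: a short-circuited input reads 1 in every scan, an open-circuited one reads 0."""
    return {"sc": 1, "oc": 0}.get(state, state)


def initial_marking(inputs):
    """M0 for one scan image (values 0/1 or the fault labels 'sc'/'oc'); coil O1 starts de-energized."""
    m = []
    for s in inputs:
        m.extend(contact_marking(effective_value(s)))
    m.append(0)
    return m


def firing_vector(M):
    """Rules a and b (Section 7.2): every transition whose input places all hold a token fires."""
    return [1 if all(M[PLACES.index(p)] == 1 for p in t["in"]) else 0
            for t in TRANSITIONS.values()]


def next_marking(M, A, u):
    """Eq. 2 / Eq. 15: M_{k+1} = M_k + A^T u_k, written out as a plain-list product."""
    return [M[j] + sum(A[i][j] * u[i] for i in range(len(u))) for j in range(len(PLACES))]


def coil_energized(inputs):
    """One PLC scan: build the input image, fire the LDPN once, report whether O1 holds a token."""
    A = incidence_matrix()
    M0 = initial_marking(inputs)
    M1 = next_marking(M0, A, firing_vector(M0))
    return M1[PLACES.index("O1")] == 1


def fault_markings(n_inputs):
    """Eq. 14: each input is 0, 1, 'sc' or 'oc'; the 2^NI images with no fault at all are dropped."""
    combos = product([0, 1, "sc", "oc"], repeat=n_inputs)
    return [c for c in combos if any(s in ("sc", "oc") for s in c)]


def risk_conditions(n_inputs):
    """Fault images that energize the coil: each one is a risk condition the LD must guard against."""
    return [c for c in fault_markings(n_inputs) if coil_energized(c)]


if __name__ == "__main__":
    print("fault images:", len(fault_markings(NI)), "= 4^NI - 2^NI =", 4 ** NI - 2 ** NI)
    for image in risk_conditions(NI):
        print("O1 energized under fault image", image)
```

For this rung the three risk images are (1, oc), (sc, 0) and (sc, oc): an open circuit on the NC-guarding input I2 alone is enough to energize the actuator, which is exactly the kind of condition the paper proposes to detect before commissioning.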



The proposed approach includes both failures in two situations: independent faults, and combinations of faults in the input signals. The LDPN is evaluated with a fault marking; if there is a token in any output place Oo, it will be necessary to verify the fault condition that originates it and decide whether it should be considered in the control algorithm.

In PLC-based systems, sensors and their connections to input modules, and output modules and their connections to actuators, can mainly present two fault types, which are analyzed in the following section.

8.1 Physical failures in PLC-based control systems

Regardless of the operating principle of sensors and actuators, the sensor-wiring-physical input module and physical output module-wiring-actuator subsystems may present two types of faults, short circuit or open circuit, for each of the sensors and/or actuators of the process.

8.1.1 Short circuit fault

A short circuit fault at the input subsystem may occur at a sensor, at the wiring, or at one of the input module sections. The fault causes the corresponding physical input signal to remain activated for the control algorithm; that is to say, in each scan of the PLC, the short-circuited signal will always be 1 for its NO contacts and 0 for its NC contacts.

In case the fault occurs at the output subsystem, if the fault is at the wiring, then the actuators would not energize and the fault produces an overload at the corresponding output of the module; however, if the short circuit is in an output module section, then the faulty output would always be active, and consequently so would the corresponding actuator. Figure 5 shows the short circuit fault for both cases.

Fig. 5 Short circuit fault in subsystems of (a) inputs and (b) outputs physical signals

8.1.2 Open circuit fault

An open circuit fault at the input subsystem may also occur at a sensor, at the wiring, or at one of the input module sections, causing the corresponding physical input signal to remain disabled for the control algorithm, so that the NO contacts will always be open and the NC contacts always closed.

In the case of an open circuit fault at the output subsystem, regardless of where it occurs (output module section, wiring, or actuator), the corresponding action in the process will never be accomplished, since the actuator will never energize. Figure 6 shows the open circuit fault for both cases.

Fig. 6 Open circuit fault in subsystems of (a) inputs and (b) outputs physical signals

Based on the described analysis of the effects of the faults, it may be determined that the effect on the behavior of the control algorithm (not on the process) is mainly due to the input subsystem, for both fault conditions. Thus, the present research proposes the validation of control algorithms considering only short-circuit and open-circuit faults at the input subsystem of the PLC.

8.2 Validation of control algorithms

A control algorithm has N physical inputs, which may present an open circuit and/or short circuit fault. An input signal can only present one fault at a time. Several signals may present the same fault at a time, or some may be shorted and the remaining ones open-circuited. Equation 13 determines the number of fault possibilities Ft that may occur at the input subsystem of the PLC-based control, considering that the operating signal or signals may have the value 1 for active signals and 0 for non-active ones.

$$F_t = \left[(2^{NI})\, n\right] + \sum_{1}^{n-1} 2^{NI} \quad (13)$$

where n = 1, 2, ..., NI and NI = number of physical input signals.

However, if it is considered that either the short circuit or the open circuit fault may be present in the input
Int J Adv Manuf Technol (2017) 88:1393–1405 1401

signals, regardless the state it has, then the possible fault process programmer. The flowchart in Fig. 6 shows the
combination is incremented, as shown in Eq. 14. markings generation in terms of LDPN, considering the
possible fault conditions of short circuit (sc) and/or open
circuit (oc) of the physical input signals of a PLC-based
F t = 4NI − 2NI (14)
system.
Each fault option is a situation to evaluate. Consider- The initial markings of the physical output signals
ing MF t k as an initial marking, by using the state equation M0 [O] and of memory M0 [B] are not affected and should
of PN a marking in fault condition MF t k+1 is obtained be considered together with each of the fault markings Ft
(Eq. 15), with which a set of markings in fault conditions for the system global evaluation.
MF t can be generated. The next section is analyzed an example to show the
efficiency of the approach proposed.
MF t k+1 = MF t k + arijT ∗ uk (15)
where arij is the reduced incidence matrix, and uk is the 9 Case study 1: carwash system
firing vector, whit k = 1, 2, ..., F t.
From the formal operating specifications of control algo- From [21], it is taken the example of an automatic control
rithms, of their periodic execution, and of their evaluation for a carwash train, as shown in Figs. 7 and 8. The system is
with the image of the states of physical input signals, the composed of:
valid markings Mv of system operation can be obtained
by using the coverability tree. If a marking Mv is within a) Reversible main motor, for moving the washing
the set MF t , this must be excluded from the validation machine along the rail. MP1 for displacement from
in fault conditions. For the validation, it should be veri- right to left, and MP2 vice versa.
fied if the PNs places have mark and the fault conditions b) Brush motor (MC), for car washing.
causing it, that is to say, which sensors are shorted, and c) Fan motor (MV), for car drying.
which ones are open-circuited; if this is a risk condition, d) Electro-valve (XV), for wash liquid applying.
it should be included line or lines of control in the algo- e) Presence sensor (S3), for car detecting.
rithm in order to prevent that combination of faults arises f) Limit switches (S1 and S2), for stopping the machine
in system operation. It is noteworthy that, in the proposal, at the rail endings.
the risk condition and its corresponding proposed solu- g) Two pushbuttons (M and P), for machine starting and
tion are based on the proficiency and knowledge of the stopping.

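The fault-enumeration and marking-generation procedure of Sects. 8.1 and 8.2, as an added Python example that is not part of the original paper: it checks Eqs. 13 and 14 numerically, builds the input image under the sc/oc contact rules of Sect. 8.1, applies the state equation of Eq. 15 for one scan, and flags fault markings outside $M_v$ in the manner of the risk matrix of the case study below. The two-rung net, its places I0, I1, I2, O0, O1, the hazard rule (both motor outputs energized) and the operating specification (limit switches never active together) are constructed for illustration and are not the carwash net of Fig. 9.

```python
from itertools import product

FAULTS = ("sc", "oc")   # short circuit / open circuit of an input signal (Sect. 8.1)

def fault_count_eq13(ni):
    """Eq. 13: F_t = sum_{n=1}^{NI-1} (2 NI) n + 2^NI  (132 for NI = 5)."""
    return sum(2 * ni * n for n in range(1, ni)) + 2 ** ni

def fault_count_eq14(ni):
    """Eq. 14: F_t = 4^NI - 2^NI; each input may be 0, 1, sc or oc, and the
    2^NI fault-free combinations are discounted (992 for NI = 5)."""
    return 4 ** ni - 2 ** ni

def fault_combinations(ni):
    """Enumerate the combinations counted by Eq. 14 (at least one input in fault)."""
    return [c for c in product(("0", "1") + FAULTS, repeat=ni)
            if any(s in FAULTS for s in c)]

def input_image(combo, nc_inputs=()):
    """Input image of one scan: sc reads 1 on NO contacts and 0 on NC, oc the opposite."""
    return [int((s == "sc") != (i in nc_inputs)) if s in FAULTS else int(s)
            for i, s in enumerate(combo)]

# Constructed two-rung net (NOT the carwash net of Fig. 9): places I0, I1, I2, O0, O1.
# t0 models the rung "I0 AND I1 -> O0", t1 the rung "I0 AND I2 -> O1"; the input
# places are read through self-loops, so their tokens survive the scan.
PRE = [[1, 1, 0, 0, 0], [1, 0, 1, 0, 0]]     # tokens required by t0, t1
POST = [[1, 1, 0, 1, 0], [1, 0, 1, 0, 1]]    # tokens produced by t0, t1
A_R = [[o - p for o, p in zip(post, pre)] for post, pre in zip(POST, PRE)]  # a_rij

def scan(img, m0_out=(0, 0), pre=PRE, a_r=A_R):
    """Eq. 15, M_{k+1} = M_k + a_r^T u_k, for one scan: the firing vector u_k
    fires every transition whose pre-places are marked."""
    m = list(img) + list(m0_out)
    u = [int(all(m[p] >= w for p, w in enumerate(row))) for row in pre]
    return tuple(m[p] + sum(a_r[t][p] * u[t] for t in range(len(u)))
                 for p in range(len(m)))

def valid_markings():
    """M_v: markings reached with healthy inputs under the constructed operating
    specification that the limit switches I1 and I2 are never active together."""
    return {scan(img) for img in product((0, 1), repeat=3) if not (img[1] and img[2])}

def risk_conditions():
    """Fault markings outside M_v that energize both motor outputs O0 and O1."""
    mv = valid_markings()
    found = {c: scan(input_image(c)) for c in fault_combinations(3)}
    return [(c, m) for c, m in found.items() if m not in mv and m[3:] == (1, 1)]
```

Each entry returned by risk_conditions pairs a fault combination (for instance I1 and I2 both shorted while I0 is active) with the marking it produces, which is the information the programmer needs to add the protective rung described above.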
Fig. 7 Carwash system


Fig. 8 Control algorithm of the carwash system

The formal specifications of the machine are:

1. The initial state of the machine is at the right limit (S2 activated),
2. With a car in washing position (S3 activated), the pushbutton M is pressed to start operation,
3. The machine must accomplish a go-and-back trip with the electro-valve XV and the brush motor MC in operation,
4. When the machine goes back to the right limit (S2 is activated again), it must accomplish another go-and-back trip in which only the fan motor MV is running. After this trip, the machine stays in its initial state,
5. If the stop pushbutton P is activated, the machine must automatically go back to its initial position.

Table 3 shows the variable assignment for the physical input and output signals of the washing system. The variables of the LDPN definition are included.

Table 3 Addressing of physical input and output signals

Signal   Address   Description                LDPN
S1       E0.0      left limit switch          I0
S2       E0.1      right limit switch         I1
S3       E0.2      vehicle detection sensor   I2
M        E0.3      start pushbutton           I3
P        E0.4      stop pushbutton            I4
MP1      A1.0      main engine left turn      O0
MP2      A1.1      main engine right turn     O1
MV       A1.2      drying fan                 O2
MC       A1.3      engine of the brushes      O3
XV       A1.4      solenoid of the atomizer   O4

The carwash system has five physical input signals, so that, based on Eq. 13, the number of possible faults is $F_t = 132$, and by Eq. 14 it would be $F_t = 992$. These combinations, when added to the initial markings $M_0$ of the places $B_b$ and $O_o$, are the fault markings $M_{F_t}$ to be evaluated. At initial conditions the carwash system only has a mark in the place $I_1$, corresponding to sensor S2 activated, indicating that the machine is at the right limit. Based on the LDPN transformation approach, the corresponding net of the control algorithm of the carwash system is obtained, as Fig. 9 shows, from which the reduced incidence matrix $a_{rij}$ of the system can be

Fig. 9 LDPN control algorithm of carwash system

obtained, which is not presented for reasons of size and space.

Based on the results of the fault conditions evaluation, the matrix in Eq. 16 shows the risk conditions. The open circuit fault does not generate a marking at the places $O_o$ of the system output.

$$
\begin{bmatrix}
I_0 & I_1 & I_2 & I_3 & I_4 & \ldots & O_0 & O_1 & O_2 & O_3 & O_4 \\
0/1 & 0/1 & 0/1 & 0/1 & sc & \ldots & 0 & 1 & 0 & 0 & 0 \\
sc & 0/1 & 0/1 & 0/1 & sc & \ldots & 0 & 1 & 0 & 0 & 0 \\
0/1 & 0/1 & sc & 0/1 & sc & \ldots & 0 & 1 & 0 & 0 & 0 \\
0/1 & 0/1 & 0/1 & sc & sc & \ldots & 0 & 1 & 0 & 0 & 0 \\
sc & sc & 0/1 & 0/1 & sc & \ldots & 0 & 1 & 0 & 0 & 0 \\
sc & 0/1 & 0/1 & sc & sc & \ldots & 0 & 1 & 0 & 0 & 0 \\
sc & 0/1 & sc & sc & sc & \ldots & 0 & 1 & 0 & 0 & 0 \\
sc & sc & sc & sc & 0/1 & \ldots & 1 & 0 & 0 & 1 & 1
\end{bmatrix} \qquad (16)
$$

where sc represents the short circuit fault. It can be observed that the place $I_4$, regardless of whether other places have a mark either by fault or by normal system operation, sets a mark in the place $O_1$, corresponding to actuating the motor MP2, which moves the machine toward the right side; this is a hazardous condition both for people and for the system. The stop signal P must completely stop the machine and not start the motor toward the right side, which will not stop if S2 has a short circuit fault.

Furthermore, if the places $I_0$, $I_1$, $I_2$ and $I_3$ are in short circuit fault, a mark will be placed at the output places $O_0$, $O_3$, and $O_4$, corresponding to actuating the motor MP1, which moves the machine toward the left side, as well as the brush motor MC and the energizing of the electro-valve XV; this is also a hazardous condition both for people and for the system.

10 Conclusions

Having control algorithms that are safe for people as well as for the industrial machines or processes still remains a problem addressed by researchers from universities and from the research centers of proprietary firms related to the development of PLCs and their programming interfaces. The semantics and syntax of the interfaces cover the security aspects so that the control algorithm is executed on the PLC; however, up-to-date and experienced knowledge on the part of those responsible for designing the control algorithms remains indispensable in order to ensure the safety of the processes.

The validation proposal allows evaluating the behavior of the control algorithm under possible fault conditions of short circuit and/or open circuit in the physical input signals (sensors) in order to determine risk and/or danger conditions that may occur in the industrial process, and thus take the appropriate security measures before their implementation, or even if these are already implemented on the PLC-based systems.

As far as we know, the validation of control algorithms is mainly carried out based on theoretical concepts such as liveness and coverability, among others. The presented validation approach is based on the possibility that real faults (short circuit and/or open circuit) occur at the subsystem sensor-wiring-input module of PLC-based systems, which allows predicting risk or danger conditions in industrial machines and processes.

Furthermore, it is important to evaluate the formal specifications of the processes in order to take security measures under fault conditions of the physical input signals, even though this could represent an additional cost due to having to consider more sensors.

References

1. International Electrotechnical Commission IEC61131-3 (2003) Programmable Controllers: Programming Languages, International standard, second edition
2. Barbosa H, Déharbe D (2012) Formal verification of PLC programs using the B method, Lecture Notes Computer Science, vol 7316, pp 353–356
3. Wang R, Zhou M, Yin L, Zhang L, Sun J, Ming G (2012) Modeling and validation of PLC-controlled systems: a case study. In: IEEE 6th international symposium on theoretical aspects of software engineering, pp 161–166
4. Grobelna I, Grobelny M, Adamski M (2010) Petri nets and activity diagrams in logic controller specification - transformation and verification. In: 607–612
5. Ljungkrantz O, Akesson K, Fabian M, Yuan C (2010) Formal specification and verification of industrial control logic components. IEEE Trans Autom Sci Eng 7(3):538–548
6. Park SC, Park CM, Wang G (2008) PLCStudio: simulation based PLC code verification. In: Winter simulation conference, pp 222–228
7. Thapa D, Park CM, Dangol S, Wang G (2006) III-phase verification and validation of IEC standard programmable logic controller. In: International conference on computational intelligence for modelling control and automation, and international conference on intelligent agents, web technologies and internet commerce
8. Hou Y, Cheng Q, Qiu A, Jin Y (2015) A new method of sensor fault diagnosis for under-measurement system based on space geometry approach. Int J Control Autom Syst 13(1):39–44
9. Bao J, Wu H, Yan Y (2014) A fault diagnosis system-PLC design for system reliability improvement. Int J Adv Manuf Technol
10. Huai L, Cheng C (2013) Reliability design of PLC-based control system. In: IEEE 9th international conference on natural computation, pp 1671–1675
11. Kuzmin EV, Sokolov VA (2013) On construction and verification of PLC programs. Autom Control Comput Sci 47(7):443–451
12. Qin S, Wang G (2012) A study of fault detection and diagnosis for PLC controlled manufacturing system. In: IEEE international conference semantic computing, Part I, pp 373–382
13. Wu Z, Hsieh S (2012) A realtime fuzzy Petri net diagnoser for detecting progressive faults in PLC based discrete manufacturing system. Int J Adv Manuf Technol 61:405–421
14. Malik AH, Mehmood T, Choudhry MA, Hanif A (2010) A generic procedure for troubleshooting of PLC based control systems. In: IEEE 11th international conference control, automation, robotics and vision, pp 732–737
15. IEEE Recommended Practice for Validation of Computational Electromagnetics Computer Modeling and Simulations, IEEE Std 1597.2-2010, pp 1–124 (2011)
16. International Electrotechnical Commission IEC61131-1 (2003) General Information, International standard, second edition
17. International Electrotechnical Commission IEC61131-8: Programmable Controllers (2003) Guidelines for the application and implementation of programming languages, International standard, second edition
18. Quezada JC, Medina J, Flores E, Seck Tuoh JC, Hernández N (2014) Formal design methodology for transforming ladder diagram to Petri nets. Int J Adv Manuf Technol 73:821–836
19. Murata T (1989) Petri nets: properties, analysis and applications. Proc IEEE 77(4):541–580
20. Lee J, Lee JS (2009) Conversion of ladder diagram to petri net using module synthesis technique. Int J Model Simul 29(1)
21. Mandado E, Acevedo JM, Fernández C, Armesto JI Autómatas Programables y Sistemas de Automatización, second edition, Alfaomega, ISBN: 978-607-7686-73-6
Reproduced with permission of copyright owner. Further reproduction
prohibited without permission.
