13.1.1 Flowcharts and Pseudocode

Figure 13.1a shows the symbols used in flowcharts. Each step of an algorithm is represented by one or more of these symbols and linked by lines to represent the program flow (Figure 13.1b). Pseudocode is a way of describing the steps in an algorithm in an informal way.

Consider how the following program operations can be represented by flowcharts and pseudocode and then programmed using ladder and sequential function chart programming:

• Sequential. Consider a sequence in which event A has to be followed by event B. Figure 13.2a shows how this can be represented by a flowchart. In pseudocode this is written as:

BEGIN A
 DO A
END A
BEGIN B
 DO B
END B

A sequence can be translated into a ladder program in the way shown in Figure 13.2b. When the start input occurs, output A happens. When action A happens, it operates the output A relay and results in output B occurring. Figure 13.2c shows the sequential function chart representation of a sequence.

• Conditional. Figure 13.3a shows the flowchart for when A or B is to happen if a particular condition X being YES or NO occurs. The pseudocode to describe this situation involves the words IF-THEN-ELSE-ENDIF.

IF X
THEN
 BEGIN A
 DO A
 END A
ELSE
 BEGIN B
 DO B
 END B
ENDIF X

Such a condition can be represented by the ladder diagram shown in Figure 13.3b. When the start input occurs, the output will be A if there is an input to X; otherwise the output is B. Figure 13.3c shows the sequential function chart for such selective branching.

• Looping. A loop is a repetition of some element of a program that is repeated as long as some condition prevails. Figure 13.4a shows how this repetition can be represented by a flowchart. As long as condition X is realized, sequence A followed by B occurs and is repeated. When X is no longer realized, the program continues and the looping through A and B ceases. In pseudocode, this can be represented using the words WHILE-DO-ENDWHILE:

WHILE X
 BEGIN A
 DO A
 END A
 BEGIN B
 DO B
 END B
ENDWHILE X

Figure 13.4b shows how this idea can be represented by a ladder diagram with an internal relay. Figure 13.4c shows the sequential flowchart.

Where a loop has to be repeated a particular number of times, a counter can be used, receiving an input pulse each time a loop occurs and switching out of the loop sequence when the required number of loops has been completed (Figure 13.5).

13.2.1 PLC Systems and Safety

Safety must be a priority in the design of a PLC system. Thus, emergency stop buttons and safety guard switches must be hardwired and not depend on the PLC software for implementation, so that, in a situation where there is a failure of the stop switch or PLC, the system is automatically safe. The system must be fail-safe. Thus if failure occurs, the outputs must revert to a fail-safe mode so that no harm can come to anyone. For example, the guards on a machine must not be open or be capable of being opened if the PLC fails.

With a PLC system, a stop signal can be provided by a switch as shown in Figure 13.6. This arrangement is unsafe as an emergency stop because if there is a fault and the switch cannot be operated, then no stop signal can be provided. Thus to start we momentarily close the push-button start switch and the motor control internal relay then latches this closure and the output remains on. To stop we have to momentarily open the stop switch; this unlatches the start switch. However, if the stop switch cannot be operated, we cannot stop the system. What we require is a system that will still stop if a failure occurs in the stop switch.

We can achieve this by the arrangement shown in Figure 13.7. The program has the stop switch as open contacts. However, because the hardwired stop switch has normally closed contacts, the program has the signal to close the program contacts. Pressing the stop switch opens the program contacts and stops the system.

For a safe emergency stop system, we need one that will provide a stop signal if there is a fault and the switch cannot be operated. Because there might be problems with a PLC, we also need the emergency stop to operate independently of the PLC. Putting the emergency stop in the input to the PLC gives an unsafe system (Figure 13.8).

Figure 13.9 shows a safer system where the emergency stop switch is hardwired in the output. Pressing the emergency stop button switch stops, say, a running motor. When we release the stop button, the motor will not restart again, because the internal relay contacts have come unlatched.

13.2.2 Emergency Stop Relays

Emergency stop relays are widely used for emergency stop arrangements, such as the PNOZ p1p from Pilz GmbH & Co. This device has LEDs for indicating the status of input and output circuits, the reset circuit and power supply, and faults. However, the base unit can be connected via an interface module so that its status can be read by a PLC. This interface isolates the output from the emergency stop relay from the signal conditioning and input to the PLC by means of optoisolators (refer back to Figure 1.8). Thus, though the emergency stop operates independently of the PLC, it can provide signals that a PLC can use to, say, initiate safe closing-down procedures. Figure 13.10 illustrates this idea.

A simple emergency stop relay in which operation of the emergency stop button breaks the control circuit to the relay, causing it to deenergize and switch off the power (Figure 13.11a), has the problem that if the relay contacts weld together, the emergency stop will not operate. This can be overcome using a dual-channel mode of operation in which there are two normally closed contacts in series and both are broken by the action of the relay deenergizing (Figure 13.11b). Safety can be increased yet further if three contacts in series are used, one using normally closed contacts and the others normally open contacts. Then one set of contacts has to be deenergized and the other two energized.

13.2.3 Safety Functions

In designing control systems, it is essential that personnel are prevented from coming into contact with machinery while it is active. This might involve:

• Two-handed engaging so that both hands must be on switches all the time and the machine will switch off if only one of the switches is being engaged.

• Protective door monitoring to prevent access to a machine while it is operating. This can be achieved by the use of safety interlocks such as doors and gates. Limit switches positioned on door and gate latches can be used so that when the door or gate is unlatched, the limit switch is opened and closes down the machinery. However, it is relatively simple for operatives to defeat such limit switches by sticking a device such as a screwdriver in the contacts to force a machine to operate. More sophisticated safety interlocks have thus been devised, such as proximity switches and key locks.

• Light curtains to prevent any person getting close to machinery. A danger zone, such as a packaging machine, can use infrared beams to protect people from getting too close. If a light beam is broken, it immediately triggers a safe shutdown command.

• Safety mats are another way of detecting when someone is too close to a machine. They are placed round a machine and when someone steps on the mat, a contact is closed, causing the machine to stop.

• Emergency stop relays, to enable machinery to be stopped in the event of an emergency (see Section 13.2.2).

Thus a safe-operating system for a work cell might use gated entry systems, such as guards on machines that activate stop relays if they are not in place, light curtains, and emergency stop relays.

13.2.4 Safety PLCs

Safety PLCs are specially designed to enable safety functions to be realized. In a safety PLC there can be two or three microprocessors that perform exactly the same logic, check against each other, and give outputs only if there is agreement. One method that is used is a two-channel system with two identical subsystems that communicate with each other via a fiber-optic cable link. The inputs from the sensors are fed simultaneously to both subsystems. During operation, data is passed between the two subsystems via the fiber-optic cable. They operate in synchronism with the same program and compare input and output signals, the results of logic operations, counters, and the like, and automatically go into a safe-stop condition if there are different outputs or internal faults or failures. For safety-related digital outputs, actuators are switched on or off from both subsystems. This means that one subsystem alone can shut down equipment.

13.3.1 Testing Inputs and Outputs

Input devices, such as switches, can be manipulated to give the open and closed contact conditions and the corresponding LED on the input module observed. It should be illuminated when the input is closed and not illuminated when it is open. Failure of an LED to illuminate could be because the input device is not correctly operating, there are incorrect wiring connections to the input module, the input device is not correctly powered, or the LED or input module is defective. For output devices that can be safely started, push buttons might have been installed so that each output could be tested.

Another method that can be used to test inputs and outputs is forcing. This involves software, rather than mechanical switching on or off, being used with instructions from the display on the screen being used to turn off or on inputs/outputs. Forcing thus overwrites an input or output condition. This permits the operation of inputs and outputs to be tested, also whether the inputs and outputs are correctly wired to the PLC.

For example, with the Siemens S7-1200 system, under the Watch and Force menu, the Force Table entry is clicked and then the address of the item being forced is entered and then the Force value of TRUE or FALSE. With the Mitsubishi FX PLC keys are pressed to select the Forced I/O facility and within the resulting Set/Reset window the Input/Output address to be forced is entered and the value of on or off entered. Thus an output or an input is forced to the selected forced value and the consequences of that action observed. Figure 13.12(a) illustrates this when an output Q0.1 is forced on. As a consequence output Q0.3 is switched on. Figure 13.12(b) shows the effects of an input I0.1 being forced on. Forcing can only be stopped by clicking the Stop Forcing icon or using a stop forcing instruction. Figure 13.13 shows how forcing can be used with a sequential function chart program. A transition can be forced and will override the conditions of the transition each time the program reaches that transition. If a transition is forced in a simultaneous branch to be false (Figure 13.13(a)) the program stays in that branch as long as the forcing is active, being prevented from reaching the last step of that branch. Another forcing option is to force a simultaneous path (Figure 13.13(b)). This prevents the execution of a path and thus one or more paths of a simultaneous branch. Great care and precautions must be taken during the use of forcing because arbitrary inputs and outputs are being assigned to the process. As a consequence it can damage machinery or harm people also when forcing is removed items may still be left in the forced state.

13.3.2 Testing Software

Most PLCs contain some software-checking program. This checks through the installed program for incorrect device addresses and provides a list on a screen or as a printout of all the input/output points used, counter and timer settings, and so on, with any errors detected. For example, there might be a message that an output address is being used more than once in a program, a timer or counter is being used without a preset value, a counter is being used without a reset, or the like.

13.3.3 Simulation

Many PLCs are fitted with a simulation unit that reads and writes information directly into the input/output memory and so simulates the actions of the inputs and outputs. The installed program can thus be run and inputs and outputs simulated so that they, and all preset values, can be checked. To carry out this type of operation, the terminal has to be placed in the correct mode. For Mitsubishi this is termed the monitor mode, for Siemens the test mode, and for Telemecanique the debug mode.

With a Mitsubishi in monitor mode, Figure 13.14 shows how inputs appear when open and closed and how output looks when not energized and energized. The display shows a selected part of the ladder program and what happens as the program proceeds. Thus at some stage in a program the screen might appear in the form shown in Figure 13.15a. For rung 12, with inputs to X400, X401, and X402 but not M100, there is no output from Y430. For rung 13, the timer T450 contacts are closed, the display at the bottom of the screen indicating that there is no time left to run on T450. Because Y430 is not energized, the Y430 contacts are open, so there is no output from Y431. If we now force an input to M100, the screen display changes to that shown in Figure 13.5b. Now Y430, and consequently Y431, come on.

13.4.1 Fault Detection Techniques

The following are some common fault detection techniques:

• Timing checks. The term watchdog is used for a timing check that is carried out by the PLC to check that some function has been carried out within the normal time. If the function is not carried out within the normal time, a fault is assumed to have occurred and the watchdog timer trips, setting off an alarm and perhaps closing down the PLC. As part of the internal diagnostics of PLCs, watchdog timers are used to detect faults. The watchdog timer is preset to a time slightly longer than the scan time would normally be. It is then set at the beginning of each program scan and, if the cycle time is normal, it does not time out and is reset at the end of a cycle, ready for the next cycle. However, if the cycle time is longer than it would normally be, the watchdog timer times out and indicates that the system has a fault.
Within a program, additional ladder rungs are often included so that when a function starts, a timer is started. If the function is completed before the time runs out, the program continues, but if not, the program uses the jump command to move to a special set of rungs, which triggers an alarm and perhaps stops the system. Figure 13.16 shows an example of a watchdog timer that might be used with the movement of a piston in a cylinder. When the start switch is closed, the solenoid of a valve is energized and causes the piston in the cylinder to start moving. It also starts the timer. When the piston is fully extended, it opens a limit switch and stops the timer. If the time taken for the piston to move and switch off the timer is greater than the preset value used for the timer, the timer sets off the alarm.

• Last output set. This technique involves the use of status lamps to indicate the last output that has been set during a process that has come to a halt. Such lamps are built into the program so that as each output occurs, a lamp comes on. The lamps that are on thus indicate which outputs are occurring. The program has to be designed to turn off previous status lamps and turn on a new status lamp as each new output is turned on. Figure 13.17 illustrates this concept.
Such a technique can be cumbersome in a large system with many outputs. In such a case, the outputs might be grouped into sets and a status lamp used for each set. A selector switch can then be used within a group to select each output in turn to determine whether it is on. Figure 13.18 illustrates this idea.
As an illustration of the use of this program to indicate which action occurred last, Figure 13.19 shows the program that might be used with a pneumatic system operating cylinders in a sequence. The program indicates at which point in the sequence a fault occurred, such as a piston sticking, and would be added to the main program used to sequence the cylinders. Each of the cylinder movements has a light-emitting diode associated with it, with the last cylinder movement indicated by its LED being illuminated.

• Replication. Where there is concern regarding safety in the case of a fault developing, checks may be constantly used to detect faults. One technique is replication checks, which involve duplicating, that is, replicating, the PLC system. This could mean that the system repeats every operation twice and, if it gets the same result, it is assumed that there is no fault. This procedure can detect transient faults. A more expensive alternative is to have duplicate PLC systems and compare the results given by the two systems. In the absence of a fault, the two results should be the same.

• Expected value checks. Software errors can be detected by checking whether an expected value is obtained when a specific input occurs. If the expected value is not obtained, a fault is assumed to be occurring.

13.4.2 Program Storage

Applications programs may be loaded into battery-backed RAM in a PLC. A failure of the battery supply means a complete loss of the stored programs. An alternative to storing applications programs in battery-backed RAM is to use EPROM. This form of memory is secure against the loss of power. Against the possibility of memory failure occurring in the PLC and loss of the stored application program, a backup copy of each application program should be kept. If the program has been developed using a computer, the backup may be on a CD or a hard disk. Otherwise the backup may be on an EPROM cartridge. The program can then again be downloaded into the PLC without it having to be rewritten.

13.5.1 Example of an Industrial Program

The following is an example of the way a program might appear for a real plant controlled by an Allen-Bradley PLC5; I am grateful to Andrew Parr for supplying it. It illustrates the way a program file is documented to aid in clarification and the safety and fault indication procedures that are used. Note that the right-hand power rail has been omitted, which is allowable in IEC 61131-3.

The program is one of about 40 program files in the complete program, each file controlling one area of operation and separated by a page break from the next file. The file that follows controls a bundle-cutting band saw and involves motor controls, desk lamps, and a small state transition sequence.

Note the rung cross-references, such as [38], below B3/497 in rung 2. These are used to show that B3/497 originates, for example, in rung 38 in the current program file. Also note that all instructions are tagged with descriptions and the file is broken down into page sections. The software allows you to go straight to a function via the page titles.

All the motor starter rungs work in the same way. The PLC energizes the contactor and then one second later looks for the auxiliary relay (labeled as Aux in the program file) coming back to say the contactor has energized. If there is a fault that causes the contactor to deenergize, such as a loss of supply, or a trip or open circuit coil, it causes the PLC to signal a fault and deenergize the contactor output so that the machine does not spring into life when the fault is cleared.

The saw normally sits raised clear of the bundle. To cut the bundle, the blade motor has to be started and the lower push-button pressed (at rung 8). The saw falls under gravity at a fast or slow speed that is set by hydraulic valves. To raise the saw, a hydraulic pump is started to pump oil into the saw support cylinders. At any time the saw can be raised, such as to clear swarf, to what is termed the pause state. Otherwise, cutting continues until the bottom limit is reached. The saw then is raised to the top limit for the next bundle. A cut can be aborted by pressing the raise button for two seconds. While a bundle is being cut, it is held by clamp solenoids.

The final three rungs of the program set the length to be cut. There are two photocells about 20 mm apart on a moveable carriage. These are positioned at the required length. The operator runs the bundle in until the first is blocked and the second is clear. These control the long/correct/short desk lamps.