A SIMPLE METHOD FOR PLC PROGRAMMING

Krzysztof Sacha
Institute of Control and Computation Engineering, Warsaw University of Technology,
ul. Nowowiejska 15/19, 00-665 Warszawa, Poland, k.sacha@ia.pw.edu.pl

Abstract: The paper describes a simple method for the development of programs for PLC
controllers. A specification of the program behaviour is defined using a formal model of
finite state machine. The model is formal, unambiguous, language-independent, yet
readable. The model can be verified against the behavioural and safety requirements.
After the specification phase, the model can be converted directly into a program written
in the form of a ladder diagram. Because the implementation of the graph is direct, no
further verification of the target program is necessary. Copyright 2002 IFAC
Keywords: Programmable logic controllers, programming, finite state machines, software
engineering, real-time systems.

1. INTRODUCTION
The goal of this paper is to describe a simple, yet
formal method for PLC programming. Unlike more
advanced and complex methods, like Grafcet (Bossy
et al., 1979) or IsaGraf, which are based on Petri net
theory, the method introduced in this paper relays on
a classical finite state machine (FSM) model of the
reality. An advantage of this approach is that FSM
models are recognized by the majority of software
specification and design methods and languages,
including UML (Douglass, 1998). Therefore the
described method can easily be interfaced to the
general development process of systems consisting
of computer-based and PLC-based objects.
The method described in this paper starts from the
state transition graph of a FSM, and leads towards
the target program for a PLC, written in the language
of ladder diagrams. Because the implementation of
the graph is direct, no further verification of the
target program is necessary.
The method consists of seven phases:
1. Problem analysis and specification in the form of
a state transition graph.
2. Coding of states.

3. Defining Boolean functions to implement the

state changes.
4. Defining output functions.
5. Optimization of functions.
6. Filling up the state space.
7. Converting the functions into the lines of the
target ladder diagram.
The description of the method will be presented
using a case study of a bottling line controller. The
plant (Figure 1) consists of a bottle supply with a
gate, a conveyor system, a scale platform and a bottle
filling pipe with a valve. Bottles to be filled are
drawn one by one from the supply of bottles and
moved to the scale platform by the conveyor. As
soon as the bottle is at required position, a contact
sensor attached to the platform is depressed and the
bottle-filling valve is opened. The scale platform
measures the weight of the bottle with its contents.
When the bottle is full, the bottle-filling valve is shut
off, and the bottle is manually removed from the line
by an operator. Removing the bottle releases the
contact sensor, thus enabling the next bottle to be
drawn from the bottle supply.
The two-state output signals from the line, which are
issued by the plant sensors, can be listed as follows:

Stopped
S
Set M, T
bottle supply gate

S
line
start

conveyor

Gate Open

scale platform

open

out

go

ready

full

open

Fig. 1. Bottling line.

F

bottle out of the gate: it has been drawn out of

the supply and travels towards the scale platform
W bottle in position: a signal from the electrical
contact of the platform sensor
P bottle full: a signal issued by the scale
S start of the line: a manual signal to switch the
line on or off.
The output signals describe the line operation, and
can be used by a controller to yield control signals:
T start of the conveyor
M opening the gate of the supply of bottles
Z opening the bottle-filling valve.
The paper is divided into nine sections. Sections 2
through 8 describe the details of all seven phases of
the method. The remarks related to the use of the
method and plans for future work are discussed in
Conclusions.
2. PROBLEM ANALYSIS AND SPECIFICATION
The desired behaviour of the controlled plant can be
described in terms of states and transitions between
states. A transition from a given state to another state
of the system, is caused by the occurrence of an input
signal, or a combination of input signals, and it can
change the value of an output signal, or a set of
output signals.
The first step of the analysis consists in defining the
states of the system. Bottling line, described in the
Introduction, is always in one of the following states:
Stopped

the line has been switched off (it

can be started by the signal S);
Gate Open a bottle is leaving the supply of
bottles, and is expected on the
conveyor;
Moving
the bottle is transported by the
conveyor, and is expected on the
scale platform;
Bottle Filling the bottle is positioned on the scale
platform, and the filling-valve is
open;
Bottle Full the bottle is full, and it waits for
being removed by an operator.

W
Set M, T

F
Reset M

Moving
W
Set Z, Reset T
Bottle Filling
P
Reset Z
Bottle Full

Fig. 2. Preliminary state transition graph.

In the second step all possible transitions between the
states are defined, and specified in the form of a state
transition graph (Figure 2). The nodes of the graph
are states of the system, and the arcs are transitions
between states. A transition is labelled by two
expressions: A combination of input signals which
enables the transition (the expression written above a
bar) and a combination of output signals, which are
set or reset during the transition (the expression
below the bar).
In the third step the state transition graph is verified
against the behavioural and safety requirements. In
particular, the improper behaviour and the results of
exceptions which can arise within the plant, should
be studied.
Consider, for example, the scenario of stopping and
starting the bottle line. When the line is being
stopped, the last bottle filled on the platform should
be removed by an operator. What happens if it still
remains on the platform when the line is switched
on? In such a case, the controller should prevent the
line being started. And another question: What
happens if the bottle being filled breaks? Clearly, the
controller should notice the accident and close the
valve immediately.
The implementation of the above safety features
requires a few modification to the graph. in Figure 2.
First, the enabling condition of the transition from
state Stopped to Gate Open should be modified.
Second, a new transition from state Bottle Filling to
Stopped should be added. The modified state
transition graph is shown in Figure 3.
It is important to notice, that state transition graph is
formal and unambiguous, yet readable specification
of the plant controller. It is language-independent but
can be converted into a program.

transition, and set in the target state of this transition.

Similarly, a flip-flop is reset by a transition if is was
set in the source state, and not set in the target state
of this transition.

Stopped
SW
Set M, T
Gate Open
F
Reset M

W
Set M , T

S
Reset M

Moving
W
Set Z, Reset T

Set M1 = S W M1 M2 M3

M1 can be reset by the transition from Bottle Filling

to Stopped or from Bottle Full to Stopped. This can
be noted as:

Bottle Filling
W
Reset Z

Consider the transition from Stopped to Gate Open in

Figure 3. This transition is implemented by setting
M1 flip-flop. In other words, M1 is set if M1=0 and
M2=0 and M3=0 and S=1 and W=0. This can be
noted in the usual form of Boolean function:

Reset Z
Bottle Full
Fig. 3 Modified state transition graph

Res M1 = W M1 M2 M3 + S M1 M2 M3

The functions to set and reset the other flip flops can
be defined similarly. This way, the behaviour of
control program can be described by the following
six Boolean functions:
(1) Set M1 = S W M1 M2 M3
( 2) Res M1 = W M1 M2 M3 + S M1 M2 M 3

3. CODING OF STATES
The states identified in the previous phase must be
stored within the controller as states of flip-flops
used by the control program. The minimum number
of flip-flops results from the number of states using
n flip-flops one can store at most 2n individual states.
For example, there are five states in the bottling line
system, which require at least three flip-flops. The
mapping of system states into the states of flip-flops
(the coding) is ambiguous, and can be chosen as
result of a design decision. Usually, it is reasonable
to select such a mapping, in which as many
transitions change the state of a single flip-flop only,
as possible. This can help in keeping the transition
functions simple.
The selected coding of states of the bottling line
controller is presented in Table 1.
Table 1. The coding of states
M1
0
1
1
1
1

Flip-flops
M2
0
0
0
1
1

Line state
M3
0
0
1
1
0

Stopped
Gate Open
Moving
Bottle Filling
Bottle Full

4. DEFINING THE TRANSITION FUNCTIONS

Transitions in the state transition graph are
implemented within the controller as changes of
states of flip-flops defined in the previous phase. The
functions to set or reset the flip-flops can be derived
directly from the graph. A flip-flop is set by a
transition if it was not set in the source state of this

( 3) Set M2 = W M1 M2 M3
( 4) Res M2 = W M1 M2 M3 + W M1 M2 M3 + S M1 M2 M3
(5) Set M3 = F M1 M2 M3
( 6) Res M3 = P M1 M2 M3 + W M1 M2 M3

A very basic assumption of the finite state machine

model is that the transitions are atomic: All flip-flops
should change their state during a transition
simultaneously. Unfortunately, PLC executes a
program sequentially, function by function (Halang
and Sacha, 1992). When a function is computed, the
respective flip-flop is set or reset immediately. This
violates the requirement for atomicity of transitions.
Therefore, a correction of functions is needed.
Consider, for example, the functions for resetting
flip-flops M2 and M3, written in lines (4) and (6)
above. Both functions include the sub-expression:
W M1 M2 M3 . Each of the functions is correct it
describes the action which should be done if signal W
occurs in state Bottle Filling. However, the functions
are executed sequentially, and when the function
Res M2 (4) has been executed, flip-flop M2 becomes
reset. Function Res M3 (6) is then false, and flip-flop
M3 will remain unchanged.
The cause of the problem described above lies in that
a change to the state of flip-flop M2 hence, a
transition in the state transition graph took place
while the computation of the sequence of functions
was still in progress. If W=0 and the computation
began in state M1=1, M2=1, M3=1, then functions
(1), (2), (3), (4) were computed in this particular
state, while the following functions (5), (6) in another
state M1=1, M2=0, M3=1. The results of the
computation are thus inconsistent.
In order to solve the problem it is necessary to
prevent any changes of state, until the computation of

the entire sequence of functions has been finished.

This can be implemented by means of secondary
flip-flops, assigned on the one-to-one basis to the
primary flip-flops, i.e. to the flip-flops that are used
to encode the states of the system. The auxiliary flipflops will store the next state of the system,
calculated by the computation of transition functions,
until the entire computation is finished. The next
state of the system is then converted into the current
state by copying the state of secondary flip-flops to
the primary flip-flops.
There are three primary flip-flops: M1, M2, M3 in
the bottling line example. Denote the secondary flipflops by M11, M12, M13, respectively. The modified
sequence of functions can now be written as follows:

are reset as well. Similarly, if M2 or M3 are set, then

M1 is set as well. Using such dependencies one can
reduce the transition functions to the form:
(1) Set M11 = S W M1
( 2) Res M11 = W M2 M3 + S M2 M3
(3) Set M12 = W M2 M3
( 4) Res M12 = W M1 M2 M3 + W M2 M3 + S M2 M3
(5) Set M13 = F M1 M2 M3
(6) Res M13 = P M2 M3 + W M1 M2 M3

In the second step the functions can be subject to

factoring. For example:

( 2) Res M11 = M2 W M3 + S M3

( 4) Res M12 = W M1 M2 M3 + M2 M3 W + S

(1) Set M11 = S W M1 M 2 M 3

( 2) Res M11 = W M 1 M2 M3 + S M 1 M2 M3

7. FILLING UP THE STATE SPACE

( 3) Set M12 = W M 1 M2 M3
( 4) Res M12 = W M 1 M2 M3 + W M 1 M2 M3 + S M 1 M2 M3
(5) Set M13 = F M1 M2 M3
( 6) Res M13 = P M 1 M2 M3 + W M 1 M2 M3

( ) M1 = M11
( ) M2 = M12
( ) M3 = M13

5. DEFINING THE OUTPUT FUNCTIONS

Output functions define the values of output signals
in relation to the state of the automaton and the
values of input signals. These functions can be
derived directly from the state transition graph
output signals can change their values during the
transitions only, and the new value is given by the
action defined by the label of the transition.
In the bottling line example, the values of output
signals depend on states only (Moore automaton):
signal M is true in state Gate Open, signal Z is true in
state Bottle Filling, and signal T is true in states Gate
Open and Moving. This behaviour is described by the
following three functions:
(7) M = M1 M2 M3
(8) Z = M1 M2 M3
(9) T = M + M1 M2 M3

Output functions must be computed before copying

the state of secondary flip-flops to the primary flipflops this way the outputs are always consistent
with the current state of the system. However, output
functions need not follow transition functions but can
be placed anywhere within the sequence.
6. OPTIMIZATION OF FUNCTIONS
In the first step one can take advantage of the
incompleteness of coding not all combinations of
states of flip-flops are used. In the bottling line
example, always when M1 is reset, then M2 and M3

The sequence of transition and output functions,

developed so far, implements the state transition
graph which describes the desired behaviour of the
controlled plant. The sequence is correct, and can be
a basis for designing a program for a PLC. However,
PLC controllers are used in many application areas in
which a malfunction of the system can cause
significant loses or even endanger the environment or
human life. The requirements for dependability of
control programs in such areas examples are air
and railway transport, process control and medical
devices are very high. To fulfil these requirements
it is necessary to plan a reaction to an error which
can arise during the computation.
One of the most important sources of errors is the
incomplete use of the space, created by all possible
states of flip-flops used to encode the states of the
system. Consider, for example, the coding of states
defined in Table 1. Only 5 of 8 possible states of
three flip-flops are used in the system. The behaviour
in each of these 5 states is defined by the sequence of
transition and output functions. But what happens if
for any reason (a fault) one of the other 3 states, e.g.
M1=0, M2=0, M3=1, is entered? The behaviour of
the system in such an invalid state has not been
defined.
A policy of state recovery retuning the system to a
valid and safe state must exist. In many case the most
obvious choice of such a recovery state is Stop. To
implement this fail-stop policy, it needs an auxiliary
flip-flop which is set if an erroneous next state was
observed. The primary flip-flops are reset to Stop,
instead of being set to the erroneous next state, if the
new flip-flop has been set.
In the bottling line example this protective action can
be described by the functions:
(10) M14 = M11 ( M12 + M13)
(11) M1 = M11 M14
(12) M2 = M12 M14
(13) M3 = M13 M14

8. PROGRAMMING

9. CONCLUSION

A sequence of Boolean functions can be written in

the form of a ladder diagram directly. Each function
is converted into a single line of the program. The
disjunction is represented by parallel branches within
a line, and conjunction is represented by serial
elements within a given branch (Siemens, 1998).
Negation is implemented by a normally closed
contact The example program of a bottling line
controller, which implements the functions (1)
(13) is shown in Figure 4.

PLC controllers are used in many application areas in

which a malfunction of the control system can cause
significant losses to the environment or endanger
human life. The systems which are used in such
application areas are expected to exhibit always an
acceptable behaviour. This property of a system is
often referred to as dependability. Various measures
can be applied in order to increase the dependability
of software. Many of these measures attempt to make
the development process as formal as possible. The
reason is that formal models and formulas can be
subject to analysis and automated evaluation. It is
important, that the process of adding rigor and
formality could start from the very beginning, i.e.
from the requirements specification phase.

M11
S

M1

M2

M3

M3

M11
R
1

M2

M3

M12

(1)

(2)

W
(3)

(4)

S
1
M3

M1

M2

M2

M3

M12

R
1

M1

M2

M3

(5)
W
(6)

M1

M2

M3

M13
S
1
M13
R
1

This paper describes a method for the specification

and design of programs for PLC controllers. The
method relies on a mathematical formalism based on
a finite state machine model. The advantages of the
method are as follows:
The method is formal, yet simple and intuitive.
FSM model can easily be derived from industry
standard UML models.
The method covers the entire development cycle
from requirements specification to the program.
The roots of the method are in practical experience.
However, the method has been devised mainly for
didactic purposes and is extensively used within the
control systems lab. The method helps the students to
bridge the gap between their math knowledge and C
programming skills at one side and the reality of
industrial controllers. The plans for future work
include the use of timers the feature which exists in
real programs, but does not fit well to FSM theory.

M2

M3

M1

M2

M3

M1

M2

M3

ACKNOWLEDGEMENTS

M3

I wish to thank the anonymous reviewers who

provided comments that improved this paper.

(7)
(8)
M1
(9)

(10)

M2

M
M11

M12

M14

The work has been supported in part by a Warsaw

University of Technology statutory grant 504/036.
REFERENCES

M13
M11

M14

M1

M12

M14

M2

M13

M14

M3

(11)
(12)
(13)

Fig. 4. The program of the bottling line controller.

Bossy, J., P. Brard and C. Merland (1979): Le

Grafcet, sa pratique et ses applications,
Educalivre, Paris.
Douglass, B.P. (1998): Real-Time UML, AddisonWesley, Reading, Massachusetts.
Halang, W.A. and K.M. Sacha (1992): Real-Time
Systems, World Scientific, Singapore.
Siemens (1998): SIMATIC S7-200 Programmable
Controller, System manual, Siemens.