Here is the translation of an article about the PLC Checker software by Itris Automation Square, published in the French journal "Mesures": "La qualité des programmes vérifiée par leurs concepteurs".
Enjoy the read!
Find us at http://www.itris-automation.com/
Contact us at commercial@itris-automation.com for more information.
[EN] Mesures article: "PLC programs quality checked by their designers"
Mesures Magazine n°826 - June 2010
Report on Industrial Automation Equipment: As seen in PSA Peugeot Citroën
PLC programs quality checked by their designers
In order to standardize and optimize its production line, PSA Peugeot Citroën (PSA) has
launched an ambitious project: to integrate in its development process a method to
analyze PLC programs. This innovative technique has been developed by Itris Automation
Square, a French company based in Grenoble, which included it into PLC Checker, its
flagship software. Today, the use of PLC Checker is imposed on all PSA’s subcontractors.
The main beneficiaries are maintenance workers who benefit from programs that are
more homogeneous, more readable and stripped of most of their bugs.
One hundred and fifty new PLCs are installed annually in PSA Peugeot Citroën manufacturing
plants. At the same time, a little less than a hundred machines are modified or upgraded.
This represents a lot of programs, most of which are designed by subcontracted integrators.
Of course, PLC managers at PSA verify when receiving a program that it meets their
expectations. But apart from functional aspects, ease of maintenance of a PLC program is
essential for the manufacturer.
Indeed, the lifespan of PLCs can exceed ten years. The intervention of maintenance workers
will be required during this period. To debug a program, the engineer must clearly
understand it - which depends strongly on how the program was implemented.
“Maintenance workers are under high pressure, says Laurent Mauguy, Automation Standards
Manager at PSA Peugeot Citroën. On a production line that produces one car per minute,
downtime is very expensive. Waiting for downtimes to begin studying unknown programs is
not an option. Hence the importance of having programs that are well-structured and well-
written, and which are consistent from one production line to another.”
Because of an increasing outsourced production,
PSA Peugeot Citroën managers had to find a solution
to standardize the quality of PLC programs.
To facilitate its maintenance process, PSA Peugeot Citroën had to find a way for outsourced
programs to follow the same model and to use the same coding rules. The solution was
identified by managers through Itris Automation Square. The Grenoble-based company has
developed a “PLC code static analysis” software. What is it? Eric Pierrel, CEO of the company,
explains: “Static analysis is used to verify that a program satisfies a number of rules without
executing the program - only by studying how it was written. Static analysis is already widely
used in the field of embedded software; our software tool PLC Checker is the first one to
implement this technology for automation engineers.”
Key takeaways
- Itris Automation Square has developed an innovative technology for the
analysis of PLC code.
- PSA wanted a common reference format for all its PLC programs, to
facilitate maintenance.
- Now, all integrators who develop programs for PSA have to submit their
code to the PLC Checker tool.
- PLC Checker highlights flaws in the code and verifies compliance with PSA
coding rules.
PLC Checker finds its origins in the GLIPS language. This pivot language, developed by the
founders of Itris Automation Square, translates programs developed by the following
development environments: Siemens (Step 7), Schneider Electric (Unity Pro and PL7 Pro) and
Rockwell Automation (RSLogix5000). Based on this GLIPS code, PLC Checker performs the
actual analysis. Once the analysis is completed, the program shows a compliance rate with
the target PLC (each manufacturer has its specificities) - an important indication when
attempting to reduce the deployment time of a program. Above all, PLC Checker validates
the compatibility of the program with respect to a number of coding rules. There are generic
rules (e.g. avoiding division by zero, or having too many loops nested into each other), but
also specific rules. In the case of PSA Peugeot Citroën, specific rules were generated by good
practices identified by the group’s automation managers. The manufacturer has developed
its own rules regarding the names and types of variables, and the level of comments that
should be inserted into the program.
The tool also performs reliability tests, particularly to eliminate any "dead code": for
example, functions that are never called, or loops that can never be entered. For each
part of the program, PLC Checker ensures that all inputs are read (and are useful to the
function at hand), and that all outputs are written. Finally, it can detect commented-out
code that remains in the final code. All developers, at one time or another, turn lines of
code into comments for testing purposes, and it may happen that these lines are
mistakenly left as comments when the program is compiled.
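An added illustration, not code from the article or from PLC Checker: a small Python checker that applies three of the rule types described above (commented-out code, functions never called, excessive nesting) to a constructed IEC 61131-3 Structured Text sample. The sample program, the regex heuristics and the `max_depth` limit are assumptions; PLC Checker itself analyzes GLIPS, whose syntax the article does not show.

```python
import re

# Constructed Structured Text sample (IEC 61131-3 style), not from the article.
SAMPLE = """\
FUNCTION ResetCounters : BOOL
  Count := 0;
END_FUNCTION
FUNCTION StartConveyor : BOOL
  Motor := TRUE;
END_FUNCTION
PROGRAM Main
  (* Conveyor start-up sequence *)
  IF Start THEN
    IF NOT Fault THEN
      IF Ready THEN
        StartConveyor();
      END_IF;
    END_IF;
  END_IF;
  (* Motor := FALSE; *)
END_PROGRAM
"""

COMMENT = re.compile(r"\(\*(.*?)\*\)", re.S)
OPENERS = re.compile(r"^\s*(IF|FOR|WHILE|CASE|REPEAT)\b")
CLOSERS = re.compile(r"^\s*(END_IF|END_FOR|END_WHILE|END_CASE|END_REPEAT)\b")
# Heuristic (assumption): a comment holding an assignment or a call ending in ';' is code.
LOOKS_LIKE_CODE = re.compile(r":=|\w+\s*\(.*\)\s*;")

def analyze(source, max_depth=2):
    findings = []
    # Rule 1: commented-out code left in the delivered program.
    for m in COMMENT.finditer(source):
        if LOOKS_LIKE_CODE.search(m.group(1)):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(("commented-code", line))
    # Blank out comments but keep their newlines so line numbers stay valid.
    code = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    # Rule 2: functions that are declared but never called (dead code).
    for m in re.finditer(r"^\s*FUNCTION\s+(\w+)", code, re.M):
        name = m.group(1)
        if not re.search(r"\b%s\s*\(" % re.escape(name), code):
            findings.append(("unused-function", name))
    # Rule 3: control structures nested deeper than max_depth.
    depth = 0
    for lineno, text in enumerate(code.splitlines(), 1):
        if CLOSERS.match(text):
            depth -= 1
        elif OPENERS.match(text):
            depth += 1
            if depth > max_depth:
                findings.append(("nesting-too-deep", lineno))
    return findings
```

The checker never executes the program; every finding comes from how the text is written, which is what distinguishes static analysis from acceptance testing on the machine.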
Example of dashboard analysis provided by PLC Checker.
Errors are distributed by type of coding rules.
PLC code verification: benefits shared by all
The systematic use of PLC Checker on all new PLC programs has benefited both
engineers and subcontractors from PSA. Here is how each team benefits from
the static analysis of programs:
For "Quality and Methods" engineers:
- The coding rules are more clearly defined and formalized;
- The specifications are easier to achieve because the coding rules are delivered
independently from functional aspects.
For PLC program designers:
- Verification of compliance with coding rules has become automatic;
- The testing phase is significantly reduced, allowing developers to focus on the
functional aspects;
- The client can verify the conformity of a program upon reception and take over
more quickly;
- The analysis being performed remotely via the Internet, there is no software to
install or maintain.
Engineers responsible for assessing programs:
- Acceptance testing can now be made based on objective criteria;
- Verification of the quality of the code is simple, fast and efficient.
For maintenance workers:
- Programs that are more readable are also easier to debug and to improve;
- In case of bugs, interruptions are shorter than before.
Verification imposed on all subcontractors
By default, PLC Checker contains twenty coding rules. For this specific project, the engineers
at PSA collaborated with Itris Automation Square to define specific coding rules. They
created a set of 70 rules. These come in different files, because rules can be added or
removed depending on the project. But this is only the beginning: engineers have started
with the most important rules (and those that were simple to program in GLIPS); it is
expected to bring the total to 100. In comparison, the MISRA standard for embedded C code
in the automotive industry has 170 coding rules. The ultimate goal is to achieve the same
level of verification for PLCs controlling the production lines as for embedded controllers in
vehicles’ ECUs.
It is still necessary to ensure that these rules are followed. If even one subcontractor does
not use PLC Checker, all these efforts are wasted.
"In fact, says Laurent Mauguy (PSA Peugeot Citroën), even if this innovative technology
improves the quality of PLC code, not all subcontractors are necessarily willing to pay the cost
of analysis (a few hundred euros). This is why we’ve decided to impose its use on all of our
programs and factories."
Each PLC is identified through a datasheet which is sent to
Itris Automation Square and accessible by subcontractors.
A collaborative platform
This major project is also a boon for Itris Automation Square, whose solution was used mainly
in France until then. It has now been adopted by integrators throughout Europe. Indeed,
according to the established procedure, sub-contractors directly deal with Itris Automation
Square, so as to provide PSA with programs that respect the rules and are usable quickly.
PLC Checker works remotely. Developers send their programs via the Internet to Itris
Automation Square servers. The analysis starts, and the results are published immediately.
"Each PLC from PSA is identified through a data sheet. To be sure to check each program with
the right coding rules, developers work in a part of the website dedicated to a specific PLC,
says Eric Pierrel (Itris Automation Square). Once the analysis is complete, the PSA project
manager retrieves the test reports to validate a program or grant exceptions if necessary
(when a rule has not been followed, but was justified by the context of the project). End users
and developers have a secure access to the data. Information is centralized and stored on our
servers to ensure traceability. PLC Checker is truly a collaborative platform."
In addition to the issues related to maintenance, the use of this platform meets many of PSA
Peugeot Citroën’s needs. Starting with the faster launch of new production lines. Much of
the fine-tuning work, usually executed when receiving the program, is reduced thanks to a
code free of most bugs. In addition, PLC Checker solves the problem of shared responsibility
in case of malfunction. Indeed, programs used to come under the responsibility of PSA as
soon as they were accepted. "Until now, the PSA staff conducted a manual check before
accepting programs. Tests were conducted by sampling, but some bugs could get through
this first check", says Marcel Tedesco, CTO of INEO Terville agency. In addition, it may
happen that a program performs well during the first tests but will prove defective once the
production rate rises. For all these bugs detected too late, the necessary changes will have to
be made by the integrator. "Now, with this tool, PSA can no longer tell us 'your program is not
consistent' - we can support our decisions. PLC Checker somehow acts as a judge. Thanks to
this tool, our customer-supplier relationships are less ambiguous." All programs for new PLCs
supplied by subcontractors are now delivered with a 'certificate' attesting to their quality
according to the PSA rules. The contractor has to provide the PLC Checker analysis report in
order to be paid. And once a program has been approved, it becomes the responsibility of
PSA.
Change for subcontractors
The first uses of PLC Checker did not fail to spark reactions from the subcontractors. Team
managers, in particular, were concerned that the software gave different results depending
on the person in charge of programming. “But this is quite normal, assures Eric Pierrel, because
there are no two engineers who code exactly the same way. Previously it was invisible,
because we sometimes measured the performance of a team of programmers, but we never
compared them with one another.” Challenging established development processes
therefore had a strong impact on sub-contractors and integrators. “Now, PLC Checker has
been included in the tool chain of our company, says Marcel Tedesco (INEO Terville agency).
For each PSA project, we keep a record of all test results. Surely, measuring the quality of a
program based on the programmer was new to us, and it took some time getting used to it.
But today, all developers feel more involved, and the quality of their work has improved.”
Let’s keep in mind that the role of PLC Checker is limited to highlighting all the “danger
zones” in programs. Obviously, a developer who executes the analysis for the first time may
be surprised by the amount of alerts generated by the software (sometimes more than one
thousand). It is true that the rules defined by PSA are deliberately strict, and that the choice
has been for PLC Checker to produce too many alerts rather than too few. “We do not take
delivery of any program with zero warning, says Laurent Mauguy (PSA Peugeot Citroën).
With the set of rules we’ve set up, we consider that below twenty warnings, it is a good
program. And even if studying each alert may take time, the overall verification time is
considerably shorter: our subcontractors and our engineers have fewer discussions to reach
consistent programs.”
To ensure compliance of the programs, developers must of course be familiar with the PSA
rules. But above all, they must perform incremental analysis, as the program progresses.
When the use of PLC Checker was imposed, the subcontractors had the choice between
a single audit (pre-delivery) and a package with unlimited analyses. But both Itris Automation
Square and PSA managers agreed that the first option did not provide satisfactory results.
They now favor the latter, the only way for subcontractors to truly understand the coding
rules and to be involved in the quality of their programs.
The integrator turned editor
Itris started in 1995 as an integrator: the Grenoble-based company became
known for developing PLC programs for various industries. The founding
members quickly realized how much time was lost checking the programs.
Similarly, they regretted how difficult it was to deploy a single program on PLCs
from different manufacturers. This is why they developed the GLIPS language:
abstract enough to look beyond the type of PLC targeted, and complete enough
to be able to study independently the synchronous and asynchronous parts of a
program and to apply testing methods from the computing world (static
analysis, formal methods, etc.).
At first, the language was reserved for internal use by the company. Itris then
decided to commercialize this knowledge. In 2008, the company changed its
name to Itris Automation Square and also transformed its activity: from service
provider, it became a software vendor.
The innovative nature of this technology has enabled the company to grow
quickly and to count among its clients large industrial groups from the automotive
industry (such as PSA Peugeot Citroën) but also from the field of energy (with
Schneider Electric and GDF Suez) and defense (with Snecma or DCNS).
In addition to PLC Checker, its products include more software tools: PLC
Converter (translation of a program to a new PLC) and PLC DocGen (translation
of a program into a flowchart for ease of maintenance).
A rules file is published for each project.
It shows all aspects of the code to be verified by PLC Checker.
PLC Checker is integrated into an overall quality process
PLC Checker has been used by PSA Peugeot Citroën for a year and a half. Group managers
believe they’ll be able to produce statistics on their vendors’ performance by the end of
2010. As is often the case with this type of quality improvement software, financial gain is
relatively difficult to assess. The fact is that, for the manufacturer and his subcontractors, the
results are positive from all standpoints. First, because running these comprehensive and
automatic controls can only reduce the risk of failure during production (and even in case of
failure, maintenance workers can take action more quickly since all programs have a
common structure). Also, because developers are more involved in the quality of the code
they produce. They have more responsibility, as the delivery of a program comes with an
obligation of results.
Today at PSA, the systematic use of PLC Checker is part of a more comprehensive approach
to improve the quality and maintainability of automated systems. This vast project called
ACTIF (ASSET) consists of a number of standards common to the Group regarding safety, the
production of human-machine interfaces, electrical wiring and methods of programs’
functional analysis, as well as other transversal aspects. It is under this last objective that PLC
Checker has been integrated.
Over thirty subcontractors have been using PLC Checker since the beginning of the project.
Statistics kept by Itris Automation Square indicate that on average, twelve analyses are
necessary to meet the quality standards required by PSA Peugeot Citroën. There is still some
way to go before developing programs that meet requirements from the start, but things
will improve gradually as subcontractors incorporate the principles of coding earlier in their
development process.
A way towards consistency
Deployed two years ago (therefore a few months before using PLC Checker),
the ACTIF (ASSET) method is a standard developed by the PSA group. It defines
an overall framework for all aspects of automation within the group and among
its subcontractors. It includes seven basic standards related to the safety,
transversal activities, programs’ functional analysis, electrical design,
programming, terminal operators and electrical work. The systematic use of PLC
Checker is now included in one of the paragraphs of the standards of
transversal activities. In a context where more and more functions are
performed by third parties, the purpose of the ACTIF approach is to bring more
coherence between the different deliverables. This is to provide a common
framework for all subcontractors, facilitate the launch of new facilities, and
reduce the number of unplanned shutdowns. The implementation of ACTIF has
an impact on the maintenance workers, but also on workers who can move
from one production line to another without being disoriented, and in some
cases start a line on their own without calling upon a maintenance worker.
PSA involved in the adoption of new technologies
What we will remember from this project is primarily the role of the French manufacturer in
the use of the new technology that is static code analysis of PLC programs. "We’re applying
the same strategy as the one we implemented in 1996 - 1998 when promoting the use
of simulation in the design of control systems. It had never really been exploited until we
imposed it on all our subcontractors, says Laurent Mauguy (PSA Peugeot Citroën). Today, the
use of simulation is systematic, not just for automotive. We would like to meet the same
success with PLC Checker, to further improve the quality of PLC programs in all sectors."
Frédéric Parisot