[EN] Mesures article: "PLC programs quality checked by their designers"
Here is the translation of an article about the PLC Checker software by Itris Automation Square, published in the French journal "Mesures": "La qualité des programmes vérifiée par leurs concepteurs".
Enjoy the reading!
Find us at http://www.itris-automation.com/
Contact us at email@example.com for more information.
Mesures Magazine n°826 - June 2010
Report on Industrial Automation Equipment: As seen in PSA Peugeot Citroën

PLC programs quality checked by their designers

In order to standardize and optimize its production line, PSA Peugeot Citroën (PSA) has launched an ambitious project: to integrate in its development process a method to analyze PLC programs. This innovative technique has been developed by Itris Automation Square, a French company based in Grenoble, which included it in PLC Checker, its flagship software. Today, the use of PLC Checker is imposed on all of PSA’s subcontractors. The main beneficiaries are maintenance workers, who benefit from programs that are more homogeneous, more readable and stripped of most of their bugs.

One hundred and fifty new PLCs are installed annually in PSA Peugeot Citroën manufacturing plants. At the same time, a little less than a hundred machines are modified or upgraded. This represents a lot of programs, most of which are designed by subcontracted integrators. Of course, PLC managers at PSA verify when receiving a program that it meets their expectations. But apart from functional aspects, ease of maintenance of a PLC program is essential for the manufacturer.

Indeed, the lifespan of PLCs can exceed ten years. The intervention of maintenance workers will be required during this period. To debug a program, the engineer must clearly understand it - which depends strongly on how the program was implemented.

“Maintenance workers are under high pressure, says Laurent Mauguy, Automation Standards Manager at PSA Peugeot Citroën. On a production line that produces one car per minute, downtime is very expensive. Waiting for downtimes to begin studying unknown programs is not an option.
Hence the importance of having programs that are well-structured and well-written, and which are consistent from one production line to another.”

Because of an increasing outsourced production, PSA Peugeot Citroën managers had to find a solution to standardize the quality of PLC programs.

To facilitate its maintenance process, PSA Peugeot Citroën had to find a way for outsourced programs to follow the same model and to use the same coding rules. The solution was identified by managers through Itris Automation Square. The Grenoble-based company has developed a “PLC code static analysis” software. What is it? Eric Pierrel, CEO of the company, explains: “Static analysis is used to verify that a program satisfies a number of rules without executing the program - only by studying how it was written. Static analysis is already widely used in the field of embedded software; our software tool PLC Checker is the first one to implement this technology for automation engineers.”

Key takeaways
- Itris Automation Square has developed an innovative technology for the analysis of PLC code.
- PSA wanted a common reference format for all its PLC programs, to facilitate maintenance.
- Now, all integrators who develop programs for PSA have to submit their code to the PLC Checker tool.
- PLC Checker highlights flaws in the code and verifies compliance with PSA coding rules.

PLC Checker finds its origins in the GLIPS language. This pivot language, developed by the founders of Itris Automation Square, translates programs developed by the following development environments: Siemens (Step 7), Schneider Electric (Unity Pro and PL7 Pro) and Rockwell Automation (RSLogix5000). Based on this GLIPS code, PLC Checker performs the actual analysis. Once the analysis is completed, the program shows a compliance rate with the target PLC (each manufacturer has its specificities) - an important indication when attempting to reduce the deployment time of a program. Above all, PLC Checker validates the compatibility of the program with respect to a number of coding rules. There are generic rules (e.g. avoiding division by zero, or having too many loops nested into each other), but also specific rules.
In the case of PSA Peugeot Citroën, specific rules were generated by good practices identified by the group’s automation managers. The manufacturer has developed its own rules regarding the names and types of variables, and the level of comments that should be inserted into the program.

The tool also performs reliability tests, particularly to eliminate any "dead code". For example, functions that are never called, or loops in which it is impossible to enter. For each part of the program, PLC Checker ensures that all inputs are read (and are useful to the function at hand), and that all outputs are actually written. Finally, it can detect commented code that remains in final code. All developers indeed write, at one time or another, lines of code as comments for testing purposes. When compiling, it may happen that these lines are left mistakenly as comments.

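The reliability checks described above (commented-out code, inputs never read, outputs never written, blocks never called) can be illustrated with a small checker. This is an added example, not PLC Checker's code or the GLIPS analysis: it assumes IEC 61131-3 Structured Text as input, uses regular-expression heuristics, and its rule names and sample program are constructed for illustration.

```python
import re

# Constructed IEC 61131-3 Structured Text sample (not from PSA or PLC Checker).
ST_SOURCE = """
FUNCTION_BLOCK Conveyor
VAR_INPUT Start : BOOL; Stop : BOOL; Speed : INT; END_VAR
VAR_OUTPUT Motor : BOOL; Alarm : BOOL; END_VAR
(* Start/stop logic for belt 1 *)
(* Motor := Start AND Speed > 0; *)
Motor := Start AND NOT Stop;
END_FUNCTION_BLOCK
FUNCTION_BLOCK Purge
VAR_INPUT Open : BOOL; END_VAR
VAR_OUTPUT Valve : BOOL; END_VAR
Valve := Open;
END_FUNCTION_BLOCK
PROGRAM Main
VAR conv : Conveyor; END_VAR
conv(Start := TRUE, Stop := FALSE, Speed := 10);
END_PROGRAM
"""

POU = re.compile(r"(FUNCTION_BLOCK|PROGRAM)\s+(\w+)(.*?)END_\1", re.S)
VARS = re.compile(r"(VAR(?:_INPUT|_OUTPUT)?)\b(.*?)END_VAR", re.S)
COMMENT = re.compile(r"\(\*(.*?)\*\)", re.S)

def analyze(source):
    """Return (rule, location) findings; rule names are hypothetical."""
    findings = []
    # Commented-out code: a comment that looks like an assignment statement.
    for text in COMMENT.findall(source):
        if re.search(r":=.*;\s*$", text, re.S):
            findings.append(("commented-code", text.strip()))
    clean = COMMENT.sub("", source)
    pous = {name: (kind, body) for kind, name, body in POU.findall(clean)}
    for name, (kind, body) in pous.items():
        decls = {k: re.findall(r"(\w+)\s*:(?!=)", b) for k, b in VARS.findall(body)}
        logic = VARS.sub("", body)  # executable part, declarations removed
        for var in decls.get("VAR_INPUT", []):
            if not re.search(rf"\b{var}\b", logic):      # input never read
                findings.append(("unused-input", f"{name}.{var}"))
        for var in decls.get("VAR_OUTPUT", []):
            if not re.search(rf"\b{var}\s*:=", logic):   # output never assigned
                findings.append(("unwritten-output", f"{name}.{var}"))
        # Dead block: no other unit declares an instance of this function block.
        others = "".join(b for n, (_, b) in pous.items() if n != name)
        if kind == "FUNCTION_BLOCK" and not re.search(rf":\s*{name}\b", others):
            findings.append(("dead-block", name))
    return findings

if __name__ == "__main__":
    for rule, where in analyze(ST_SOURCE):
        print(f"{rule:17} {where}")
```

The descriptive comment on belt 1 is not reported, while the disabled assignment is; removing that leftover line is also what makes the `Speed` input visibly unused.
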
Example of dashboard analysis provided by PLC Checker. Errors are distributed by type of coding rules.

PLC code verification: benefits shared by all

The systematic use of PLC Checker on all new PLC programs has benefited both engineers and subcontractors from PSA. Here is how each team benefits from the static analysis of programs:

For "Quality and Methods" engineers:
- The coding rules are more clearly defined and formalized;
- The specifications are easier to achieve because the coding rules are delivered independently from functional aspects.

For PLC program designers:
- Verification of compliance with coding rules has become automatic;
- The testing phase is significantly reduced, allowing developers to focus on the functional aspects;
- The client can verify the conformity of a program upon reception and take over more quickly;
- The analysis being performed remotely via the Internet, there is no software to install or maintain.

Engineers responsible for assessing programs:
- Acceptance testing can now be made based on objective criteria;
- Verification of the quality of the code is simple, fast and efficient.

For maintenance workers:
- Programs that are more readable are also easier to debug and to improve;
- In case of bugs, interruptions are shorter than before.

Verification imposed on all subcontractors

By default, PLC Checker contains twenty coding rules. For this specific project, the engineers at PSA collaborated with Itris Automation Square to define specific coding rules. They created a set of 70 rules. These come in different files, because rules can be added or removed depending on the project. But this is only the beginning: engineers have started with the most important rules (and those that were simple to program in GLIPS); it is expected to bring the total to 100. In comparison, the MISRA standard for embedded C code in the automotive industry has 170 coding rules. The ultimate goal is to achieve the same level of verification for PLCs controlling the production lines as for embedded controllers in vehicles’ ECUs.

It is still necessary to ensure that these rules are followed. If even a single subcontractor does not use PLC Checker, then all these efforts are in vain.

"In fact, says Laurent Mauguy (PSA Peugeot Citroën), even if this innovative technology improves the quality of PLC code, not all subcontractors are necessarily willing to pay the cost of analysis (a few hundred euros). This is why we’ve decided to impose its use on all of our programs and factories."

Each PLC is identified through a datasheet which is sent to Itris Automation Square and accessible by subcontractors.

A collaborative platform

This major project is also a boon for Itris Automation Square, whose solution was used mainly in France until then. It has now been adopted by integrators throughout Europe. Indeed, according to the established procedure, subcontractors deal directly with Itris Automation Square, so as to provide PSA with programs that respect the rules and are usable quickly.

PLC Checker works remotely. Developers send their programs via the Internet to Itris Automation Square servers. The analysis starts, and the results are published immediately.

"Each PLC from PSA is identified through a data sheet. To be sure to check each program with the right coding rules, developers work in a part of the website dedicated to a specific PLC, says Eric Pierrel (Itris Automation Square). Once the analysis is complete, the PSA project manager retrieves the test reports to validate a program or grant exceptions if necessary (when a rule has not been followed, but was justified by the context of the project). End users and developers have secure access to the data. Information is centralized and stored on our servers to ensure traceability. PLC Checker is truly a collaborative platform."

In addition to the issues related to maintenance, the use of this platform meets many of PSA Peugeot Citroën’s needs. Starting with the faster launch of new production lines. Much of the fine-tuning work, usually executed when receiving the program, is reduced thanks to a code free of most bugs. In addition, PLC Checker solves the problem of shared responsibility in case of malfunction. Indeed, programs used to come under the responsibility of PSA as soon as they were accepted. "Until now, the PSA staff conducted a manual check before accepting programs. Tests were conducted by sampling, but some bugs could get through this first check", says Marcel Tedesco, CTO of INEO Terville agency.
In addition, it may happen that a program performs well during the first tests but will prove defective once the production rate rises. For all these bugs detected too late, the necessary changes will have to be made by the integrator. Now, with this tool, PSA can no longer tell us "your program is not consistent” - we can support our decisions. PLC Checker somehow acts as a judge. Thanks to this tool, our customer-supplier relationships are less ambiguous." All programs for new PLCs supplied by subcontractors are now delivered with a certificate attesting to their quality according to the PSA rules. The contractor has to provide the PLC Checker analysis report in order to be paid. And once a program has been approved, it becomes the responsibility of PSA.

Change for subcontractors

The first uses of PLC Checker did not fail to spark reactions from the subcontractors. Team managers, in particular, were concerned that the software gave different results depending on the person in charge of programming. “But this is quite normal, assures Eric Pierrel, because there are no two engineers who code exactly the same way. Previously it was invisible, because we sometimes measured the performance of a team of programmers, but we never compared them with one another.” Challenging established development processes therefore had a strong impact on subcontractors and integrators. “Now, PLC Checker has been included in the tool chain of our company, says Marcel Tedesco (INEO Terville agency). For each PSA project, we keep a record of all test results. Surely, measuring the quality of a program based on the programmer was new to us, and it took some time getting used to it. But today, all developers feel more involved, and the quality of their work has improved.”

Let’s keep in mind that the role of PLC Checker is limited to highlighting all the “danger zones” in programs. Obviously, a developer who executes the analysis for the first time may be surprised by the amount of alerts generated by the software (sometimes more than one thousand). It is true that the rules defined by PSA are deliberately strict, and that the choice has been for PLC Checker to produce too many alerts rather than too few. “We do not take delivery of any program with zero warnings, says Laurent Mauguy (PSA Peugeot Citroën). With the set of rules we’ve set up, we consider that below twenty warnings, it is a good program. And even if studying each alert may take time, the overall verification time is considerably shorter: our subcontractors and our engineers have fewer discussions to reach consistent programs.”

To ensure compliance of the programs, developers must of course be familiar with the PSA rules. But above all, they must perform incremental analysis, as the program progresses. When the use of PLC Checker was imposed, the subcontractors had the choice between a single audit (pre-delivery) and a package with unlimited analyses. But both Itris Automation Square and PSA managers agreed that the first option did not provide satisfactory results. They now favor the latter, the only way for subcontractors to truly understand the coding rules and to be involved in the quality of their programs.

The integrator turned editor

Itris started in 1995 as an integrator: the Grenoble-based company became known for developing PLC programs for various industries. The founding members quickly realized how much time was lost to check the programs. Similarly, they regretted how difficult it was to deploy a single program on PLCs from different manufacturers.
This is why they developed the GLIPS language: abstract enough to look beyond the type of PLC targeted, and complete enough to be able to study independently the synchronous and asynchronous parts of a program and to apply testing methods from the computing world (static analysis, formal methods, etc.). At first, the language was reserved for internal use by the company. Itris then decided to commercialize this knowledge. In 2008, the company changed its name to Itris Automation Square and also transformed its activity: from service provider, it became a software vendor. The innovative nature of this technology has enabled the company to grow quickly and to count among its clients large industrial groups from the automotive industry (such as PSA Peugeot Citroën) but also from the field of energy (with Schneider Electric and GDF Suez) and defense (with Snecma or DCNS). In addition to PLC Checker, its products include more software tools: PLC Converter (translation of a program to a new PLC) and PLC DocGen (translation of a program into a flowchart for ease of maintenance).

A rules file is published for each project. It shows all aspects of the code to be verified by PLC Checker.

PLC Checker is integrated into an overall quality process

PLC Checker has been used by PSA Peugeot Citroën for a year and a half. Group managers believe they’ll be able to produce statistics on their vendors’ performance by the end of 2010. As is often the case with this type of quality improvement software, financial gain is relatively difficult to assess. The fact is that, for the manufacturer and its subcontractors, the results are positive from all standpoints. First, because running these comprehensive and automatic controls can only reduce the risk of failure during production (and even in case of failure, maintenance workers can take action more quickly since all programs have a common structure). Also, because developers are more involved in the quality of the code they produce. They have more responsibility, as the delivery of a program comes with an obligation of results.

Today at PSA, the systematic use of PLC Checker is part of a more comprehensive approach to improve the quality and maintainability of automated systems. This vast project called ACTIF (ASSET) consists of a number of standards common to the Group regarding safety, the production of human-machine interfaces, electrical wiring and methods of programs’ functional analysis, as well as other transversal aspects. It is under this last objective that PLC Checker has been integrated.

Over thirty subcontractors have been using PLC Checker since the beginning of the project. Statistics kept by Itris Automation Square indicate that on average, twelve analyses are necessary to meet the quality standards required by PSA Peugeot Citroën. There is still some way to go before developing programs that meet requirements from the start, but things will improve gradually as subcontractors incorporate the principles of coding earlier in their development process.

A way towards consistency

Deployed two years ago (therefore a few months before using PLC Checker), the ACTIF (ASSET) method is a standard developed by the PSA group. It defines an overall framework for all aspects of automation within the group and among its subcontractors. It includes seven basic standards related to safety, transversal activities, programs’ functional analysis, electrical design, programming, terminal operators and electrical work. The systematic use of PLC Checker is now included in one of the paragraphs of the standards of transversal activities. In a context where more and more functions are performed by third parties, the purpose of the ACTIF approach is to bring more coherence between the different deliverables. This is to provide a common framework for all subcontractors, facilitate the launch of new facilities, and reduce the number of unplanned shutdowns.
The implementation of ACTIF has an impact on the maintenance workers, but also on workers who can move from one production line to another without being disoriented, and in some cases start a line on their own without calling upon a maintenance worker.

PSA involved in the adoption of new technologies

What we will remember from this project is primarily the role of the French manufacturer in the use of the new technology that is static code analysis of PLC programs. "We’re applying the same strategy as the one we implemented in 1996 - 1998 when promoting the use of simulation in the design of control systems. It had never really been exploited until we imposed it on all our subcontractors, says Laurent Mauguy (PSA Peugeot Citroën). Today, the use of simulation is systematic, not just for automotive. We would like to meet the same success with PLC Checker, to further improve the quality of PLC programs in all sectors."

Frédéric Parisot