bayesian-network-based reliability analysis of plc...

IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 60, NO. 11, NOVEMBER 2013 5325

Bayesian-Network-Based ReliabilityAnalysis of PLC Systems

Yu Jiang, Hehua Zhang, Xiaoyu Song, Xun Jiao, William N. N. Hung, Ming Gu, and Jiaguang Sun

Abstract—Reliability analysis is an important part of safety crit-ical programmable logic controller (PLC) systems. The complexityof PLC system reliability analysis arises in handling the complexrelations among the hardware components and the embeddedsoftware. Different embedded software types will lead to differentarrangements of hardware executions and different system reli-ability quantities. In this paper, we propose a novel probabilisticmodel, called the hybrid relation model (HRM), for the reliabil-ity analysis of PLC systems. Its construction is based upon theexecution logic of the embedded software and the distribution ofthe hardware components. We prove the constructed HRM to bea Bayesian network (BN) that captures the execution logic of theembedded software. Then, we map the hardware components tothe corresponding HRM nodes and embed the failure probabilitiesof the hardware components into the well-defined conditionalprobability distribution tables of the HRM nodes. With the com-putational mechanism of the BN, the HRM handles the failureprobabilities of the hardware components as well as the complexrelations caused by the execution logic of the embedded software.Experiment results demonstrate the accuracy of our model.

Index Terms—Bayesian network (BN), hybrid relation model(HRM), programmable logic controller (PLC), reliability analysis.

I. INTRODUCTION

R ELIABILITY analysis has become an important part ofthe system life cycle. This is particularly true for systems

performing critical applications such as controlling nuclearpower plants and spaceport devices [1], [2]. The reliability of asystem is defined as the probability that the system will performits intended function for a specified time period when operating

Manuscript received January 7, 2012; revised March 29, 2012 andJune 29, 2012; accepted October 9, 2012. Date of publication October 18,2012; date of current version June 6, 2013. This work was supported inpart by the National Natural Science Foundation of China Programs underGrants 61202010 and 91218302, in part by the 973 Program of China underGrant 2010CB328003, and in part by the National Key Technologies R&DProgram (SQ2012BAJY4052).

Y. Jiang is with the Department of Computer Science and Technology,School of Software, Tsinghua National Laboratory for Information Scienceand Technology, Key Laboratory for Information System Security, Ministry ofEducation, China (e-mail: [email protected]).

H. Zhang, M. Gu, and J. Sun are with the School of Software, TsinghuaNational Laboratory for Information Science and Technology, Key Labora-tory for Information System Security, Ministry of Education, China (e-mail:[email protected]; [email protected]; [email protected]).

X. Song is with the Department of Electrical and Computer Engineer-ing, Portland State University, Portland, OR 97201 USA (e-mail: [email protected]).

X. Jiao is with the International School, Beijing University of Postsand Telecommunications, Beijing 102209, China (e-mail: [email protected]).

W. N. N. Hung is with the Synopsys, Inc., Mountain View, CA 94043 USA(e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available onlineat http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIE.2012.2225393

under stated environmental conditions [3], [4]. The reliabil-ity theory deals with the interdisciplinary use of probability,statistics, and stochastic modeling, combined with engineeringinsights into the scientific understanding of failure mechanisms.The typical task for the reliability analysis is to build a math-ematical reliability model representing the system through aset of random variables. Then, distributions of these variablesare fully specified to calculate a system-level reliability for theoutput parameters [5]–[8]. For programmable logic controller(PLC) systems, these random variables are the failure proba-bilities of the hardware components and of software executionscaused by the environment, design weakness, and mishandling.

Traditionally, the reliability analysis of PLC systems is usu-ally realized by combinatorial methods such as fault tree (FT)[9] and reliability block diagram (RBD) [10]. FT involves spec-ifying a top event to analyze, such as the failure of the system,followed by identifying all associated events that could lead tothe top event. It can be solved using techniques such as binarydecision diagrams [11]. Analysts extend the traditional FT byassociating a particular Markov process to the leaf node toimprove the modeling power [12]. RBD is a graphical depictionof the system components and connectors. It can be used todetermine the overall system reliability, when the reliability ofeach system component is given. Similar work for extendingthe traditional RBD with the Markov process is presented in[13]. Recently, a more flexible modeling framework, named theBayesian network (BN), has been applied in system reliability[14]. It is similar to the neural network [15], [16] and isbased on the graphical and probabilistic reasoning theory forhandling uncertain probabilistic events. System reliability canbe expressed as a joint probability function over some randomvariables and mapped onto a BN. If the qualitative part of theBN follows the logic connection of the system components,the causal dependences of the system are then thought to beunderstood. Some comparisons between BN and FT in termsof the modeling and analysis capabilities are presented in [17].Dynamic BN is a generalization of BN and is also used for thereliability analysis [18]–[20]. The generalization is introducedto deal with the temporal correlation between time slices of thesystem. Those methods are efficient and easy to use and are themost widely used models for reliability analysis.

However, those methods present the designers and analystswith a high-level abstraction of PLC systems, demonstratingthe distributions of the system components and events. They donot consider the complex relations among system componentscaused by the embedded software. For example, different typesof embedded software have different times of memory readingand processor writing, which will lead to different overall

0278-0046/$31.00 © 2012 IEEE

5326 IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 60, NO. 11, NOVEMBER 2013

reliability quantities. For those reasons, we propose a novelprobabilistic model, called the hybrid relation model (HRM), tohandle the distributions of the system components as well as thecomplex relations caused by the embedded software. The HRMconstruction is based on the translation of the embedded soft-ware. We prove the constructed HRM to be a BN that capturesthe execution logic of the embedded software. Each node of theHRM is mapped to a corresponding system component, and thefailure probability of the mapped component is used to initiatethe conditional probability distribution (CPD) table of the node.Then, the HRM handles the failure probability of each systemcomponent and the execution logic of the embedded software.In addition, the HRM supports both predictive and diagnosticinferences about the reliability properties of the PLC systemwith the inference algorithms used in BN.

Generally speaking, the main contributions of our work areas follows.

1) We present an approach to translate the embedded controlsoftware of PLC systems into an HRM and prove thatthe constructed HRM captures the execution logic of theembedded software.

2) We define some CPD tables for the HRM nodes, map thesystem components to the HRM nodes, and initialize theCPD tables of the nodes with the failure probabilities ofthe corresponding components.

3) It is the first time that a model including both the exe-cution logic of the embedded software and the hardwarecomponents in an automatic method can carry on reliabil-ity analysis.

This paper is organized as follows: Section II introducessome background on PLC systems and the BN, Section IIIpresents the proposed HRM construction and initialization,Section IV presents the computation mechanism for theHRM and the reliability characterization of the whole system,Section V presents the experiments on some real industry PLCsystems to illustrate the efficiency and validity of our work, andSection VII concludes this paper.

II. BACKGROUND

A. PLC System

A simple PLC system is composed of a microprocessor,some input devices, and some output actuators. Signals canbe received from input devices such as sensors and switches,processed by the microprocessor according to the arrangementof the embedded software, and sent to actuators [21], [22]. It isessentially an industrial control computer, which works by wayof a periodic scanning mechanism. Each cycle is composed ofthree stages, as shown in Fig. 1. The first stage is sampling:The system reads the input data into the corresponding I/O.The second stage is processing: The microprocessor appliesthe embedded software to the control circuit and refreshesthe state of the I/O image. The last stage is actuating: Themicroprocessor refreshes the output according to the state of theI/O image and actuates the peripherals via the output circuit.

The embedded software is used to control and combinethe signals of these system components together. The Inter-national Electrotechnical Commission has defined four stan-

Fig. 1. Three stages for PLC system cycle.

Fig. 2. Simple LD for the motor reversible control system.

dard programming languages for PLC [23]: ladder diagram(LD), instruction list (IL), functional block diagram (FBD), andstructured text (ST). LD has its roots in the U.S. It is basedon the graphical presentation of relay ladder logic. IL is theEuropean counterpart of LD. As a textual language, it resemblesassembler. FBD expresses the behavior of a controller as aset of interconnected graphical blocks, like in the electroniccircuit diagrams. ST is a very powerful high-level languagethat is close to Pascal. It is claimed that the four languagesare equivalent [23]. There are many existing works translatingamong the four languages [24]–[26].

In this paper, we focus on LD. Over the past 30 years, LDhas been modified in order to keep up with increasing demandsof the industry. The LD program appears in many PLC systemscurrently on the market. The LD program can be subdividedinto networks and rungs. The basic principle of the ladderlogic is the current flowing through the networks and rungs,from left to right and top to bottom. There are two types ofbasic instructions in LD. The first type consists of the regularinstructions representing the conditions of the ladder rung. It iscomposed of contacts and logic connections. The second typeconsists of some special instructions such as timer, counter,and coil. If a path can be traced through the asserted contacts,the rung is true, and the output storage bit will be assertedtrue. Fig. 2 shows a simple LD program. It is made up of twoladder rungs. The symbol −||− is a normally open contact,representing a primary input. When the value of X1 is 1, thecontact stays in the closed state, and the current flows throughthe trace. The symbol −|/|− is a normally closed contact.When the value of Y1 is 0, the contact stays in the closedstate, and the current flows through the trace. For more detailedinformation about the other instructions, check [23].

B. BN

BN [27] is a directed probabilistic graphical model. Eachnode in the graph represents a random variable, and the arcbetween two nodes expresses the conditional probabilistic de-pendence of the two random variables. The formal definition ofthe BN is the tuple 〈N,E, P 〉.

1) N is the set of nodes: N = {n1, n2, . . . , nn}, and ni isthe label of the node.

2) E is the set of arcs: E = {eij |there is an arc fromnode ni to nj}, and eij is the label of the arc.

JIANG et al.: BAYESIAN-NETWORK-BASED RELIABILITY ANALYSIS OF PLC SYSTEMS 5327

Fig. 3. Simple BN example for road state.

TABLE ICPD FOR THE STATE OF ROAD: WET OR DRY

3) P is the set of CPDs: P = {f(ni|parent(ni))}.parent(ni) denotes the parents of the node ni, andf(ni|parent(ni)) is the conditional distribution of vari-able ni given all its parents.

The first two items make up a directed acyclic graph (DAG),which is the qualitative part of the BN. The qualitative part isused to encode the conditional independence statements of amultivariate statistical distribution, representing that a variableis conditionally independent of its nondescendants given itsparents. All of these conditional independences can be extractedfrom a BN structure using the d-separation rules.

The third item is the quantitative part of the BN. Theconditional independences embedded among the random vari-ables are described through the CPD tables. The CPD tablesallow us to calculate the joint probability function in a sim-plified form (2) compared to the original form (1), wheref(n1, n2, . . . , nn) is the joint distribution of those variables andf(nn|nn−1 · · ·n1) is the distribution of nn given all the othervariables

f(n1, n2, . . . , nn) = f(nn|nn−1 · · ·n1)

· f(nn−1|nn−2 · · ·n1) · · · f(n1) (1)

f(n1, n2, . . . , nn) =

n∏

i=1

f (ni|parent(ni)) . (2)

A simple BN example is shown in Fig. 3. It captures therelations among the weather, sprinkler, and road. The weathercan be sunny or rainy, the road can be wet or dry, and thesprinkler can be on or off. There are some causal links amongthe three nodes. If it is rainy, it will make the road wet directly. Ifit is sunny for a long time, we can make the road wet indirectlyby turning on the sprinkler. Those causal correlations amongthe three objects are expressed with the directed arcs and theCPD table. The first line of the table represents the fact: Whenthe weather is sunny and the sprinkler is closed, the road is wetwith the probability of zero (Table I).

Fig. 4. Algorithm to translate the LD into a graph structure.

Based on the BN graphical structure and some CPD tablesthat reflect the reality of the three objects, both predictive anddiagnostic inferences can be performed.

III. HRM CONSTRUCTION

This section introduces a probabilistic modeling method ofthe PLC system embedded with the LD program. An algorithmis proposed to translate the LD program into the HRM, andthe constructed HRM is proved to be a BN that captures theunderlying dependence model of the execution logic of theLD program. Then, some CPD tables for the HRM nodes aredefined and initiated with the failure probabilities of the mappedsystem components.

A. Qualitative Part Structure Construction

The execution logic of the embedded LD program is ig-nored by the original component-based FT, RBD, and BNmethods. We intend to model the complex relation into theHRM with an automatical method. The key challenge tobuild the HRM is to organize these contacts, coils, specialinstructions, and connections in a structured way. Since themicroprocessor processes the input signals according to thearrangement of the ladder program from left to right andfrom top to bottom, we develop an iterative traversal algo-rithm for the translation. The translation algorithm is shownin Fig. 4. The algorithm makes use of a structure nodeStruct node {char∗ type;node∗ left;node∗right; }.Based on the structure node, the algorithm builds an undirectedgraph model. All the contacts, special instructions, and connec-tions are mapped to the nodes in the graph structure.

We will now examine the algorithm in detail. The coil ofeach ladder rung is ignored and will be processed in the nextprocedure. In the first case, the ladder2 is the minimal ladderblock that is serially connected to the rest of the ladder logicblock. We traverse the contacts of the ladder rung to find the


Fig. 5. Graph structure result from the algorithm.

Fig. 6. HRM for the PLC system controlled by LD shown in Fig. 2.

last contact I or the last parallel-connected structure IS, whereI or IS is serially connected with the proceeding contacts. Theladder2 consists of the ladder block I or IS, and the ladder1consists of the rest of the ladder rung. The original ladderrung is translated into an Sconnection node, with two subgraphstructure construction tasks. In the second case, the ladder1 andladder2 are the maximal ladder logic blocks that are in parallelconnection, which can be processed similarly to the first case.The atomic instructions of a ladder rung must be one of thelast three cases, including the regular instructions such as logiccontacts and special instructions such as timer. The result of thetranslation algorithm for the first ladder rung in Fig. 2 is a graphstructure shown in Fig. 5.

When we get the undirected graph structure with the pro-posed algorithm, we can accomplish the construction processby the following three actions: adding a coil node to the rootof the graph structure, rotating the graph structure, and addingall the arcs with direction from the top to bottom. The finalgraph structure in Fig. 6 is the HRM corresponding to the firstladder rung in Fig. 2. It is obvious that the execution logic ofthe LD program, processing from the left to right, is captured inthis DAG. We present more formal proof process hereinafter.If we apply this translation framework from the first ladderrung to the final ladder rung repeatedly, the execution logic

of the LD program, processing from the top to bottom, is alsocaptured.

Then, we prove that the constructed HRM is a minimal repre-sentation of the underlying dependence model of the executionlogic of the LD program and is a BN. The proof process is basedon the description in [28] and [29]. We start by introducingsome basic concepts such as conditional independence and dseparation. Then, we prove that all dependences among theLD program can be captured in the HRM. The followingfundamental definitions have been defined in [28].

Definition 1: Let M be a dependence model, which con-sists of a set of random variables V = {v1, v2, . . . , vn} and aprobability function P over these variables. V1, V2, and V3 arethe subsets of V . Then, V1 and V2 are said to be conditionalindependent given V3, if the joint probability function P overthese three subsets satisfies

P (V1|V2, V3) = P (V1|V3) or P (V2|V1, V3) = P (V2|V3).

The conditional independence between V1 and V2 given V3 isdenoted by the notation I(V1, V3, V2).

Definition 2: A subset V1 of V is called a Markov blanketof element vi, if I(vi, Vi;V − Vi − vi) holds. Furthermore, thesubset Vi is called a Markov boundary of vi, if none of its propersubset satisfies the triple independence relation.

Definition 3: Let d = {vd1, vd2, . . . , vdn} be a reordering ofthe random variables {v1, v2, . . . , vn} of the dependence modelM . The boundary strata of M relative to d are an ordered set{Vd1, Vd2, . . . , Vdn}, where Vdi is a Markov boundary of vdiwith respect to the set {vd1, vd2, . . . , vd(i−1)}. The DAG D,created by designating each Vdi as the parents of the corre-sponding vertex vdi, is called a boundary DAG of M relativeto the ordering d.

Definition 4: Let D be a DAG, which consists of a set ofnodes N = {n1, n2, . . . , nn} and arcs among them. N1, N2,and N3 are the subsets of N . N1 and N2 are said to be dseparated given N3, if there is no path between any node in N1

and N2 satisfying the following two properties: 1) Every nodeon the path with converging arrows is in N3 or has a descendantin N3, and 2) every node on the path without converging arrowsis outside N3. The d-separated relation between N1 and N2

given N3 is denoted by the notation 〈N1|N3|N2〉.Definition 5: A DAG D is said to be an I-map of a depen-

dence model M , if every d-separation condition displayed inD corresponds to a valid conditional independence relation inM . Furthermore, D is a minimal I-map of M , if none of thearc can be deleted without destroying its implied dependencemodel M .

Based on the dependence model M , the DAG D, and thosedefinitions of joint probability functions on the dependencemodel M and the DAG D, the following definition proved in[28] shows the equivalence between DAG and BN.

Definition 6: If the DAG D is a boundary DAG of thedependence model M relative to an ordering d, D is a minimalI-map of M . Furthermore, if the DAG D is a minimum I-mapof the dependence model M , D is called a BN of M .

Finally, we draw the conclusion that shows the equivalencebetween the HRM and BN as follows.


Theorem 1: The constructed HRM is a minimal I-map ofthe underlying execution logic dependence model of the LDprogram used to control PLC system and is a BN.

Proof: Let {vi} denote the signal flowing through the lad-der rung from the left to right, including the signals generatedby the input sensors (contacts) and the result generated by theexecution of the PLC microprocessor (special instructions andconnections between contacts). It is a one-to-one mapping toHRM node {ni}. We give a reordering d over the randomsignal variables {vi}. The ordering d satisfies the property:For two random variables vi and vj , vi must appear beforevj if vi is on the left side of vj . That means that signal vi isthe input signal of the connection logic execution of the PLCmicroprocessor while signal vj is the output of the execution.With this ordering, we derive the Markov boundary of a vari-able according to the dependence model with the followingtwo principles: 1) If vj represents the output signal of PLCmicroprocessor logic execution, its Markov boundary is thesignal variables {vi} that are used to generate vj , and 2) ifvi represents the signal generated by a contact and a specialinstruction execution, then its Markov boundary is null. Then,the parents of each node variable are its Markov boundary inthe HRM. This is an important and useful feature captured bythe translation algorithm and the direction arcs on the translatedgraph structure. By Definition 6, the HRM is a boundary DAG,a minimal I-map of execution logic dependence model M ofthe ladder program, and, thus, a BN. �

According to the theorem, the constructed HRM in Fig. 6 isa minimal I-map of the underlying dependence model of thefirst ladder rung shown in Fig. 2. The execution logic of the LDprogram can be mapped into the HRM nodes through the trans-lation algorithm and the arcs of the translated graph structure.The contacts, special instructions, coils, and connections of theLD program can be mapped to the PLC system components.For example, the contacts can be mapped to input devices suchas sensors, the coils can be mapped to actuators such as motors,and the connections and special instructions can be mapped tothe execution of the PLC microprocessor. We harmonize thesystem components and the embedded software through thismapping process.

B. Quantitative Part Structure Construction

As described in Section II, the quantitative part of the BN isa set of CPD tables. Each CPD table is driven by the core distri-bution function P = {f(nt

i|parent(nti))}. The joint probability

distribution can be expressed by the product of each conditionalprobability. In the HRM, we have four types of nodes: the coilnode, contact node, special node, and connection node. Eachnode can be mapped to a corresponding hardware component.We need to incorporate the failure probabilities of the corre-sponding hardware components into these variables by well-defined CPD tables. Those CPD tables are listed in Tables II–V.

Table II is the CPD table of the contact node. Becausethe contact node is mapped to the input devices such as thesensor and switch, we must use the failure probabilities of thesecomponents to initialize the table. In the table, x represents thecorrect input of the PLC system, and εs represents the failure

TABLE IICPD FOR CONTACT NODE

TABLE IIICPD FOR SPECIAL INSTRUCTION NODE

TABLE IVCPD TABLE FOR CONNECTION NODE THAT REPRESENTS THE

SERIAL LOGIC EXECUTION OF PLC MICROPROCESSOR

TABLE VCPD FOR CONNECTION NODE THAT REPRESENTS THE PARALLEL

LOGIC EXECUTION OF PLC MICROPROCESSOR

probability of the input devices. The contact node Os has fourpossible values: 1) “10” represents that the correct input shouldbe one but the actual sampling value of the component turns outto be zero; 2) “01” represents that the correct input should bezero but the actual sampling value of the component turns outto be one; 3) “00” represents that the correct input should bezero and the actual sampling value of the component is zero;and 4) “11” represents that the correct input should be one andthe actual sampling value of the component is one.

The special node mapped to special instructions such astimer and counter can be regarded as an execution of the PLCmicroprocessor, just like an input sampling of the sensor. It is


translated as a leaf node with the proposed algorithm, just likethe contact node, as shown in Fig. 5. Hence, the CPD tablefor the special node has the same structure as Table II. εp isthe failure probability of the PLC microprocessor, denoting theprobability that the processor generates an error output of theinstruction execution.

Then, let us consider the CPD table of the connection node.The CPD table for the serial logic connection is presentedin Table IV. The table is coincident to those of the contactnode and special node. The connection between atomic instruc-tions can be regarded as parallel and serial logic executionsof the PLC microprocessor. Each connection node (Oe) hastwo parent nodes (O1, O2). The connection node also hasfour possible values. “10” represents that the correct outputof this logic execution should be one but the microprocessorgenerates actual output of zero due to some uncertain errors.The uncertain errors include the errors inheriting from its parentnodes and the errors caused by the current logic execution of thePLC microprocessor. The other three values can be explained inthe same way.

Take Fig. 6 as an example. We map the contact node Y1 toO1 and the parallel connection node P1 to O2 and generate thevalue of the serial connection node S1. The value of (Y1, P1)is (11, 01). It means that the correct output of the two nodesshould be (1, 0) but the actual output of the two nodes is(1, 1). The error of P1 may be caused by the sampling errorinheriting from X1 and Y0 or by the logic execution of thePLC microprocessor. The error will be propagated to the serialconnection node S1. When S1 inherits this error, the actualoutput will turn out to be one while the correct output should bezero. Furthermore, when the PLC microprocessor happens tobe in error at the same time, the wrong output, due to the errorinheriting from P1, will be inverted. The error will be canceledout. Hence, the values of S1 are “10” with probability of 1− εpand “11” with probability of εp. Detailed information about thiscase is presented in the 14th line of Table IV. The other linescan be explained in the same way.

The CPD table for the parallel connection node is presentedin Table V. The structure and the probability of each value aredefined in the same manner with that of the serial connectionnode. Take Fig. 6 as an example. We map the contact node X1

to O1 and the contact node Y0 to O2 and generate the valueof the first connection node P1. The value of (X1, Y0) is (11,01). It means that the correct output of the two nodes shouldbe (1, 0) but the actual output of the two nodes is (1, 1). Theerror of Y0 may be caused by the sampling error and will bepropagated to the connection node P1. When P1 inherits thiserror and the PLC microprocessor happens to be in error at thesame time, the actual output will turn out to be zero while thecorrect output should be one. Furthermore, when P1 inheritsthis error only, the error will be canceled out. Hence, the valuesof P1 are “10” with probability of εp and “11” with probabilityof 1− εp. Detailed information about this case is presented inthe 14th line of Table V.

Finally, we initiate the CPD table for the coil node. It ispresented in Table VI. The coil node can be mapped to theactuator device of the PLC system. The actuator device is justcontrolled by the output signal of the PLC system. Hence, the

TABLE VICPD TABLE FOR THE COIL NODE

coil node cannot cancel out the errors inheriting from its parentnode. When the values of its parent node are “01” and “10,”the actuator will be in error with probability of one. Whenthe values of its parent are “00” and “11,” the coil node willbe in error with the probability of εa. εa is the reliability ofthe actuator, denoting the probability that the actuator fails toaccomplish the task.

We have incorporated the reliability of the PLC input de-vices, PLC microprocessor, and actuators into these CPD ta-bles. What we need is to change the values of εs, εp, and εaaccording to the stated operation environment. We can performpredictive and diagnostic inferences to study the behavior of thewhole system or a single component.

IV. HRM COMPUTATION

A. Inference Algorithm

Given the HRM graphical model and the corresponding CPDtables, we can evaluate all possible predictive and diagnosticinferences efficiently. A number of algorithms have been in-vented to solve the inference problems. One of the most popularalgorithms is the message passing algorithm, which is an exactinference algorithm. It is based on the local message passingon a junction-tree structure, the nodes of which are subsets ofthe original random variables. All the approximate inferencemethods are based on sampling techniques. Based on thosealgorithms, many software tools such as Netica [30] have beenimplemented.

Before we perform the inference algorithms, we must firstcompile the HRM to get the final junction tree. The compilingprocess to get the nodes of the junction tree named as clique andthe connections among the cliques is divided into the followingthree steps.

1) Graph moralization: We must check every node in theHRM. If the node has more than one parent and theparents have not been connected by arcs, we add undi-rected edges among those parents to ensure that everyparent–child set is a complete graph. Then, we delete thedirection of arcs in the HRM to get the moral graph.

2) Graph triangulation: We look for the cycles longer thanthree nodes in the moral graph and break them into thecycles of three nodes by additional edges. The purpose isto transform the moral graph into a complete graph. Wecan triangulate the moral graph by more than one way.Some heuristic schemas are adopted to make the moralgraph triangulated by adding a minimum number of edges[29], [31].

3) Tree formation: The node of the junction tree namedclique is a maximal set of nodes where all nodes in theset are connected. Global consistency is automatically


preserved by constructing the junction tree in the follow-ing manner: 1) Between any two cliques Ci and Cj , thereis a unique path, and 2) the variables in the set Ci ∩ Cj

must be contained in all the cliques along the path. Atree can be constructed according to heuristic schemaspresented in the previous step to meet the two properties.

Then, inference is performed by maintaining functions re-lated to the joint distributions of all variables in the clique.Let us take an information flow example in two neighboringcliques to understand the key feature of the message passing.Let clique C1 = {Ni}, clique C2 = {Nj}, and node set S12 =C1 ∩ C2 = {Ns} which is the intersection of the two cliques.Then, the probabilities of them are defined as follows:

P (C1) =∏

ni∈C1

f (ni|parent(ni)) (3)

P (C1, C2) =P (C1)P (C2)

P (S12). (4)

Equation (3) is about the conditional distribution of the variableC1 in the junction tree. It is expressed by the conditional proba-bilities of the variables in the original HRM. The expressionsfor variables C2 and S12 are in the same manner. Equation(4) is the joint probability function over the cliques C1 andC2. They must agree on the probability of the node set S12.When there is new evidence for the clique C1, the CPD forthe clique C2 must also be changed to adapt to the agreementon S12. Thus, we need to compute the marginal probability ofS12 from probability potential of the clique C1 and use thisprobability scaling factor to scale the probability potential ofC2. This transmission process is called message passing, andevery new piece of evidence is added to the network by thistype of local message passing.

B. System Reliability

We have presented the computational mechanism to analyzethe reliability characterization of the PLC system correspond-ing to each independent ladder rung. The LD program iscomposed of many ladder rungs, which may relate with eachother. For example, the output of a ladder rung may work as aninput of another ladder rung. As a result, we have to consider theeffect of this relation as well as how to combine the independentfailure probability of each ladder rung to get the reliabilitycharacterization of the whole PLC system.

First, we have to find out how the relation will affect thefailure probability of another ladder rung. We take the programin Fig. 2 as an example to illustrate the relation and its effects.As to the motor reversible control program, the output O(Y0) ofthe first ladder rung is an input I(Y0) of the second ladder rung.We must calculate the reliability characterization of O(Y1) withthe consideration of the input I(Y0). As we can see, when wetranslate the second ladder rung with the proposed algorithm,the contact I(Y0) will be translated as a leaf node similar to theother primary inputs. We need to initiate the CPD of this nodein the form of Table II. The first method is to set the εs with avalue of zero and cascade the translated graph structure of thefirst ladder rung (Fig. 5) to the node corresponding to I(Y0).

The second method is to set the εs with the failure probabilityof the first ladder rung, because the error probability of I(Y0)is the error probability of O(Y0) of the first ladder rung. Therelation can be captured with either of the two methods. If theLD program is considerably large and has high connectivitybetween ladder rungs, the size of the cascaded HRM becomeslarge. This results in large number of CPD tables and complexcalculation with limited memory resources. In our work, weprefer to use the second method.

Second, we need to know how to combine the independentfailure probability of each ladder rung. After the failure proba-bility of each ladder rung is obtained by applying the inferencealgorithm, we can get the final reliability characterization func-tion for the whole PLC system as follows.

Theorem 2: The reliability characterization function of aPLC system is

f = 1−i≤n∏

i=1

(f(Oi))

where f(Oi) is the failure probability of the ith ladder rung andn is the total number of the ladder rungs.

Proof: The formula (1− f(Oi)) denotes the probabilitythat the ith ladder rung is not in failure, and

∏i≤ni=1(1− f(Oi))

denotes the probability that all the ladder rungs are not infailure. The failure probability of a PLC system is the sum of allthe combinations that there is at least one ladder rung in failure.It equals to one minus the probability that none of the ladderrungs is in failure. �

V. EXPERIMENT RESULT

In this section, we illustrate our method with a small ex-ample. Then, we validate our method through more com-plex industry applications. For those applications, the HRM isconstructed with the proposed algorithm, and the conditionalprobabilities are assigned by the well-defined CPD tables. Weuse Netica for compiling the junction tree and propagating theprobabilities in order to compute the reliability characterizationof these systems. We also calculate the reliability characteriza-tion of those systems with the original component-based RBDand BN methods. Finally, we devise some random simulationsto confirm the correctness of the reliability characterization.The simulations run on a computer with 3.06-GHz CPU and2 GB of memory. The Monte Carlo simulation framework forthe reliability analysis is based on fault injection. We embedthe error probabilities of the system components into the MonteCarlo simulator.

A. Small Example

Let us calculate the PLC system that controls the motorto move forward and stop. It consists of some sensors tosample the inputs of buttons, a processor to process those inputsaccording to the embedded LD program shown in Fig. 2, andthe actuator motor. The HRM of the system corresponding tothe first ladder rung is shown in Fig. 6. The HRM correspondingto the second rung is similar. We set ε for each component


TABLE VIICPD FOR NODE P1

TABLE VIIIRELIABILITY FOR MOTOR CONTROL SYSTEM

as follows: 0.05 for the sensor, 0.02 for the processor, and0.01 for the motor. Then, we use these failure probabilities ofcomponents to initiate the quantitative part of the HRM. Forexample, the CPD table of node P1 that represents the reliabilityof the processor output signal is an instance of Table V, shownin Table VII.

The reliability characterization of the motor control systemwith the HRM-based methods is 0.83%. If we do not considerthe execution logic of the embedded LD program, the reliabilitycharacterization for hardware-component-based BN and RBDmethods is 0.67%, while the failure probability of the systemsimulation is 0.91%. We change the failure probability ofthe processor and keep the others the same. The results arepresented in Table VIII. As can be observed in those results,in comparison to the original component-based RBD and BNmethods, the HRM-based reliability analysis is more close tothe simulation results.

B. Complex Applications

The first complex application is an actual industrial PLCsystem, which was originally published in [32]. The hardwarecomponent distribution of the system is shown in Fig. 7. Itconsists of four pistons (A, B, C, and D) which are operatedby four solenoid valves (V1, V2, V3, and V4). Each piston hastwo corresponding normally open limit sensor contacts. Threepush buttons are provided to start the system, stop the systemnormally, and stop the system immediately in emergency. Ina manufacturing facility, such piston systems can be used to

Fig. 7. Component distribution of the industrial automated system.

Fig. 8. First diagram used to control the piston system in Fig. 7.

load/unload parts from a machine table and extend/retract acutting tool spindle.

There are four embedded LD programs used to control theaforementioned hardware component deployment. The four LDprograms are shown in Figs. 8–11. The functions of the fourprograms are presented in [32]. They accomplish different ser-vices by actuating those pistons in different sequences. We setthe failure probabilities of the system components in Table IX.We can also change the failure probability of the processor andkeep the others the same. Then, the failure probabilities of thesystem corresponding to the four LD programs are listed inTables X–XIII, respectively.

As can be observed from the simulation results presented inthe fifth column of Tables X–XIII, the final failure probabilityof the piston system is different when it is controlled bydifferent LD programs. With the same PLC processor failureprobability, more complex LD programs will lead to higherfailure probability. This is due to the fact that a more complexLD program will engender more complex arrangements ofthe logic executions of the system components. On the otherhand, the reliability characterizations obtained by the originalcomponent-based BN and RBD methods, as presented in thesecond and third columns of the four tables, are the same.The values are not close to the simulation results. This is dueto the fact that they mainly consider the distribution of the


Fig. 9. Second diagram used to control the piston system in Fig. 7.

Fig. 10. Third diagram used to control the piston system in Fig. 7.

system components, the signal dependences among them, andthe complex relations caused by the execution logic of theLD program being ignored. The HRM-based method is moreaccurate. As shown in the fourth column of each table, theerror between the HRM results and the simulation results is lessthan 3%. The results gathered by way of the HRM are moreclose to the run time station, because the failure probability ofthe single system component and the complex execution logic

Fig. 11. Fourth diagram used to control the piston system in Fig. 7.

TABLE IXSTATIC FAILURE PROBABILITY OF EACH COMPONENT

TABLE XRELIABILITY FOR THE PISTON SYSTEM CONTROLLED BY THE LADDER 1

of the control program are captured by the HRM and CPDtables. Furthermore, for the four LD programs, the total timefor the HRM construction of our algorithm and the evidencepropagation in Netica is within 0.1 s.

The other three more complex industry applications are in-troduced in detail in the papers [33]–[35], including the systemcomponent distributions and the embedded LD programs. Thedetailed LD programs are also presented in the website [36].The first is a PLC control system for a secondary clarifier scumremoval that is installed in the Deer Island Water PollutionTreatment Facility near Boston, MA. The second is a discretemanufacturing PLC system, representing a component sorting,


TABLE XIRELIABILITY FOR THE PISTON SYSTEM CONTROLLED BY THE LADDER 2

TABLE XIIRELIABILITY FOR THE PISTON SYSTEM CONTROLLED BY THE LADDER 3

TABLE XIIIRELIABILITY FOR THE PISTON SYSTEM CONTROLLED BY THE LADDER 4

TABLE XIVRELIABILITY FOR THE DOUBLE-DOOR CONTROL SYSTEM

assembly, and inspection process. The third is a double-doorcontrol PLC system in the Lingshan stage control system inChina. We set the failure probability of the system componentssimilar to that of the piston system in Fig. 1. All failure proba-bilities of the system components are set to be 0.05. Then, thereliability characterizations of the three systems are presentedin Table XIV–XVI, respectively. From the three tables, wecan see that the HRM is accurate, even with these complexapplications, that the error between the simulations results andthe HRM-based results is also within 0.3, and that the total timeis also within 0.1 s.

TABLE XVRELIABILITY FOR DISCRETE MANUFACTURING PLC SYSTEM

TABLE XVIRELIABILITY FOR CLARIFIER SCUM REMOVAL SYSTEM

VI. EXPERIMENT ANALYSIS

The experiment results demonstrate the accuracy of ourmodel. Now, we give a mathematical time complexity analysisof our model to demonstrate the efficiency and scalability ofour model. The time complexity of the translation algorithm isO(m · nmax), where m is the number of ladder rungs in theLD program and nmax is the number of contacts in the longestladder rung. The time complexity of the exact inference inNetica is O(m · cn · 4|cmax|), where cn is the number of cliquesin the compiled junction tree of the original HRM and |cmax| isthe number of contacts in the largest clique.

From the aforementioned complexity analysis, we can drawthe conclusion that the proposed HRM is more close to thesimulation results than the original component-based BN andRBD framework and that the calculation time consumption isnot expensive. Moreover, the flexibility of the HRM is alsouseful, because, for different samples of failures, only thefailure probability of the component changes. The constructedHRM of the system will not change, and the CPD table for eachnode needs to be adapted only once. It makes the HRM-basedreliability analysis very efficient for large PLC systems withcomplex LD programs.

VII. CONCLUSION

In this paper, we have proposed an HRM for the reliabilityanalysis of the PLC system. The model is constructed basedon the embedded LD program. The execution logic of theembedded program is mapped to the HRM through the pro-posed translation algorithm. The model consists of four kinds ofnodes and some arcs among those nodes. The HRM is formallyproved to be a BN. Then, we have defined some CPD tablesfor the nodes according to the semantic of each kind of node.


All the nodes can be mapped to some corresponding hardwarecomponents through the CPD table initialization. Throughthese two mapping processes, both the execution logic of theembedded control software and the hardware components arecaptured. Then, it provides us a convenient way to carry onpredictive inferences about the reliability properties of the PLCsystem.

REFERENCES

[1] M. Villani, M. Tursini, G. Fabri, and L. Castellini, “High reliability perma-nent magnet brushless motor drive for aircraft application,” IEEE Trans.Ind. Electron., vol. 59, no. 5, pp. 2073–2081, May 2012.

[2] J. Wang, M. Chen, X. Wan, and C. Wei, “Ant-colony-optimization-basedscheduling algorithm for uplink CDMA nonreal-time data,” IEEE Trans.Veh. Technol., vol. 58, no. 1, pp. 231–241, Jan. 2009.

[3] W. Blischke and D. Murthy, Reliability: Modeling, Prediction, and Opti-mization. New York: Wiley, 2011, ser. Wiley Series in Probability andStatistics.

[4] U. S. Dept. Defense, Reliability Modeling and Prediction, MilitaryStandard, Washington, DC, U.S. Dept. Defense, 1981.

[5] X. Yu and A. Khambadkone, “Reliability analysis and cost optimizationof parallel inverter system,” IEEE Trans. Ind. Electron., vol. 59, no. 10,pp. 3881–3889, Oct. 2011.

[6] F. Chan and H. Calleja, “Reliability estimation of three single-phasetopologies in grid-connected PV systems,” IEEE Trans. Ind. Electron.,vol. 58, no. 7, pp. 2683–2689, Jul. 2011.

[7] G. Petrone, G. Spagnuolo, R. Teodorescu, M. Veerachary, and M. Vitelli,“Reliability issues in photovoltaic power processing systems,” IEEETrans. Ind. Electron., vol. 55, no. 7, pp. 2569–2580, Jul. 2008.

[8] J. Wang, M. Chen, and J. Wang, “Adaptive channel and power alloca-tion of downlink multi-user MC-CDMA systems,” Comput. Elect. Eng.,vol. 35, no. 5, pp. 622–633, Sep. 2009.

[9] W. Lee, D. Grosh, and F. Tillman, “Fault tree analysis, methods, andapplications—A review,” IEEE Trans. Rel., vol. R-34, no. 3, pp. 194–203,Aug. 1985.

[10] H. Guo and X. Yang, “A simple reliability block diagram method forsafety integrity verification,” Reliab. Eng. Syst. Saf., vol. 92, no. 9,pp. 1267–1273, Sep. 2007.

[11] X. Zang, H. Sun, and K. Trivedi, “A BDD-based algorithm for reliabilityevaluation of phased mission systems,” IEEE Trans. Rel., vol. 48, no. 1,pp. 50–60, Mar. 1999.

[12] M. Bouissou and J. Bon, “A new formalism that combines advantages offault-trees and Markov models: Boolean logic driven Markov processes,”Reliab. Eng. Syst. Saf., vol. 82, no. 2, pp. 149–163, Nov. 2003.

[13] S. Distefano and L. Xing, “A new approach to modeling the system relia-bility: Dynamic reliability block diagrams,” in Proc. IEEE Annu. RAMS,2006, pp. 189–195.

[14] C. Bai, Q. Hu, M. Xie, and S. Ng, “Software failure prediction based on aMarkov Bayesian network model,” J. Syst. Softw., vol. 74, no. 3, pp. 275–282, Feb. 2005.

[15] B. Ayhan, M. Chow, and M. Song, “Multiple discriminant analysis andneural-network-based monolith and partition fault-detection schemes forbroken rotor bar in induction motors,” IEEE Trans. Ind. Electron., vol. 53,no. 4, pp. 1298–1308, Jun. 2006.

[16] B. Li, M. Chow, Y. Tipsuwan, and J. Hung, “Neural-network-based motorrolling bearing fault diagnosis,” IEEE Trans. Ind. Electron., vol. 47, no. 5,pp. 1060–1069, Oct. 2000.

[17] A. Bobbio, L. Portinale, M. Minichino, and E. Ciancamerla, “Improv-ing the analysis of dependable systems by mapping fault trees intoBayesian networks,” Reliab. Eng. Syst. Saf., vol. 71, no. 3, pp. 249–260,Mar. 2001.

[18] “Complex system reliability modelling with dynamic object orientedBayesian networks (DOOBN),” Reliab. Eng. Syst. Saf., vol. 91, no. 2,pp. 149–162, Feb. 2006.

[19] D. Bruckner and R. Velik, “Behavior learning in dwelling environmentswith hidden Markov models,” IEEE Trans. Ind. Electron., vol. 57, no. 11,pp. 3653–3660, Nov. 2010.

[20] J. Wang and X. Xie, “Optimal odd-periodic complementary sequences fordiffuse wireless optical communications,” Opt. Eng., vol. 51, no. 9, p. 095002-1, Sep. 2012.

[21] W. Bolton, Programmable Logic Controllers. Burlington, MA: Newnes,2009.

[22] G. Dunning and Dunning, Introduction to Programmable Logic Con-trollers. Albany, NY: Delmar, Thomson Learning, 2002.

[23] PLC Programming Languages, IEC 61131-3 Std., Int. Electrotech. Com-mission (IEC), 2003, 2nd ed.

[24] Y. Yan and H. Zhang, “Compiling ladder diagram into instruction list tocomply with IEC 61131-3,” Comput. Ind., vol. 61, no. 5, pp. 448–462,Jun. 2010.

[25] R. Sun, J. Zhu, and J. Teng, “Transformation algorithm from PLC in-struction list to ladder diagram based on block-growth,” Comput. Knowl.Technol., vol. 33, pp. 36–43, 2008.

[26] L. Huang and W. Liu, “Algorithm of transformation from PLC ladderdiagram to structured text,” in Proc. IEEE 9th Int. Conf. Electron. Meas.Instrum., 2009, pp. 4-778–4-782.

[27] J. Pearl, “Fusion, propagation, and structuring in belief networks ∗ 1,”Artif. Intell., vol. 29, no. 3, pp. 241–288, Sep. 1986.

[28] J. Pearl, Probabilistic Reasoning in Intelligent Systems: Networks of Plau-sible Inference. San Francisco, CA: Morgan Kaufmann, 1988.

[29] R. Cowell, A. Dawid, S. Lauritzen, and D. Spiegelhalter, “Probabilisticnetworks and expert systems,” in Statistics for Engineering and Informa-tion Science. New York: Springer-Verlag, 1999.

[30] N. Manual, Netica V1.05, Norsys Software Corp., 1997.[31] U. Kjærulff, Triangulation of Graphs—Algorithms Giving Small Total

State Space, Aalborg, Denmark, Univ. Aalborg, Mar. 1990.[32] K. Venkatesh, M. Zhou, and R. J. Caudill, “Comparing ladder logic

diagrams and Petri nets for sequence controller design through a dis-crete manufacturing system,” IEEE Trans. Ind. Electron., vol. 41, no. 6,pp. 611–619, Dec. 1994.

[33] M. Zhou and E. Twiss, “Design of industrial automated systems viarelay ladder logic programming and Petri nets,” IEEE Trans. Syst., Man,Cybern. C, Appl. Rev., vol. 28, no. 1, pp. 137–150, Feb. 1998.

[34] M. Uzam and A. Jones, “Discrete event control system design usingautomation Petri nets and their ladder diagram implementation,” Int. J.Adv. Manuf. Technol., vol. 14, no. 10, pp. 716–728, 1998.

[35] R. Wang, X. Song, J. Zhu, and M. Gu, “Formal modeling and synthesis ofprogrammable logic controllers,” Comput. Ind., vol. 62, no. 1, pp. 23–31,Jan. 2011.

[36] PLC System Ladder Program for the Three Complex Applications.[Online]. Available: https://sites.google.com/site/jiangyu198964

Yu Jiang received the B.S. degree in softwareengineering from Beijing University of Posts andTelecommunications, Beijing, China, in 2010. Heis currently working toward the Ph.D. degree incomputer science at Tsinghua University, Beijing.

His current research interests include domain spe-cific modeling, formal verification, and their applica-tions in embedded systems.

Hehua Zhang received the B.S. and M.S. degrees incomputer science from Jilin University, Changchun,China, in 2001 and 2004, respectively, and the Ph.D.degree in computer science from Tsinghua Univer-sity, Beijing, China, in 2010.

She is currently a Lecturer with the School ofSoftware, Tsinghua National Laboratory for Infor-mation Science and Technology, Tsinghua Univer-sity. Her current research interests include domainspecific modeling, formal verification, and their ap-plications in embedded systems.


Xiaoyu Song received the Ph.D. degree from theUniversity of Pisa, Pisa, Italy, 1991.

From 1992 to 1999, he was a Faculty Member withthe University of Montreal, QC, Canada. In 1998, hewas a Senior Technical Staff with Cadence DesignSystems, San Jose, CA. Since 1999, he has beenwith Portland State University, Portland, OR, wherehe is currently a Professor with the Department ofElectrical and Computer Engineering. His currentresearch interests include formal methods, designautomation, embedded system design, and emerging

technologies.Dr. Song was a recipient of the Intel Faculty Fellowship Program during

2000–2005. He served as an Associate Editor of the IEEE TRANSACTIONS ON

CIRCUITS AND SYSTEMS and the IEEE TRANSACTIONS ON VERY LARGE

SCALE INTEGRATION (VLSI) SYSTEMS.

Xun Jiao is currently working toward the B.S. de-gree in telecommunication engineering and manage-ment in the International School, Beijing Universityof Posts and Telecommunications, Beijing, China.

His current research interests include wirelesscommunication, wireless sensor network, formalverification, and their applications in embeddedsystems.

William N. N. Hung received the B.S. and M.S.degrees in electrical and computer engineering fromThe University of Texas, Austin, in 1994 and 1997,respectively, and the Ph.D. degree in electrical andcomputer engineering from Portland State Univer-sity, Portland, OR, in 2002.

From 1997 to 2004, he was a Senior Engineerwith Intel Corporation, Hillsboro, OR. From 2004 to2007, he was a Senior Staff Engineer and a Directorwith Synplicity, Sunnyvale, CA. Since November2007, he has been a Senior Staff R&D Engineer

and a Senior R&D Manager with Synopsys, Inc., Mountain View, CA. Hisresearch interests include constraint solving, logic synthesis, physical design,formal methods, combinatorial optimization, nanotechnology, and quantumcomputing.

Dr. Hung is currently the Chair of the Quantum Computing Task Force forthe Emergent Technologies Technical Committee of the IEEE ComputationalIntelligence Society. He served as the Session Chair for the Design AutomationConference and World Congress on Computational Intelligence and as thePublications Chair for the Formal Methods in Computer-Aided Design. Heserved as the Cochair of the Logic and Circuit Track in the Technical ProgramCommittee of the International Conference on Computer Design. He was also amember in the Technical Program Committees of various conferences, includ-ing Design, Automation and Test in Europe, Computer-Aided Verification, andCongress on Evolutionary Computation.

Ming Gu received the B.S. degree in computerscience from the National University of DefenseTechnology, Changsha, China, in 1984 and the M.S.degree in computer science from the ChineseAcademy of Sciences, Shenyang, China, in 1986.

Since 1993, she has been a Lecturer, an AssociateProfessor, and a Researcher with Tsinghua Univer-sity, Beijing, China, where she is also the Vice Deanof the School of Software. Her research interestsinclude formal methods, middleware technology, anddistributed applications.

Jiaguang Sun received the B.S. degree in au-tomation science from Tsinghua University, Beijing,China, in 1970.

He is currently a Professor with Tsinghua Univer-sity, where he is also currently the Director of theSchool of Information Science and Technology andof the Tsinghua National Laboratory for Informa-tion Science and Technology, School of Software.He is dedicated in teaching and R&D activities incomputer graphics, computer-aided design, formalverification of software, and system architecture.

Prof. Sun has been a member of the Chinese Academy of Engineering since1999.

bayesian-network-based reliability analysis of plc...

Documents