Slaying the legacy beast in the PLC realm

Fearing hefty machine downtimes, the conservative PLC industry is highly reluctant to touch its legacy software. Building on Bas Beuting’s master’s thesis, Cordis and Axini have developed a combination of automatic code-to-model transformations and model-based testing that can take away the reservations. Capgemini Engineering is ready to put the integrated solution into practice.

Nieke Roos

“Many factories are struggling with obsolete machine components,” observes Matthijs van Doormaal, application engineer and PLC specialist at Capgemini Engineering. “They’re getting spare parts from everywhere just to keep their old systems up and running. We see them scouring the internet to build up a stockpile in case an old I/O module or PLC breaks down. They’re doing everything within their power to avoid having to integrate new control components because that would mean upgrading the existing control software, which for lack of knowledge would take a lot of effort and thus a lot of downtime.”

“We’re talking about systems that are twenty years old, sometimes even older,” continues Van Doormaal. “While the bare metal is solid, so generally still in good shape, the control software is outdated and no longer supported, so in urgent need of an upgrade. With all the changes over time and the original programmers usually no longer available, replacing 20-year-old PLC code is quite the challenge.”

“The PLC market is traditionally very conservative,” explains Floris Verstegen, solutions manager at Capgemini Engineering. “There’s a huge installed base with an equally huge amount of legacy, but there’s usually no testing infrastructure and the documentation is mostly lacking as well. All the knowledge about the systems is in the code. That’s the only truth they’ve got, which is why they’re so very reluctant to lay a finger on it.”

There’s also more to a system upgrade than just installing new software, adds Verstegen. “Once upgraded, the system needs to get a new CE marking, for example. As the safety requirements have become much more stringent since the nineties, that process typically is no less laborious, involving a lot of additional development effort.”

Through its partnership with Cordis, Capgemini Engineering already has a partial solution for the problem. Using the Cordis Suite low-code development environment, machine control applications can be captured in graphical models, from which error-free code can then be automatically generated for a host of hardware platforms. According to Verstegen, this solution is great for creating control software from scratch in greenfield projects and also for extending an existing codebase in brownfield situations. “You can take your legacy PLC code, put an interface layer around it and build new functionality on that.”

Taking on the legacy itself, however, requires something more. The conservative PLC industry wants to be absolutely sure that their systems exhibit the exact same behavior before and after the ‘code rejuvenation.’ Together with the model-based testing specialists from Axini, Cordis has developed a solution that can give that guarantee.

The idea for the solution was conceived by Bas Beuting (right), son of Cordis founder Benno (left).

Recurring patterns

The idea for the solution was conceived by Bas Beuting, son of Cordis founder Benno, when he was looking for a topic for his master’s thesis at Eindhoven University of Technology (TUE). He was inspired by a guest lecture from TNO-ESI about its Renaissance methodology and tooling to analyze and automatically refactor complex codebases. Being familiar with his father’s work, he saw an opportunity to translate the approach to Cordis and the PLC realm. His university professor, Mark van den Brand, was quickly taken by the idea, and so was Capgemini Engineering, TNO-ESI’s implementation partner tasked with the industrialization of the Renaissance research results.

“That’s how my research into PLC code rejuvenation was born,” recalls Beuting junior. “The basic idea is to make the software more future-proof and more easily maintainable by converting it into hardware-agnostic Cordis models, which then become the single source of truth. From these models, new code can be automatically generated that can be proven to behave in the same way as the legacy code using Axini’s model-based testing framework.”

As a first step, the younger Beuting narrowed down the playing field. “PLCs can be programmed in several languages. After some research, I decided to focus my work on the variant called Structured Text. Contrary to the graphical PLC formalisms, ST has a textual notation, much like traditional programming languages. Applications written in Structured Text often also have a state-based structure. These characteristics make the code relatively easy to parse and convert into Cordis models. Additionally, ST is one of the most widely used PLC languages.”

Next, Beuting set up a library containing frequently found code patterns and their corresponding representations in Cordis. “From companies like ASML and VDL, I obtained a sizable body of real-world PLC code in Structured Text. In an in-depth examination of this code, I identified a large set of recurring patterns, great and small. For each pattern, I analyzed its execution behavior on the PLC and mapped that onto state machines. As Cordis models are based on state machines as well, the final transformation was relatively straightforward.”

A Cordis class diagram (left) and a Cordis state machine diagram (right) modeling a cell in the demo production line.

Last but not least, Beuting was able to show that the PLC code was indeed correctly transferred to Cordis, ie that the original Structured Text and the resulting models exhibit the same behavior. “I turned to the verification specialists at TUE for advice, who gave me a couple of options. After crossing off the alternatives that were difficult to automate or too time-consuming to implement, only one option remained: model-based testing. After a chat with Axini’s Machiel van der Bijl, I gave it a go and found a way to verify the correctness of my transformations.”

“First, I converted the Cordis models into Axini models. This is quite straightforward because the models resulting from the transformation of Structured Text aren’t very complex,” Beuting goes on, explaining his solution. “From the Axini models, I had test cases generated automatically, which I ran against the PLC code generated from the Cordis models to double-check the tests’ validity for the generated code. I then ran the same test cases against the original PLC code and they all passed, indicating that the old and the new code exhibit identical behavior.”

Model-based testing

Axini’s approach to model-based testing (MBT) automates the entire testing process: it automatically generates, executes and evaluates tests. It’s a form of model-based software engineering. However, instead of generating code, it generates test cases. For manual testing, you need a specification, based on which you create tests predicting the outcome. You then execute the tests and evaluate the outcome. Scripting approaches, like behavior-driven development (BDD) and test-driven development (TDD), automate part of the test execution using programmed tests. MBT obviates the need to program test cases. Instead, you make a model of the system under test and automate all testing steps: test creation, prediction of the outcome, test execution and evaluation.

The Axini Modeling Platform (AMP) uses an adapter that envelops the system under test and makes it possible to independently send and receive messages over all the interfaces. The model defines the relation between inputs and outputs according to the specification. AMP reads the model and, armed with this information, experiments with the system under test to see if it conforms to the spec. The ability to send and observe messages simultaneously over all the interfaces allows for early testing during the development cycle without the need for simulators or the external system environment.

Undetected bugs

This first-of-a-kind combination of static code-to-model transformations and runtime verification closes the loop, from design to coding to testing back to design. “You can statically scan your brownfield environment and have your legacy software converted into models. From these models, you can then generate code for a wide range of PLCs. Finally, by having this code dynamically verified, you can check the correctness of the models,” elaborates Capgemini’s Verstegen. “You can do this in parallel to your operations, on a separate PLC or soft PLC, without the risk of downtime. As all the steps can be executed automatically, you can shift your engineering focus to adding real value.”

Bas Beuting reckons it’s already possible to automatically transform 70-80 percent of the PLC code written in Structured Text. “You still need to do some work by hand, but the bulk is being done for you. And since my pattern library is open source, new patterns can be included to further reduce the remaining manual labor.” Going forward, he himself is entertaining the option of extending his solution to other PLC dialects. “Ladder diagrams are also relatively widespread. They don’t really contain state machine behavior, but further research, perhaps as part of a PhD project, might find a way around that.”

Next to facilitating code rejuvenation, the approach can also help improve the software in the process. “The model-based testing step unveils the differences in behavior between the original code and its generated counterpart,” Verstegen goes on to explain. “Most deltas will be acceptably small. Occasionally, the new behavior is better or it may even turn out that the old behavior is flat-out wrong because of a previously undetected bug, for example in an exceptional situation the software hasn’t encountered yet. Model-based testing gets everywhere, also to places the system normally doesn’t go.”

“When such a bug comes to light, you can easily see where things are going wrong,” adds Beuting. “You can follow the test traces, from start to error, at which point you can go to the Cordis Suite Dashboard and get real-time and historical state information from all the relevant state machines in your Cordis models. This lets you precisely pinpoint where the system took a wrong turn and why. You can then make the appropriate changes to your Cordis and Axini models and run the tests again, repeating the cycle until all problems are fixed.”

An additional advantage of the transition to Cordis models is data availability. “To avoid having to touch the software, data analysts traditionally hook up all kinds of external sensors to the PLCs. Unfortunately, this data acquisition is far from hard real-time,” Verstegen notes. “When the control software is modeled in Cordis, you have hard real-time access to all the system data. This opens up a wealth of possibilities for data analysts.”

Axini’s Machiel van der Bijl, Benno and Bas Beuting from Cordis and Niels Brouwers, Thijs Geurts and Matthijs van Doormaal from Capgemini Engineering next to Festo’s demo production line at the Brainport Digital Factory.

Multi-headed monster

Bas Beuting’s solution has recently been integrated into Cordis Suite and the Axini Modeling Platform, says his father Benno. “Bas has come a lot further than we thought was possible, so far in fact that integration was relatively straightforward.” Outside the Cordis and Axini environments, only one small component remains: the open-source library that transforms PLC code patterns into Cordis models. Beuting senior expects the industrialized version of the solution to be available soon. He’s already in talks with parties who are eager to use it.

The experts at Capgemini Engineering are equally amazed by the rapid advances. “I’d expected there to be much more variation in the PLC code, making the pattern recognition a lot more work and reducing the level of automation. The variation turns out to be not so bad, allowing Bas to take the automation to a surprisingly high level,” acknowledges model-based re-engineering specialist Niels Brouwers, who is heavily involved in the industrialization of TNO-ESI’s Renaissance efforts. “While this is already a big achievement, the validation by verifying the transformation to Cordis is a huge bonus, quite possibly even the most valuable contribution. The ingredients aren’t new, but how Bas has combined them is a first.”

“What I like most about the approach is that it allows you to regain control,” Brouwers emphasizes. “There’s this completely elusive legacy application, all knowledge about which has been lost. With Bas’ approach, you’re able to get a grip on it again. You can take your out-of-control PLC code to a higher level of abstraction and make it resilient to changes, prolonging your software’s lifespan by decades.”

Axini is seeing a world of opportunities outside the PLC realm as well. “In the Eulynx project, for example, Prorail and other infrastructure managers are working on reusable object controllers for the European rail network. At present, these are being modeled in SysML, but I’m sure Bas’ approach could be extremely valuable there, too,” illustrates Machiel van der Bijl.

“Legacy is a multi-headed monster for many companies,” observes Capgemini’s Verstegen. “This approach is a great step toward slaying the beast. There’s still much to be done in terms of people and processes, but it’s a big piece of the puzzle and an enabler for much more.”

This article was written in close collaboration with Axini and Cordis.