
ABSTRACT

Supervisory control and data acquisition (SCADA) allows a utility operator to
monitor and control processes that are distributed among various remote sites.
SCADA is a system for gathering real-time data, controlling processes, and
monitoring equipment from remote locations. As more companies are
implementing an open SCADA architecture through the Internet to monitor
critical infrastructure components such as power plants, oil and gas pipelines,
chemical refineries, flood control dams, and waste and water systems, vital
systems are becoming increasingly open to attack. This report provides an
overview of SCADA, outlines several vulnerabilities of SCADA systems,
presents data on known and possible threats, and provides particular
remediation strategies for protecting these systems.
A programmable logic controller (PLC) or programmable controller is a digital
computer used for automation of electromechanical processes, such as control
of machinery on factory assembly lines, amusement rides, or lighting fixtures.
PLCs are used in many different industries and machines, such as packaging
and semiconductor machines. Programs to control machine operation are
typically stored in battery-backed or non-volatile memory. Unlike
general-purpose computers, the PLC is designed for multiple input and output
arrangements, extended temperature ranges, immunity to electrical noise, and
resistance to vibration and impact.

CHAPTER – 1

BASICS OF AUTOMATION

1.1 WHAT IS AUTOMATION?

Automation is the delegation of human control functions to technical equipment
in order to increase productivity, reduce cost and improve the safety of working
conditions.
Automation is basically the use of control systems (such as numerical
control, programmable logic control, and other industrial control systems), in
concert with other applications of information technology (such as computer-
aided technologies [CAD, CAM, CAx]), to control industrial machinery and
processes, reducing the need for human intervention. In the scope of
industrialization, automation is a step beyond mechanization. Whereas
mechanization provided human operators with machinery to assist them with
the muscular requirements of work, automation greatly reduces the need for
human sensory and mental requirements as well. Processes and systems can
also be automated[1].
Automation plays an increasingly important role in the global economy
and in daily experience. Engineers strive to combine automated devices with
mathematical and organizational tools to create complex systems for a rapidly
expanding range of applications and human activities. Specialized hardened
computers, referred to as programmable logic controllers (PLCs), are
frequently used to synchronize the flow of inputs from (physical) sensors and
events with the flow of outputs to actuators and events. This leads to precisely
controlled actions that permit a tight control of almost any industrial process.
Human-machine interfaces (HMI) or computer human interfaces (CHI),
formerly known as man-machine interfaces, are usually employed to
communicate with PLCs and other computers, such as entering and monitoring
temperatures or pressures for further automated control or emergency
response.

1.2 IMPACT OF AUTOMATION

Automation has had a notable impact in a wide range of highly visible
industries beyond manufacturing.
Once-ubiquitous telephone operators have been replaced largely by
automated telephone switchboards and answering machines. Medical
processes such as primary screening in electrocardiography or radiography and
laboratory analysis of human genes, sera, cells, and tissues are carried out at
much greater speed and accuracy by automated systems. Automated teller
machines have reduced the need for bank visits to obtain cash and carry out
transactions. In general, automation has been responsible for the shift in the
world economy from agrarian to industrial in the 19th century and from
industrial to services in the 20th century.
The widespread impact of industrial automation raises social issues,
among them is impact on employment. Historical concerns about the effects of
automation date back to the beginning of the industrial revolution, when a
social movement of English textile machine operators in the early 1800s
known as the Luddites protested against Jacquard's automated weaving looms,
often by destroying such textile machines, that they felt threatened their jobs.
One author made the following case. When automation was first introduced, it
caused widespread fear. It was thought that the displacement of human
operators by computerized systems would lead to severe unemployment.
At first glance, automation might appear to devalue labor through its
replacement with less-expensive machines; however, the overall effect of this
on the workforce as a whole remains unclear. Today automation of the
workforce is quite advanced, and continues to advance increasingly more
rapidly throughout the world and is encroaching on ever more skilled jobs, yet
during the same period the general well-being and quality of life of most
people in the world (where political factors have not muddied the picture) have
improved dramatically.

1.3 TYPES OF AUTOMATION

Automation can be divided into four parts:


1.3.1 HOME AUTOMATION

As the world gets more and more technologically advanced, we find new
technology coming in deeper and deeper into our personal lives even at home.
Home automation is becoming more and more popular around the world and is
becoming a common practice.

1.3.2 OFFICE AUTOMATION

Office automation refers to the varied computer machinery and software used
to digitally create, collect, store, manipulate, and relay office information
needed for accomplishing basic tasks and goals. Raw data storage, electronic
transfer, and the management of electronic business information comprise the
basic activities of an office automation system. Office automation helps in
optimizing or automating existing office procedures. The backbone of office
automation is a LAN, which allows users to transmit data, mail and even voice
across the network.

1.3.3 BUILDING AUTOMATION

Building automation describes the functionality provided by the control system
of a building. A building automation system (BAS) is an example of a
distributed control system. The control system is a computerized, intelligent
network of electronic devices, designed to monitor and control the mechanical
and lighting systems in a building.

1.3.4 INDUSTRIAL AUTOMATION

Industrial automation is the use of control systems and robotic devices to
complete manufacturing tasks. In this day and age of computers, industrial
automation is becoming
increasingly important in the manufacturing process because computerized or
robotic machines are capable of handling repetitive tasks quickly and
efficiently. Machines used in industrial automation are also capable of
completing mundane tasks that are not desirable to workers.

1.3.5 ADVANTAGES & DISADVANTAGES OF AUTOMATION

The main advantages of automation are:
1. Replacing human operators in tasks that involve hard physical or
monotonous work.
2. Replacing humans in tasks that must be done in dangerous environments
(e.g. fire, space, volcanoes, nuclear facilities, under water, etc.).
3. Performing tasks that are beyond human capabilities, such as handling
loads that are too heavy, objects that are too large, substances that are
too hot or too cold, or work that must be done too fast or too slow.
4. Economic improvement. Some kinds of automation improve the economy of
the enterprise, of society, or of most of humankind.
The main disadvantages of automation are:
1. Technology limits. Nowadays technology is not able to automate all the
desired tasks.
2. Unpredictable development costs. The research and development cost of
automating a process is difficult to predict accurately beforehand.
3. Initial costs are relatively high. The automation of a new product
requires a large initial investment in comparison with the unit cost of the
product, although the cost of automation is spread over many product
batches.

CHAPTER – 2
CONTROLLERS

2.1. WHAT ARE CONTROLLERS?

In control theory, a controller is a device which monitors and affects the
operational conditions of a given dynamical system. The operational
conditions are typically referred to as output variables of the system which can
be affected by adjusting certain input variables.
For example, the heating system of a house can be equipped with a
thermostat (controller) for sensing air temperature (output variable) which can
turn on or off a furnace or heater when the air temperature becomes too low or
too high.

2.2. TYPES OF CONTROLLERS

There are many types of controllers. Some of them are as follows:

2.2.1 PID CONTROLLERS

A proportional–integral–derivative controller (PID controller) is a generic
control loop feedback mechanism (controller) widely used in industrial control
systems.
The PID controller attempts to correct the error between a measured process
variable and a desired set point by calculating and then outputting a corrective
action that can adjust the process accordingly and rapidly, to keep the error
minimal.
The PID controller calculation (algorithm) involves three separate
parameters; the proportional, the integral and derivative values. The
proportional value determines the reaction to the current error, the integral
value determines the reaction based on the sum of recent errors, and the
derivative value determines the reaction based on the rate at which the error
has been changing. The weighted sum of these three actions is used to adjust
the process via a control element such as the position of a control valve or the
power supply of a heating element.
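The three terms above are easiest to understand when the loop is actually run. The following is an added example written for this page (it is not code from the report or from any controller vendor): a discrete PID controller in position form, driven against a constructed first-order heater model, with output clamping to the actuator range and integrator freezing while the output is saturated. The plant constants, gains and setpoint are assumptions chosen for illustration.

```python
"""Discrete PID controller driving a simulated first-order heater.

Added example, not from the report. The plant model (ambient, tau, gain),
the gains and the setpoint are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PID:
    """Position-form PID: u = Kp*e + Ki*sum(e*dt) + Kd*de/dt."""
    kp: float
    ki: float
    kd: float
    dt: float
    out_min: float = 0.0      # actuator limits, e.g. heater power 0..100 %
    out_max: float = 100.0
    _integral: float = field(default=0.0, init=False, repr=False)
    _prev_error: Optional[float] = field(default=None, init=False, repr=False)

    def update(self, setpoint: float, measurement: float) -> float:
        error = setpoint - measurement
        p = self.kp * error
        # derivative term needs a previous sample; it is 0 on the first call
        d = 0.0 if self._prev_error is None else self.kd * (error - self._prev_error) / self.dt
        self._prev_error = error
        trial_integral = self._integral + error * self.dt
        u = p + self.ki * trial_integral + d
        if self.out_min <= u <= self.out_max:
            self._integral = trial_integral       # accept the integration step
            return u
        # anti-windup: output is saturated, so freeze the integrator and clamp
        u = p + self.ki * self._integral + d
        return max(self.out_min, min(self.out_max, u))


def simulate_heater(kp: float, ki: float, kd: float, setpoint: float = 60.0,
                    steps: int = 600, dt: float = 0.1) -> List[float]:
    """Close the loop around a constructed first-order thermal plant:
    dT/dt = (gain*u - (T - ambient)) / tau.  Returns the temperature trace."""
    ambient, tau, gain = 20.0, 10.0, 0.8
    temperature = ambient
    pid = PID(kp, ki, kd, dt)
    trace = []
    for _ in range(steps):
        u = pid.update(setpoint, temperature)
        temperature += dt * (gain * u - (temperature - ambient)) / tau
        trace.append(temperature)
    return trace


def settling_error(trace: List[float], setpoint: float, tail: int = 50) -> float:
    """Mean absolute error over the last `tail` samples of a trace."""
    return sum(abs(t - setpoint) for t in trace[-tail:]) / tail


if __name__ == "__main__":
    p_only = simulate_heater(2.0, 0.0, 0.0)
    pi = simulate_heater(2.0, 0.5, 0.0)
    print("P only  : final error %.2f" % settling_error(p_only, 60.0))
    print("P + I   : final error %.2f" % settling_error(pi, 60.0))
```

Running the two cases side by side shows the textbook behaviour the paragraph describes: a proportional-only loop settles with a steady offset (the plant needs a non-zero output to hold 60 degrees, and P alone can only supply that output while an error exists), while adding the integral term removes the offset.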

Figure 2.1

2.2.2 COMPUTER NUMERICALLY CONTROLLED (CNC) CONTROLLER

Computer Numerical Control (CNC) controllers, working as the brain of
manufacturing automation, are high value-added products accounting for over
30% of the price of machine tools. CNC technology is generally considered a
measure of the level of manufacturing technology of a nation. Often referred
to as "The Flower of Industrial Technology", the development of CNC
technology depends upon the integration of technologies from computer,
hardware, machining, and other industries, and requires strategic long-term
support, mostly on a governmental level.
Today, computer numerical control (CNC) machines are found almost
everywhere, from small job shops in rural communities to Fortune 500
companies in large urban areas. Truly, there is hardly a facet of manufacturing
that is not in some way touched by what these innovative machine tools can
do.
The most basic function of any CNC machine is automatic, precise, and
consistent motion control. Rather than applying completely mechanical
devices to cause motion as is required on most conventional machine tools,
CNC machines allow motion control in a revolutionary manner. All forms of
CNC equipment have two or more directions of motion, called axes. These
axes can be precisely and automatically positioned along their lengths of
travel. The two most common axis types are linear (driven along a straight
path) and rotary (driven along a circular path).

Figure 2.2

2.2.3 PC BASED CONTROLLERS

The days of the PC being used just for visualization and production data
acquisition in control and automation applications are rapidly becoming a thing
of the past.
The PC is now increasingly recognized as an open and powerful
hardware platform, which can provide effective and reliable control, with no
requirement for additional processors or complex hardware additions.
Traditional automation and control systems typically comprise a number of
hardware and software elements: a PC for process visualization, hard PLCs
with coprocessor cards, coprocessor PLCs, I/O via field bus, motion control
via parallel cabling and a selection of software operating systems and
programming languages.
PC-based controller systems are often used on the factory floor, where they
must withstand adverse environmental factors such as dust and extreme
temperature. Under these conditions a PC-based controller system must meet
requirements of reliability, durability, strong vibration and extreme
temperature. Since industrial products do not require a high level of math
functions, appropriateness is much more important than raw performance.
PC-based systems are also used in the medical care industry.
The disadvantages of this approach are high hardware and software
costs, complexity of system design and build plus, in many applications,
limited functionality.

2.2.4 PROGRAMMABLE LOGIC CONTROLLERS (PLC)

The Programmable Logic Controller, or PLC as it is universally called, is the
"work horse" of industrial automation.
The PLC, being a microprocessor based device, has a similar internal
structure to many embedded controllers and computers. They consist of the
CPU, Memory and I/O devices. These components are integral to the PLC
controller. Additionally the PLC has a connection for the Programming and
Monitoring Unit, Printer and Program Recorder.
Basically PLC is used for following applications in industry:
1) Machine controls.
2) Packaging, loading, unloading and weighing.
3) Palletizing.
4) Material handling and similar sequential tasks.

2.2.5 DISTRIBUTED CONTROL SYSTEM (DCS)

A distributed control system (DCS) refers to a control system, usually of a
manufacturing system, process or any kind of dynamic system, in which the
controller elements are not central in location (like the brain) but are
distributed throughout the system with each component sub-system controlled
by one or more controllers. The entire systems of controllers are connected by
a network for communication and monitoring.
DCS is a very broad term used in a variety of industries, to monitor and
control distributed equipment like Electrical power grids and electrical
generation plants, Environmental control systems, Traffic, water management
systems, Oil Refining plants, chemical, Pharmaceutical manufacturing, Dry
cargo and bulk oil carrier ships.
Distributed control systems (DCS) use decentralized elements or
subsystems to control distributed processes or complete manufacturing
systems. Remote control panels contain terminal blocks, I/O modules, a
processor, and a communications interface. The communications medium in a
distributed control system (DCS) is a wired or wireless link which connects the
remote control panel to a central control panel, SCADA, or human machine
interface (HMI).

CHAPTER – 3

SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA)

3.1 WHAT IS MEANT BY SCADA?

SCADA stands for supervisory control and data acquisition. As the name
indicates it is not a full control system, but rather focuses on the supervisory
level. As such, it is purely a software package that is positioned on top of
hardware to which it is interfaced, in general via programmable logic
controllers (PLCs) or other commercial hardware modules.
S - supervisory (the process can be seen on a monitor)
C - control (when setup is complete the process can also be controlled)
A - and
D - data (the database can also be saved in PLC or PC memory)
A - acquisition
SCADA programs are used in industrial process control applications for
centralized monitoring and recording of pumps, tank levels, switches,
temperatures etc. SCADA systems are also referred to as HMI (Human
Machine Interfaces), or the less politically correct MMI (Man Machine
Interfaces).
A SCADA program normally runs on a PC and communicates with
external instrumentation and control devices. Communications methods can be
via direct serial link, radio, modem, field bus or Ethernet links. If a mixture of
instruments with differing communication interfaces and protocols need to be
connected, then converters can be used. SCADA is often used on remote data
acquisition systems where the data is viewed and recorded centrally.
SCADA is an optional layer in an automation system, used for continuous
monitoring.

Figure 3.1: Layers of an automation system, bottom to top:
  Field Devices (Motors, Heaters)
  Field Instruments (Sensors, Transducers, Pressure Tx, Density Tx,
  Thermocouples, Thermistors, LVDT)
  Controllers (PLC, DCS, CNC, PC Based)
  SCADA (for continuous monitoring)

The SCADA program has a user configured database which tells the
software about the connected instrumentation and which parameters within the
instruments are to be accessed. The database may also hold information on
how often the parameters of the instruments are accessed and if a parameter is
a read only value (e.g. a measured value) or read / write, allowing the operator
to change a value (e.g. an alarm set point).
The parameters of the instrument being accessed are normally split
between analogue (numeric) and logic (digital). When running, the SCADA
software continuously updates its own database with the latest analogue and
digital values collected from the instrumentation. Some SCADA systems also
allow real time calculations to be made on the received data and the results
would be available as a "virtual" value. The real time values can then be used
by the SCADA.

3.2 COMMUNICATIONS

3.2.1 INTERNAL COMMUNICATION

Server-client and server-server communication is in general on a
publish-subscribe and event-driven basis and uses a TCP/IP protocol, i.e., a
client application subscribes to a parameter which is owned by a
particular server application and only changes to that parameter are then
communicated to the client application.

3.2.2 ACCESS TO DEVICES

The data servers poll the controllers at a user-defined polling rate. The polling
rate may be different for different parameters. The controllers pass the
requested parameters to the data servers. Time stamping of the process
parameters is typically performed in the controllers and this time-stamp
is taken over by the data server.
If the controller and communication protocol used support
unsolicited data transfer then the products will support this too. The
products provide communication drivers for most of the common PLCs and
widely used field-buses, e.g., Modbus. Of the three field buses that are
recommended at CERN, both Profibus and WorldFIP are supported but CAN bus
often is not [3]. Some of the drivers are based on third party products and
therefore have additional cost associated with them. VME, on the other hand,
is generally not supported.
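For most PLCs the polling described above is a Modbus request/response exchange, so it is worth seeing what actually goes over the wire. The following is an added example written for this page (it is not code from the report and not any vendor's driver): it builds and parses Modbus/TCP frames for a read-holding-registers poll and a single-register write against an in-memory stand-in for a PLC, with no network I/O. The register map, unit id and transaction ids are constructed for illustration. The security-relevant point it makes visible is that the frame has no field for credentials: any host that can reach the controller's TCP port 502 can issue the same write a data server does, and the only consistency checks a client can apply are the MBAP length and transaction-id checks shown here.

```python
"""Modbus/TCP framing as used when a data server polls a PLC.

Added example, not from the report. The in-memory FakePLC and its register
values are constructed; nothing here talks to a real device.
"""
import struct

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02


def build_request(tid: int, unit: int, fc: int, address: int, value_or_qty: int) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
    There is no authentication field anywhere in this frame."""
    pdu = struct.pack(">BHH", fc, address, value_or_qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes):
    """Split a frame into (tid, unit, pdu), rejecting malformed MBAP headers."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return tid, unit, frame[7:]


class FakePLC:
    """Minimal holding-register server: answers reads and writes for any client."""

    def __init__(self, registers):
        self.registers = list(registers)

    def _reply(self, tid, unit, body):
        return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body

    def handle(self, frame: bytes) -> bytes:
        tid, unit, pdu = parse_frame(frame)
        if len(pdu) < 5:
            raise ValueError("PDU too short")
        fc, address, arg = struct.unpack(">BHH", pdu[:5])
        if fc == FC_READ_HOLDING:
            if not 1 <= arg <= 125 or address + arg > len(self.registers):
                body = struct.pack(">BB", fc | 0x80, EXC_ILLEGAL_ADDRESS)
            else:
                regs = self.registers[address:address + arg]
                body = struct.pack(">BB", fc, 2 * arg) + struct.pack(">%dH" % arg, *regs)
        elif fc == FC_WRITE_SINGLE:
            if address >= len(self.registers):
                body = struct.pack(">BB", fc | 0x80, EXC_ILLEGAL_ADDRESS)
            else:
                self.registers[address] = arg      # accepted with no credentials
                body = pdu[:5]                      # a write is acknowledged by echo
        else:
            body = struct.pack(">BB", fc | 0x80, EXC_ILLEGAL_FUNCTION)
        return self._reply(tid, unit, body)


def read_registers(plc: FakePLC, tid: int, address: int, qty: int):
    """Poll like a SCADA data server; returns a list of ints or raises on an
    exception response or a reply whose transaction id does not match."""
    resp = plc.handle(build_request(tid, 1, FC_READ_HOLDING, address, qty))
    rtid, _, pdu = parse_frame(resp)
    if rtid != tid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if pdu[0] & 0x80:
        raise ValueError("exception code %d" % pdu[1])
    count = pdu[1]
    return list(struct.unpack(">%dH" % (count // 2), pdu[2:2 + count]))


def write_register(plc: FakePLC, tid: int, address: int, value: int) -> bool:
    """Write one holding register; True if the PLC echoed the request."""
    resp = plc.handle(build_request(tid, 1, FC_WRITE_SINGLE, address, value))
    _, _, pdu = parse_frame(resp)
    return not (pdu[0] & 0x80)
```

The request bytes for "read 4 registers from address 0 on unit 1" are 00 01 00 00 00 06 01 03 00 00 00 04: transaction 1, protocol 0, six bytes to follow, unit 1, function 3, start 0, quantity 4. Nothing in that sequence identifies or authenticates the sender, which is why the remediation strategies later in this report matter more than any setting on the protocol itself.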

3.3 FUNCTIONALITY

3.3.1 ACCESS CONTROL

Users are allocated to groups, which have defined read/write access
privileges to the process parameters in the system and often also to specific
product functionality.

3.3.2 TRENDING

The products all provide trending facilities and one can summarize
the common capabilities as follows:
1) the parameters to be trended in a specific chart can be predefined or defined
on-line
2) A chart may contain more than 8 trended parameters or pens and an
unlimited number of charts can be displayed (restricted only by the
readability)
3) Real-time and historical trending are possible, although generally not in the
same chart

Figure 3.2

4) Historical trending is possible for any archived parameter


5) Zooming and scrolling functions are provided
6) Parameter values at the cursor position can be displayed
The trending feature is either provided as a separate module or as a
graphical object (ActiveX), which can then be embedded into a synoptic
display. XY and other statistical analysis plots are generally not provided.

3.3.3 ALARM HANDLING

Alarm handling is based on limit and status checking and performed in the data
servers. More complicated expressions (using arithmetic or logical
expressions) can be developed by creating derived parameters on which status
or limit checking is then performed. The alarms are logically handled
centrally i.e., the information only exists in one place and all users see
the same status (e.g., the acknowledgement), and multiple alarm priority
levels (in general many more than 3 such levels) are supported.
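The following is an added example written for this page (not code from the report or from any SCADA product) of the alarm handling just described: limit checks on raw tags and on derived parameters computed from an expression, a priority per alarm, a deadband so that a value hovering at the limit does not chatter, and a single central acknowledgement record that every operator station reads. Tag names, limits and priorities are constructed for illustration.

```python
"""Alarm evaluation in the data server: limits on raw and derived parameters,
priorities and one shared acknowledgement state.

Added example, not from the report; tag names, limits and priorities are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class AlarmDef:
    name: str
    source: Callable[[dict], float]     # a raw tag or a derived expression
    high: Optional[float] = None
    low: Optional[float] = None
    priority: int = 3                   # 1 = most urgent
    deadband: float = 0.0               # hysteresis applied when clearing


@dataclass
class AlarmState:
    active: bool = False
    acknowledged: bool = False
    ack_by: Optional[str] = None


class AlarmServer:
    def __init__(self, defs: List[AlarmDef]):
        self.defs = {d.name: d for d in defs}
        self.state: Dict[str, AlarmState] = {d.name: AlarmState() for d in defs}

    def evaluate(self, values: dict) -> List[str]:
        """Run every limit check against the latest values; returns the names
        of alarms that became active during this pass."""
        newly_active = []
        for name, d in self.defs.items():
            x = d.source(values)
            st = self.state[name]
            if st.active:
                # clear only once the value is clearly back inside the band
                cleared = (d.high is None or x < d.high - d.deadband) and \
                          (d.low is None or x > d.low + d.deadband)
                if cleared:
                    st.active, st.acknowledged, st.ack_by = False, False, None
            else:
                breached = (d.high is not None and x > d.high) or \
                           (d.low is not None and x < d.low)
                if breached:
                    st.active = True
                    newly_active.append(name)
        return newly_active

    def acknowledge(self, name: str, user: str) -> bool:
        """Acknowledgement is stored once, centrally, so all stations agree."""
        st = self.state[name]
        if not st.active:
            return False
        st.acknowledged, st.ack_by = True, user
        return True

    def unacknowledged(self) -> List[str]:
        """Active, unacknowledged alarms, most urgent first."""
        pending = (n for n, s in self.state.items() if s.active and not s.acknowledged)
        return sorted(pending, key=lambda n: self.defs[n].priority)
```

The derived parameter here is the pressure drop across a pump, computed from two raw tags; the same mechanism carries any arithmetic or logical expression the paragraph mentions.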

Figure 3.3

3.3.4 LOGGING AND ARCHIVING

The terms logging and archiving are often used to describe the same
facility. However, logging can be thought of as medium-term storage of data
on disk, whereas archiving is long-term storage of data either on disk or
on another permanent storage medium. Logging is typically performed on a
cyclic basis, i.e., once a certain file size, time period or number of points is
reached the data is overwritten. Logging of data can be performed at a set
frequency, or only initiated if the value changes or when a specific
predefined event occurs. Logged data can be transferred to an archive
once the log is full.

Figure 3.4

The logged data is time-stamped and can be filtered when viewed by a user.
The logging of user actions is in general performed together with either a user
ID or station ID. There is often also a VCR facility to play back archived data.
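The tag database of section 3.1, the group privileges of 3.3.1 and the user-action logging of 3.3.4 fit together in one piece of data-server logic. The following is an added example written for this page (it is not code from the report or from any SCADA product): a small tag database in which measured values are read-only and setpoints are writable only by groups that hold the right for that tag, every operator write is recorded with the user ID and station ID whether it was allowed or denied, and each tag keeps a cyclic value log that overwrites its oldest sample. Tag names, groups, users and the log sizes are constructed for illustration.

```python
"""Tag database with group-based write privileges, cyclic value logs and an
audit trail of operator actions.

Added example, not from the report. Tag names, groups, users and log sizes
are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set


@dataclass
class Tag:
    name: str
    kind: str                      # "analog" or "digital"
    writable: bool                 # measured values: False; setpoints: True
    poll_seconds: float            # polling rate may differ per parameter
    value: float = 0.0
    # cyclic log: once maxlen samples are stored the oldest is overwritten
    history: deque = field(default_factory=lambda: deque(maxlen=4))


class TagDatabase:
    """Central real-time database; every operator write is checked and audited."""

    def __init__(self, group_rights: Dict[str, Set[str]], user_groups: Dict[str, str],
                 audit_size: int = 1000):
        self.tags: Dict[str, Tag] = {}
        self.group_rights = group_rights      # group -> tag names it may write
        self.user_groups = user_groups        # user id -> group
        self.audit = deque(maxlen=audit_size) # user-action log with user/station id

    def add(self, tag: Tag) -> None:
        self.tags[tag.name] = tag

    def update_from_field(self, name: str, value: float,
                          stamp: Optional[datetime] = None) -> None:
        """Value polled from the controller; the controller's time-stamp is
        kept when it supplies one."""
        tag = self.tags[name]
        tag.value = value
        tag.history.append((stamp or datetime.now(timezone.utc), value))

    def can_write(self, user: str, name: str) -> bool:
        tag = self.tags.get(name)
        group = self.user_groups.get(user)
        if tag is None or group is None or not tag.writable:
            return False
        return name in self.group_rights.get(group, set())

    def operator_write(self, user: str, name: str, value: float,
                       station: str = "HMI-1") -> bool:
        """Attempt a write from an operator station. Denied attempts are logged
        too, since they are exactly what an investigator wants to see."""
        allowed = self.can_write(user, name)
        self.audit.append((datetime.now(timezone.utc), user, station, name, value,
                           "ok" if allowed else "denied"))
        if allowed:
            # in a real system this is also sent to the controller
            self.update_from_field(name, value)
        return allowed
```

A user who is not in any group, or a group that has no right to a tag, falls through to a denial rather than to a default-allow, and a measured value can never be overwritten from an operator station regardless of group.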

3.3.5 NETWORKING

1. In many applications more than one SCADA software / operator station has
to be used. This is achieved by putting the SCADA node on a network.
2. In many cases Ethernet TCP/IP is used for networking.
3. In certain cases the SCADA software uses proprietary networking protocols.

3.3.6 DEVICE CONNECTIVITY

1. Every control hardware has its own communication protocol for
communicating with different hardware / software. Some of the leading
communication protocols include Modbus, Profibus, Ethernet, DH+, DH-485,
DeviceNet and ControlNet.
2. The SCADA software needs device driver software for communication
with the PLC or other control hardware.
3. The more driver software is available, the better the device connectivity.
Most of the SCADA software used in industry has connectivity
with most of the leading control systems.

3.3.7 DATABASE CONNECTIVITY

1. In many plants it is important to download the real-time information to
the MIS. In this case database connectivity is a must.
2. Many SCADA software packages don't have their own database. Hence for
storage and reporting they use a third party database like MS Access or
an SQL database.

3.3.8 SCRIPT

1. A script is a way of writing logic in SCADA software. Every SCADA
software has its own instructions and way of writing a program.
2. Using scripts, one can develop complex applications. You can create
your own functions to suit the process requirements.
3. Various types of scripts make project execution simpler for the programmer.

3.4 REPORT GENERATION

One can produce reports using SQL type queries to the archive, RTDB or logs.
Although it is sometimes possible to embed EXCEL charts in the report,
a "cut and paste" capability is in general not provided. Facilities exist to be
able to automatically generate, print and archive reports.

3.5 AUTOMATION

The majority of the products allow actions to be automatically triggered
by events. A scripting language provided by the SCADA products allows
these actions to be defined. In general, one can load a particular
display, send an Email, run a user defined application or script and
write to the RTDB.
The concept of recipes is supported, whereby a particular system
configuration can be saved to a file and then re-loaded at a later date.
Sequencing is also supported whereby, as the name indicates, it is possible to
execute a more complex sequence of actions on one or more devices.
Sequences may also react to external events. Some of the products do
support an expert system but none has the concept of a Finite State
Machine (FSM).

3.6 APPLICATION DEVELOPMENT

3.6.1 CONFIGURATION

SCADA is not a specific technology, but a type of application. SCADA stands
for Supervisory Control and Data Acquisition — any application that gets data
about a system in order to control that system is a SCADA application.
A SCADA application has two elements:
1. The process/system/machinery you want to monitor and control: this can be
a power plant, a water system, a network, a system of traffic lights, or
anything else.
2. A network of intelligent devices that interfaces with the first system through
sensors and control outputs. This network, which is the SCADA system,
gives you the ability to measure and control specific elements of the first
system.
The development of the applications is typically done in two
stages. First the process parameters and associated information (e.g. relating
to alarm conditions) are defined through some sort of parameter
definition template and then the graphics, including trending and alarm
displays are developed, and linked where appropriate to the process
parameters. The products also provide an ASCII Export/Import
facility for the configuration data (parameter definitions), which enables
large numbers of parameters to be configured in a more efficient manner using
an external editor such as Excel and then importing the data into the
configuration database.
On-line modifications to the configuration database and the graphics are
generally possible with the appropriate level of privileges.

3.6.2 DEVELOPMENT TOOLS

The following development tools are provided as standard:

1. A graphics editor, with standard drawing facilities including freehand,
lines, squares, circles, etc. It is possible to import pictures in many
formats as well as to use predefined symbols including e.g. trending
charts, etc. A library of generic symbols is provided that can be linked
dynamically to variables and animated as they change. It is also possible
to create links between views so as to ease navigation at run-time.

Figure 3.5

2. A data base configuration tool (usually through parameter templates). It is
in general possible to export data in ASCII files so as to be edited through
an ASCII editor or Excel.
3. A scripting language
4. An Application Program Interface (API) supporting C, C++, VB
5. A Driver Development Toolkit to develop drivers for hardware
that is not supported by the SCADA product.

3.7 APPLICATIONS OF SCADA

We can use SCADA to manage any kind of equipment. Typically, SCADA
systems are used to automate complex industrial processes where human
control is impractical: systems where there are more control factors, and
more fast-moving control factors, than human beings can comfortably manage.
Around the world, SCADA systems control the following:

3.7.1 ELECTRIC POWER GENERATION, TRANSMISSION AND DISTRIBUTION

Electric utilities use SCADA systems to detect current flow and line voltage, to
monitor the operation of circuit breakers, and to take sections of the power grid
online or offline.

3.7.2 WATER AND SEWAGE

State and municipal water utilities use SCADA to monitor and regulate water
flow, reservoir levels, pipe pressure and other factors.

3.7.3 BUILDING, FACILITIES AND ENVIRONMENT

Facility managers use SCADA to control HVAC, refrigeration units,
lighting and entry systems.

3.7.4 MANUFACTURING

SCADA systems manage parts inventories for just-in-time manufacturing,
regulate industrial automation and robots, and monitor process and quality
control.

3.7.5 MASS TRANSIT

Transit authorities use SCADA to regulate electricity to subways, trams and
trolley buses; to automate traffic signals for rail systems; to track and locate
trains and buses; and to control railroad crossing gates.

3.7.6 TRAFFIC SIGNALS

SCADA regulates traffic lights, controls traffic flow and detects out-of-order
signals.

SCADA systems provide the sensing capabilities and the computational
power to track everything that’s relevant to your operations.

3.8 POTENTIAL BENEFITS OF SCADA

The benefits one can expect from adopting a SCADA system for
the control of experimental physics facilities can be summarized as follows:
1. A rich functionality and extensive development facilities. The amount of
effort invested in a SCADA product amounts to 50 to 100 person-years.
2. The amount of specific development that needs to be performed by the end-
user is limited, especially with suitable engineering.
3. Reliability and robustness. These systems are used for mission critical
industrial processes where reliability and performance are paramount.
In addition, specific development is performed within a well-established
framework that enhances reliability and robustness.
4. Technical support and maintenance by the vendor.

CHAPTER – 4
PROGRAMMABLE LOGIC CONTROLLERS

4.1 INTRODUCTION
PLC development began in 1968 in response to a request from a US car
manufacturer (General Motors). The first PLCs were installed in industry in
1969. The modern industrial environment is steered by the latest technological
advancements in computers and communication. Programmable Logic Controller
(PLC) based automation is the outcome of that.

Figure 4.1

4.2 WHAT ARE PLC’S?

A programmable logic controller (PLC) or programmable controller is a digital
computer used for automation of electromechanical processes, such as control
of machinery on factory assembly lines, amusement rides, or lighting fixtures.
PLCs are used in many industries and machines. Unlike general-purpose
computers, the PLC is designed for multiple inputs and output arrangements,
extended temperature ranges, immunity to electrical noise, and resistance to
vibration and impact. Programs to control machine operation are typically
stored in battery-backed or non-volatile memory. A PLC is an example of a
real time system since output results must be produced in response to input
conditions within a bounded time, otherwise unintended operation will result.
A PLC (i.e. Programmable Logic Controller) is a device that was invented to
replace the sequential relay circuits needed for machine control. The PLC
works by looking at its inputs and, depending upon their state, turning its
outputs on or off. The user enters a program, usually via software, that gives
the desired results.
PLCs are used in many "real world" applications. If there is industry
present, chances are good that there is a PLC present. If you are involved in
machining, packaging, material handling, automated assembly or countless
other industries you are probably already using them. If you are not, you are
wasting money and time. Almost any application that needs some type of
electrical control has a need for a PLC.
PLC controllers are low cost, compact, versatile units based on the standard
microprocessor architecture, used in the control of machines or processes. They
are designed for ease of programming and maintenance. PLC systems
replace the old relay logic control systems in automated manufacturing and are
designed to provide an easy and efficient replacement for the bulky relay
logic controllers. The PLC, also known as programmable controller (PC), was
defined by the National Electrical Manufacturers Association (NEMA) in 1978
as:
"A digitally operating electronic apparatus which uses a programmable
memory for the internal storage of instructions for implementing specific
functions, such as logic, sequencing, timing, counting and arithmetic, to
control through digital or analog input/output, various types of machines or
process".
They essentially operate by detecting the on/off (logic) or analog inputs and
depending on the control programs - the ladder diagrams - outputs of the same
type (usually logic) are produced.
In PLC implementation, field wiring between the logic elements remains
unaltered, but there are no more hard wired connections between the devices.
Instead, the connections are stored in computer memory. This allows the
programming of these connections, which is in turn made easier as they are
entered in ladder logic.
PLC systems have considerable advantages over the old relay logic systems.
They include:
1. all the capabilities of the earlier systems,
2. dramatic performance increase over the relay logic systems
3. greater reliability
4. little maintenance due to no moving parts
5. no special programming skills required by maintenance personnel
6. physical size of the PLC system is much smaller than the conventional
relay based logic
7. and most importantly much lower cost
Although PLC systems have many advantages, there are also
disadvantages. These include fault finding, as PLC systems are often much
more complex than hard-wired relay systems. Secondly, the failure of the
PLC may completely stop the controlled process, whereas a fault in a
conventional control system would only disrupt the process. And thirdly,
external electrical interference may disrupt the PLC memory.

4.3 PLC SCAN CYCLE


Normally, before any output devices can be turned on or off, the processor has
to scan the entire program that is in user memory. The program may be only
a few rungs or it may be hundreds of pages in length, depending on the
equipment that is being controlled. The processor scan does the following:

4.3.1 INPUT SCAN

Input terminals are read and input status table is updated accordingly.

4.3.2 PROGRAM SCAN

During the program scan, the data in the input table is applied to the user
program, the program is executed and the output table is updated accordingly.

4.3.3 OUTPUT SCAN

Data associated with the output status table is transferred to the output
terminals.

The time for one scan cycle is called the scan time; the shorter the scan
time, the greater the efficiency of the PLC.
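The following is an added Python model of the three-phase scan described above; it is not part of the report. It shows what working from the input and output status tables means in practice: a momentary START is sealed in through the output table, and an input pulse that begins and ends between two input scans is never seen, which is why a shorter scan time matters for fast inputs. All names (PLC, seal_in_rung, START, STOP, MOTOR) are illustrative.

```python
from dataclasses import dataclass, field


@dataclass
class PLC:
    """Hypothetical scan-cycle model: physical terminals plus the input and
    output status tables described in 4.3.1-4.3.3."""
    terminals_in: dict = field(default_factory=dict)
    terminals_out: dict = field(default_factory=dict)
    input_table: dict = field(default_factory=dict)
    output_table: dict = field(default_factory=dict)
    scans: int = 0

    def input_scan(self):
        # 4.3.1: input terminals are read into the input status table
        self.input_table = dict(self.terminals_in)

    def program_scan(self, rungs):
        # 4.3.2: each rung reads the input table and updates the output table;
        # later rungs already see what earlier rungs wrote in this scan
        for rung in rungs:
            rung(self.input_table, self.output_table)

    def output_scan(self):
        # 4.3.3: the output status table is transferred to the output terminals
        self.terminals_out = dict(self.output_table)

    def scan(self, rungs):
        """One complete processor scan; returns the terminal states it produced."""
        self.input_scan()
        self.program_scan(rungs)
        self.output_scan()
        self.scans += 1
        return dict(self.terminals_out)


def seal_in_rung(inputs, outputs):
    """Start/stop seal-in rung: MOTOR = (START OR MOTOR) AND NOT STOP.
    The MOTOR contact is read back from the output table, so the coil holds
    itself on after the momentary START input is released."""
    outputs["MOTOR"] = (inputs["START"] or outputs.get("MOTOR", False)) \
        and not inputs["STOP"]


def run_demo():
    """Constructed input sequence; returns the MOTOR terminal after each scan."""
    plc = PLC(terminals_in={"START": False, "STOP": False})
    program = [seal_in_rung]
    states = []
    plc.terminals_in["START"] = True            # START held during this scan
    states.append(plc.scan(program)["MOTOR"])   # motor starts
    plc.terminals_in["START"] = False           # START released
    states.append(plc.scan(program)["MOTOR"])   # still on: sealed in
    plc.terminals_in["STOP"] = True
    states.append(plc.scan(program)["MOTOR"])   # STOP wins
    plc.terminals_in["STOP"] = False
    # A START pulse that begins and ends between two input scans is never
    # copied into the input table, so the program cannot react to it.
    plc.terminals_in["START"] = True
    plc.terminals_in["START"] = False
    states.append(plc.scan(program)["MOTOR"])   # pulse missed: stays off
    return states
```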

4.4 PLC VENDORS:


S.No  Company                    Country
1.    Allen Bradley              USA
2.    Siemens                    Germany
3.    ABB (Asea Brown Boveri)    USA
4.    GE Fanuc                   USA
5.    Mitsubishi                 Japan
6.    OMRON                      Japan
7.    MOORE                      Japan
8.    L&T (Larsen & Toubro)      India

Table 1

4.5 ARCHITECTURE OF PLC:

A typical PLC can be divided into following components:

4.5.1 CENTRAL PROCESSING UNIT (CPU)

Microprocessor based; it may provide arithmetic operations, logic operators,
block memory moves, computer interface, local area network functions, etc.
The CPU also performs a great number of self-checks of the PLC controller
itself so that any errors are discovered early.

4.5.2 SYSTEM BUSES

The internal paths along which the digital signals flow within the PLC are
called buses.
The system has four buses:
1. The data bus, which the CPU uses for sending data between the different elements,
2. The address bus, used to send the addresses of locations for accessing stored data,
3. The control bus, for signals relating to internal control actions,
4. The system bus, used for communications between the I/O ports and the
I/O unit.
4.5.3 MEMORY
System ROM gives permanent storage for the operating system and the
fixed data used by the CPU.
RAM is used for data: this is where the status of input and output devices
and the values of timers, counters and other internal devices are stored.
EPROM provides ROM that can be programmed and then the program made
permanent.

4.5.4 INPUT/OUTPUT SECTIONS

Inputs monitor field devices, such as switches and sensors.


Outputs control other devices, such as motors, pumps, solenoid valves,
and lights.

4.5.5 POWER SUPPLY

Most PLC controllers work either at 24 VDC or 220 VAC. Some PLC
controllers have electrical supply as a separate module, while small and
medium series already contain the supply module.

4.5.6 BATTERY
It is used to maintain the date, time and other data. If the battery is
discharged, a red indicator labelled BATT glows on the PLC.

4.6 PROGRAMMING DEVICE


The programming device is used to enter the required program into the
memory of the processor.
The program is developed in the programming device and then transferred to
the memory unit of the PLC.

4.7 PLC COMPONENTS

The CPU used in PLC system is a standard CPU present in many other
microprocessor controlled systems. The choice of the CPU depends on
the process to be controlled. Generally 8 or 16 bit CPUs fulfill the
requirements adequately.
Memory in a PLC system is divided into the program memory which is usually
stored in EPROM/ROM, and the operating memory. The RAM memory
is necessary for the operation of the program and the temporary storage
of input and output data. Typical memory sizes of PLC systems are
around 1kb for small PLCs, few kb for medium sizes and greater than
10-20 kb for larger PLC depending on the requirements. Many PLC
would support easy memory upgrades.
Input/Output units are the interfaces between the internal PLC system and the
external processes to be monitored and controlled. Since the PLC is a logic
based device with a typical operating voltage of 5 volts and the external
processes usually demand higher powers and currents, the I/O modules are
optically or otherwise isolated. The typical I/O operating voltages are 5 V - 240
V dc (or ac) and currents from 0.1 A up to several amperes. The I/O modules
are designed in this way to minimize or eliminate the need for any
intermediate circuitry between the PLC and the process to be controlled. Small
PLC units would have around 40 I/O connections, with larger ones having
more than 128, with either local or remote connections and extensive upgrade
capabilities.

Figure 4.2
Programming units are essential components of the PLC systems. Since they
are used only in the development/testing stage of a PLC program, they are not
permanently attached to the PLC. The program in a ladder diagram or other
form can be designed and usually tested before downloading to the PLC.

4.8 PLC OPERATION

The PLC operates internally in a way very similar to computers. The inputs are
continuously monitored and copied from the I/O module into RAM memory,
which is divided into the input and output sections. The CPU steps through the
control program in another section of the memory and fetches the input
variables from the input RAM. Depending on the program and the state of the
inputs, the output RAM is filled with the control variables, which are then
copied into the I/O module where they control the processes.

4.9 PLC PROGRAMMING

One of the main advantages of the PLC controller is that it is a programmable
device, which makes it possible, unlike in relay logic, to easily design and
modify the control program or process without any changes in the wiring (no
hardware modifications). To make the programming of PLC systems easy
and efficient, industry standards defining the programming approach and the
programming languages used were adopted. This reduces the need for
personnel training by making a set of languages standard for all PLC platforms
on the market. Knowing the PLC programming languages and programming
standards is thus one of the most important considerations for anyone involved
in the PLC area.

4.10 PLC LANGUAGE

The function of all programming languages is to allow the user to
communicate with the programmable controller (PC) via a programming
device. They all convey to the system, by means of instructions, a basic control
plan.
Ladder diagrams, function blocks, and the sequential function chart are the
most common types of languages encountered in programmable controller
system design. Ladder diagrams form the basic PC language, while function
blocks and sequential function charting are categorized as high-level
languages. The basic programmable controller languages consist of a set of
instructions that will perform the most common types of control functions like
relay replacement, timing, counting, sequencing, and logic. However, the
instruction set may vary from one controller to another, because it
depends on the controller model, specification and requirements. It may be
extended or enhanced to perform other basic operations.
Here are some typical combinations of the languages:
1. Ladder diagrams only.
2. Ladder diagrams and function blocks.
3. Ladder and sequential function chart.
4. Ladder, function blocks, sequential function chart.

4.11 LADDER LANGUAGE


The ladder diagram language is a symbolic instruction set that is used to create
a programmable controller program. Before the extension of the ladder
language, the standard ladder instruction set was limited to performing only
relay equivalent functions, using the basic relay-type contact and coil symbols
similar to those shown in figure 1. The need for greater flexibility, coupled
with developments in technology, has extended it to six sub-instruction sets:
relay-type, timer/counter, data manipulation, arithmetic, data
transfer, and program control. The desired control logic is obtained by
arranging the ladder instruction symbols and storing them in memory.

4.12 ALLEN BRADLEY PLC

Figure 4.3

4.13 RELAY TYPE INSTRUCTION


The relay-type instructions are the most basic of programmable controller
instructions. They provide the same capabilities as hardwired relay logic, but
with greater flexibility. These instructions have the ability to examine the
ON/OFF status of a specific bit addressed in memory and to control the state
of an internal or external output bit. The following relay-type instructions are
the most commonly available in any controller that has a ladder diagram
instruction set.

4.13.1 NORMALLY OPEN CONTACT

The normally open contact is programmed when the presence of the input
signal is needed to turn an output ON. When evaluated, the referenced address
is examined for an ON (1) condition. The reference address may contain the
status of an external input, external output, or internal output. During the
examination, if the reference address is ON, then the normally open contact will
close and permit logic continuity (power flow). If it is OFF (0), then the
normally open contact will assume its normally programmed state (open), thus
breaking logic continuity.

Figure 4.4

4.13.2 NORMALLY CLOSED CONTACT

The normally closed contact works as the opposite of the normally open
contact. It is programmed when the absence of the referenced signal is needed
to turn an output ON (1). The reference address is examined for an OFF (0)
condition. If the address is OFF, then the normally closed contact will remain
closed, allowing logic continuity. When it is ON, the contact will open and
break logic continuity.

Figure 4.5

4.13.3 BRANCH START

The branch start instruction begins each parallel logic branch of a rung. It is
the first instruction programmed if a parallel branch or logical OR function is
needed in a logic rung.

Figure 4.6

4.13.4 BRANCH END

The branch end instruction finishes a set of parallel branches. This instruction
is used after the last instruction of the last branch to complete a set of parallel
branches.

Figure 4.7

4.13.5 ENERGIZE COIL ( )

The energize coil instruction is programmed to control either an output
connected to the controller, or an internal output bit. If any rung path has logic
continuity, the referenced output is turned ON. The output is turned OFF if
logic continuity is lost. When the output is ON, a normally open contact of
the same address will close, and a normally closed contact will open. If the
output goes OFF, any normally open set of contacts will then open, and
normally closed contacts will close. An example is shown (figure 3) to
illustrate the rung relay-type instructions: if either of the inputs is true, the
output will be true.

Figure 4.8
4.13.6 LATCH COIL AND UNLATCH COIL (L) (U)
The latch coil instruction is programmed for an output that must remain energized
(if necessary) even though the status of the input bits that caused the output to
energize may change. If any rung path has logic continuity, the output is turned
ON and retained ON even if logic continuity or system power is lost. The
latched output will remain latched ON until it is unlatched by an unlatch output
instruction of the same reference address. The unlatch instruction is the only
automatic (programmed) means of resetting the latched output. Although most
controllers allow latching of internal or external outputs, some are restricted to
latching internal outputs only.

Figure 4.9

4.14 TIMER INSTRUCTIONS


Timer and counter instructions are output instructions that provide the same
functions as hardware timers and counters. They are used to activate and deactivate a
device after an elapsed period or an expired count. These instructions are
generally considered internal outputs. Like the relay-type instructions, timer
and counter instructions are fundamental to the ladder diagram instruction set.
The operations of timers and counters are quite similar; in fact they are both
counters. A timer counts the number of times that a fixed interval of time (e.g.,
0.1 sec, 1.0 sec) elapses. A counter simply counts the occurrences of an event.
These instructions require an accumulator (ACC) register (word location) to
store the elapsed count and a preset (PR) register to store a preset value and to
determine the number of event occurrences or time-based intervals that are to
be counted.

4.14.1 TIMER ON DELAY INSTRUCTION (TON)

The purpose of this time-delay-ON timer instruction is to provide delayed
action or to measure the duration for which some event is occurring. When
any rung path has logic continuity, the timer begins counting time-based
intervals and counts until the accumulated (ACC) time equals the preset
(PR) value, as long as the rung conditions remain true. When the accumulated
time equals the preset value, a timer DONE bit in the accumulated word is set
to 1. Whenever the rung logic conditions for the TON instruction go false, the
accumulated value is reset to all zeros.

Figure 4.10

4.14.2 TIMER OFF DELAY (TOF)

As the name implies, this output instruction is programmed to provide time-
delayed action. If logic continuity is lost, the timer begins counting time-based
intervals until the accumulated time equals the programmed preset value.
When the accumulated time equals the preset time, the output is de-energized,
and the timed bit (bit 15) is set to zero.

Figure 4.11

4.14.3 RETENTIVE ON DELAY (RTO)

This instruction is used when the timer must retain its accumulated value,
even if logic continuity or power is lost. The timer begins counting
time-based intervals when there is logic continuity on the timer rung path, until
the accumulated time equals the preset value. Then an output is energized, and
the timed-out contact associated with the output is turned ON. The timer
contacts can be used throughout the program as NO or NC contacts. The
retentive timer accumulator value must be reset by the retentive timer reset
instruction. A retentive or accumulating timer holds or retains the current
elapsed time when the sensor turns off in mid-stream; it is called RTO.

Figure 4.12

4.14.4 RETENTIVE ON RESET


The retentive timer reset output instruction is used to reset the retentive timer
accumulator. If any rung path has logic continuity, then the accumulated value
of the retentive timer with the same word address is reset to zero.

4.15 COUNTER INSTRUCTIONS

4.15.1 UP-COUNTER (CTU)

The up-counter output instruction will increment by one each time the counted
event occurs. A control application of a counter is to turn a device ON or OFF
after reaching a certain count.

Figure 4.13

4.15.2 COUNTER RESET

The counter reset output instruction resets the up- and down-counter
accumulated values. When programmed, the CTR coil is given the same
reference address as the CTU and CTD coils. The preset and accumulated
values are displayed on the ladder diagram, but they have no real function. If
the CTR rung condition is TRUE, the counter with the same address will be
cleared.

4.15.3 DOWN COUNTER (CTD)

The down-counter output instruction will count down by one each time a
certain event occurs. Each time the down-count event occurs, the accumulated
value is decremented. In normal use, the down-counter is used in conjunction
with the up-counter to form an up/down counter.

Figure 4.14
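An added Python model (not from the report) of the CTU, CTD and CTR instructions above, sharing one counter address to form the up/down counter described in 4.15.3. It counts once per false-to-true rung transition, the way scan-based counter instructions do, so a sensor held true across several scans is counted once. The Counter class, the simulate function and the part-in/part-out sensor readings are constructed for illustration.

```python
class Counter:
    """One counter address: accumulator (ACC), preset (PR) and the DN bit,
    shared by the CTU, CTD and CTR instructions that reference it."""

    def __init__(self, preset):
        self.pr = preset
        self.acc = 0
        self.dn = False
        self._ctu_prev = False   # CTU rung state on the previous scan
        self._ctd_prev = False   # CTD rung state on the previous scan

    def _refresh(self):
        # DN is set when the accumulated count reaches the preset
        self.dn = self.acc >= self.pr

    def ctu(self, rung):
        """Up-counter: ACC increments once per false-to-true rung transition."""
        if rung and not self._ctu_prev:
            self.acc += 1
        self._ctu_prev = rung
        self._refresh()
        return self.dn

    def ctd(self, rung):
        """Down-counter: ACC decrements once per false-to-true rung transition."""
        if rung and not self._ctd_prev:
            self.acc -= 1
        self._ctd_prev = rung
        self._refresh()
        return self.dn

    def ctr(self, rung):
        """Counter reset: while its rung is true the shared ACC is cleared."""
        if rung:
            self.acc = 0
            self._refresh()


def simulate(entries, exits, preset=3):
    """Scan-by-scan up/down counter: entries and exits are the per-scan states
    of a part-in and a part-out sensor (constructed).  Returns (ACC, DN) after
    each scan; DN is what would drive a 'buffer full' output coil."""
    c = Counter(preset)
    history = []
    for enter, leave in zip(entries, exits):
        c.ctu(enter)     # rung 1: part-in sensor  -> CTU, counter address c
        c.ctd(leave)     # rung 2: part-out sensor -> CTD, same address
        history.append((c.acc, c.dn))
    return history


# Constructed sensor readings: the part-in sensor is held true for two scans
# at the start, which must count as a single part.
ENTRIES = [True, True, False, True, False, True, False, False, False]
EXITS = [False, False, False, False, False, False, True, False, True]
```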

4.16 ARITHMETIC OPERATIONS

Addition, subtraction, multiplication, and division are the four basic operations
included in the arithmetic operations. These instructions use the contents of
two word locations and perform the desired function.
The add and subtract instructions use one word for the result. Multiply and
divide need two words for the computed result.

4.16.1 ADDITION (ADD) (+)

The ADD instruction performs the addition of two values stored in two
different memory locations. The processor uses a GET (data transfer)
instruction to access the two values. The result is stored in the word address
referenced by the ADD coil. The input conditions should be programmed
before the values are accessed in the addition rung, if the addition operation is
enabled only when the rung conditions are true.

Figure 4.15

4.16.2 SUBTRACTION (SUB) (-)


It performs the subtraction operation of two registers. As in addition, if there is
a condition to enable the subtraction, it should be programmed before the
values are accessed in the rung. The subtraction result register will use a minus
sign to represent a negative result.

Figure 4.16

4.16.3 MULTIPLICATION (MUL)


Multiplication operation is performed when MUL is defined. It uses two
registers to hold the results of the operation between two operand registers.
The two registers are referenced by two output coils. It should be programmed
before the two operands are accessed in the multiplication rung, if there is a
condition to enable the operation.

Figure 4.17

4.16.4 DIVIDE (DIV)
The DIV instruction performs the quotient calculations of two numbers. The
result of the division is held in two result registers as referenced by the output
coils. The first register generally holds the integer, while the second result
register holds the decimal fraction.

Figure 4.18

4.17 DATA COMPARISON OPERATIONS

The manipulation of data using ladder diagram instructions generally involves
simple register (word) operations to compare the contents of two registers. In
the ladder language, there are three basic data comparison instructions: equal
to, greater than, and less than. Based on the result of a greater than, less than,
or equal to comparison, an output can be turned ON or OFF, or other
operations can be performed.

4.17.1 EQUAL TO (==)

The equal to instruction is used to compare the contents of two referenced
registers for an equal condition, when the rung conditions are true. If the
operation is true, the output coil is energized.

Figure 4.19

4.17.2 LESS THAN (<)

The less than instruction compares the value of one register to the value
stored in a second register. If the test condition is true (i.e. less than), the
output coil is energized.

Figure 4.20

4.17.3 GREATER THAN (>)

The greater than instruction operates the same way as the less than instruction,
except that it tests for a greater than condition. Some controllers do not have this
function, because a "greater than" function can be performed using the "less than"
logic by reversing the order of the data and the "less than" function in the logic
rung.

Figure 4.21

4.18 JUMP (JMP)

The jump instruction allows the CPU to jump to a new position in the ladder
diagram from the normal sequential execution. If the jump logic rung is true,
the jump coil (JMP) instructs the CPU to jump to and execute the rung labelled
with the same reference address as the jump coil. This allows the program to
execute rungs out of the normal sequential flow of a standard ladder program.

4.19 LABEL [LBL]

The label (LBL) is to identify that ladder rung which is the destination of a
jump instruction. The label reference must match that of the jump instruction
with which it is used. The label instruction does not contribute to logic
continuity, and it is always logically true. It is placed as the first logic
condition in the rung. A label instruction referenced by a unique address can be
defined only once in a program.

4.20 RETURN (RET)

The RET instruction is used to terminate a ladder jump subroutine. It must be
used at the end of each subroutine.

4.21 SINKING-SOURCING CONCEPT

4.21.1 SINKING

Sinking is the current driving capability of a circuit to draw a current toward
the ground or zero voltage, or to a lower voltage.

4.21.2 SOURCING

Sourcing is the current driving capability of a circuit to draw a current from the
power supply or the higher voltage in the circuit. The most commonly used DC
module options in PLCs are:
1. Sinking input and
2. Sourcing output module

Figure 4.22

Sinking I/O circuits on the I/O modules receive (sink) current from sourcing
field devices. Sinking output modules are used for interfacing with electronic
equipment.
A PLC has input and output lines through which it is connected to the system it
directs. Inputs can be keys, switches or sensors, while outputs lead to different
devices, from simple signalling lights to complex communication modules.
This is a very important part of the story about PLC controllers because
it directly influences what can be connected, and how, to controller inputs
or outputs. The two terms most frequently mentioned when discussing
connections to inputs or outputs are "sinking" and "sourcing". The briefest
definition of these two concepts would be:
SINKING = Common GND line (-)
SOURCING = Common VCC line (+)

4.22 ALLEN BRADLEY DATA FILE DESCRIPTION


File #  Type     Description
O0      Output   This file stores the state of output terminals for the
                 controller.
I1      Input    This file stores the state of input terminals for the
                 controller.
S2      Status   This file stores controller operation information useful
                 for troubleshooting controller and program operation.
B3      Bit      This file stores internal relay logic.
T4      Timer    This file stores the timer accumulator and preset values
                 and status bits.
C5      Counter  This file stores the counter accumulator and preset values
                 and status bits.
R6      Control  This file stores the length, pointer position, and status
                 bits for control instructions such as shift registers and
                 sequencers.
N7      Integer  This file is used to store bit information or numeric
                 values with a range of -32767 to 32768.

CHAPTER – 5
LADDER LOGIC EXAMPLES

5.1 SEQUENTIALLY OPERATING THREE MOTORS WITH DELAY BY USING TIMER

The problem consists of one push button (NO type), three TON timers and three
outputs, which have to be operated in the following sequence.
When the push button is pressed, timer 1 starts and output 1 runs for 10
sec. After completion of 10 sec, timer 2 starts and output 2 runs for 20 sec. After
that, timer 2 stops and timer 3 starts, so output 3 runs for 25 sec. Then the process
starts again with the same sequence. When the push button is released, all timers
reset and the whole process stops.

Figure 5.1

5.2 SEQUENTIALLY TURN OFF THE THREE OUTPUTS BY
USING TIMER AND LESS THAN INSTRUCTION

The problem consists of one push button (NO type), one TON timer, three less
than instructions and three outputs, which have to be operated in the following
sequence.
When the push button is pressed, the timer starts and all three outputs run.
Output 1 stops after 10 sec. Output 2 stops after 15 sec. Output 3 stops after
20 sec. Then the process starts again with the same sequence.
When the push button is released, the timer resets and the whole process
stops.

Figure 5.2
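An added Python simulation, not part of the report, that models the TON instruction of 4.14.1 and runs problems 5.1 and 5.2 above as rungs evaluated once per processor scan. It assumes a constructed scan time of 1 s so that the presets map to whole scans (a real PLC scans in milliseconds); TON, three_motors_5_1, three_outputs_5_2, run and on_scans are illustrative names.

```python
SCAN_DT = 1.0   # constructed scan time in seconds (a real PLC scans in ms)


class TON:
    """Timer ON delay (4.14.1): ACC accumulates while the rung is true, the
    DN bit sets when ACC reaches PR, and ACC and DN reset whenever the rung
    goes false.  TT ('timer timing') is true while enabled but not done."""

    def __init__(self, preset):
        self.pr = preset
        self.acc = 0.0
        self.en = self.dn = self.tt = False

    def update(self, rung, dt=SCAN_DT):
        if rung:
            if self.en:                      # already timing: add scan time
                self.acc = min(self.acc + dt, self.pr)
            self.en = True
        else:                                # rung false: reset to zeros
            self.en, self.acc = False, 0.0
        self.dn = self.en and self.acc >= self.pr
        self.tt = self.en and not self.dn


def three_motors_5_1(pb, t1, t2, t3):
    """Problem 5.1 as one scan: T1, T2, T3 chained by their DN bits; each
    output runs while its timer is timing; T3 DN breaks rung 1, so all three
    timers reset and the sequence repeats while the button is held."""
    t1.update(pb and not t3.dn)     # rung 1: TON T1, preset 10 s
    t2.update(t1.dn)                # rung 2: TON T2, preset 20 s
    t3.update(t2.dn)                # rung 3: TON T3, preset 25 s
    return (t1.tt, t2.tt, t3.tt)    # rungs 4-6: output 1, 2, 3 coils


def three_outputs_5_2(pb, t):
    """Problem 5.2 as one scan: a single 20 s TON with three LES compares on
    its ACC; each output drops when ACC reaches its limit."""
    t.update(pb and not t.dn)       # rung 1: TON T, restarts once done
    o1 = t.tt and t.acc < 10        # rung 2: LES T.ACC 10 -> output 1
    o2 = t.tt and t.acc < 15        # rung 3: LES T.ACC 15 -> output 2
    o3 = t.tt and t.acc < 20        # rung 4: LES T.ACC 20 -> output 3
    return (o1, o2, o3)


def run(program, timers, button, scans):
    """Execute `scans` processor scans with the push button held at `button`;
    returns the output tuple each scan produced."""
    return [program(button, *timers) for _ in range(scans)]


def on_scans(history, idx):
    """1-based scan numbers on which output idx was energized."""
    return [i + 1 for i, outs in enumerate(history) if outs[idx]]


if __name__ == "__main__":
    hist = run(three_motors_5_1, (TON(10), TON(20), TON(25)), True, 56)
    for i in range(3):
        s = on_scans(hist, i)
        print(f"5.1 output {i + 1} on from scan {s[0]} to {s[-1]}")
```

Between one cycle and the next the model shows the outputs all off for two scans (T3 DN, then the reset scan); on a real controller that gap is a few milliseconds of scan time.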

CONCLUSION

All the different languages have the function of providing easy
programming and program modification, and of allowing the user the choice of the
most appropriate language for a particular application. In this way ease of
use and maximum functionality are achieved without placing any constraints on
the possible applications of a PLC system. The standardization of the PLC
languages and programming styles has meant that the common set of
languages, the subject of this report, is supported by all manufacturers of
PLC systems. Together with all the other advantages the PLC systems have
over relay logic systems, they have assumed the dominant position once held
by relay logic controllers in the field of process and automated
manufacturing control. SCADA systems have made substantial progress
over recent years in terms of functionality, scalability, performance
and openness, such that they are an alternative to in-house development even
for very demanding and complex control systems such as those of physics
experiments.
