
2009 Development of A PLC Virtual Machine Orienting IEC 61131-3


2009 International Conference on Measuring Technology and Mechatronics Automation

Development of a PLC Virtual Machine orienting IEC 61131-3 Standard

Zhou Chunjie, Chen Hui

Key Laboratory of Ministry of Education for Image Processing and Intelligent Control,
Department of Control Science and Engineering,
Huazhong University of Science and Technology, Wuhan, Hubei, China
Email: [email protected], [email protected]

Abstract—The Programmable Logic Controller (PLC) plays an increasingly important role in industry. To deal with the heterogeneity of manufacturer-dependent programming languages, the IEC 61131-3 international standard has promoted the development of PLC openness. In this paper, we present a proposal to implement the IEC 61131-3 standard in a PLC virtual machine (VM), which is a new kind of high-level language VM and takes Instruction List (IL) as the intermediate code. We discuss the syntax and semantics of IL, and show the design architecture for the emulation engine using both interpretation and translation methods. The PLC VM enables developers to rapidly port an IEC 61131-3 application onto different platforms. We have implemented the PLC VM on a C51 based embedded PLC platform.

Keywords-Programmable logic controller; virtual machine; IEC 61131-3

I. INTRODUCTION

With the accelerating popularity of networked control systems, the PLC, as a main type of discrete controller, has been applied in industry to an unprecedented degree. Traditional programming languages for PLCs had several drawbacks, including [1]: weak software structure, limited control over program execution, and in particular, limited facilities for software porting due to the lack of unified syntax and semantics between PLC products.

The IEC 61131-3 standard is a global standard that tries to overcome these problems to improve software quality [2]. However, the software porting problem is still outstanding because of different addressing schemes, various task scan rates, and the lack of a standard file format to store IEC 61131-3 applications. In this paper, we focus on proposing a virtualization based solution to this software porting problem.

Virtual machines provide a way of enhancing software interoperability, system impregnability, and platform versatility [3], and are used in a number of disciplines ranging from programming languages to processor architectures. When a system (or subsystem), e.g. a processor, memory, or I/O device, is virtualized, its interface and all resources visible through the interface are mapped onto the interface and resources of a real system actually implementing it. With this concept, the PLC VM is the traditional PLC system in the abstract, using a hardware-independent instruction set and shielding the application logic from the hardware. When the hardware platform changes, only the PLC VM needs to be ported, and the user's application does not require any changes in its procedures. Hence, the VM provides an effective way to port IEC 61131-3 based application logic onto different platforms.

The novelty of our virtual machine is that it is oriented to the PLC programming standard IEC 61131-3. One of the standard languages, IL, is taken as the intermediate code to carry the hardware-independent control logic. Meanwhile, unified local API interfaces are designed to deal with hardware-dependent calls in the instruction interpretation process. In short, pre-compiling the local resources, interpreting the IL logic in real time and calling the local interfaces on demand are the main characteristics of our PLC VM.

The rest of this paper is organized as follows: Section II overviews the related work in two aspects: the IEC 61131-3 standard and embedded virtualization technology; Section III shows the virtualized system architecture for the PLC VM. Section IV analyzes the syntax and semantics of IL, describes the VM hardware-dependent configuration process and details the implementation of the instruction emulation engine. The implementation and test of the PLC VM on a C51 based PLC platform is presented in Section V. This is followed by a conclusion and future work in Section VI.

II. RELATED WORK

A. IEC 61131-3 overview

The IEC 61131 standard is a general framework that tries to establish the rules to which all PLCs should adhere, encompassing mechanical, electrical, and logical aspects. The third part, IEC 61131-3, deals with the programming aspect of industrial controllers, defining the logical programming blocks and the programming languages. IEC 61131-3 has stipulated five kinds of programming languages, including instruction list (IL), ladder diagram (LD), sequential function diagram (SFC), function block diagram (FBD) and structured text (ST).

IL is a simple typed, low-level, assembly language, frequently used whenever it is necessary to have compact, time-critical code. In particular, it can act as the intermediate carrier for the other four languages, LD, SFC, FBD and ST.

978-0-7695-3583-8/09 $25.00 © 2009 IEEE
DOI 10.1109/ICMTMA.2009.422
For instance, the well-known IEC 61131-3 compiler OpenPCS [4] takes IL as the basic component to support the internal translation between high-level languages.

B. Embedded virtualization technology

VMs can be divided into two categories [3]: process virtual machines and system virtual machines. The former can only provide a virtual environment to a single system process, such as Java, Smalltalk and the other high-level language (HLL) VMs. The latter virtualizes the system as a whole, such as VMWare and Virtual PC.

Over the years, designers have developed a number of HLL VMs targeted at specific languages. A well-known example is the Java virtual machine (JVM) [5]. To deal with platform dependence, Java programs are first compiled to Java binary classes, which the JVM then loads and executes. By applying Java technology, Grabner [6] proposed a Virtual PLC architecture that is platform independent. However, its implementation is focused on realizing remote supervision and maintenance through a general purpose computer.

The PLC is a typical kind of embedded device, whose architecture is different from that of a general purpose computer. Yuki Kinebuchi [7] has discussed the benefits of applying virtualization techniques to embedded systems. Much to our regret, the performance of its implementation was not enough to meet the strict resource requirements, and it also lacked support for real-time guarantees. Heiser [8] argued that virtualization is unable to meet the special requirements of embedded systems. Hence, when we think of virtual machines we always remember the overhead of interpretation. Nowadays, apart from this thought, virtualization constitutes a valid approach for another typical embedded application field, the wireless sensor network (WSN). The proof is the broad range of software proposals for WSNs based on virtual machines [9].

As we have seen, there is still a lack of work applying embedded virtualization technologies to PLCs. Our work is focused on designing an HLL VM to support the IEC 61131-3 languages, called PLC VM. It enables users to rapidly port applications to different platforms, especially restricted embedded environments.

III. PLC VIRTUAL MACHINE

A. Design goals

The overall goal is to enable developers to rapidly implement back ends of PLC applications. We identified two specific PLC VM design goals:
• Provide programming support for the IEC 61131-3 standard, through interpreting IL code.
• Provide a unified set of local resource interfaces to shield the differences between PLC platforms, such as addressing schemes, task scan rates, peripheral device drivers and so on.

B. System Architecture

Full cross-platform portability is more easily achieved by designing it into the overall system architecture. Here, as illustrated by the VM-based system architecture (Figure 1), the application environment does not directly correspond to a real platform. Instead, it is designed for ease of portability and to match the features of the VM. The VM is focused on minimizing hardware-specific and OS-specific features, which would compromise platform independence.

Figure 1. VM-based system architecture
(Blocks shown: User Development Environment with IEC 61131-3 based Program, Compiler, Platform-dependent Hex Code and Portable Code; VM loader; Pre-install; Virtual Machine Image; VM Interpreter; RTOS; Local API; Host Instructions Library; Hardware: CPU, Register, Memory, Peripheral, I/O.)

Specifically, a compiler front-end generates abstract machine code, called portable code. This portable code is in essence the machine code for the VM. It can be distributed onto different platforms. For each platform, an interpreter in the VM takes each instruction, decodes it, and then performs the required state transformations involving memory and stack. I/O and peripheral functions are performed via a set of standard API calls which are defined as a part of the VM.

IV. IMPLEMENTATION OF VIRTUAL MACHINE

A. Portable code – IL language

IEC 61131-3 defines five standard programming languages for PLCs. Among them, IL is the only assembly language that can be directly interpreted as an intermediate code. The other languages can be translated to IL programs. Therefore, we choose IL as the portable code to support the full set of IEC 61131-3.

1) Syntax
IL is executed line by line. Each instruction line corresponds to an executable PLC order. Apart from the variable declarations, IL programs are sequences of statements. A statement mainly consists of a command and a series of operands. Sometimes, a statement begins with a label to denote the command location in the program. Additionally, programs can be augmented by annotations. An example is shown in Figure 2.

    Label : Command  Opcode #1 , Opcode #n  (* Annotations *)

    START : LD   %IX1.1   (* push the run button *)
            OR   %QX10.1  (* self holding contact *)
            ANDN %IX1.2   (* push the stop button *)
            JMP  START    (* return to beginning *)

Figure 2. Instruction structure of IL program

2) Semantics
Semantic analysis determines which statements are legitimate. The matching rules are listed in Table I. In general, we consider the following three major points:
• Read the command line by line and record the start and the end point.
• Identify the command and operand types.
• Check whether the scope of the operations is beyond the limit.

Firstly, the appearance of ":" denotes the beginning of an instruction line, and "\n" is the end. Secondly, the COMMAND is identified by matching the first "string" against the definition of IL code. The strings following the COMMAND are categorized into different types of operands. For instance, "LD S1" is identified as the pattern "string+string1", an indirect operand, and then translated to the pattern "%+string+num" according to the variable definitions. "LD %IX1.1" is usually interpreted as the 1st bit of the 1st input channel. If the operand pattern is not matched, the semantic analyzer steps into the error process.

TABLE I. MATCHING RULES FOR INTERPRETATION

Type      Interpreter behavior
:         match as Label; store the name and line number
string    match as Command;
          string+string1: match string1 as Opcode and replace string1 with the immediate/indirect operand;
          string+num: match num as Opcode, num is an immediate operand
%         match as Opcode, %+string+num: indirect operand
(*        Annotation, ignored
,         Delimiter between Opcodes
\n        End of one instruction line
.         Delimiter between numbers within Opcode;
          JMP/CAL/RET: match as interpreting process control function

B. Virtualization components

Figure 3. The configuration of PLC VM
(Blocks shown: Code preprocessor; VM Loader; IL Code; Initialization; Emulation Engine with Interpreter and Translator; Matching Rule Table; Local API Manager; Local Config. Info.; Local Resource Code Library; Peripheral Driver; I/O Register; OS Call Emulator; I/O & Peripheral Emulator; Real Time Operating System; Timer, Memory, CPU, I/O, Peripheral. Arrows are labelled (1), (2), (3) and "Initialize signals".)

The major components of a PLC VM are shown in Figure 3. They perform the following functions.
• VM loader: writes the IL code as input "data" into a region of memory holding the interpretation and translation routines.
• Initialization: allocates memory space for the code cache, operand stack and matching rule table used during the emulation process.
• Emulation engine: uses both interpretation and binary translation to emulate the IL instructions. The emulation is mainly performed via interpretation with a prerecorded intermediate form. The translation is responsible for dealing with the local operations that occur during interpretation.
• Local API manager: provides a unified set of local call interfaces for code interpretation, and decides which translations should be flushed out to make room for new translations.
• OS call emulator: translates the VM activity into an appropriate call on the OS and then handles any associated information returned as a result of the call.
• I/O & Peripheral emulator: translates the I/O or peripheral operations into an appropriate call on the local resource code library and then handles any associated information returned as a result of the call.

Moreover, as denoted in Figure 3, to achieve platform independence, three steps should be completed before the PLC VM runs:
• VM environment configuration, that is, allocating memory for storing IL code and setting up the operand stack.
• Replacement of the indirect operands with the actual system I/O addresses, decoupling the local related operations from the control logic.
• Encapsulation of the peripheral driver package under a unified set of interfaces, allocating the special code cache for operation of the local resource library.

C. Emulation engine

The PLC VM design is detailed below (Figure 4). PLC_VM is a factory class, which is responsible for the creation of the other four components of the VM, and provides an interface function InterpretCodes to interpret the IL code, using the pointer CCodeBase* to locate each command and call its execution function. As the IL-code interpretation is designed on object-oriented ideas, each command is a subclass derived from the super class CCodeBase. CCodeBase provides a pure virtual function. Each command subclass inherits it, overrides the function and realizes its own semantics. In this way, there is no need to change the interface code for the interpretation of each command.
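The matching rules of Table I and the per-command dispatch described above, as an added C example that is not the authors' code: it interprets single-bit IL lines through a function table and sends unmatched or out-of-range operands to the error path. The 16-channel image size, the status names, the ST line in the sample and the rule that ST may only target %QX are assumptions; JMP/CAL/RET and indirect operands are left out.

```c
#include <stdio.h>
#include <string.h>
#define CHANNELS 16   /* assumed size of the %IX and %QX images */
typedef unsigned char u8;
typedef enum { IL_OK, IL_EMPTY, IL_BAD_CMD, IL_BAD_OPERAND, IL_RANGE } il_status;
typedef struct {
    u8 in[CHANNELS], out[CHANNELS];   /* one byte per channel */
    int acc;                          /* IL current result */
} vm_t;

/* One handler per command, selected through a table: a C stand-in for
   the per-command subclasses the paper derives from CCodeBase. */
typedef void (*exec_fn)(vm_t *vm, u8 *b, u8 m);
static void op_ld(vm_t *vm, u8 *b, u8 m)   { vm->acc = (*b & m) != 0; }
static void op_and(vm_t *vm, u8 *b, u8 m)  { vm->acc &= (*b & m) != 0; }
static void op_andn(vm_t *vm, u8 *b, u8 m) { vm->acc &= (*b & m) == 0; }
static void op_or(vm_t *vm, u8 *b, u8 m)   { vm->acc |= (*b & m) != 0; }
static void op_st(vm_t *vm, u8 *b, u8 m)   { if (vm->acc) *b |= m; else *b &= (u8)~m; }
static const struct { const char *name; exec_fn fn; int writes; } commands[] = {
    { "LD", op_ld, 0 }, { "AND", op_and, 0 }, { "ANDN", op_andn, 0 },
    { "OR", op_or, 0 }, { "ST", op_st, 1 },
};

/* Match a direct operand "%IXc.b" or "%QXc.b" and check it against the
   image limits; anything else takes the error path. */
static il_status resolve(vm_t *vm, const char *op, int writes, u8 **byte, u8 *mask)
{
    char area, tail; unsigned ch, bit;
    if (sscanf(op, "%%%cX%u.%u%c", &area, &ch, &bit, &tail) != 3)
        return IL_BAD_OPERAND;
    if ((area != 'I' && area != 'Q') || (writes && area != 'Q'))
        return IL_BAD_OPERAND;        /* unknown area, or a store to an input */
    if (ch >= CHANNELS || bit > 7) return IL_RANGE;   /* beyond the limit */
    *byte = (area == 'I') ? &vm->in[ch] : &vm->out[ch];
    *mask = (u8)(1u << bit);
    return IL_OK;
}

/* Interpret one line: [label ':'] command operand [(* annotation *)] */
il_status il_exec_line(vm_t *vm, const char *line)
{
    char buf[96], cmd[8], operand[24], *p;
    u8 *byte, mask;
    il_status st; size_t i; int n;
    snprintf(buf, sizeof buf, "%s", line);
    if ((p = strstr(buf, "(*")) != NULL) *p = '\0';   /* annotation: ignored */
    p = strchr(buf, ':');                             /* label, if present */
    n = sscanf(p ? p + 1 : buf, " %7s %23s", cmd, operand);
    if (n < 1) return IL_EMPTY;
    if (n < 2) return IL_BAD_OPERAND;
    for (i = 0; i < sizeof commands / sizeof commands[0]; i++) {
        if (strcmp(cmd, commands[i].name) != 0) continue;
        st = resolve(vm, operand, commands[i].writes, &byte, &mask);
        if (st == IL_OK) commands[i].fn(vm, byte, mask);
        return st;
    }
    return IL_BAD_CMD;
}

/* Run one scan; stop at the first line that fails to match. */
il_status il_scan(vm_t *vm, const char *const *prog, size_t n)
{
    il_status st = IL_OK; size_t i;
    for (i = 0; i < n && (st == IL_OK || st == IL_EMPTY); i++)
        st = il_exec_line(vm, prog[i]);
    return st == IL_EMPTY ? IL_OK : st;
}

/* Constructed sample: start/stop latch in the style of the paper's Figure 2. */
const char *const latch[] = {
    "START: LD   %IX1.1   (* run button *)",
    "       OR   %QX10.1  (* self-holding contact *)",
    "       ANDN %IX1.2   (* stop button *)",
    "       ST   %QX10.1  (* drive the output *)",
};

int main(void)
{
    vm_t vm = {{0}, {0}, 0};
    vm.in[1] = 1u << 1;                        /* %IX1.1: run pressed */
    printf("status %d\n", (int)il_scan(&vm, latch, 4));
    printf("%%QX10.1 = %d\n", (vm.out[10] >> 1) & 1);
    return 0;
}
```

Because every operand is resolved through one bounds-checked function, a malformed or hostile IL line can fail only with a status code and never indexes outside the two images.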

Figure 4. The class structure of emulation engine
(Classes shown: PLC_APP; PLC_VM with members CCodeMaintain* m_pCodeMaintain, m_pOperMaintain, m_pFuncMaintain, m_pDataMaintain and methods Create() : bool, InterpretCode(), TranslateCode(), AddCode(CCodeBase& CodeBase); CDataMaintain, COperMaintain and CFuncMaintain; CCodeMaintain with AddCode(CCodeBase& CodeBase) and Save().)

The four major components in the VM are listed below:
• Stack of function calls (CFuncMaintain): records the point of function call and the context switch.
• Stack of operands (COperMaintain): used for buffering the intermediate results of computing, similar to the Evaluation Stack in the .NET CLR framework.
• Data sector (CDataMaintain): responsible for the storage of local and global variables. When the interpretation of one instruction line is accomplished, the data sector is recovered immediately.
• Code buffer area (CCodeMaintain): responsible for the maintenance of IL code, load and remove.

D. IL decoded process

The IL program decoding process in the emulation engine is described in Figure 5. Firstly, Load_ILCodes() loads the IL program. Then, the VM runs a process to analyze the variable and function definitions in the head of the source code, and translates the indirect operands into immediate operands (actual addresses). Following that, by matching the command code, if CAL or JMP is found, the information about function blocks and the jump target addresses in the IL program is collected. Based on it, the source IL code is rearranged into an optimized form to reduce the work of interpretation and improve efficiency. Finally, the interpretation process executes the optimized code line by line, since each line represents a logic command execution or a local call.

Figure 5. The IL decoded process
(Flowchart steps shown: PLC_VM->AddCode(); Vars & Func. definition preprocessor; Matching Command; Special Func.? leading to PLC_VM->TranslateCode(); PLC_VM->InterpretCode(); CAL? and JMP? tests; Error Command; Input Compiler to Function Block line location; Create local call point; Get JMP segment; Rearrange the instruction line sequence; Optimized IL Code; Get Instruction; Instruction Execution; Instruction counter++; RET?; Save results; End?; Execution complete & reset data segment.)

V. EXPERIMENTS AND ILLUSTRATION

Our platform consists of three parts: an embedded hardware platform; a compact micro-kernel to provide real-time task scheduling and interfaces for secondary development; and a PLC VM to execute IL code.

A. Proposed platform

Figure 6. The proposed embedded platform
(Blocks shown: CPU (C51); RAM; CAN; UART0; UART1; Ethernet Controller; I/O Port P1 to P5; A/D; D/A; RUN/SET; BATT; DOG; PR0.)

1) Hardware
As shown in Figure 6, the proposed hardware platform is based on a high-performance micro-controller chipset, including a CPU C8051f120 (MPS peak is 100MHz), 128K program memory (Flash) on chip and 256K data storage areas (expand RAM). In accordance with the requirements, the I/O port can be reused as SPI, I2C interface, external interrupt, external counter, or AD/DA port. Besides, the communication interfaces, such as CAN, UART and Ethernet, are also available on the embedded platform.

2) Micro-kernel
The kernel is a reduced and compact OS, which has been used in our previous implementation of embedded PLC [10]. The main characteristics are as follows:
• Task scheduling: schedules the interpretation tasks of the VM and the asynchronous events on ports. Normally, the CPU is released to the code interpretation cycle in the PLC VM. When an asynchronous event takes place, the PLC VM task is suspended and the asynchronous task is executed. If a number of external events occur, the kernel employs a priority-based scheme to deal with the collision.
• Interprocess communication: allocates special data resources for the IL program interpretation, part of which is named the file index table (local file area).

377

Authorized licensed use limited to: China University of Petroleum. Downloaded on January 18,2025 at 15:19:28 UTC from IEEE Xplore. Restrictions apply.
The external events are formed as a set of local files. Through the index table, the interpretation of IL can communicate and deal with the external events.
• Conflict resolution: for the hard real-time tasks, the priority depends on the response time; for the soft real-time tasks, the priority is arranged in a polling way, which is to check the task flag bits and execute them one by one when there is no hard real-time task request. When tasks drive resources to the limit, the system will respond to the delay. To meet real-time requirements, the kernel queries the implementation status of the tasks and adjusts the task priorities.

B. Implementation

With respect to the reconfigurability of the PLC VM, the VM runtime environment and the hardware-dependent local resource library were developed separately. The embedded development tool Keil C51 compiled the local resource library into a HEX file. During interpretation, the HEX file responds to the calls of hardware-dependent operations through the unified local manager interface.

A HEX file is often used to transfer the program and data that would be stored in a ROM. It is composed of any number of HEX records. Each record is made up of five fields that are arranged in the following format:

    :llaaaatt[dd...]cc

: is the colon that starts every Intel HEX record.
ll is the record-length field that represents the number of data bytes (dd) in the record.
aaaa is the address field that represents the starting address for subsequent data in the record.
tt is the field that represents the HEX record type: 00 - data record; 01 - end-of-file record; 02 - extended segment address record; 04 - extended linear address record.
[dd...] is the data field.
cc is the checksum field that represents the checksum of the record.

In order to extract the target code from the HEX file, we defined a data structure as follows:

typedef struct Hex
{
    int len;                  /* number of data bytes in the record (ll) */
    int addr;                 /* starting address of the data (aaaa) */
    unsigned char data[16];   /* data bytes (dd) */
    struct Hex *next;         /* next record in the linked list */
} hexformat;

We designed a HEX file reading process as follows:
The first step is to define a linked list HexList with the structure type hexformat, and load the records of the HEX file into the list nodes one by one.
The second step is to sort the linked list by HexList.addr in ascending order.
The third step is to read HexList.data starting at the beginning of the linked list, repeating the above execution in turn a number of times decided by HexList.len, and write the results to some specific procedures according to the unified set of call interfaces, the local API manager.
Finally, these specific procedures are the execution files which act as responses to the VM call.

C. Test results

Firstly, the PLC VM implementation cost on the C8051F120 platform is presented in Table II. It shows that the PLC VM costs 67150 bytes of code space and 15248 bytes of data space in total in the current implementation. In fact, the PLC VM is written in C for ease of implementation on the C8051f120, although the virtualization architecture is illustrated in a component-based way. The interpretation of each command line is a call to the corresponding execution function. Additionally, in order to decrease the overhead induced by the VM, the division of data space is static and allocated manually before the system runs.

TABLE II. THE SPACE COST OF PLC VM

Component          Code (bytes)   Data (bytes)
Emulation engine   13386          10000
Matching rules     4380           200
VM loader          803            20
Initialization     493            20
I/O library        698            8
Network library    47390          5000
Total              67150          15248

Secondly, we measured the IL instruction execution time. As listed in Table III, the results range from 0.025 ms to 0.131 ms. Except for floating-point math (which costs 0.131 ms), all instructions are interpreted within 0.05 ms. This shows that when given the highest priority, the interpretation process in the VM has little influence on the kernel, since 0.1 ms level real-time scheduling is supported in our kernel.

TABLE III. TYPICAL EXECUTION TIME OF INSTRUCTION

Instruction type     Time cost (ms)
Bit operation        0.032
Logic comparing      0.038
Math                 0.025-0.131
Procedure control    0.048

VI. CONCLUSION AND OUTLOOK

In this paper, we have presented an HLL VM to support IEC 61131-3, called PLC VM. It enables users to rapidly port IEC 61131-3 applications to different platforms, especially restricted embedded systems. The implementation also presents several other features. First, the other four IEC 61131-3 languages (LD, ST, FBD, and SFC) are supported indirectly through the intermediate code, IL. Second, rapid secondary development of the PLC VM is enabled, because various peripheral drivers or user configurations can be loaded without affecting the architecture. Third, since applications cannot run directly on the OS kernel or hardware, the virtualized architecture provides good protection for the lower-level code.

Further research can include at least three aspects:
• Further code optimization.
• Interface to IEC 61131-3 development tools, such as OpenPCS.
• Implementation on other platform architectures.

ACKNOWLEDGMENT

This work was supported by the guidance program of the state's "tenth five-years" science and technology project (No. 2005BA206C), and the National Natural Science Foundation of China (No. 60674081).

REFERENCES

[1] R.W. Lewis, Programming industrial control systems using IEC 1131-3, IEE Control Engineering Series, London, UK, 1998.
[2] IEC 61131-3, "Programmable Controllers – Part 3: Programming Languages," International Electrotechnical Commission, 2001.
[3] James E. Smith and Nair Ravi, "The architecture of virtual machines," Computer, vol. 38, n 5, May 2005, pp. 32-38.
[4] Infoteam, OpenPCS 2004 Automation Suite for IEC 61131-3, http:/www.infoteam.de/downloads/open/IEC_61131/
[5] Gosling J., B. Joy and G. Steele, The Java Language Specification, 3rd ed., Addison Wesley, MA, USA, 2005.
[6] Grabner M., Leonhartsberger G., Leutgeb A. and Altmann J., "Java in industrial automation - A Virtual PLC," Proc. of IEEE Computer Society's International Computer Software and Applications Conference, Chicago, USA, Oct. 2001, pp. 477-479.
[7] Yuki Kinebuchi, Hidenari Koshimae, Shuichi Oikawa and Tatsuo Nakajima, "Virtualization Techniques for Embedded Systems," Proc. of 12th IEEE International Conference on Embedded and Real-Time Computing and Applications, Sydney, Australia, Aug. 2006, pp. 27-42.
[8] Gernot Heiser, "The role of virtualization in embedded systems," Proc. of 1st Workshop on Isolation and Integration in Embedded Systems, Glasgow, UK, April 2008, pp. 11-16.
[9] Cai Yanwen, Chen Tianzhou and Wu Zhaohui, "Component-based Network Protocols on Communication Device," Application Research of Computers, vol 21, n 12, 2004, pp. 253-256.
[10] Zhou Chunjie, Xiong Rui and Wang Yongji, "Design and Implementation of Embedded PLC Software Platform Based on Network," Computer Engineering and Applications, vol 42, n 34, 2006, pp. 76-80.
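Added example, not the authors' code, for the HEX file reading process of Section V.B: it loads Intel HEX records into the paper's hexformat list in ascending address order and copies them into a target image. Because ll is a full byte while data holds 16 bytes, each record's length and checksum are checked before anything is copied; the function names, status codes and sample records are constructed for illustration, and record types 02 and 04 are reported rather than handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Hex {              /* node type defined in the paper */
    int len;
    int addr;
    unsigned char data[16];
    struct Hex *next;
} hexformat;

enum { HEX_DATA = 1, HEX_EOF = 2, HEX_ERR_FORMAT = -1, HEX_ERR_LEN = -2,
       HEX_ERR_SUM = -3, HEX_ERR_TYPE = -4, HEX_ERR_MEM = -5 };

static int nibble(int c)
{
    if (c >= 'a' && c <= 'f') c -= 'a' - 'A';
    return c >= '0' && c <= '9' ? c - '0' : c >= 'A' && c <= 'F' ? c - 'A' + 10 : -1;
}

/* Validate one ":llaaaatt[dd...]cc" record and link a data record into the
   list in ascending addr order (steps one and two of the paper's process). */
int hex_add_record(hexformat **list, const char *rec)
{
    unsigned char raw[5 + 255];   /* largest record the format can express */
    unsigned sum = 0;
    int n = 0, i, hi, lo;
    hexformat *node;

    if (*rec++ != ':') return HEX_ERR_FORMAT;
    for (; *rec && *rec != '\r' && *rec != '\n'; rec += 2) {
        hi = nibble(rec[0]);
        lo = hi < 0 ? -1 : nibble(rec[1]);
        if (lo < 0 || n == (int)sizeof raw) return HEX_ERR_FORMAT;
        raw[n++] = (unsigned char)(hi << 4 | lo);
    }
    if (n < 5) return HEX_ERR_FORMAT;
    if (n != raw[0] + 5) return HEX_ERR_LEN;             /* ll disagrees with the text */
    if (raw[0] > sizeof node->data) return HEX_ERR_LEN;  /* would overflow data[16] */
    for (i = 0; i < n; i++) sum += raw[i];
    if ((sum & 0xFFu) != 0) return HEX_ERR_SUM;          /* bytes plus cc sum to 0 mod 256 */
    if (raw[3] == 0x01) return HEX_EOF;
    if (raw[3] != 0x00) return HEX_ERR_TYPE;             /* 02 and 04 not handled here */
    if ((node = calloc(1, sizeof *node)) == NULL) return HEX_ERR_MEM;
    node->len = raw[0];
    node->addr = raw[1] << 8 | raw[2];
    memcpy(node->data, raw + 4, raw[0]);
    while (*list && (*list)->addr <= node->addr) list = &(*list)->next;
    node->next = *list;
    *list = node;
    return HEX_DATA;
}

/* Step three: copy the sorted records into the target image, refusing any
   write outside it. Returns the number of bytes placed, or -1. */
int hex_flatten(const hexformat *list, unsigned char *image, size_t size)
{
    int total = 0;
    for (; list; list = list->next) {
        if ((size_t)list->addr + (size_t)list->len > size) return -1;
        memcpy(image + list->addr, list->data, (size_t)list->len);
        total += list->len;
    }
    return total;
}

/* Constructed sample file; the two data records are deliberately out of order. */
const char *const sample[] = {
    ":04001000DEADBEEFB4", ":03000000020010EB", ":00000001FF",
};

int main(void)
{
    hexformat *list = NULL, *next;
    unsigned char image[32] = {0};
    int i;
    for (i = 0; i < 3; i++)
        printf("record %d -> %d\n", i, hex_add_record(&list, sample[i]));
    printf("%d bytes placed\n", hex_flatten(list, image, sizeof image));
    for (; list; list = next) { next = list->next; free(list); }
    return 0;
}
```

A record that is valid Intel HEX but declares more than 16 data bytes is rejected with HEX_ERR_LEN instead of being copied into the fixed-size node.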
