Efficient representation for formal verification of PLC programs
Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure
LURPA – ENS de Cachan
Outline
• Objective of the work
• Construction of formal models
• Representation construction
  - Dependencies analysis
  - Translation of PLC programs into formal models
• Assessment of the representation efficiency
• Conclusions and prospects
WODES’06 - Efficient representation for formal verification of PLC programs
Objective
Design of controllers for critical systems
[Figure: from the requirements to the control system (the design step is marked with a question mark), illustrated with critical processes: a power plant, a refinery and a steam turbine.]
Objective
Impact of the IEC 61508 standard
• Functional safety of E/E/PE safety-related systems
• Industrial need: to reach the SIL3 or SIL4 levels (SIL: Safety Integrity Level)
  - Hardware: redundancies, voting mechanisms, …
  - Software: recommendations for development
• SIL levels and software development

Technique | SIL1 | SIL2 | SIL3 | SIL4
Semi-formal methods | R | R | HR | HR
Formal methods including for example, CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM and Z | - | R | R | HR
(R: recommended; HR: highly recommended; -: no recommendation for or against)
Objective
Overall objective
• To investigate the possibilities of formal verification for improving the SIL level of critical systems controlled by PLCs
Construction of formal models
Formal verification of PLC programs
[Figure: the verification flow in three steps.]
1. Formalization of the PLC program: the scheduler (initialization, inputs reading, program execution, outputs updating) and the program are translated into a formal representation. Example program (ST):
     O1 := I1 OR I2;
     O2 := I3 AND I4;
     IF O1 THEN
       O3 := I3 AND NOT(I4);
     END_IF;
     O4 := RS(O5, I1);
     O5 := O2 AND O4;
     O1 := NOT(I2 OR I4);
2. Formalization of the requirements: informal extrinsic (application-dependent) properties are expressed in temporal logic, e.g.
     AG ((dp_head_motor_up) => EF (!dp_head_motor_up))
3. Model checking: the model checker, fed with both formal representations, returns "property proved" or a counterexample.
Related work cited: [Rausch Krogh 98], [Frey Litz 00], [de Smet Rossi 02], [Huuck Lukoschus Bauer 03], …
Construction of formal models
Technical barriers when model-checking PLC programs

Barrier | Potential solutions
1. Specification of properties in formal language | Libraries of parametrized properties; use of the results of previous functional or safety analysis
2. State space explosion | See what follows
3. Counterexamples explanation | Translation of counterexamples in a tailor-made representation; limitation of the counterexamples length
Construction of formal models
What is the meaning of a state?
[Figure: real world behavior on the left, formal representations on the right, with a question mark between them.]
Real world behavior:
• PLC: cyclic scheduler (initialization, inputs reading, program execution, outputs updating) and program, e.g.
       IF O1 THEN
         O3 := I3 AND NOT(I4);
       END_IF;
  - variables states
  - execution state
• Process
• Requirements: expected and unexpected states and sequences
Formal representations:
• Collection of automata
  - 5-tuple { S, Σ, Λ, T, G }:
    - 3 finite sets: states (S), input alphabet (Σ), output alphabet (Λ)
    - a transition function (T : S × Σ → S)
    - an output function (G : S → Λ)
• Transition relations on variables
  - Equations system: VAR_{n+1} = F(VAR_n), where VAR_{n+1} is the set of variables at the next step of calculus and VAR_n the set of variables at the current step of calculus
• Temporal logic statements
  - CTL
  - LTL
Construction of formal models
Case of a PLC program
[Figure: the example program run through the PLC scheduler (inputs reading, program execution, outputs updating) for two cycles. Values shown on the slide:
  initial state: I1=1, I2=0, I3=1, I4=0, O1=0, O2=1, O3=0, O4=0, O5=1
  inputs read: I1=0, I2=0, I3=1, I4=0 and I1=0, I2=1, I3=1, I4=0
  intermediate values computed during program execution: O1=0, O2=0, O4=1, O5=0, O1=1
  states after outputs updating, in the order shown: I1=1, I2=0, I3=1, I4=0, O1=1, O2=0, O3=0, O4=1, O5=0 (PLC cycle 1) and I1=1, I2=0, I3=1, I4=0, O1=1, O2=0, O3=0, O4=1, O5=1 (PLC cycle 2)]
Representation construction
Features of the considered programs
• PLC programs are executed sequentially;
• only Boolean variables are used;
• internal variables may be included in the program;
• only the following statements of the ST language are allowed:
  - assignment;
  - Boolean operators defined in the IEC 61131-3 standard (NOT, AND, OR, XOR);
  - function blocks (FB) (IEC 61131-3 standard or user-made);
  - control statements, IF and CASE selection statements;
  - iteration statements (FOR, WHILE, REPEAT) are forbidden;
• multiple assignments of the same variable are possible.
Representation construction
Global method
[Figure: the translation chain, applied to the example program under the PLC scheduler.]
1. Static analysis of the PLC program gives the static dependencies: which variables each assigned variable depends on (e.g. O4 depends on O5 and I1).
2. Taking the execution order into account turns them into temporal dependencies: each variable read is indexed i (value from the previous cycle) or i+1 (value computed in the current cycle), e.g. O4,i+1 depends on O5,i, I1,i+1 and O4,i.
3. Formal model design produces the NuSMV model (I: inputs, O: outputs):
     Next(I1) := {0, 1};
     Next(I2) := {0, 1};
     Next(I3) := {0, 1};
     Next(I4) := {0, 1};
     Next(O2) := Next(I3) & Next(I4);
     Next(O3) :=
       case
         Next(I1) | Next(I2) : Next(I3) & !(Next(I4));
         !(Next(I1) | Next(I2)) : O3;
       esac;
     Next(O4) :=
       case
         Next(I1) : 0;
         O5 : 1;
         1 : O4;
       esac;
     Next(O5) := Next(O2) & Next(O4);
     Next(O1) := !(Next(I2) | Next(I4));
Static and temporal dependencies construction
[Figure: for the example program, left, the static dependency graph (each assigned variable linked to the variables read in its assignment: O1 to I1, I2 and to I2, I4; O2 to I3, I4; O3 to O1, I3, I4; O4 to O5, I1; O5 to O2, O4) and, right, the temporal dependency graph, in which every variable read is indexed i (value from the previous cycle: O3,i, O4,i, O5,i) or i+1 (value computed in the current cycle: I1,i+1 to I4,i+1, O1,i+1, O2,i+1, O3,i+1, O4,i+1, O5,i+1).]
Representation construction
Translating ST controllers into NuSMV models: general algorithm

BEGIN PLC_prog_TO_NuSMV_model(Pr)
  FOR each statement Si of Pr:
    IF Si is an assignment (Vi := expression_i)                          -- ASSIGNMENT STATEMENT
    THEN
      FOR each variable Vk in expression_i:
        Replace Vk by the variable pointed out in the temporal dependency (Vk,i or Vk,i+1)
    ELIF Si is a conditional structure (IF cond THEN stmt1 ELSE stmt2)   -- CONDITIONAL STRUCTURE
      FOR each variable Vk in cond:                                      -- CONDITION
        Replace Vk by the variable pointed out in the temporal dependency (Vk,i or Vk,i+1)
      FOR each variable Vm assigned in Si:
        Replace Vm assignment by:
          "case
             cond : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt1);
             !cond : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt2);
           esac;"
END
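As an added example (not part of the slides or the authors' tool), the algorithm above written out in Python for the slides' program subset (Boolean assignment, IF/ELSE, the RS bistable), with the statement tree given directly as constructed tuples instead of parsing ST text; the variable lists and tuple encoding are assumptions of this example. Each variable read is resolved as the temporal dependencies prescribe: the previous-cycle value V before its first write, next(V) after its final write, and the inlined expression between an intermediate write and a later one, so no intermediate variable states are stored (NuSMV's keyword is lowercase next; the slides write Next).

```python
# Added example (not the authors' tool): slides' ST subset -> NuSMV next-state assignments.

def assigned(stmts):
    return {v for s in stmts for v in (assigned(s[2]) | assigned(s[3]) if s[0] == "IF" else [s[1]])}

def render(e, ref):
    if isinstance(e, str):                        # variable read: resolve via temporal dependency
        return ref[e]
    if e[0] == "NOT":
        return f"!({render(e[1], ref)})"
    return {"AND": " & ", "OR": " | ", "XOR": " xor "}[e[0]].join(render(a, ref) for a in e[1:])

def case(rows):
    return "case\n" + "".join(f"  {g} : {v};\n" for g, v in rows) + "esac"

def run(stmts, ref):
    """Symbolic execution in program order; ref[v] is the inline value of v so far."""
    for s in stmts:
        if s[0] == ":=":                          # (":=", var, expr)
            ref[s[1]] = render(s[2], ref)
        elif s[0] == "RS":                        # ("RS", var, S, R1): bistable, R1 dominant
            _, v, s_in, r1 = s
            ref[v] = case([(render(r1, ref), "0"), (render(s_in, ref), "1"), ("1", ref[v])])
        else:                                     # ("IF", cond, then_body, else_body)
            _, cond, then_b, else_b = s
            c, t, f = render(cond, ref), dict(ref), dict(ref)
            run(then_b, t); run(else_b, f)
            for v in assigned(then_b) | assigned(else_b):
                ref[v] = case([(c, t[v]), (f"!({c})", f[v])])

def to_nusmv(inputs, states, prog):
    """One PLC cycle is one NuSMV step; inputs are free, unwritten state variables hold."""
    ref = {**{i: f"next({i})" for i in inputs}, **{v: v for v in states}}  # V before first write
    last, nxt = {v: max(j for j, s in enumerate(prog) if v in assigned([s])) for v in assigned(prog)}, {}
    for j, s in enumerate(prog):
        run([s], ref)                             # intermediate writes stay inlined in ref
        for v in assigned([s]):
            nxt[v] = ref[v]
            if last[v] == j:                      # final write: later reads see stored next(v)
                ref[v] = f"next({v})"
    return "\n".join([f"next({i}) := {{0, 1}};" for i in inputs]
                     + [f"next({v}) := {nxt.get(v, v)};" for v in states])

# The slides' example program as a constructed statement tree (O4 := RS(O5, I1): S = O5, R1 = I1).
EXAMPLE = [(":=", "O1", ("OR", "I1", "I2")),
           (":=", "O2", ("AND", "I3", "I4")),
           ("IF", "O1", [(":=", "O3", ("AND", "I3", ("NOT", "I4")))], []),
           ("RS", "O4", "O5", "I1"),
           (":=", "O5", ("AND", "O2", "O4")),
           (":=", "O1", ("NOT", ("OR", "I2", "I4")))]
```

Calling to_nusmv(["I1", "I2", "I3", "I4"], ["O1", "O2", "O3", "O4", "O5"], EXAMPLE) reproduces the slides' model: the IF condition becomes the inlined first assignment of O1, the RS block becomes the reset-dominant case, and O5 reads O5 (previous cycle) while O2 and O4 are read as next(O2) and next(O4).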
Representation construction
Translating ST controllers into NuSMV models: example
PLC program:
     O1 := I1 OR I2;
     O2 := I3 AND I4;
     IF O1 THEN
       O3 := I3 AND NOT(I4);
     END_IF;
     O4 := RS(O5, I1);
     O5 := O2 AND O4;
     O1 := NOT(I2 OR I4);
+ temporal dependencies (e.g. O4,i+1 depends on O5,i, I1,i+1 and O4,i)
= NuSMV model:
     Next(I1) := {0, 1};
     Next(I2) := {0, 1};
     Next(I3) := {0, 1};
     Next(I4) := {0, 1};
     Next(O2) := Next(I3) & Next(I4);
     Next(O3) :=
       case
         Next(I1) | Next(I2) : Next(I3) & !(Next(I4));
         !(Next(I1) | Next(I2)) : O3;
       esac;
     Next(O4) :=                (from the generic models library: RS function block)
       case
         Next(I1) : 0;
         O5 : 1;
         1 : O4;
       esac;
     Next(O5) := Next(O2) & Next(O4);
     Next(O1) := !(Next(I2) | Next(I4));
Representation construction
Translating ST controllers into NuSMV models: comparison to previous approaches
     Next(I1) := {0, 1};
     Next(I2) := {0, 1};
     Next(I3) := {0, 1};
     Next(I4) := {0, 1};
     Next(O2) := Next(I3) & Next(I4);
     Next(O3) :=
       case
         Next(I1) | Next(I2) : Next(I3) & !(Next(I4));
         !(Next(I1) | Next(I2)) : O3;
       esac;
     Next(O4) :=
       case
         Next(I1) : 0;
         O5 : 1;
         1 : O4;
       esac;
     Next(O5) := Next(O2) & Next(O4);
     Next(O1) := !(Next(I2) | Next(I4));
• No intermediary variables states
• No "line_counter" because the execution state is no more useful
• No "end_of_cycle" variable; one cycle is reduced to only one state
Efficiency assessment
Basic example
[Figure: the example PLC program (scheduler and ST code of the previous slides) used for the comparison.]

                          | Reachable states | System diameter
representation of [dSR02] | 314 out of 4336  | 22
proposed representation   | 21 out of 512    | 2

Comparison of the state spaces sizes
• state space reduction (about 15 times)
• reduction of the maximum distance between states (system diameter) (11 times shorter)
  - indirect consequence: trace of counterexample reduced
Efficiency assessment
Fischertechnik example [Special session at ACC02]
• known tested machining line
• already written control program
• expected behavior known
• small scale system
  - 15 inputs
  - 15 outputs
• Comparison of the proof process durations:

Property                                                             | representation of [dSR02] | proposed representation
liveness property AG ((dp_head_motor_up) => EF (!dp_head_motor_up))  | 5h / 526MB                | 2s / 8MB
safety property AG (!INI => !(dp_head_motor_up & dp_motor_down))     | 20min / 200MB             | 2s / 8MB
Conclusions
• Efficiency of the representation assessed
• Translation of PLC programs
  - Fully automated
  - Fast (some seconds or tens of seconds for industrial programs)
On-going works
• Improvement of the representation efficiency by limiting the number of stored variables
• Taking into account integer and real variables
• Design of a library of tailor-made function blocks
Thank you for attention

State distance
[Figure: a transition graph with states 1, 2, 3 and 4 used to illustrate state distances.]
• d(1,2) = 1
• d(1,3) = 2
• ...
• d(2,1) = 2
• ...
System diameter
• SD = max (d(i,j)) = 2