efficient representation for formal verification of plc programs vincent gourcuff, olivier de smet...

Efficient representation for formal verification of PLC programs

Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure

LURPA – ENS de Cachan

WODES’06 - Efficient representation for formal verification of PLC programs 2

Outline

Objective of the work

Construction of formal models

Representation construction• Dependencies analysis

• Translation of PLC programs into formal models

Assessment of the representation efficiency

Conclusions and prospects

Objective


Design of controllers for critical systems

Control system

Steam turbine

Power plant

Refinery

Requirements

?

Objective


Impact of the IEC 61508 standard

Functional safety of E/E/PE safety-related systems Industrial need: to reach the SIL3 or SIL4 levels (SIL:

Safety Integrity Level) • Hardware: redundancies, voting mechanisms, ….

• Software: recommendations for development

SIL levels and software development

Technique SIL1 SIL2 SIL3 SIL4

Semi-formal methods R R HR HR

Formal methods including for example, CCS, CSP, HOL,

LOTOS, OBJ, temporal logic, VDM and Z

- R R HR

Objective


Overall objective

To investigate the possibilities of formal verification for improving the SIL level of critical systems controlled by PLCs



Formal verification of PLC programs

Model – Checker

Property proved

or counterexample

Requirements

Scheduler

Inputs reading

Program execution

Outputs updating

Initialization

ProgramO1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN

O3 := I3 AND NOT(I4);

END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;

O1 := NOT(I2 OR I4);

Informal extrinsic (application-dependant)

properties

Formal representatio

n

Formalization

Formalization

AG (( dp_head_motor_up) => EF (!dp_head_motor_up )) Formal

representation

[Rausch Krogh 98][Frey Litz 00]

[de Smet Rossi 02][Huuck Lukoschus Bauer 03]

…

2

1

3



Technical barriers when model-checking PLC programs

Barriers Potential solutions

Specification of properties in formal language

Libraries of parametrized properties

Use of the results of previous functional or safety analysis

State space explosion See what follows

Counterexamples explanation Translation of counterexamples in a tailor made representation

Limitation of the counterexamples length

1

2

3



What is the meaning of a state ?

Formal representations Collection of automata

• 5-tuple { S, Σ, Λ, T, G } :

- 3 finite sets :

• states (S)

• input alphabet (Σ)

• output alphabet (Λ)

- a transition function (T : S × Σ → S)

- an output function (G : S → Λ).

Transition relations on variables• Equations system:

VARn+1 = F(VARn)

- VARn+1 the set of variables, at the next step of calculus

- VARn the set of variables, at the current step of calculus

Temporal logic statements• CTL

• LTL

Real world behavior

?

Requirements

Cyclic scheduler

PLC

IF O1

THENO3 := I3 AND NOT(I4);END_IF;

Inputs reading

Program execution

Outputs updating

Initialization

Program

Variables states

Execution state

Process

Expected and unexpected states

and sequences



Case of a PLC program

O1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN


END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;


I1

I2

I3

I4

O1

O2

O3

O4

PLC program

O5

PLC scheduler

I1=1, I2=0, I3=1, I4=0, O1=0, O2=1, O3=0, O4=0,O5=1

Inputs reading

Outputs updating

Initial state

PLC cycle 1 PLC cycle 2

I1=0, I2=0, I3=1, I4=0

O1=0

O2=0

I1=1, I2=0, I3=1, I4=0, O1=1, O2=0, O3=0, O4=1,O5=0

I1=0, I2=1, I3=1, I4=0

I1=1, I2=0, I3=1, I4=0,O1=1,O2=0,O3=0,O4=1,O5=

1

O4=1

O5=0

O1=1

Representation construction


Features of the considered programs

PLC programs are executed sequentially;only Boolean variables are used; internal variables may be included in the program;only the following statements of the ST language are

allowed:• assignment;

• Boolean operators defined in IEC 61131-3 standard (NOT, AND, OR, XOR)

• function block (FB) (IEC 61131-3 standard or user-made)

• control statements, IF and CASE selection statements;

• iteration statements (FOR, WHILE, REPEAT) are forbidden;

multiple assignments of the same variable are possible.



Global method

PLC program

Static dependencies

Static analysis

Formal model design

NuSMV model

O1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN


END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;


I1

I2

I3

I4

O1

O2

O3

O4

PLC program

O5

PLC scheduler

O1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN


END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;


I1

I2

I3

I4

O1

O2

O3

O4

PLC program

O5

PLC scheduler

Temporal dependencies

Taking into account execution order

Next(I1) := {0, 1};

Next(I2) := {0, 1};

Next(I3) := {0, 1};

Next(I4) := {0, 1};

Next(O2) := Next(I3) & Next(I4);

Next(O3) :=

case

Next(I1) | Next(I2) : Next(I3) & !(Next(I4));

!(Next(I1) | Next(I2)) : O3;

esac;

Next(O4) :=

case

Next(I1) : 0;

O5 : 1;

1 : O4;

esac;

Next(O5) := Next(O2) & Next(O4);

Next(O1) :=!(Next(I2) | Next(I4));

O4,i+1I1,i+1

O4,i

O5,i

O4I1

O4

O5


Static and temporaldependencies construction

I1 O1

I2

I3 O2

I4

O1

O3

I4

I3

O3

O4I1

O4

O5

O2 O5

O4

I2 O1

I4

I1,i+1 O1

I2,i+1

I3,i+1 O2,i+1

I4,i+1

O3,i+1

I4,i+1

I3,i+1

O3,i

O4,i+1I1,i+1

O4,i

O5,i

O2,i+1 O5,i+1

O4,i+1

I2,i+1 O1,i+1

I4,i+1

I1,i+1

I2,i+1

Static dependencies Temporal dependencies

O1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN


END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;


I1

I2

I3

I4

O1

O2

O3

O4

PLC program

O5

PLC scheduler

O1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN


END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;


I1

I2

I3

I4

O1

O2

O3

O4

PLC program

O5

PLC scheduler



Translating ST controllers into NuSMV models:general algorithmBEGIN PLC_prog_TO_NuSMV_model(Pr)

FOR each statement Si of Pr:IF Si is an assignment (Vi := expressioni)THEN

FOR each variable Vk in expressioni:Replace Vk by the variable pointed out inthe temporal dependency (Vk,i or Vk,i+1)

ELIF Si is a conditional structure (if cond; then stmt1; else stmt2)FOR each variable Vk in cond:

Replace Vk by the variable pointed out inthe temporal dependency (Vk,i or Vk,i+1)

FOR each variable Vm assigned in Si :Replace Vm assignment by:

”casecond : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt1);!cond : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt2);

esac ; ”

ASSIGNMENT

CONDITIONAL STRUCTURE

CO

ND

ITIO

NS

TA

TE

ME

NT



Translating ST controllers into NuSMV models:example

Next(I1) := {0, 1};

Next(I2) := {0, 1};

Next(I3) := {0, 1};

Next(I4) := {0, 1};


Next(O3) :=

case


!(Next(I1) | Next(I2)) : O3;

esac;

Next(O4) :=

case

Next(I1) : 0;

O5 : 1;

1 : O4;

esac;



From generic models library+

Temporal dependencies

O1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN


END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;


I1

I2

I3

I4

O1

O2

O3

O4

PLC program

O5

O4,i+1I1,i+1

O4,i

O5,i



Translating ST controllers into NuSMV models: comparison to previous approaches

Next(I1) := {0, 1};

Next(I2) := {0, 1};

Next(I3) := {0, 1};

Next(I4) := {0, 1};


Next(O3) :=

case


!(Next(I1) | Next(I2)) : O3;

esac;

Next(O4) :=

case

Next(I1) : 0;

O5 : 1;

1 : O4;

esac;



No intermediary variables states

No "line_counter" because theexecution state is no more useful

No "end_of_cycle" variable; one cycle is reduced to only one state

Efficiency assessment


Basic example

Comparison of the state spaces sizes• state space reduction (about 15 times)

• reduction of the maximum distance between states (system diameter) (11 times shorter)

indirect consequence : trace of counterexample reduced

Reachable states

System diameter

representation of [dSR02]

314out of 4336

22

proposed representation

21out of 512

2

O1 := I1 OR I2;

O2 := I3 AND I4;

IF O1

THEN


END_IF;

O4:= RS(O5,I1)

O5 := O2 AND O4;


I1

I2

I3

I4

O1

O2

O3

O4

PLC program

O5

PLC scheduler

Efficiency assessment


Fishertechnik example [Special session at ACC02]

• known tested machining line

• already written control program

• expected behavior known

• small scale system

- 15 Inputs

- 15 Outputs

Comparison of the proof process durations

representation of [dSR02]

proposed representation

liveness propertyAG (( dp_head_motor_up) => EF (!dp_head_motor_up ))

5h / 526MB 2s / 8MB

safety propertyAG (!INI => !(dp_head_motor_up & dp_motor_down))

20min / 200MB 2s / 8MB


Conclusions

Efficiency of the representation assessed

Translation of PLC programs• Fully automated• Fast (some seconds or tens of seconds for industrial programs)

On-going works

Improvement of the representation efficiency by limiting the number of stored variables

Taking into account integer and real variablesDesign of a library of tailor-made function blocks

Efficient representation for formal verification of PLC programs

Thank you

for attention


1

2

4

3

State distance• d(1,2) = 1• d(1,3) = 2• ...• d(2,1) = 2 • ...

System diameter• SD = max (d(I,j)) = 2

efficient representation for formal verification of plc programs vincent gourcuff, olivier de smet...

Documents

formal models assessment

representation limitation

cachan slide

plcs slide

initialization program

z rrhr slide

outline objective

overall objective