Efficient representation for formal verification of PLC programs Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure LURPA – ENS de Cachan

WODES’06 - Efficient representation for formal verification of PLC programs 2 Outline  Objective of the work  Construction of formal models  Representation construction Dependencies analysis Translation of PLC programs into formal models  Assessment of the representation efficiency  Conclusions and prospects

Objective WODES’06 - Efficient representation for formal verification of PLC programs 3 Design of controllers for critical systems Control system Steam turbine Power plant Refinery Requirements ?

Objective WODES’06 - Efficient representation for formal verification of PLC programs 4 Impact of the IEC standard  Functional safety of E/E/PE safety-related systems  Industrial need: to reach the SIL3 or SIL4 levels (SIL: Safety Integrity Level) Hardware: redundancies, voting mechanisms, …. Software: recommendations for development  SIL levels and software development TechniqueSIL1SIL2SIL3SIL4 Semi-formal methodsRRHR Formal methods including for example, CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM and Z -RRHR

Objective WODES’06 - Efficient representation for formal verification of PLC programs 5 Overall objective  To investigate the possibilities of formal verification for improving the SIL level of critical systems controlled by PLCs

Construction of formal models WODES’06 - Efficient representation for formal verification of PLC programs 6 Formal verification of PLC programs Model – Checker Property proved or counterexample Requirements Scheduler Inputs reading Program execution Outputs updating Initialization Program O 1 := I 1 OR I 2 ; O 2 := I 3 AND I 4 ; IF O 1 THEN O 3 := I 3 AND NOT(I 4 ); END_IF; O 4 := RS(O 5,I 1 ) O 5 := O 2 AND O 4 ; O 1 := NOT(I 2 OR I 4 ); Informal extrinsic (application-dependant) properties Formal representation Formalization AG (( dp_head_motor_up) => EF (!dp_head_motor_up )) Formal representation [Rausch Krogh 98] [Frey Litz 00] [de Smet Rossi 02] [Huuck Lukoschus Bauer 03] … 2 1 3

Construction of formal models WODES’06 - Efficient representation for formal verification of PLC programs 7 Technical barriers when model-checking PLC programs BarriersPotential solutions Specification of properties in formal language Libraries of parametrized properties Use of the results of previous functional or safety analysis State space explosionSee what follows Counterexamples explanationTranslation of counterexamples in a tailor made representation Limitation of the counterexamples length 1 2 3

Construction of formal models WODES’06 - Efficient representation for formal verification of PLC programs 8 What is the meaning of a state ? Formal representations  Collection of automata 5-tuple { S, Σ, Λ, T, G } : -3 finite sets : states (S) input alphabet (Σ) output alphabet (Λ) -a transition function (T : S × Σ → S) -an output function (G : S → Λ).  Transition relations on variables Equations system: VAR n+1 = F(VAR n ) -VAR n+1 the set of variables, at the next step of calculus -VAR n the set of variables, at the current step of calculus  Temporal logic statements CTL LTL Real world behavior ? Requirements Cyclic scheduler PLC IF O 1 THEN O 3 := I 3 AND NOT(I 4 ); END_IF; Inputs reading Program execution Outputs updating Initialization Program Variables states Execution state Process Expected and unexpected states and sequences

Construction of formal models WODES’06 - Efficient representation for formal verification of PLC programs 9 Case of a PLC program O 1 := I 1 OR I 2 ; O 2 := I 3 AND I 4 ; IF O 1 THEN O 3 := I 3 AND NOT(I 4 ); END_IF; O 4 := RS(O 5,I 1 ) O 5 := O 2 AND O 4 ; O 1 := NOT(I 2 OR I 4 ); I1I1 I2I2 I3I3 I4I4 O1O1 O2O2 O3O3 O4O4 PLC program O5O5 PLC scheduler I 1 =1, I 2 =0, I 3 =1, I 4 =0, O 1 =0, O 2 =1, O 3 =0, O 4 =0,O 5 =1 Inputs reading Outputs updating Initial state PLC cycle 1 PLC cycle 2 I 1 =0, I 2 =0, I 3 =1, I 4 =0 O 1 =0 O 2 =0 I 1 =1, I 2 =0, I 3 =1, I 4 =0, O 1 =1, O 2 =0, O 3 =0, O 4 =1,O 5 =0 I 1 =0, I 2 =1, I 3 =1, I 4 =0 I 1 =1, I 2 =0, I 3 =1, I 4 =0, O 1 =1,O 2 =0,O 3 =0,O 4 =1,O 5 =1 O 4 =1 O 5 =0 O 1 =1

Representation construction WODES’06 - Efficient representation for formal verification of PLC programs 10 Features of the considered programs  PLC programs are executed sequentially;  only Boolean variables are used;  internal variables may be included in the program;  only the following statements of the ST language are allowed: assignment; Boolean operators defined in IEC standard (NOT, AND, OR, XOR) function block (FB) (IEC standard or user-made) control statements, IF and CASE selection statements; iteration statements (FOR, WHILE, REPEAT) are forbidden;  multiple assignments of the same variable are possible.

Representation construction WODES’06 - Efficient representation for formal verification of PLC programs 11 Global method PLC program Static dependencies Static analysis Formal model design NuSMV model Temporal dependencies Taking into account execution order O 4,i+1 I 1,i+1 O 4,i O 5,i O4O4 I1I1 O4O4 O5O5

WODES’06 - Efficient representation for formal verification of PLC programs 12 Static and temporal dependencies construction I1I1 O1O1 I2I2 I3I3 O2O2 I4I4 O1O1 O3O3 I4I4 I3I3 O3O3 O4O4 I1I1 O4O4 O5O5 O2O2 O5O5 O4O4 I2I2 O1O1 I4I4 I 1,i+1 O1O1 I 2,i+1 I 3,i+1 O 2,i+1 I 4,i+1 O 3,i+1 I 4,i+1 I 3,i+1 O 3,i O 4,i+1 I 1,i+1 O 4,i O 5,i O 2,i+1 O 5,i+1 O 4,i+1 I 2,i+1 O 1,i+1 I 4,i+1 I 1,i+1 I 2,i+1 Static dependenciesTemporal dependencies

Representation construction WODES’06 - Efficient representation for formal verification of PLC programs 13 Translating ST controllers into NuSMV models: general algorithm BEGIN PLC_prog_TO_NuSMV_model(Pr) FOR each statement S i of Pr: IF S i is an assignment (V i := expression i ) THEN FOR each variable V k in expression i : Replace V k by the variable pointed out in the temporal dependency (V k,i or V k,i+1 ) ELIF Si is a conditional structure (if cond; then stmt 1 ; else stmt 2 ) FOR each variable V k in cond: Replace V k by the variable pointed out in the temporal dependency (V k,i or V k,i+1 ) FOR each variable V m assigned in S i : Replace V m assignment by: ”case cond : assignment of V m in PLC_prog_TO_NuSMV_model(stmt 1 ); !cond : assignment of V m in PLC_prog_TO_NuSMV_model(stmt 2 ); esac ; ” ASSIGNMENT CONDITIONAL STRUCTURE CONDITION STATEMENT

Representation construction WODES’06 - Efficient representation for formal verification of PLC programs 14 Translating ST controllers into NuSMV models: example Next(I1) := {0, 1}; Next(I2) := {0, 1}; Next(I3) := {0, 1}; Next(I4) := {0, 1}; Next(O2) := Next(I3) & Next(I4); Next(O3) := case Next(I1) | Next(I2) : Next(I3) & !(Next(I4)); !(Next(I1) | Next(I2)) : O3; esac; Next(O4) := case Next(I1) : 0; O5 : 1; 1 : O4; esac; Next(O5) := Next(O2) & Next(O4); Next(O1) :=!(Next(I2) | Next(I4)); From generic models library + Temporal dependencies O 4,i+1 I 1,i+1 O 4,i O 5,i

Representation construction WODES’06 - Efficient representation for formal verification of PLC programs 15 Translating ST controllers into NuSMV models: comparison to previous approaches Next(I1) := {0, 1}; Next(I2) := {0, 1}; Next(I3) := {0, 1}; Next(I4) := {0, 1}; Next(O2) := Next(I3) & Next(I4); Next(O3) := case Next(I1) | Next(I2) : Next(I3) & !(Next(I4)); !(Next(I1) | Next(I2)) : O3; esac; Next(O4) := case Next(I1) : 0; O5 : 1; 1 : O4; esac; Next(O5) := Next(O2) & Next(O4); Next(O1) :=!(Next(I2) | Next(I4)); No intermediary variables states No "line_counter" because the execution state is no more useful No "end_of_cycle" variable; one cycle is reduced to only one state

Efficiency assessment WODES’06 - Efficient representation for formal verification of PLC programs 16 Basic example Comparison of the state spaces sizes state space reduction (about 15 times) reduction of the maximum distance between states (system diameter) (11 times shorter)  indirect consequence : trace of counterexample reduced Reachable states System diameter representation of [dSR02] 314 out of proposed representation 21 out of O 1 := I 1 OR I 2 ; O 2 := I 3 AND I 4 ; IF O 1 THEN O 3 := I 3 AND NOT(I 4 ); END_IF; O 4 := RS(O 5,I 1 ) O 5 := O 2 AND O 4 ; O 1 := NOT(I 2 OR I 4 ); I1I1 I2I2 I3I3 I4I4 O1O1 O2O2 O3O3 O4O4 PLC program O5O5 PLC scheduler

Efficiency assessment WODES’06 - Efficient representation for formal verification of PLC programs 17 Fishertechnik example [Special session at ACC02] known tested machining line already written control program expected behavior known small scale system -15 Inputs -15 Outputs  Comparison of the proof process durations representation of [dSR02] proposed representation liveness property AG (( dp_head_motor_up) => EF (!dp_head_motor_up )) 5h / 526MB2s / 8MB safety property AG (!INI => !(dp_head_motor_up & dp_motor_down)) 20min / 200MB2s / 8MB

WODES’06 - Efficient representation for formal verification of PLC programs 18 Conclusions  Efficiency of the representation assessed  Translation of PLC programs Fully automated Fast (some seconds or tens of seconds for industrial programs) On-going works  Improvement of the representation efficiency by limiting the number of stored variables  Taking into account integer and real variables  Design of a library of tailor-made function blocks

Efficient representation for formal verification of PLC programs Thank you for attention

WODES’06 - Efficient representation for formal verification of PLC programs  State distance d(1,2) = 1 d(1,3) = 2... d(2,1) = 2...  System diameter SD = max (d(I,j)) = 2