Automated Formal Verification of PLC (Programmable Logic Controller) Programs

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
A Survey of Runtime Verification Jonathan Amir 2004.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Efficient representation for formal verification of PLC programs Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure LURPA – ENS de Cachan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
An Evaluation of MC/DC Coverage for Pair-wise Test Cases By David Anderson Software Testing Research Group (STRG)
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Timed Automata.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
Presenter: PCLee – This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
1 Static Analysis Methods CSSE 376 Software Quality Assurance Rose-Hulman Institute of Technology March 20, 2007.
VERTAF: An Application Framework for Design and Verification of Embedded Real-Time Software Pao-Ann Hsiung, Shang-Wei Lin, Chih-Hao Tseng, Trong-Yen Lee,
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems ADPM’2000 Norbert Völker University of Essex, England.
Describing Syntax and Semantics
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Abstract Verification is traditionally done by determining the truth of a temporal formula (the specification) with respect to a timed transition system.
Application of Formal Verification Methods to the analysis of Bearings-only Ballistic Missile Interception Algorithms Eli Bendersky Michael Butvinnik Supervisor:
By D. Beyer et. al. Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor.
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
Balancing Practices: Inspections, Testing, and Others JAXA scenario (formal method) Masa Katahira Japanese Space Agency.
Lifecycle Verification of the NASA Ames K9 Rover Executive Dimitra Giannakopoulou Mike Lowry Corina Păsăreanu Rich Washington.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
1 New Development Techniques: New Challenges for Verification and Validation Mats Heimdahl Critical Systems Research Group Department of Computer Science.
Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.
1 The CeNTIE project is supported by the Australian Government through the Advanced Networks Program of the Department of Communications, Information Technology.
Institute e-Austria in Timisoara 1 Author: prep. eng. Calin Jebelean Verification of Communication Protocols using SDL ( )
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
Framework for the Development and Testing of Dependable and Safety-Critical Systems IKTA 065/ Supported by the Information and Communication.
CS6133 Software Specification and Verification
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Joseph Cordina 1/11 The Use of Model-Checking for the Verification of Concurrent Algorithms Joseph Cordina Department of C.S.&A.I.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs By Koen Claessen, Juhn Hughes ME: Mike Izbicki.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.
Verification & Validation By: Amir Masoud Gharehbaghi
CSCI1600: Embedded and Real Time Software Lecture 28: Verification I Steven Reiss, Fall 2015.
Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.
Properties Incompleteness Evaluation by Functional Verification IEEE TRANSACTIONS ON COMPUTERS, VOL. 56, NO. 4, APRIL
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
Whole Test Suite Generation. Abstract Not all bugs lead to program crashes, and not always is there a formal specification to check the correctness of.
Dániel Darvas (CERN BE-ICS-PCS / TU Budapest) DSL tools for formal verification Spoofax meeting 19/01/2016, CERN Joint work with B. Fernández, E. Blanco,
Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.
The PLA Model: On the Combination of Product-Line Analyses 강태준.
Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.
Sandeep Patil, Sayantan Bhadra, Valeriy Vyatkin
Formal verification of industrial control systems
Improving the quality of PLC programs
Formal Methods: Model Checkers and Theorem Provers
Formally Specified Monitoring of Temporal Properties
Aspect Validation: Connecting Aspects and Formal Methods
IS 2935: Developing Secure Systems
Automated Extraction of Inductive Invariants to Aid Model Checking
A Trusted Safety Verifier for Process Controller Code
Presentation transcript:

Automated Formal Verification of PLC (Programmable Logic Controller) Programs ICS – ESTEREL meeting 21/01/2016

Outline Context – Idea (goal) Background & state of the art Approach - Novelty State of the project – results Conclusions

Context ICS group: Industrial Control and Safety. PLC control systems: Standard and Safety Instrumented Systems. Need: Guarantee that the PLC code is compliant with the specifications. Currently: manual and automated testing Useful, but not efficient for every type of requirements. Difficult to test safety requirements: “if out1 is true, out2 should be false” PLC program Specifications IEC 61131-3

IEC 61508: Software design and dev. (table A.2) Context IEC 61508: Software design and dev. (table A.2) Even for SIL1 it is recommended to use [Semi]-formal methods

Idea – Problems – State of the art Applying formal verification to PLC programs (new developments and existing systems independently of the purpose) But… Why formal verification is not widely used in industry yet? How can we fill the gap between the automation and formal verification worlds? Other industries using formal methods: NASA: Remote Agent spacecraft control system (Deep Space 1 mission). Aircraft industry: Airbus A340 flight control , etc. Train systems: Subway in Paris, Line 14. Communication protocols: IPv6 protocol. Etc. What about formal verification in PLC based control systems? Industry: ESTEREL (SCADE), Siemens and ABB doing research. Academia: RWTH Aachen University, TU Dortmund, ENS Cachan, …

Background: Model checking Formal methods Verification Formal verification Testing Formal specification (B, Z, Alloy, …) Model checking Static analysis Formalisms: Automata, Petri Nets, Temporal Logic Verif. based on theorem proving

Why model checking is not widely used in automation? Real System (hardware, software) Specifications How to get models? How to formalize requirements? Formal Model Formal Requirement Automated generation Patterns Which model checker should be used? Model checker How to proceed with a counterexample? satisfied not satisfied Multiple (general meth.)  Counter-example Analysis & Demonstration How to make it efficient? Reductions

Model checking vs. Testing MC checks the specifications against a model instead of the real system. Allows to check properties that are almost impossible to test (e.g. liveness properties). Checks all possible combinations. Gives a counterexample when a discrepancy is found. Possible to automatize (can be used by non-formal method experts). State space explosion.

Our approach: methodology overview General method for applying formal verification: Generate formal models automatically out of PLC code. Includes several input PLC languages (IEC 61131-3: SFC, ST, IL, Ladder, FBD). Easy integration of different formal verification tools. 2 4 1 3

Model example

Our approach: methodology overview Traditional PLC program development 1 How can we be sure that a bug found by this methodology is real? 2 3 We can use the counterexample in the real system and prove it 4

Project status: CASE tool prototype

Project status & Results The methodology has been applied to PLC programs at CERN: UNICOS library: Bugs have been found in previously tested PLC programs. Full UNICOS applications: Cryogenic control system (QSDN). Future development & research: Extending the PLC grammars. Production-ready CASE tool. More abstraction and reduction techniques. Control system specifications. Applying extensively this approach to CERN PLC programs. Static analysis.

Conclusion and summary Model checking can be applied to PLC programs. Contribution → Difficulty can be hidden: Automated model generation, requirement patterns, automatic reduction techniques and counterexample analysis. We have found discrepancies in our systems: Incomplete or incorrect specification. Mistake in the implementation. Bugs can be proved in the real systems (counterexample info). Models are built out of the PLC programs. No standards for PLC program specification.

Testing vs. model checking Model checking tools: algorithms to check that a global model (hardware, software, process, etc.) meets given requirements. e.g. NuSMV, UPPAAL, Dfinder (BIP), SPIN, KRONOS, etc. Testing Inputs are known, outputs are checked Model checking Usually: The possibility of an output combination is checked. Can be used for other ways too. + - 3 ? 5 3 + ?

Testing vs. model checking Q0.0 := (I0.0 AND I0.1) OR Var1 Requirement If I0.0 is FALSE and I0.1 is FALSE , then Q0.0 is FALSE (Incomplete) testing may answer that this property is correct. Model checking will answer that this property is not correct and it will provide a counterexample: Var1 == 1

Testing vs. model checking PLC program … Q0.0 Q0.1 I0.0 IW2 I0.1 IW3 Safety Requirement If Q0.0 is TRUE, then Q0.1 is FALSE Model checking will explore all input combinations and will verify the safety property It’s a extremely complicated task for Testing.

Model checking Temporal logic Boolean logic Temporal operators How to build the formal models? Automata, Petri nets, Timed automata, … How to build the formal requirement? Temporal Logic Temporal logic Boolean logic operators AND, OR, NOT predicates input=TRUE, temp>100 + Temporal operators in the future … always … once … until…

Intermediate model (IM) Automata-based formalism Simple: but strong enough to represent any PLC feature. General and close to the modelling language used by the verification tools.

Results with the UNICOS library CERN PLC programs developed with the UNICOS Framework: Library of objects (representing the logic of real equipment) Expressed in PLC code: ST language. Metrics of the PLC program Metric OnOff PLC code Lines of code 600 Input variables 60 Output variables 62 Data types Booleans, integers, floats, time, etc. Timers 3

Results with the UNICOS library Metric Non-reduced model Reduced Specific Model * Potential state space ~10218 ~1036 ~1010 # Variables 255 118 33 Generation 0.3 s 11.3 s 12.6 s NuSMV Verification (with cex.) – 160.8 s 0.5 s * Based on a real requirement about the mode manager of the OnOff object Cone of Influence algorithm (property preserving reduction techniques)

Results with an UNICOS control system QSDN control system PLC code 110 FBs and FCs 17,500 lines of code Formal model 302 automata PSS = ~1031985 Goal: Verify the specific logic of the application

Results with an UNICOS control system Example of a variable dependency graph Reduced variable dependency graph Safety req. If Seq.Stop.x → Valve1.AuOffR Metric Non-reduced model Reduced Model* PSS ~1031985 ~105048 # Variables 31,402 3757 Generation 4.2 s 15.3 s NuSMV Verification – Metric Non-reduced model Reduced Model* Abstract Model ** PSS ~1031985 ~105048 ~1013 # Variables 31,402 3757 20 Generation 4.2 s 15.3 s 5.4 s NuSMV Verification – 0.25 s * Using property preserving reduction techniques ** Using non-property preserving reduction techniques

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.