Efficient representation for formal verification of PLC programs
DESCRIPTION
Slides of "Efficient representation for formal verification of PLC programs" by Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure (LURPA, ENS de Cachan), presented at WODES'06. Outline: objective of the work; construction of formal models; representation construction (dependencies analysis, translation of PLC programs into formal models); assessment of the representation efficiency; conclusions and prospects.
TRANSCRIPT
Efficient representation for formal verification of PLC programs
Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure
LURPA – ENS de Cachan
WODES’06 - Efficient representation for formal verification of PLC programs 2
Outline
Objective of the work
Construction of formal models
Representation construction
• Dependencies analysis
• Translation of PLC programs into formal models
Assessment of the representation efficiency
Conclusions and prospects
Objective
Design of controllers for critical systems
[Figure: a control system (PLC) driving critical processes such as a steam turbine, a power plant or a refinery; the open question is how to make sure that the controller meets its requirements.]
Objective
Impact of the IEC 61508 standard
Functional safety of E/E/PE safety-related systems. Industrial need: to reach the SIL3 or SIL4 levels (SIL: Safety Integrity Level).
• Hardware: redundancies, voting mechanisms, …
• Software: recommendations for development

SIL levels and software development (R: recommended, HR: highly recommended, -: no recommendation)

Technique                                                        SIL1  SIL2  SIL3  SIL4
Semi-formal methods                                              R     R     HR    HR
Formal methods (e.g. CCS, CSP, HOL, LOTOS, OBJ, temporal logic,  -     R     R     HR
VDM and Z)
Objective
Overall objective
To investigate the possibilities of formal verification for improving the SIL level of critical systems controlled by PLCs
Construction of formal models
Formal verification of PLC programs
[Figure: the model-checking flow, in three numbered steps]
1. Requirements: informal, extrinsic (application-dependent) properties, formalized into temporal-logic statements, e.g.
     AG ((dp_head_motor_up) => EF (!dp_head_motor_up))
2. PLC and program: the cyclic scheduler (initialization, then inputs reading, program execution, outputs updating) together with the program, formalized into a formal representation. Example program used throughout the slides:
     O1 := I1 OR I2;
     O2 := I3 AND I4;
     IF O1 THEN
       O3 := I3 AND NOT(I4);
     END_IF;
     O4 := RS(O5, I1);
     O5 := O2 AND O4;
     O1 := NOT(I2 OR I4);
   (RS is the IEC 61131-3 reset-dominant bistable, written here as a shortened call; as the translated model later shows, O5 is its set input S and I1 its reset input R1.)
3. Model checker: takes both formal representations and returns either "property proved" or a counterexample.
Earlier formalizations of PLC programs: [Rausch Krogh 98], [Frey Litz 00], [de Smet Rossi 02], [Huuck Lukoschus Bauer 03], …
Construction of formal models
Technical barriers when model-checking PLC programs

Barrier                                            Potential solutions
1. Specification of properties in a formal language   Libraries of parametrized properties; use of the results of previous functional or safety analysis
2. State space explosion                           See what follows
3. Counterexamples explanation                     Translation of counterexamples into a tailor-made representation; limitation of the counterexamples length
Construction of formal models
What is the meaning of a state?
Formal representations:
• Collection of automata: a 5-tuple {S, Σ, Λ, T, G} with three finite sets (the states S, the input alphabet Σ, the output alphabet Λ), a transition function T : S × Σ → S and an output function G : S → Λ.
• Transition relations on variables: an equation system VAR_{n+1} = F(VAR_n), where VAR_{n+1} is the set of variables at the next step of calculus and VAR_n the set of variables at the current step of calculus.
• Temporal logic statements: CTL, LTL.
Real-world behavior:
• the requirements;
• the PLC, i.e. the cyclic scheduler (initialization, inputs reading, program execution, outputs updating) and the program, e.g. IF O1 THEN O3 := I3 AND NOT(I4); END_IF;
• the variables' states and the execution state (which statement is being executed);
• the process, with its expected and unexpected states and sequences.
Question: what does a state of the formal representation correspond to in this real-world behavior?
Construction of formal models
Case of a PLC program
[Figure: the example program of slide 6 with its inputs I1..I4, outputs O1..O5 and the PLC scheduler, executed over two cycles.]
Initial state: I1=1, I2=0, I3=1, I4=0, O1=0, O2=1, O3=0, O4=0, O5=1
PLC cycle 1
  Inputs reading: I1=0, I2=0, I3=1, I4=0
  Program execution, statement by statement: O1=0 (I1 OR I2), O2=0 (I3 AND I4), O3 kept at 0 (O1 is false, so the IF body is skipped), O4=1 (the RS bistable is set by the O5=1 left by the previous cycle and not reset since I1=0), O5=0 (O2 AND O4), O1=1 (NOT(I2 OR I4))
  Outputs updating: O1=1, O2=0, O3=0, O4=1, O5=0
PLC cycle 2
  Inputs reading: I1=0, I2=1, I3=1, I4=0
  (execution continues in the same way)
Within a cycle a variable may take several values (O1 is assigned twice) that are never seen on the outputs; only the values present at the end of the cycle are.
Representation construction
Features of the considered programs
• PLC programs are executed sequentially;
• only Boolean variables are used; internal variables may be included in the program;
• only the following statements of the ST language are allowed:
  - assignment;
  - Boolean operators defined in the IEC 61131-3 standard (NOT, AND, OR, XOR);
  - function blocks (FB), from the IEC 61131-3 standard or user-made;
  - control statements: IF and CASE selection statements;
  - iteration statements (FOR, WHILE, REPEAT) are forbidden;
• multiple assignments of the same variable are possible.
Representation construction
Global method
PLC program → (static analysis) → static dependencies → (taking into account the execution order) → temporal dependencies → (formal model design) → NuSMV model
[Figure: the example program of slide 6 with its inputs I1..I4, outputs O1..O5 and the PLC scheduler, annotated with its dependencies; for instance O4 at cycle i+1 depends on I1 at cycle i+1 and on O4 and O5 at cycle i.]
Resulting NuSMV model (ASSIGN section). The inputs are free at each cycle, so next(Ik) is chosen non-deterministically in {0, 1}. The slide writes "Next"; the NuSMV keyword is the lowercase next, used below.

  next(I1) := {0, 1};
  next(I2) := {0, 1};
  next(I3) := {0, 1};
  next(I4) := {0, 1};
  next(O2) := next(I3) & next(I4);
  next(O3) :=
    case
      next(I1) | next(I2)    : next(I3) & !(next(I4));  -- the IF, with the intermediate value of O1 inlined
      !(next(I1) | next(I2)) : O3;                      -- O1 false: O3 keeps the value of the previous cycle
    esac;
  next(O4) :=
    case
      next(I1) : 0;   -- RS bistable: the reset input I1 is dominant
      O5       : 1;   -- set input: O5 of the previous cycle (O5 is assigned after O4)
      1        : O4;  -- otherwise the memorized value
    esac;
  next(O5) := next(O2) & next(O4);
  next(O1) := !(next(I2) | next(I4));
Representation construction
Static and temporal dependencies construction
[Figure: for each statement of the example program of slide 6, the variables the assigned variable depends on, first without and then with cycle indices.]
Static dependencies (in statement order):
  O1 <- I1, I2
  O2 <- I3, I4
  O3 <- O1, I3, I4, O3 (value kept when O1 is false)
  O4 <- I1, O5, O4 (RS bistable)
  O5 <- O2, O4
  O1 <- I2, I4
Temporal dependencies (i: current cycle, i+1: next cycle). An input always denotes the value read at the start of cycle i+1; a variable read before it has been assigned in the cycle denotes its value at cycle i; a variable read after its assignment denotes its value at cycle i+1, and an intermediate value (the first assignment of O1, read by the IF) is replaced by its expression:
  O1,i+1 <- I1,i+1, I2,i+1 (intermediate value)
  O2,i+1 <- I3,i+1, I4,i+1
  O3,i+1 <- I1,i+1, I2,i+1, I3,i+1, I4,i+1, O3,i
  O4,i+1 <- I1,i+1, O4,i, O5,i
  O5,i+1 <- O2,i+1, O4,i+1
  O1,i+1 <- I2,i+1, I4,i+1 (final value)
Representation construction
Translating ST controllers into NuSMV models: general algorithm

BEGIN PLC_prog_TO_NuSMV_model(Pr)
  FOR each statement Si of Pr:
    IF Si is an assignment (Vi := expression_i) THEN                      -- ASSIGNMENT
      FOR each variable Vk in expression_i:
        Replace Vk by the variable pointed out in the temporal dependency (Vk,i or Vk,i+1)
    ELIF Si is a conditional structure (IF cond THEN stmt1 ELSE stmt2) THEN   -- CONDITIONAL STRUCTURE
      FOR each variable Vk in cond:
        Replace Vk by the variable pointed out in the temporal dependency (Vk,i or Vk,i+1)
      FOR each variable Vm assigned in Si:
        Replace the Vm assignment by:
          "case
             cond  : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt1);
             !cond : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt2);
           esac;"
END
Representation construction
Translating ST controllers into NuSMV models: example
The example program of slide 6 is translated into the NuSMV model of slide 11. The expressions come from the temporal dependencies (e.g. O4,i+1 depends on I1,i+1, O4,i and O5,i), and the RS function block is instantiated from a generic models library (case next(I1) : 0; O5 : 1; 1 : O4; esac).
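The general algorithm of the previous slide and this example, written out as an added Python example (it is not the paper's translator). It applies the temporal-dependency rule of the slides: a variable read before it is assigned in the cycle denotes its value at cycle i (the plain NuSMV name), an input or a variable read after its final assignment denotes its value at cycle i+1 (next(name)), and a read of a non-final intermediate value is inlined so that it needs no state. The tuple-based AST (Var/Not/And/Or), the RS library model (reset dominant, arguments S then R1), the THEN-only IF, the use of TRUE/FALSE instead of the slides' 0/1, and the all-FALSE initial state are assumptions of this example.

```python
# Added example, not the paper's tool: translation of the slides' ST program into
# a one-state-per-cycle NuSMV model with the temporal-dependency rule read off
# the slides. The AST form, the RS library model (reset dominant, arguments S
# then R1), TRUE/FALSE constants and the all-FALSE initial state are assumptions
# of this example; IF is THEN-only, as in the program.

INPUTS = ["I1", "I2", "I3", "I4"]
OUTPUTS = ["O1", "O2", "O3", "O4", "O5"]

# Expression nodes: ("var", name) | ("not", e) | ("and", a, b) | ("or", a, b)
def Var(name): return ("var", name)
def Not(e): return ("not", e)
def And(a, b): return ("and", a, b)
def Or(a, b): return ("or", a, b)

# Statements: ("assign", v, expr) | ("if", cond, [stmts]) | ("rs", q, s, r1)
PROGRAM = [
    ("assign", "O1", Or(Var("I1"), Var("I2"))),
    ("assign", "O2", And(Var("I3"), Var("I4"))),
    ("if", Var("O1"), [("assign", "O3", And(Var("I3"), Not(Var("I4"))))]),
    ("rs", "O4", Var("O5"), Var("I1")),            # O4 := RS(O5, I1)
    ("assign", "O5", And(Var("O2"), Var("O4"))),
    ("assign", "O1", Not(Or(Var("I2"), Var("I4")))),
]


def count_assignments(stmts, counts=None):
    """Static pass: number of assignments per variable, IF bodies included."""
    counts = {} if counts is None else counts
    for s in stmts:
        if s[0] == "if":
            count_assignments(s[2], counts)
        else:
            counts[s[1]] = counts.get(s[1], 0) + 1
    return counts


class Translator:
    def __init__(self, program, inputs):
        self.inputs = set(inputs)
        self.total = count_assignments(program)
        self.seen = {}      # assignments to each variable met so far in the cycle
        self.interm = {}    # inlined text of a variable's latest non-final value
        self.model = {}     # variable -> NuSMV expression assigned to next(variable)
        self.translate(program)

    def ref(self, name):
        """Temporal dependency of a read of `name`: (NuSMV text, is_atomic)."""
        if name in self.inputs:                  # inputs are read at cycle start
            return f"next({name})", True
        done = self.seen.get(name, 0)
        if done == 0:                            # not yet written: value of cycle i
            return name, True
        if done == self.total[name]:             # final value of cycle i+1
            return f"next({name})", True
        return self.interm[name], False          # intermediate value: inline it

    def fmt(self, e):
        """Render an expression in NuSMV syntax: (text, is_atomic)."""
        if e[0] == "var":
            return self.ref(e[1])
        if e[0] == "not":
            text, atomic = self.fmt(e[1])
            return "!" + (text if atomic else f"({text})"), True
        parts = []
        for sub in e[1:]:
            text, atomic = self.fmt(sub)
            parts.append(text if atomic else f"({text})")
        return (" & " if e[0] == "and" else " | ").join(parts), False

    def record(self, name, text, wrap):
        """Store one translated assignment, wrapped by the enclosing IF(s)."""
        text = wrap(name, text)
        self.seen[name] = self.seen.get(name, 0) + 1
        if self.seen[name] < self.total[name]:
            self.interm[name] = text
        self.model.pop(name, None)               # keep the order of final assignments
        self.model[name] = text

    def translate(self, stmts, wrap=lambda name, text: text):
        for s in stmts:
            if s[0] == "assign":
                self.record(s[1], self.fmt(s[2])[0], wrap)
            elif s[0] == "rs":                   # generic library model of RS
                _, q, set_e, reset_e = s
                reset, set_, old = self.fmt(reset_e)[0], self.fmt(set_e)[0], self.ref(q)[0]
                self.record(q, f"case {reset} : FALSE; {set_} : TRUE; TRUE : {old}; esac", wrap)
            elif s[0] == "if":                   # conditional structure (THEN only)
                cond, atomic = self.fmt(s[1])
                neg = "!" + (cond if atomic else f"({cond})")
                before = {v: self.ref(v)[0] for v in count_assignments(s[2])}  # value if cond is false
                inner = lambda name, text: f"case {cond} : {text}; {neg} : {before[name]}; esac"
                self.translate(s[2], lambda name, text: wrap(name, inner(name, text)))


def to_nusmv(program=PROGRAM, inputs=INPUTS, outputs=OUTPUTS):
    """Complete NuSMV module text (initial state all FALSE: an assumption)."""
    t = Translator(program, inputs)
    lines = ["MODULE main", "VAR"] + [f"  {x} : boolean;" for x in inputs + outputs]
    lines += ["ASSIGN"] + [f"  init({x}) := FALSE;" for x in inputs + outputs]
    lines += [f"  next({x}) := {{FALSE, TRUE}};" for x in inputs]       # free inputs
    lines += [f"  next({x}) := {e};" for x, e in t.model.items()]
    return "\n".join(lines)
```

Calling to_nusmv() yields a module whose next(O2) … next(O1) assignments are, up to TRUE/FALSE in place of 0/1, the listing of slide 11: the IF condition O1 becomes the inlined next(I1) | next(I2), the RS block reads O5 and O4 without next() because they are not yet assigned when it executes, and O5 reads next(O2) and next(O4) because it comes after their assignments.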
Representation construction
Translating ST controllers into NuSMV models: comparison to previous approaches
In the model of slide 11, compared with the representation of [dSR02]:
• no intermediate variable states: an intermediate value (such as the first assignment of O1) is inlined into the expressions that read it;
• no "line_counter" variable, because the execution state (which statement is being executed) is no longer needed;
• no "end_of_cycle" variable: one PLC cycle is reduced to only one state.
Efficiency assessment
Basic example
Comparison of the state space sizes on the example program of slide 6:
• state space reduction (about 15 times);
• reduction of the maximum distance between states (system diameter) (11 times shorter);
• indirect consequence: shorter counterexample traces.

                              Reachable states    System diameter
representation of [dSR02]     314 out of 4336     22
proposed representation       21 out of 512       2

(512 = 2^9 possible states for the 4 input and 5 output Boolean variables; 314/21 ≈ 15, 22/2 = 11.)
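The two checks a practitioner would want on this slide, as an added Python example that is not the paper's tool: first, that the one-state-per-cycle model of slide 11 agrees, for every state and every input vector, with a statement-by-statement execution of the program under the PLC scheduler of slide 9 (inputs reading, sequential execution with the intermediate value of O1, outputs updating); second, an exhaustive exploration of that model that recovers the figures above (reachable states and system diameter, taken as the longest shortest path from the initial state, in the sense of the state distance defined on the last slide). Assumptions made here: the RS block is the IEC 61131-3 reset-dominant bistable with S = O5 and R1 = I1, and the initial state of the exploration is all zero.

```python
# Added example, not from the paper: (1) executes the slides' example program the
# way the PLC scheduler does and compares it exhaustively with the one-state-
# per-cycle model; (2) explores the model's state space (reachable states and
# system diameter from the initial state). Assumptions: RS is the reset-dominant
# IEC 61131-3 bistable with S = O5 and R1 = I1; the initial state is all zero.
from collections import deque
from itertools import product

INPUTS = ("I1", "I2", "I3", "I4")
OUTPUTS = ("O1", "O2", "O3", "O4", "O5")
VARS = INPUTS + OUTPUTS
BOOLS = (False, True)


def rs(q, s, r1):
    """RS bistable, reset dominant: Q1 := NOT R1 AND (S OR Q1)."""
    return (not r1) and (s or q)


def plc_cycle(state, inputs):
    """One PLC cycle, statement by statement. `state` is the 9-tuple of values
    left by the previous cycle (I1..I4, O1..O5); `inputs` the 4 values read."""
    v = dict(zip(VARS, state))
    v.update(zip(INPUTS, inputs))              # inputs reading
    v["O1"] = v["I1"] or v["I2"]               # O1 := I1 OR I2;  (intermediate value)
    v["O2"] = v["I3"] and v["I4"]              # O2 := I3 AND I4;
    if v["O1"]:                                # IF O1 THEN
        v["O3"] = v["I3"] and not v["I4"]      #   O3 := I3 AND NOT(I4); END_IF;
    v["O4"] = rs(v["O4"], v["O5"], v["I1"])    # O4 := RS(O5, I1);
    v["O5"] = v["O2"] and v["O4"]              # O5 := O2 AND O4;
    v["O1"] = not (v["I2"] or v["I4"])         # O1 := NOT(I2 OR I4);  (final value)
    return tuple(v[x] for x in VARS)           # outputs updating


def model_next(state, inputs):
    """The translated model: one transition per cycle, intermediate O1 inlined,
    reads of not-yet-assigned variables taken from the previous cycle."""
    s = dict(zip(VARS, state))
    n = dict(zip(INPUTS, inputs))
    n["O2"] = n["I3"] and n["I4"]
    n["O3"] = (n["I3"] and not n["I4"]) if (n["I1"] or n["I2"]) else s["O3"]
    n["O4"] = False if n["I1"] else (True if s["O5"] else s["O4"])
    n["O5"] = n["O2"] and n["O4"]
    n["O1"] = not (n["I2"] or n["I4"])
    return tuple(n[x] for x in VARS)


def models_agree():
    """Exhaustive check over all 2^9 states and all 2^4 input vectors."""
    return all(plc_cycle(st, inp) == model_next(st, inp)
               for st in product(BOOLS, repeat=9) for inp in product(BOOLS, repeat=4))


def explore(step, init):
    """BFS from `init` with free inputs: (number of reachable states, diameter)."""
    depth = {init: 0}
    queue = deque([init])
    while queue:
        st = queue.popleft()
        for inp in product(BOOLS, repeat=4):
            nxt = step(st, inp)
            if nxt not in depth:
                depth[nxt] = depth[st] + 1
                queue.append(nxt)
    return len(depth), max(depth.values())


def trace_cycle_1():
    """Cycle 1 of slide 9: initial state, then inputs I1=0, I2=0, I3=1, I4=0."""
    init = (1, 0, 1, 0, 0, 1, 0, 0, 1)          # I1..I4, O1..O5 as on the slide
    end = plc_cycle(init, (0, 0, 1, 0))
    return {x: int(val) for x, val in zip(VARS, end) if x in OUTPUTS}


if __name__ == "__main__":
    print("cycle semantics == model:", models_agree())
    print("reachable states, diameter:", explore(model_next, (False,) * 9))
    print("end of cycle 1:", trace_cycle_1())
```

The exploration enumerates the inputs at every state exactly as next(Ik) := {0, 1} does in NuSMV. From the all-zero state, O4 and O5 can never become true (O5 needs O4, and O4 needs a previous O5), so the only history-dependent bit is O3, which explains why so few of the 512 states are reachable; the all-zero state itself is never re-entered, since O1 is recomputed from I2 and I4 on every cycle.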
Efficiency assessment
Fischertechnik example [Special session at ACC02]
• known tested machining line
• already written control program
• expected behavior known
• small scale system: 15 inputs, 15 outputs
Comparison of the proof process durations (time / memory):

Property                                                            representation of [dSR02]   proposed representation
liveness: AG ((dp_head_motor_up) => EF (!dp_head_motor_up))        5 h / 526 MB                2 s / 8 MB
safety:   AG (!INI => !(dp_head_motor_up & dp_motor_down))          20 min / 200 MB             2 s / 8 MB
Conclusions
Efficiency of the representation assessed.
Translation of PLC programs:
• fully automated;
• fast (some seconds or tens of seconds for industrial programs).
On-going works:
• improvement of the representation efficiency by limiting the number of stored variables;
• taking into account integer and real variables;
• design of a library of tailor-made function blocks.
Efficient representation for formal verification of PLC programs
Thank you for your attention

State distance and system diameter
[Figure: a transition graph with four states 1, 2, 3, 4.]
State distance d(i, j): length of the shortest path from state i to state j, e.g. d(1,2) = 1, d(1,3) = 2, …, d(2,1) = 2, …
System diameter: SD = max d(i, j) = 2 on this graph.