- Number of slides: 20
Efficient representation for formal verification of PLC programs
Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure
LURPA – ENS de Cachan
Outline
§ Objective of the work
§ Construction of formal models
§ Representation construction
• Dependencies analysis
• Translation of PLC programs into formal models
§ Assessment of the representation efficiency
§ Conclusions and prospects
Objective: design of controllers for critical systems
(Figure: requirements → control system → controlled process, with a power plant, a refinery and a steam turbine as examples of critical processes.)
Objective: impact of the IEC 61508 standard
§ Functional safety of E/E/PE safety-related systems
§ Industrial need: to reach the SIL 3 or SIL 4 levels (SIL: Safety Integrity Level)
• Hardware: redundancies, voting mechanisms, ...
• Software: recommendations for development
§ SIL levels and software development (R: recommended, HR: highly recommended, -: no recommendation)
  Technique                                                                  SIL 1   SIL 2   SIL 3   SIL 4
  Semi-formal methods                                                        R       R       HR      HR
  Formal methods (e.g. CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM, Z)    -       R       R       HR
Objective: overall objective
§ To investigate the possibilities of formal verification for improving the SIL level of critical systems controlled by PLCs
Construction of formal models: formal verification of PLC programs
Inputs of the verification (figure):
• Scheduler: initialization, then the cyclic loop inputs reading → program execution → outputs updating
• Program (ST):
  O1 := I1 OR I2;
  O2 := I3 AND I4;
  IF O1 THEN O3 := I3 AND NOT(I4); END_IF;
  O4 := RS(O5, I1);
  O5 := O2 AND O4;
  O1 := NOT(I2 OR I4);
• Requirements: informal extrinsic (application-dependent) properties
Steps:
1. Formalization of the scheduler and of the program into a formal representation
2. Formalization of the requirements into temporal logic, e.g. AG ((dp_head_motor_up) => EF (!dp_head_motor_up))
3. Model checker [Rausch Krogh 98] [Frey Litz 00] [de Smet Rossi 02] [Huuck Lukoschus Bauer 03] ...: property proved, or counterexample
Construction of formal models: technical barriers when model-checking PLC programs
  Barrier                                           Potential solutions
  1. Specification of properties in formal language  Libraries of parametrized properties; use of the results of previous functional or safety analyses
  2. State space explosion                           See what follows
  3. Counterexamples explanation                     Translation of counterexamples into a tailor-made representation; limitation of the counterexamples' length
Construction of formal models: what is the meaning of a state?
Real world behaviour:
• PLC: cyclic scheduler (initialization, inputs reading, program execution, outputs updating) and program (e.g. IF O1 THEN O3 := I3 AND NOT(I4); END_IF;). A state is made of the variables' values and, possibly, of an execution state (?)
• Process: requirements, expected and unexpected states and sequences
Formal representations:
§ Collection of automata
• 5-tuple {S, Σ, Λ, T, G}:
- 3 finite sets: states (S), input alphabet (Σ), output alphabet (Λ)
- a transition function (T : S × Σ → S)
- an output function (G : S → Λ)
§ Transition relations on variables
• Equations system: VAR_{n+1} = F(VAR_n)
- VAR_{n+1}: the set of variables at the next step of calculus
- VAR_n: the set of variables at the current step of calculus
§ Temporal logic statements
• CTL
• LTL
Construction of formal models: case of a PLC program (figure)
Initial state: I1=1, I2=0, I3=1, I4=0, O1=0, O2=1, O3=0, O4=0, O5=1
The figure follows the variables through PLC cycle 2 on the program above: inputs reading (I1=0, I2=0, I3=1, I4=0), then program execution statement by statement (O1=0 after the first assignment, O2=0, O3 unchanged since O1 is false, O4=1 through the RS block, O5=0, O1=1 after the last assignment), then outputs updating to the end-of-cycle state. Only the end-of-cycle values are visible outside the PLC; the intermediate value O1=0 is not.
Representation construction: features of the considered programs
§ PLC programs are executed sequentially;
§ only Boolean variables are used;
§ internal variables may be included in the program;
§ only the following statements of the ST language are allowed:
• assignment;
• Boolean operators defined in the IEC 61131-3 standard (NOT, AND, OR, XOR);
• function blocks (FB), from the IEC 61131-3 standard or user-made;
• control statements: IF and CASE selection statements; iteration statements (FOR, WHILE, REPEAT) are forbidden;
§ multiple assignments of the same variable are possible.
Representation construction: global method
PLC program → static analysis → static dependencies (e.g. O4 depends on O5 and I1) → taking the execution order into account → temporal dependencies (e.g. O4 at cycle i+1 depends on O5 at cycle i and on I1 at cycle i+1: O5,i and I1,i+1 → O4,i+1) → formal model design → NuSMV model
Static and temporal dependencies construction (figure)
Static dependencies (one edge per variable read in an assignment of the program above): O1 ← I1, I2 (first assignment); O2 ← I3, I4; O3 ← O1, I3, I4; O4 ← O5, I1; O5 ← O2, O4; O1 ← I2, I4 (last assignment).
Temporal dependencies (same edges, indexed by the cycle whose value is read): O2,i+1 ← I3,i+1, I4,i+1; O3,i+1 ← I1,i+1, I2,i+1, I3,i+1, I4,i+1 (and O3,i when the condition is false); O4,i+1 ← O5,i, I1,i+1 (and O4,i, the block memory); O5,i+1 ← O2,i+1, O4,i+1; O1,i+1 ← I2,i+1, I4,i+1.
Representation construction: translating ST controllers into NuSMV models, general algorithm
BEGIN PLC_prog_TO_NuSMV_model(Pr)
  FOR each statement Si of Pr:
    IF Si is an assignment (Vi := expression_i) THEN                          [ASSIGNMENT]
      FOR each variable Vk in expression_i:
        Replace Vk by the variable pointed out in the temporal dependency (Vk,i or Vk,i+1)
    ELIF Si is a conditional structure (IF cond THEN stmt1 ELSE stmt2) THEN    [CONDITIONAL STRUCTURE]
      FOR each variable Vk in cond:                                            [CONDITION]
        Replace Vk by the variable pointed out in the temporal dependency (Vk,i or Vk,i+1)
      FOR each variable Vm assigned in Si:                                     [STATEMENT]
        Replace the assignment of Vm by:
          "case cond  : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt1);
                !cond : assignment of Vm in PLC_prog_TO_NuSMV_model(stmt2);
           esac;"
END
Representation construction: translating ST controllers into NuSMV models, example
The program above plus its temporal dependencies (e.g. O5,i and I1,i+1 → O4,i+1) give:
  next(I1) := {0, 1};
  next(I2) := {0, 1};
  next(I3) := {0, 1};
  next(I4) := {0, 1};
  next(O2) := next(I3) & next(I4);
  next(O3) := case
    next(I1) | next(I2)    : next(I3) & !(next(I4));
    !(next(I1) | next(I2)) : O3;
  esac;
  next(O4) := case          -- RS block, from the generic models library
    next(I1) : 0;
    O5       : 1;
    1        : O4;
  esac;
  next(O5) := next(O2) & next(O4);
  next(O1) := !(next(I2) | next(I4));
Representation construction: translating ST controllers into NuSMV models, comparison to previous approaches
(Same NuSMV model as on the previous slide.)
• No intermediate variable states (the intermediate value of O1, I1 OR I2, is inlined into the condition of O3)
• No "line_counter", because the execution state is no longer useful
• No "end_of_cycle" variable; one cycle is reduced to only one state
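The translation algorithm and the example above, as an added Python implementation (it is not the authors' tool, whose source is not on these slides). It applies the temporal-dependency rule: an input read at the start of the cycle is next(I); a variable whose last assignment of the scan has already been processed is next(V); a variable not yet assigned in this scan keeps its previous-cycle value V; an intermediate value (the variable is assigned again later in the scan) is inlined, which is what removes O1's intermediate state. Assumptions: statements come as a small tuple-based AST rather than parsed ST text; FB_LIBRARY encodes the IEC 61131-3 RS and SR bistables (the slides' "generic models library"); booleans are written TRUE/FALSE instead of the slides' 0/1, and the default case branch is TRUE instead of !cond, both equivalent in NuSMV; only assignment, IF and library function-block calls are handled (no CASE).

```python
"""Translate the slides' Boolean ST subset into a NuSMV model (added example)."""
import re

# IEC 61131-3 bistables as NuSMV case expressions; q is the block's previous-cycle output.
FB_LIBRARY = {
    # RS: reset dominant, Q := NOT R1 AND (S OR Q)
    "RS": lambda q, s, r1: f"case {r1} : FALSE; {s} : TRUE; TRUE : {q}; esac",
    # SR: set dominant, Q := S1 OR (NOT R AND Q)
    "SR": lambda q, s1, r: f"case {s1} : TRUE; {r} : FALSE; TRUE : {q}; esac",
}
OPERATORS = {"NOT": "!", "AND": "&", "OR": "|", "XOR": "xor"}
TOKEN = re.compile(r"[A-Za-z_]\w*|[()]")
ATOM = re.compile(r"\w+|next\(\w+\)")      # needs no parentheses when substituted


def assigned_in(stmts):
    """Variables assigned anywhere in a statement list (branches included)."""
    names = []
    for st in stmts:
        if st[0] == "if":
            names += assigned_in(st[2]) + assigned_in(st[3])
        else:
            names.append(st[1])
    return names


class Translator:
    def __init__(self, inputs):
        self.inputs = list(inputs)
        self.final = set(inputs)   # value for this cycle is settled: refer to next(V)
        self.defs = {}             # latest expression assigned to V in this scan

    def value_of(self, name):
        if name in self.final:
            return f"next({name})"          # V_{i+1}
        return self.defs.get(name, name)    # intermediate value, or V_i if untouched

    def expr(self, text):
        """Rewrite an ST Boolean expression with the dependency rule applied."""
        out = []
        for tok in TOKEN.findall(text):
            if tok in "()":
                out.append(tok)
            elif tok.upper() in OPERATORS:
                out.append(OPERATORS[tok.upper()])
            else:
                v = self.value_of(tok)
                out.append(v if ATOM.fullmatch(v) else f"({v})")
        return " ".join(out).replace("( ", "(").replace(" )", ")").replace("! ", "!")

    def branch(self, stmts):
        """Run a branch and return what it assigned (as expressions)."""
        start = dict(self.defs)
        for st in stmts:
            self.statement(st)
        return {k: v for k, v in self.defs.items() if start.get(k) != v}

    def statement(self, st):
        kind = st[0]
        if kind == "assign":                   # ("assign", V, "expression")
            self.defs[st[1]] = self.expr(st[2])
        elif kind == "fb":                     # ("fb", V, "RS", [arg expressions])
            args = [self.expr(a) for a in st[3]]
            self.defs[st[1]] = FB_LIBRARY[st[2]](st[1], *args)   # st[1]: block memory V_i
        elif kind == "if":                     # ("if", cond, then_stmts, else_stmts)
            cond = self.expr(st[1])
            before = dict(self.defs)
            then_vals = self.branch(st[2])
            self.defs = dict(before)
            else_vals = self.branch(st[3])
            self.defs = before
            for name in sorted(set(then_vals) | set(else_vals)):
                t = then_vals.get(name) or self.value_of(name)
                e = else_vals.get(name) or self.value_of(name)
                self.defs[name] = f"case {cond} : {t}; TRUE : {e}; esac"
        else:
            raise ValueError(f"unsupported statement kind {kind!r}")

    def translate(self, program):
        last = {}                              # index of each variable's last assignment
        for idx, st in enumerate(program):
            for v in assigned_in([st]):
                last[v] = idx
        for idx, st in enumerate(program):
            self.statement(st)
            self.final.update(v for v in assigned_in([st]) if last[v] == idx)
        outputs = sorted(last, key=last.get)
        lines = ["MODULE main", "VAR"]
        lines += [f"  {v} : boolean;" for v in sorted(self.inputs) + outputs]
        lines.append("ASSIGN")
        lines += [f"  next({i}) := {{FALSE, TRUE}};" for i in sorted(self.inputs)]  # free inputs
        lines += [f"  next({v}) := {self.defs[v]};" for v in outputs]
        return "\n".join(lines)


# The slides' program, hand-encoded as an AST (constructed input, not parsed ST).
PROGRAM = [
    ("assign", "O1", "I1 OR I2"),
    ("assign", "O2", "I3 AND I4"),
    ("if", "O1", [("assign", "O3", "I3 AND NOT(I4)")], []),
    ("fb", "O4", "RS", ["O5", "I1"]),
    ("assign", "O5", "O2 AND O4"),
    ("assign", "O1", "NOT(I2 OR I4)"),
]


def translate_example():
    return Translator(["I1", "I2", "I3", "I4"]).translate(PROGRAM)


if __name__ == "__main__":
    print(translate_example())
```

Running it prints a module whose ASSIGN section is, up to the TRUE/FALSE spelling, the model of the slide: O2, O3, O4 and O5 refer to the already-settled next() values of the variables assigned before them, the IF condition on O1 becomes the inlined (next(I1) | next(I2)), and the last assignment to O1 defines next(O1).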
Efficiency assessment: basic example
(The PLC program above, with its scheduler: inputs I1..I4, outputs O1..O5.)
  Representation                 Reachable states    System diameter
  representation of [dSR 02]     314 out of 4336     22
  proposed representation        21 out of 512       2
Comparison of the state space sizes:
• state space reduction (about 15 times)
• reduction of the maximum distance between states (system diameter): 11 times shorter
⇒ indirect consequence: counterexample traces are shorter
Efficiency assessment: Fischertechnik example [special session at ACC 02]
• known, tested machining line
• already written control program
• expected behaviour known
• small-scale system: 15 inputs, 15 outputs
§ Comparison of the proof process durations (time / memory)
  Property                                                        representation of [dSR 02]   proposed representation
  liveness: AG ((dp_head_motor_up) => EF (!dp_head_motor_up))     5 h / 526 MB                 2 s / 8 MB
  safety:   AG (!INI => !(dp_head_motor_up & dp_motor_down))      20 min / 200 MB              2 s / 8 MB
Conclusions
§ Efficiency of the representation assessed
§ Translation of PLC programs
• Fully automated
• Fast (some seconds or tens of seconds for industrial programs)
On-going work
§ Improvement of the representation efficiency by limiting the number of stored variables
§ Taking integer and real variables into account
§ Design of a library of tailor-made function blocks
Efficient representation for formal verification of PLC programs
Thank you for your attention
Appendix: state distance and system diameter
(Figure: four states 1, 2, 3, 4 linked by transitions.)
§ State distance d(i, j): length of the shortest path from state i to state j
• d(1, 2) = 1
• d(1, 3) = 2
• ...
• d(2, 1) = 2
• ...
⇒ System diameter: SD = max d(i, j) = 2 for the figure
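The reachable-state count and the system diameter of the basic example, recomputed as an added Python example (not the authors' NuSMV run). It hand-codes the transition relation of the NuSMV model above (one PLC cycle per transition, inputs free at every cycle), enumerates the reachable states by breadth-first search and computes SD as defined in this appendix, over the pairs of reachable states between which a path exists. The initial state is an assumption, all variables FALSE, since the slides do not state the initial condition behind their figures; under it the run reproduces 21 reachable states out of 512 and a diameter of 2. check_invariant evaluates a state predicate over the reachable set, which is what a model checker does for an AG property.

```python
"""Explicit-state exploration of the basic-example NuSMV model (added example)."""
from collections import deque
from itertools import product

VARS = ("I1", "I2", "I3", "I4", "O1", "O2", "O3", "O4", "O5")
INPUTS = VARS[:4]


def step(s, inp):
    """Next-state function of the model: s is the current state, inp the
    inputs read at the start of the cycle, i.e. next(I1..I4)."""
    n = dict(s, **inp)
    n["O2"] = n["I3"] and n["I4"]                                    # next(O2)
    n["O3"] = (n["I3"] and not n["I4"]) if (n["I1"] or n["I2"]) else s["O3"]
    n["O4"] = False if n["I1"] else (True if s["O5"] else s["O4"])   # RS block
    n["O5"] = n["O2"] and n["O4"]
    n["O1"] = not (n["I2"] or n["I4"])
    return n


def key(s):
    return tuple(s[v] for v in VARS)


def successors(s):
    """All 16 input vectors are possible at every cycle: next(Ik) := {0, 1}."""
    for bits in product((False, True), repeat=len(INPUTS)):
        yield step(s, dict(zip(INPUTS, bits)))


def bfs(start):
    """Shortest-path distance from start to every state reachable from it."""
    dist = {key(start): 0}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for n in successors(s):
            k = key(n)
            if k not in dist:
                dist[k] = dist[key(s)] + 1
                queue.append(n)
    return dist


def initial_state():
    """Assumed initial condition (not stated on the slides): everything FALSE."""
    return {v: False for v in VARS}


def reachable(init=None):
    return bfs(initial_state() if init is None else init)


def diameter(dist):
    """System diameter of the appendix: max d(i, j) over reachable pairs
    (i, j) for which a path exists; unreachable pairs are ignored."""
    states = [dict(zip(VARS, k)) for k in dist]
    return max(max(bfs(s).values()) for s in states)


def check_invariant(dist, pred):
    """AG pred over the reachable set: the first violating state, or None."""
    for k in dist:
        s = dict(zip(VARS, k))
        if not pred(s):
            return s
    return None


if __name__ == "__main__":
    dist = reachable()
    print(f"{len(dist)} reachable states out of {2 ** len(VARS)}")
    print("BFS depth from the initial state:", max(dist.values()))
    print("system diameter:", diameter(dist))
    print("AG (O5 -> O4) violated by:", check_invariant(dist, lambda s: s["O4"] or not s["O5"]))
```

The exploration also shows why a practitioner should look at the reachable set rather than at the counts alone: from the all-FALSE initial state O4 is never set, because the set input of the RS block is O5 = O2 AND O4, which needs O4 to be true already. AG !O4 therefore holds on this model, and any liveness property requiring O4 to become true would fail; the counts 21 and 2 above are reached after only two cycles because after the first one O4 and O5 are fixed at FALSE and only O3 carries memory.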