Software verification for programmable logic controllers

Programmable logic controllers (PLCs) account for a large share of automation control. Their programming languages, however, grew out of historical needs and do not comply with state-of-the-art programming concepts. Moreover, programming is mostly undertaken by the designers of the control systems. In sum, this contributes to erroneous software and, worse, unsafe control systems. In this work we focus on software verification for PLCs. For two selected programming languages, Sequential Function Charts (SFC) and Instruction List (IL), we discuss semantic issues as well as verification approaches. For SFCs we develop a model checking framework, while for IL we suggest static analysis techniques, namely a combination of data flow analysis and abstract interpretation. Several case studies corroborate our approach.
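As an added illustration of the IL static analysis the abstract mentions (example code written for this page, not the thesis's own tool): a small abstract interpreter for an IL subset over the three-valued Boolean domain, whose worklist fixpoint over the jump structure reports instructions that no PLC cycle can reach. The IL subset, the tuple encoding of instructions and the sample program are assumptions made here.

```python
# Abstract interpretation of an IEC 61131-3 Instruction List (IL) subset over the
# domain {T, F, ?}; a worklist fixpoint over the jumps finds unreachable instructions.
T, F, U = "T", "F", "?"                 # definitely true / definitely false / unknown
def join(a, b):                          # least upper bound of the flat lattice
    return a if a == b else U
def b_not(a):
    return {T: F, F: T, U: U}[a]
def b_and(a, b):
    return F if F in (a, b) else (T if a == b == T else U)
def load(arg, st):                       # IL operand: TRUE/FALSE literal or variable
    return {"TRUE": T, "FALSE": F}.get(arg) or st[arg]

def analyse(prog, inputs):
    """prog: list of (label or None, op, arg); inputs: var -> T/F for known inputs.
    Returns (exit_state, dead_pcs); a state maps each variable and 'CR' to T/F/?."""
    jumps = ("JMP", "JMPC", "JMPCN")
    labels = {lab: i for i, (lab, _, _) in enumerate(prog) if lab}
    init = {a: U for _, op, a in prog if op not in jumps and a not in ("TRUE", "FALSE")}
    init.update(inputs, CR=U)            # unknown inputs stay ?, CR is unknown at entry
    states, work, exit_state = {0: init}, [0], None
    while work:
        pc = work.pop()
        st, (_, op, arg) = dict(states[pc]), prog[pc]
        if op in jumps:                  # cond: the CR value under which the jump is taken
            cond = {"JMP": None, "JMPC": T, "JMPCN": F}[op]
            succ = []                    # each edge refines CR to what that edge implies
            if cond is None or st["CR"] in (cond, U):
                succ.append((labels[arg], st if cond is None else dict(st, CR=cond)))
            if cond is not None and st["CR"] in (b_not(cond), U):
                succ.append((pc + 1, dict(st, CR=b_not(cond))))
        else:                            # straight-line transfer functions
            if op == "LD":     st["CR"] = load(arg, st)
            elif op == "AND":  st["CR"] = b_and(st["CR"], load(arg, st))
            elif op == "ANDN": st["CR"] = b_and(st["CR"], b_not(load(arg, st)))
            elif op == "ST":   st[arg] = st["CR"]
            succ = [(pc + 1, st)]
        for npc, nst in succ:            # join into the successor; re-queue on change
            old = exit_state if npc >= len(prog) else states.get(npc)
            new = nst if old is None else {k: join(old[k], v) for k, v in nst.items()}
            if npc >= len(prog):
                exit_state = new
            elif new != old:
                states[npc], work = new, work + [npc]
    return exit_state, [i for i in range(len(prog)) if i not in states]

# Constructed sample: a flag hard-wired TRUE makes the motor-off branch (pcs 4-6) dead.
PROGRAM = [(None, "LD", "TRUE"), (None, "ST", "Enabled"), (None, "LD", "Enabled"),
           (None, "JMPC", "run"), (None, "LD", "FALSE"), (None, "ST", "Motor"),
           (None, "JMP", "end"), ("run", "LD", "Start"), (None, "ANDN", "Stop"),
           (None, "ST", "Motor"), ("end", "LD", "Motor"), (None, "ST", "Lamp")]
```

Running `analyse(PROGRAM, {})` reports pcs 4 to 6 as unreachable, and `analyse(PROGRAM, {"Stop": T})` proves `Motor` is definitely false whenever the stop input is set, regardless of the other inputs.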
