Direct Model Checking of PLC Programs in IL

Although several approaches apply model checking to PLC programs, the technique is still not used in industry. The reason is the limited applicability of the existing approaches: all of them translate the PLC program into the input language of an existing model checker, so domain-specific information is lost in translation, only those aspects of the PLC that survive the translation can be reasoned about, and counterexamples come back in the model checker's language rather than in the program's. This paper presents a new approach that applies model checking directly to PLC programs written in IL (Instruction List, one of the IEC 61131-3 languages), without any translation. This has several advantages: domain-specific information is available during verification, users can state propositions about all features of the PLC, and counterexamples are given in the same language as the program, which simplifies locating errors. In the described approach, a tailored simulator builds the state space for verification. Within this simulator, different abstraction techniques are used to tackle the state-explosion problem. A case study shows the applicability of the approach.
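The abstract describes the core idea, a simulator that executes the IL program scan by scan and builds the reachable state space for the model checker, without showing how that looks in practice. The following is an added example, not the paper's tool or any code from its authors: a small Python simulator for a boolean IL subset (LD, LDN, AND, ANDN, OR, ORN, ST, S, R) that enumerates every input valuation at each scan, performs a breadth-first search over the memory states between scans, checks an invariant, and reports a violation as a sequence of scans over the program's own variable names rather than over a translated model. The two motor-control programs, the variable names FwdBtn, RevBtn, StopBtn, Fwd and Rev, and the function names are all constructed for this illustration.

```python
from collections import deque
from itertools import product


# Illustrative IL subset (assumed for this example). Operands are booleans;
# `inputs` are read-only during a scan, `mem` holds the stored variables.
def run_cycle(program, inputs, mem):
    """Execute one scan of `program` and return the memory after the scan."""
    mem = dict(mem)
    cr = False  # current result, the IL accumulator

    def val(name):
        # Inputs shadow memory; unknown memory bits read as False.
        return inputs[name] if name in inputs else mem.get(name, False)

    for line_no, line in enumerate(program, 1):
        instr, *args = line.split()
        op = args[0] if args else None
        if instr == "LD":
            cr = val(op)
        elif instr == "LDN":
            cr = not val(op)
        elif instr == "AND":
            cr = cr and val(op)
        elif instr == "ANDN":
            cr = cr and not val(op)
        elif instr == "OR":
            cr = cr or val(op)
        elif instr == "ORN":
            cr = cr or not val(op)
        elif instr == "ST":
            mem[op] = cr
        elif instr == "S":  # set if current result is true
            if cr:
                mem[op] = True
        elif instr == "R":  # reset if current result is true
            if cr:
                mem[op] = False
        else:
            raise ValueError(f"line {line_no}: unsupported instruction {instr!r}")
    return mem


def explore(program, input_names, memory_names, invariant):
    """Build the reachable state space by exhaustive simulation.

    A state is the memory snapshot between scans; inputs are not part of the
    state but are enumerated exhaustively at every scan (nondeterministic
    environment). Returns (True, number_of_states) if `invariant` holds in
    every reachable state, otherwise (False, trace) where trace lists the
    (inputs, memory) of each scan from the initial state to the violation.
    """
    def key(m):
        return tuple(m[n] for n in memory_names)

    init = {n: False for n in memory_names}
    parent = {key(init): None}  # state -> (predecessor state, inputs used)
    queue = deque([init])
    while queue:
        mem = queue.popleft()
        if not invariant(mem):
            return False, _trace(parent, key(mem), memory_names)
        for bits in product([False, True], repeat=len(input_names)):
            inputs = dict(zip(input_names, bits))
            nxt = run_cycle(program, inputs, mem)
            if key(nxt) not in parent:
                parent[key(nxt)] = (key(mem), inputs)
                queue.append(nxt)
    return True, len(parent)


def _trace(parent, state, memory_names):
    """Walk the BFS parent links back to the initial state."""
    steps = []
    while parent[state] is not None:
        prev, inputs = parent[state]
        steps.append((inputs, dict(zip(memory_names, state))))
        state = prev
    return steps[::-1]


# Constructed programs: forward/reverse motor control. BUGGY lacks the
# cross-interlock, so both directions can be commanded in the same scan.
BUGGY = [
    "LD FwdBtn", "OR Fwd", "ANDN StopBtn", "ST Fwd",
    "LD RevBtn", "OR Rev", "ANDN StopBtn", "ST Rev",
]
FIXED = [
    "LD FwdBtn", "OR Fwd", "ANDN StopBtn", "ANDN Rev", "ST Fwd",
    "LD RevBtn", "OR Rev", "ANDN StopBtn", "ANDN Fwd", "ST Rev",
]
INPUTS = ["FwdBtn", "RevBtn", "StopBtn"]
MEMORY = ["Fwd", "Rev"]


def never_both(mem):
    """Safety invariant: forward and reverse are never on together."""
    return not (mem["Fwd"] and mem["Rev"])


def check(program):
    return explore(program, INPUTS, MEMORY, never_both)


if __name__ == "__main__":
    for name, prog in (("buggy", BUGGY), ("fixed", FIXED)):
        ok, info = check(prog)
        print(name, "invariant holds, states:" if ok else "violated, trace:", info)
```

Keeping the inputs out of the state vector is the simplest of the abstractions the abstract alludes to: only the stored variables distinguish states, so the interlock example has three reachable states for the fixed program instead of 3 x 8 input-augmented ones. The counterexample for the buggy program is a single scan with FwdBtn and RevBtn pressed, expressed directly in the IL program's variable names, which is what lets an engineer locate the missing ANDN without mapping back from a model-checker encoding.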