Counterexample-Guided Abstraction Refinement for PLCs

This paper presents a method for model checking programs for programmable logic controllers (PLCs) using the counterexample-guided abstraction refinement (CEGAR) approach. The technique is tailored to this hardware platform by accounting for the cyclic scanning mode that is characteristic of PLCs. In particular, the hardware model requires on-the-fly abstraction refinement in order to guarantee a deterministic control flow. It also allows refinement phases triggered by input variables and by global variables to be treated differently, leading to a more effective implementation. The effectiveness of this approach is shown in a case study, which highlights the verification process for function blocks that implement a specification provided by the industrial consortium PLCopen.
