INTRODUCTION
Since numerous years safety is a major indumial issue. If it is flue tbat industries like Wnsport, critical industries (energy or chemical processes for instance) must, more than others, be concerned by safety objectives in fact all the industries must considm this subject. So, in order to handle safety, each industrial field has developed some particular standards. The W w m g demand for automated systems has led to take into acccunt control systems safety too. Nowadays industty needs rmt only safe processes but also safe control systems.
To federate safe sontml sytems development, the resent E C 61508 standard [I] pmposes a generic model that can be applied to all the Electrical ElecnoNcl Progranunable Electronic W E ) safety-related systems. This standard provides a generic frameuvrk within which accurate methods can be applied, whateverthe application domain should be, and shows moreover that safety must be an everyday preoccupation during all the life of a system Considering the great amount of methods developed in order to design and implement safe control systems, classification criteria have to be defined to organise these methods. We will focus only on two classi6cations based on complementarypoints of view: the control system life cycle and the expected objectives.
With a life cycle point of view, [2] introduces the On-line and Off-line safety notions based on the classical "square root" life cycle (Figure I) . This cycle is composed of two different phases: the conception phase and the exploitation phase. To these two phases are linked two kinds of safety: Off-line safety for the first phase, On-line safety for the second one.
--

OFF-LINE SAFETY ON-LINE SAFETY Figure 1 Lqe q c k and safqy
The purpose of the Off-line safety methods is to minimise the fault risk during conception, i.e. before the system is used. On the opposite side, the objective of the On-line snfefy methods is to ensure safety in an already implemented and running s y s t e m This article deals only with Off-line safefy methods. This anicle will focus on the off-line fault removal methods for control software. In the first part, simulation and verification methods are shortly described. This enables to point out the advantages and the draw%ack of these t w kinds of methods and leads to strongly advocate verification for safety-related system. The second pan is dedicated to the presentation of a formal method developed in our laboratory in order to verify pmgram developed in the IEC 61499 function blocks language.
On
n. CONTROL SOFTWARE SIMULATION AND VERIFICATION
Industrial control programs are developed by using standard languages described in the IEC 61131-3 or IEC 611499 [41 standards in order to be adapted to the industrial needs.
Whatever the chosm language could be (Sequential Function Chaa Ladder Diaor another standard language), a control program behaves as a Discrete Event System and hence can be represented by a state automton. It is the reason why software simulation and verification methods will be elglained thanks to this suitable represmtation of the behaviour of the control software.
A. Simulation
Tbis method consists in stimulating the progmn by inputs sequences representing the behaviour of the controlled process and in checking whether the outputs sequences generated by the program are compliant to the application requirements or not.
Simulation techniques are very popular in industry. They take benefit nf specialised software providing process simulation with user-friendly interfaces These soRvars tools Fdcilitate the generatim of input sequences and the interpretation of the results. Nevertheless the main drawback of simulation is not to enable a complete verification ofthe program behaviour within a reasonable time. This comes h m the huge amaylt of inpul sequences that should be generated to test the entire program A simple explanation can be given thanks to the state automaton depicted in Figure 2 and assumed to represent pan of the equivalent automaton of a control software. In this state space, simulation'is aimed at generating a set of paths and at verifying if properties a~ satisfied along t h m paths Unfortunately the huge size of state automata representing industrial control s o f t w a~ does not enable to go along all possible paths during a simulation session. In the example of the state automaton depicted in Figure 2 , simulation allows to check pmperties related to the path in bold but does not give any information on properties related to the other paths.
So, simulation is not an exhaustive method and the quality of a simulation session is up to the skill and the experience of the automation engineer who has to chwse relevant inputs sequences correspnding to usual and hazardous situations of the controlled procen. Formal verification methods have been developed to tackk this problem by providing m a n s allowing to verify the totality of a program.
B. Formal ve@cmion methods
Three kinds of formal Verification methods are usually defined : theoren-pmvingor algebraic methods mdel-checkhtg methods based on the translation of the model or the soRuan to be verified into a formal language, e.g. a Petri Net or a synchronous language. The last one is merely aimed to take benefit of f -1 anatpis tools develqred h m the target language. Hence only theoremproving and model-ctecking ax really basic verification methods that enable an exhaustive analpis.
Whatever the verification method could be, formal expression of the software behaviour and of the properties is +red Pmpeaies can be grouped into three categories [5]: vivacity and safety (something must or must not happen) and celerity (time related properties). A priori, those properties are defined in the requirements. All the verification methods need that the properties are written in a formal way. With this goal,
[6] introduces a formalism to express dynamic properties: the temporal logic. This logic enables to write formdas describing in a formal way expressions inchding words like "until", "always". CTL* [7] is an example of such a logic.
The algebraic methods'goal (a.k.a. theoremproving) is to do or to verify prwfs, manipulating only the syntax as it can be done in a mathematics' demonstration. A prover takes a hypothesis (H) as data or definitions and a formula or a properry to be proved 0 and search if 0 can be obtained from H using the deduction rules of the used loge. One of the interem of such a method is that no hypothesis on the model to analyse is to be made. More particularly infinite state automata can be proceeded. The main drawback is indecidability, which means that no solution is found in some cases. An exampleof theorem proving can be found in [SI.
Model-checking operates on state automata. The basis principle of this method is the marking process explained hereafter.
On the considered automata, for a property @, con-psed of sub-properties vi, each state q verifying will be marked thanks to a variable 9.v" true when V, is verified on q. Thus, q.@, which indicates whether the property is verified or not, can be obtained fmm the ¶.vi. More precisions on model checkers for the temporal logic CTL can be found in [9] .
All the mode-checking algorithms, and more generally all the algorithms using explicitly given state automata share the same problem: they hugely depend on the size of the automata.
Thus, the mading time is a function of the number of states and transitions of the automata. Even if it is possible to reduce a state automaton. the combinatory explosion makes classical modelchecking methods unusable for the verification of huge industrial systems.
In order to o v e m e this problem, a new kind of modelchecker named symbolic del-checker has been m a t e d Another drawback of modelehechg methods is that the languages used by model-checkea are not industrial languages (there isnoIEC61131-3 model-checkerforewnple).
So, the last solution cansisfs in the translation of the model or s o h to verify into a language from wbich formal verification tools (theoremprover or model-checker) have been developed. Synchronous languages offer this passibility.
Our laboratory has several results for each verification method: thememproving and model-checking (for example
[IZ], [13] , [14] ). In the following, an example of properties verification on an industrial standard language using the synchronous language SIGNAL will be presented.
m. EC 61499 FUNCTION BLOCKS DIAGRAMS VERIFICATION
This work is an abstract of the work presented in [14] . Its goal is to verify propenies on IEC 61499 function blocks models. This objective can only be achieved through a formally defined sy"tax and semantics for this function blmk language.
As proposed in [15] , this formalisation problem can be solved thanks to a new class of Petri Net named S i g n m e t Systems. The main drawback of such a method is that the verification twls don't exist and must be developed too. So we decided to use resulu on synchronous languages. More precisely, some similarities between EC 61499 function blocks diagrams and SIGNAL process diagrams having been remarked, the develapment of a verification method based on the synchronous language SIGNAL [I61 and on the (2/32, +, *)
algebra [17] was undertaken
This method consists mainly in (Figure 3 
A.
The IEC 61499 standard draR focuscr on indusmal-pmccss mcasuremnt and control system and proposes. to that purpose. seberal concepts including thc funcnon block1 (Figurc 4 a) ).
A funcnon block is built using fwo pans: the ECC ("Exccution Control Chart") part s h o w in F i y e 4 bJ which receives and sends events. and an algorirhmic part which receivcs and send$ data The ECC. which IS a stare automaton included tn the ECC pan. The syntactic formalisation of those N I~S can be made thanks to a static meramadel. This metarmdel will not be presented in this article.
The standard introduces several other concepts (scheduling function, communication blocks, ... )whose aim is to implement the diagram in a distributed real time system. Those concepts, mandatory when implementing a control system, will not be used in this paper, for only control design wili be considered Figure 6 depicts the chosen methodology. Figure 7 sketches the function block evolution algorithm that includes two loops. The first one models input events reading. the second one the ECC evolution. It matters to highlight that sevml evolutions of this last Imp (numbered 2 in figure 7) can happen before WO successive inputs reading. This feature, defined in the standard in order to ensure a deterministic beha6ur. means merely that an ECC stable state must be reached before reading the inputs. So this FE evolution algorithm can be called "Stabilitydriven".
B. Function Blocks Diagram tramlation
Figure 6 Translalion mahod
Yz!l Erohnrn dur ELC Figure 7 Behaviour of a b k k From this algorithmic representation, a global translation method from a FB into its SIGNAL equivalent model has been developed The main p h a s of the algorithm is the ECC evolution phase, expressed below in a SIGNAL syntax: Xi = hue when (((Xi%=hue) and (&%=false)) or ((X(i-l)%aue) and (R(i-I)S=hue))) default false
Where Xi is a state variable hue when the EC-state is active.
Ri is the receptivity of the downsueam transition of the state i.
This equation is nothing else than the hanslation into SIGNAL of the behaviour of a finite state automaton evolving according to IEC 61499 rules.
However, these signals have only a sense if they are linked to a given clock. That's why a clock, named Block Clock (Cbl). synchronised with the loop number 2 and with which are associated all the variables of the here-above equation, is to be defined However this clock addresses only internal variables of FB. To translate an entire FBD into SIGNAL., an other clock related to FB input and output events must be defined The definition of this clock as well as the relation between block clock and event clock is presented below.
Event and block cloch
No assumption is made on FB input events clocks: they can be different. In order to simplify the SIGNAL. model, a clock named event union clock and noted Cunion, equal to the union of the diffennt clocks of the input events, has been defied. To synchronise an input event with this clock is equivalent to create a Boolean signal, whose clock i s Cunion. m e when the event is present, false othenvise
The IEC standad indicates also that any occurrence of an output event brought about by an occurrence of an input event must be sent before the next occurrence of an input event This imposes to overclock Cunion. For that purpose, a clock named event clock and noted Ceve has been defined from Cunion. That clock has a period equal to a fraction of the lowest interval between two dates of Cunion. Figure 9 shows an instance of Ceve built from the Cunion clock of figure 8 with a period twice smaller than the lowest time interval of Cunion. all the occurrelres of input events are to be taken into account(no occurrenceis missed),andthat all the evolutions of a FB coming from a given input event occurrence should be ended before an other input event occurs.
This reactiviky properly leads to consider that the block clack is faster than the event clock so that no input event occurs during a FB evolution (loop number 2 in figure 7 ).
More precisely, the ratio between the event clock period and the block clock period shall be greater than or equal to the maxinumber of evolutions of the block coming from any input event occurrence. This number can be easily determined by analysing the evolutions of the ECC with regards to the algorithm of figure 7. Such a method has already been used in WI. 'There is no priority of a block on another.
There is no priority of an algorithm on another.
With these assumptions, it is passible to derive from a FBD a In order to ensue clocks consistency, two processes must been added for the inputs and for the outputs of each process The aim of these processes is to convert signals with the event clock to signals with the block clock (for the inputs) and vice versa (for the outputs). 
c. Example
In in one to five minutes. To illustrate the usefulness of the approach, some verification results of the property "the failure of all the pumps stam the emergency stop mode" will be given. This property is a vivacity property that had been chosen because it is a major concern for the designers of a nuclear power plant.
With our initial model, the SILDEX tool giver hvo kinds of results:
-There is a situation where, when all the pumps are out of order, the emergency stop mode is not reached.
Hence the studied properly is not verified with this model. A trace allowing to find haw this situation can be reached This trace is composed of a succession of input events leading to the faulty sitmation. These results enable to correct the initial model so that the property would be satisfied for any input events sequence.
For the moment, no property dealing with physical time has been verified bccause SILD= consides only logical time. This problem can be ovexome by giving a value to the gap between two instants of a clock e.g. by mslating a propmy such as "the pump must make less that 5 minutes to becom operational" into "the pump must take less than 100 periods of Ceve to become operational". 
N. CONCLUSIONS
