Abstract
Introduction
Programmable Logic Controllers (PLCs) perform numerous control tasks in manufacturing, transport and power systems. To ensure the safety of these systems, formal verification of PLC programs is therefore a major industrial concern. Program verification does not only aim at checking the intrinsic properties of the program (e.g. no infinite loop, no deadlock) regardless of the application, but also at checking that the program behaviour complies with the application requirements. In this article we mainly focus on this last kind of property: the compliance of a given program with the properties required for the application.
Many methods have been developed to formally verify PLC programs written in the IEC 61131-3 languages [5]. They often use, or adapt to control engineering, methods coming from computer science such as model-checking [1] and translation into synchronous languages [6]. A good survey, together with a relevant classification, can be found in [3].
Our laboratory has contributed to this issue with several works on model-checking over the last ten years. The first works used a specific model-checking tool [10] developed for checking properties of Sequential Function Charts (SFC); the latest ones [9], [7] take advantage of the SMV symbolic model-checker [8].
The results of these works are of interest because they have made it possible to formally verify properties of industrial PLC programs written in several languages of the IEC 61131-3 standard. Nevertheless this research has clearly shown that in some cases the model-checker is unable to provide a result because of combinatorial explosion. This drawback of model-checking has led us to work on another, complementary verification method.
Tackling the combinatorial explosion problem requires considering the underlying theory of model-checking tools. All of them are built on discrete event systems (DES) theory and therefore consider a program as a state automaton. Even when symbolic model-checking is used, this automaton can be so large that combinatorial explosion occurs with some industrial programs. We have consequently looked for a verification method based on a more compact representation and have chosen an algebraic one. With this approach the program is represented by a set of equations and verification is performed by symbolic reasoning on this set. The properties to be proved (the application requirements) must therefore also be expressed in the same algebraic form. Once the algebraic approach is chosen, a question arises: which algebra should be used? As the purpose is to represent the variables and instructions of the PLC standard languages, such as edge detectors, timer function blocks and Boolean memories, an algebra that only deals with the states of Boolean variables is not suitable. We need to represent states, events and physical delays within the same formalism. This is why we have developed a new algebra providing this possibility. This algebra has been called ÁÁ because its aim is to represent states, events and delays at one and the same time; it is therefore an Integrating framework.
This article is organised as follows. The first section gives an overview of the verification method. We then present the elements of the ÁÁ algebra and the way the behaviour of the basic function blocks of the PLC standard languages is expressed in this algebra. This makes it possible to establish generic properties of these function blocks that are useful when proving the required properties. An example of formal verification of a safety-related program is given in the last part.
Verification method overview
PLC programs are developed by control engineers who use their skills and experience to build these programs from the requirements, with or without a development method specific to the application field considered, imposed by the customer or by the system supplier. The verification method must be independent of the chosen development method. On the other hand, the languages of the IEC 61131-3 standard are widely used for PLC programming, and we only consider programs written in these languages.
The first step of the verification method (Figure 1) provides a formal representation in ÁÁ of the program behaviour. In the same way, the properties required for the application have to be formalised as algebraic formulas. The last step is purely symbolic reasoning on the first set of formulas (those obtained from the program) in order to derive the formulas expressing the required properties.
Binary signals modelling
As mentioned in the introduction, the ÁÁ algebra must provide a formal framework to represent and manipulate the states of Boolean variables, Boolean events and physical delays between events. The main idea behind the definition of this algebra has been to consider binary signals, i.e. variables describing the evolution over time of Boolean values.
These evolutions are usually represented by timing diagrams. This representation is quite useful for control engineers but is not based on a sound formalism. In order to provide a formal framework for binary signals, we propose to represent them as piecewise-continuous functions from $\mathbb{R}^{+*}$ to $\{0, 1\}$. The elements of ÁÁ are consequently formally defined in the following way:
Figure 2 shows an example of a function that is an element of ÁÁ. Attention must be paid to the right-continuity used for the edges (at the dates $t_1$ and $t_3$) and to the double discontinuity (at the date $t_2$ and the other date marked in the figure), which is mandatory to model events. A more detailed presentation is given in [11]. In the following, lower-case letters refer to elements of ÁÁ; written with "$(t)$" they refer to Booleans, the values of those elements at a given instant $t$. Distinct symbols are used for logical AND, OR and NOT on Boolean values and for the corresponding product, sum ("+") and complement operations of ÁÁ.
ÁÁ contains two special elements $1^*$ (the one element) and $0^*$ (the zero element), defined as follows:
ÁÁ being a Boolean algebra, the following properties are satisfied [4]:
A partial order between elements of ÁÁ can be introduced by the relation "implication", analogous to subset inclusion. This relation is defined as follows: It is worth highlighting the usefulness of this relation for properties checking; this will be illustrated in section 5. Furthermore, for any two elements of ÁÁ, the six following relations are equivalent:
This algebra must be distinguished from process algebras, which aim to formally represent state automata. In our case, the underlying model of the algebra is not a kind of state automaton but the binary signal, a piecewise-continuous function of time.
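The following Python model is an added example, not code from the paper or its Mathematica solver. It makes the binary-signal idea concrete under one assumption of ours: a signal is stored as its value function together with the finite set of instants where it may change, so it is constant on every open gap between those instants. That assumption is what allows equality, and hence the implication order (a implies b iff a AND NOT b is the zero element), to be decided by checking finitely many witness instants. Intervals are right-continuous, like the edges at $t_1$ and $t_3$ in the paper's figure, and a single-instant event is the double discontinuity the text describes. All names (`Signal`, `implies`, `witnesses`, `timing_diagram`) are ours.

```python
"""Binary signals as piecewise-constant functions of time with the Boolean
operations and the implication order; added example, not the paper's code."""
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class Signal:
    """A binary signal: value(t) in {0,1} for t >= 0, constant between the
    finitely many instants listed in `breakpoints` (where it may change)."""
    value: Callable[[float], bool]
    breakpoints: FrozenSet[float]

    @staticmethod
    def interval(start: float, end: float) -> "Signal":
        """TRUE on [start, end): right-continuous rising edge at `start`
        and falling edge at `end` (the signal is already FALSE at `end`)."""
        return Signal(lambda t: start <= t < end, frozenset({start, end}))

    @staticmethod
    def event(at: float) -> "Signal":
        """TRUE at the single instant `at` only: the double discontinuity
        used to model an event."""
        return Signal(lambda t: t == at, frozenset({at}))

    def __and__(self, other: "Signal") -> "Signal":      # pointwise AND
        return Signal(lambda t: self.value(t) and other.value(t),
                      self.breakpoints | other.breakpoints)

    def __or__(self, other: "Signal") -> "Signal":       # pointwise OR
        return Signal(lambda t: self.value(t) or other.value(t),
                      self.breakpoints | other.breakpoints)

    def __invert__(self) -> "Signal":                    # pointwise NOT
        return Signal(lambda t: not self.value(t), self.breakpoints)


ONE = Signal(lambda t: True, frozenset())     # the one element 1*
ZERO = Signal(lambda t: False, frozenset())   # the zero element 0*


def witnesses(*signals: Signal) -> list:
    """Instants that decide equality of the given signals: every breakpoint,
    one point inside each open gap between consecutive breakpoints, and one
    point after the last, because the signals are constant on those gaps."""
    pts = sorted(set().union(*(s.breakpoints for s in signals)) | {0.0})
    return pts + [(a + b) / 2 for a, b in zip(pts, pts[1:])] + [pts[-1] + 1.0]


def equal(a: Signal, b: Signal) -> bool:
    """Equality in the algebra: same value at every instant."""
    return all(a.value(t) == b.value(t) for t in witnesses(a, b))


def implies(a: Signal, b: Signal) -> bool:
    """The partial order 'a implies b': a AND NOT b is the zero element,
    i.e. b is TRUE whenever a is TRUE."""
    return equal(a & ~b, ZERO)


def timing_diagram(s: Signal, horizon: float, step: float = 0.5) -> str:
    """Informal textual timing diagram: `s` sampled every `step` up to `horizon`."""
    n = int(horizon / step) + 1
    return "".join("#" if s.value(k * step) else "_" for k in range(n))


def boolean_laws_hold(a: Signal, b: Signal) -> bool:
    """Complement, absorption and De Morgan identities of the Boolean algebra,
    checked on two concrete signals."""
    return (equal(a & ~a, ZERO) and equal(a | ~a, ONE)
            and equal(a & (a | b), a)
            and equal(~(a & b), ~a | ~b))
```

`implies(Signal.event(6.0), Signal.interval(2.0, 6.0))` is false precisely because of right-continuity: the interval is already FALSE at its falling edge, so an event at that instant is not covered by it. The witness set is a decision procedure only because every signal built here carries its own breakpoints; a signal with a breakpoint outside the declared set would break the assumption.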
Function blocks behavior and properties
Once the algebra is defined, it is possible to obtain a formal description of all the Boolean function blocks of the IEC 61131-3 standard. This part focuses only on Boolean memories, timers and edge detectors.
Memory operations
The bistable function blocks are defined in the standard as follows (graphical form and function block body):
Two operations on ÁÁ have been defined to give an algebraic semantics to the bistable function blocks:
The SR operation
The RS operation
Timing operations
The timer function blocks are defined in the standard as follows:
ON-delay timing (TON): graphical form
        +-------+
        |  TON  |
BOOL ---|IN    Q|--- BOOL
TIME ---|PT   ET|--- TIME
        +-------+
Timing diagram: waveforms of IN and Q (figure not reproduced)
OFF-delay timing (TOF): graphical form
The algebraic semantics of these function blocks is the following:
The TON operation
The TOF operation
Edge operations
The edge detection function blocks are defined in the standard as follows:
Rising edge detector: graphical form and function block body
Example
The usefulness of the ÁÁ algebra for properties checking is demonstrated on a simple safety-related program. The aim of this program is to monitor the safe operation of the two pushbuttons used to operate presses and similar dangerous machinery. It ensures that both hands of the operator are kept outside the danger zone during machine operation. Usually this safety-related function is realised by safety relay systems tested and approved by standards institutions. Nowadays this function is available in programmable safety systems. The behaviour of this function is standardised [2]. The main points are:
P1 A cycle can only be initiated by pressing the two pushbuttons simultaneously (within 0.5 s).
P2 A cycle is interrupted by releasing one or both buttons, which stops the output.
The properties P1 and P2 can easily be proved from this formal definition of the program. These properties are written in ÁÁ as follows:
P1 To set "MVT", it is necessary that the two pushbuttons are pressed and that neither one nor both of them has already been pressed for 0.5 s.
P2 If a pushbutton is released, the output "MVT" is reset.
The property P1 is proved as follows:
The P3 property involves states of the same variables at different dates (for instance both inputs must be at the false level at a given date t and at the true level at another date t' greater than t) and is therefore not as easy to prove as the first two. This property can be written in CTL temporal logic as follows:
To verify that kind of property, we are currently developing new operations on ÁÁ that make it possible to analyse the past of binary signals.
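As an added example (not the paper's program, equations or proof), the following Python code gives the cyclic-scan semantics of the TON, R_TRIG and RS function blocks from the previous section and applies them to a two-hand control program of our own design, then checks P1 and P2 by simulation over constructed button traces. It serves both the function-block section and this example. Assumptions: a 100 ms scan period, a set-input built from the two buttons and two TON timers with PT = 0.5 s, a reset-dominant RS memory for "MVT", and the program/monitor names (`TwoHandControl`, `check_p1`, `check_p2`, `evaluate`). Simulation over a few traces is a test of the program, not the symbolic proof the paper performs in ÁÁ; the `windowed=False` switch deliberately removes the 0.5 s window to show the P1 monitor rejecting the resulting program.

```python
"""Cyclic-scan simulation of IEC 61131-3 timer, edge-detector and bistable
blocks, applied to an assumed two-hand control program (added example)."""
from dataclasses import dataclass

DT = 100          # assumed PLC scan period in ms
WINDOW_MS = 500   # simultaneity window of P1 (0.5 s)


@dataclass
class TON:
    """ON-delay timer: Q becomes TRUE once IN has stayed TRUE for PT; ET
    counts up to PT and both are cleared as soon as IN is FALSE."""
    pt: int
    et: int = 0
    q: bool = False

    def step(self, in_: bool, dt: int) -> bool:
        if in_:
            self.et = min(self.pt, self.et + dt)
            self.q = self.et >= self.pt
        else:
            self.et, self.q = 0, False
        return self.q


@dataclass
class R_TRIG:
    """Rising-edge detector: Q is TRUE for exactly one scan after CLK rises."""
    m: bool = False

    def step(self, clk: bool) -> bool:
        q, self.m = clk and not self.m, clk
        return q


@dataclass
class RS:
    """Reset-dominant bistable: Q1 := NOT R1 AND (S OR Q1)."""
    q1: bool = False

    def step(self, s: bool, r1: bool) -> bool:
        self.q1 = (not r1) and (s or self.q1)
        return self.q1


class TwoHandControl:
    """Assumed FBD logic: MVT is set only while both buttons are pressed and
    neither has been held for WINDOW_MS; releasing either button resets it."""
    def __init__(self, windowed: bool = True):
        self.windowed = windowed     # False = deliberately drop the 0.5 s window
        self.held1, self.held2, self.mvt = TON(WINDOW_MS), TON(WINDOW_MS), RS()

    def scan(self, s1: bool, s2: bool) -> bool:
        h1 = self.held1.step(s1, DT) and self.windowed
        h2 = self.held2.step(s2, DT) and self.windowed
        set_ = s1 and s2 and not h1 and not h2
        reset = (not s1) or (not s2)
        return self.mvt.step(set_, reset)


def button(press_ms: int, release_ms: int, scans: int) -> list:
    """Constructed input: TRUE from press_ms (inclusive) to release_ms (exclusive)."""
    return [press_ms <= k * DT < release_ms for k in range(scans)]


def pressed_for(seq: list) -> list:
    """Per scan, ms the signal has been TRUE without interruption (0 while FALSE)."""
    out, run = [], 0
    for v in seq:
        run = run + DT if v else 0
        out.append(run)
    return out


def check_p1(s1: list, s2: list, mvt: list) -> bool:
    """P1 from the inputs alone: every rising edge of MVT must occur with both
    buttons pressed and neither held for WINDOW_MS or more."""
    held1, held2, edge = pressed_for(s1), pressed_for(s2), R_TRIG()
    return all(not edge.step(m) or (s1[k] and s2[k]
               and held1[k] < WINDOW_MS and held2[k] < WINDOW_MS)
               for k, m in enumerate(mvt))


def check_p2(s1: list, s2: list, mvt: list) -> bool:
    """P2: MVT is never TRUE while a button is released."""
    return all((a and b) or not m for a, b, m in zip(s1, s2, mvt))


SCENARIOS = {                       # constructed traces, 20 scans = 2 s horizon
    "within_window": (button(0, 1000, 20), button(200, 1000, 20)),
    "too_late":      (button(0, 1500, 20), button(800, 1500, 20)),
    "early_release": (button(0, 1000, 20), button(0, 600, 20)),
}


def evaluate(name: str, windowed: bool = True) -> dict:
    """Run one scenario; report when MVT first rises and the P1/P2 verdicts."""
    s1, s2 = SCENARIOS[name]
    prog = TwoHandControl(windowed)
    mvt = [prog.scan(a, b) for a, b in zip(s1, s2)]
    first_on = next((k * DT for k, m in enumerate(mvt) if m), None)
    return {"first_on_ms": first_on,
            "p1": check_p1(s1, s2, mvt), "p2": check_p2(s1, s2, mvt)}
```

Calling `evaluate("too_late")` gives no MVT rise at all, because the first button's TON has expired before the second is pressed, whereas `evaluate("too_late", windowed=False)` sets MVT at 800 ms and `check_p1` reports the violation. The monitors compute "pressed for" from the raw inputs rather than from the program's own timers, so they do not share a defect with the logic under test.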
Conclusion and perspectives
The ÁÁ algebra provides a formal framework to represent the states of Boolean variables, events and physical delays, and has made it possible to develop the verification method presented in this article. This method has been tested successfully on several cases. It is particularly well suited to structured programs such as industrial ones. The example described in this article is written in FBD; the same equations and reasoning would be obtained with a program in Ladder Diagram. Moreover, the function blocks presented are defined for all the IEC 61131-3 languages (e.g. SFC); the results obtained may therefore be applied to any program developed in these languages.
To help the designer with properties checking, we have developed over the last year a solver in Mathematica®. This software relies on the basic properties of this Boolean algebra as well as on the theorems related to function blocks, and is able to simplify expressions on ÁÁ. The designer uses this tool to perform symbolic calculus on ÁÁ. For our example, the properties P1 and P2 have been proved automatically with this solver.
The perspectives of this work are both formal and methodological. As mentioned at the end of the previous section, new operations increasing the checking power of ÁÁ are under development. From a methodological point of view, we have to consider the cooperation between the two verification methods currently used in our laboratory: model-checking and symbolic reasoning in ÁÁ. A rational and complementary use of these two approaches will benefit the verification of large industrial PLC programs.
