A PLC is a reactive system. It repeats the execution of a user program periodically. There are three main phases for program execution (working cycle): (1) reading from inputs (sensors) and latching them in the memory, (2) program execution, (3) latching the values of the output variables to the environment [4, 9] .
INTRODUCTION
Application of programmable logic controllers (PLCs) for systems which control complex industrial processes makes rigorous correctness demands to PLC programs. Any software error is considered to be inadmissible. However, the existing development tools for programming PLC, for example widely known CoDeSys (Controller Development System) [7] , provide only usual debugging facilities through testing programs (not guaranteeing total absence of errors) by means of visualization of PLC control objects. At the same time certain theoretical knowledge and experience of applying the existing developments in the field of formal methods of modeling and analysis of software systems are accumulated. The programming of logical controllers is a practical area, in which existing developments could have successful applica tion-implementation of formal methods in the process of program design at the level of a well function ing technology.
checking is most suitable for "discrete" problems of logical control, requiring PLCs with binary inputs and outputs. This provides a finite space of possible states of PLC programs.
Earlier in article [2] , a review of methods and approaches to programming "discrete" PLC problems was carried out in the languages LD, SFC and ST. For these approaches the usability of the model check ing method for the analysis of program correctness with respect to the automatic verification tool Cadence SMV [12] was evaluated. Some possible PLC program vulnerabilities arising at traditional approaches to programming of PLC was revealed.
In particular, existing articles relating to correctness analysis of PLC programs [5, 10, 11] is mainly devoted to construction of translators from IEC 61131 standard languages to interface languages of veri fication software. The demonstration of results is carried out by trivial examples. However, our experience of working with the practical logic control problems showed that the direct translation does nothing for analysis of program properties, since it is often not possible to express desired properties in temporal logic languages.
In this article, an approach to construction and verification of PLC programs for discrete problems is proposed. For the specification of the program behavior, we use the linear time temporal logic LTL. Pro gramming is carried out in ST language according to an LTL specification. The correctness analysis of an LTL specification is carried out by the symbolic model checking tool Cadence SMV [12] .
The purpose of the article is to describe an approach to programming PLC, which would provide a pos sibility of PLC program correctness analysis by the model checking method.
MODEL CHECKING. A PLC PROGRAM MODEL
Model checking is the process of checking whether a given model (a Kripke structure) satisfies a given logical formula.
A Kripke structure on a set of atomic propositions P is a state transition system = (S, s 0 , →, L), with a non empty set of states S, an initial state s 0 ∈ S, a transition relation →⊆ S × S which is defined for all s ∈ S, and a function L: S → 2 P , labeling every state by a subset of atomic propositions.
A path of the Kripke structure from the state s 0 -is an infinite consequence of states π = s 0 s 1 s 2 … where
The linear time temporal logic language is considered as a specification language for behavioural properties of a programming model. PLC is a classic reactive control system, which once running must always have a correct infinite behavior. LTL formulas allow to represent this behavior.
The syntax of the LTL formula is given by the following grammar, p i ∈ P: ϕ, ψ ::= true|p 0 |p 1 |...|p n | ¬ ϕ |ψ ∧ ϕ|Xϕ|ψUϕ|Fϕ|Gϕ.
An LTL formula describes a property of one path of the Kripke structure, descending from an empha sized current state.
The temporal operators X, F, G and U are interpreted as follows: Xϕ-ϕ must hold at the next state, Fϕ-ϕ must hold at some future state, Gϕ-ϕ must hold at the current state and all future states, ψUϕ-ϕ holds at the current or a future state, and Fϕ = trueUϕ, Gϕ = ¬F¬ϕ must hold up until this point. In addition, classical logical operators ∨ and ⇒ will be used further.
The Kripke structure satisfies an LTL formula (property) ϕ, if ϕ holds true for all paths, starting from the initial state s 0 .
The Kripke model for a PLC program can be built quite naturally. The state of the model is a state of a PLC program (vector of values of all program variables) after the complete passing of a working cycle. A transition from one state to another is one program execution for the working cycle.
Notice, that the model differs from the PLC program by discrete representation of timers [1] . If there are no timers in the program, the behavior of the model coincides with the program behavior.
Atomic propositions of the model are logical expressions on PLC program variables with using arith metic and relational operators.
PROGRAMMING CONCEPT
The purpose of the article is to describe an approach to programming PLC, which would provide a pos sibility of PLC program correctness analysis by the model checking method. We will proceed from con venience and simplicity of using this method. We require holding two following conditions. Condition 1. The value of each variable must not change more than once per one full execution of the program while passing the PLC working cycle.
Condition 2. The value of each variable must change at only one place in the program in some operation block without nestings.
These conditions are reasonable because inputs are always latched while operating the cycle. We will change the variable value only when it is really necessary, i.e. we will forbid an access to the variable by assigning if conditions of mandatory changing of its value do not hold.
In this approach the requirements of changing the value of a certain variable V after one pass of the PLC working cycle are represented by the following LTL formulas.
The following LTL formula is used for describing situations, leading to an increase of the variable value V:
(1) This formula means that whenever a new value of variable V is larger than its previous value, recorded in the variable _V, it follows that the old value of variable V satisfies the condition OldValCond, the condition of the external action FiringCond is accomplished, and the new value of variable V is the value of the expression NewValExpr.
The leading underscore symbol "_" in the denotation of the variable _V is taken as a pseudo operator, allowing to refer to the previous state value of the variable V. This pseudo operator can be used only under the scope of the temporal operator X.
The conditions FiringCond and OldValCond are logical expressions on program variables and constants, which are constructed by using comparison operators, logical and arithmetic operators and the pseudo operator "_". By definition, the pseudo operator can be only applied to variables.
The expression FiringCond describes situations, when changing the value of the variable V is needed (if it is allowed by the condition OldValCond).
The expression NewValExpr is built by using variables and constants, comparison, logical and arith metic operators and the pseudo operator "_".
For descriptions of all possible increasing value situations the formula (1) may have several sets of con sidered conjunctive parts OldValCond i ∧ FiringCond i ∧ V = NewValExpr i , combined in a disjunction, after the operator ⇒.
Situations that lead to a decrease of V value are described similarly:
Temporal formulas of form (1) and (1') describe a desired behavior of some integer variable. A more simple LTL formula is proposed to use in case of a logical (binary) data type variable. The fol lowing formula describes situations which increase the value of a binary variable V:
Situations that lead to a decrease of the variable V value are described similarly:
In a special case of specification form (1) and (1'), where for V we have FiringCond = FiringCond' = 1, NewValExpr = NewValExpr', OldValCond = (_V < NewValExpr) and OldValCond' = (_V > NewValExpr):
. This specification can be replaced by the following LTL formula:
We will call the variable V a register variable, if it has a specification of forms (1), (1'), (2) and (2'). If V is constructed by a specification of form (3), it is called a function variable. In the special case of speci fication (3) , where the expression NewValExpr does not contain the leading underscore pseudo operator "_", the variable V is called a substitution variable.
It is important to note that each LTL formula template is constructive, i.e. the program can be easily build from the specification, that would correspond to temporal properties expressed by these formulas. Thus, we can say that PLC programming is reduced to building a behavior specification of each program variable, which is an output or auxiliary internal variable. The condition of changing a value in only one place in the program eases debugging. It gives a simple evaluation of the program text volume and readi
ness. The process of writing a program code is completed, when specification for each such variable is cre ated. Note, that quantity and meaning of output variables are defined by a PLC and a problem formulation. The program specification is divided into two parts: (1) specification of the behavior of all program variables (except inputs), (2) specification of common program properties. The second part of specifica tion affects quantity and meaning of internal auxiliary PLC program variables.
In specification it is important to consider the order of temporal formulas describing the behavior of the variables. A variable without the pseudo operator "_" may be involved in the specification of another variable behavior only if the specification of its behavior is completed and located in the text above.
If necessary, we will use the keyword "Init" for indicating a variable initial value. For example, Init(V) = 1 means that the variable V initially is set to 1. If the initial value of some variable is not explicitly defined, it is assumed that this value is zero.
PROGRAMMING BY LTL SPECIFICATION In this section, we consider a way of constructing a program code by constructive LTL specification of the program variable behavior. In general, a translation process from LTL formulas to the program code is the following.
Two temporal formulas of the variable V, marked V+ (value increase, (1)) and V-(value decrease, (1')), are set in conformity to the text block in the ST language:
IF
OldValCond AND FiringCond THEN V := NewValExpr; (*V+*) ELSIF OldValCond' AND FiringCond' THEN V := NewValExpr'; (*V-*) END_IF.
If the number of conjunctive blocks OldValCond i ∧ FiringCond i ∧ V = NewValExpr i in LTL formulas will be more than two, the number of alternative branches "ELSIF" will grow (by one branch for each new block).
Note, that the behavior of the obtained program will completely satisfy LTL formulas of specifications. We have a simple assignment in the case of function variable V (3): V := NewValExpr. (* V *) Each program variable must be defined in the description section (local or global) and initialized in conformity with the specification. Note that, for example, in CoDeSys [7] all variables are initialized to zero by default.
In addition, we must implement the idea of the pseudo operator "_". To do this, at the end of the pro gram an area for a pseudo operator section is allocated. In this area an assignment _V := V is added after describing the behavior of all specification variables. The assignment is added for each variable V, to the last value of which is addressed as _V. The variable _V is also necessary to be defined in the description section with the same initialization as for the variable V.
Note, that the approach to programming by specification, which describes the reason of changing each program variable value, looks very natural and reasonable, because a PLC output signal is the control sig nal, and changing the value of this control signal usually carries an additional meaning. For example, it is important to understand why an engine or some lamp must be turned on/off. Therefore, it seems quite obvious that every variable must be accompanied by two properties, one for each direction changing. It is assumed that if the change conditions are not met, the variable remains at its previous state.
BUILDING SMV MODEL BY LTL SPECIFICATION
We consider the verifier Cadence SMV [12] as a software tool of correctness analysis by the model checking method. It is proposed to build a Kripke structure model in the SMV language with further ver ification of common program properties satisfiability for this model after creating the specification. If some common program property is not hold for the model, the verifier builds an example of an incorrect path in a Kripke structure model, by which corrections in the specification are produced. And only after all the program properties have been verified with positive results, ST progam of PLC is built by specifi cation.
The SMV language allows to define a variable value in the next state of a model by using the "next" operator. Branching the transition relation is provided by the "nondeterministic" assignment. For exam ple, the assignment next(V) := {0, 1} means that states and transitions to them will be generated both with V = 0 and V = 1. In the SMV language the symbols "&", "|", "~" and " >" denote the logical "and", "or", "not" and implication, respectively.
The SMV language is oriented to creating the following states of Kripke models from the current state. The initial current state of the model is the state of the program after initialization. Therefore, specifica tion of the behavior of a variable V (1) and (1') will be easier (clearer) to rewrite in the following equivalent form V+:
And then we get an SMV model of a variable V behavior quite naturally, setting the "next" operator in conformity to the temporal operator X:
case{next ( Consider a specification of the behavior of a substitution variable V. In this case NewValExpr does not contain the pseudo operator "_". This allows to rewrite the specification in the following equivalent form:
V : XG(V = NewValExpr).
In fact, this formula means that if the initial state of the model does not considered, an equality V = NewValExpr must hold in all other states of the model. The fairness of the formula XG(V = NewValExpr) follows from the fairness of the more general formula G(V = NewValExpr). Therefore, the more general formula can be used as the constructive specification for building the SMV model of a substitution vari able V.
The SMV model is built by this specification in the form of the assignment V := NewValExpr.
The Cadence SMV verifier allows to check program models containing up to 59 binary variables (all variables in SMV are represented by sets of binary variables). The substitution variables are not included into this number, i.e. only register variables and function variables are considered.
LOGIC GAME "31" Consider a logic game "31," which is formulated as follows. There are 24 playing cards laying out on the table in six rows faces down: 4 aces (4 units) are in the first row, 4 deuces-in the second, 4 triplesin the third, 4 fours-in the fourth, 4 fives-in the fifth, 4 sixes-in the sixth. There are two players. Play ers alternate turns. A player turns over one card per one turn. Only cards that are faced down can be turned over. The player loses, if after his move the sum of cards turned over becomes more than 31.
The task is to construct a PLC program (with 7 binary inputs and 18 binary outputs) for controlling the game "31." If PLC is the second player, PLC must win every time, when the first player starts a game with turning card "3," "4" or "6." If the first player starts the game with card "1," "2" or "5," then PLC must win, if the first player does not use "take out" strategies of "1," "2" or "5," respectively. Figure 1 shows a diagram of game control panel. The buttons "1," "2," "3," "4," "5," and "6" are used for "turning" the corresponding card. Pressing a button is incorrect and is not taken in consideration if it was pressed simultaneously with other button. It should be unpressed and then pressed correctly. Correct pressing one of button decrements a corresponding "card display" value. Initial display value is "4" for each display. Display values are limited by zero. Sum of "turned" cards is displayed on the "sum display" after each turn of Player and/or PLC.
"Start" button allows to restart the game. The last move is indicated by turning on one of the six lamps located over the corresponding number. A turn is shown by lamp "player turn" or "PLC turn." A winner is shown by corresponding lamp "player" or "PLC."
PLC interface is shown in Fig. 1 . Outputs to "sum display" and "card display" are not depicted on the interface in order to save space. Hereinafter a code, responsible for display information, will be dropped for the same reasons.
Common Program Properties and Auxiliary Variables
Global variables of PLC program are defined by PLC interface. Auxiliary internal variables are usually needed to express common program properties, taken from a problem statement and necessity of the algo rithm implementation. In this section, we consider some common program properties for the logic game "31" as the example. This properties are specified as LTL formula with use of auxiliary variables.
It is important to note that description of some internal variables and timers follows directly from the problem statement. For example, we use variables V1, V2, V3, V4, V5 and V6 to store the number of "unturned" cards of different denomination, and variable Sum-to store the sum value of all "turned" cards. Other internal variables may appear on the assumption of programming ease and program readability.
Explicit common program properties for a logical game are the properties, which express the confor mity between program behavior and winning strategies. The game strategy description assumes the manipulation with the notion of a turn in general, meaning turning cards, as well as the notion of a con crete turn, appropriate to turning a card with specific denomination. For these purposes, we use the vari ables Mv1, Mv2, Mv3, Mv4, Mv5 and Mv6. If the value of these variables is 1, it means that a turn, con sisting in turning over cards in denominations of 1, 2, 3, 4, 5 and 6, respectively, was made. If the value of Mv is 1, the game turn was made on this passage of PLC working cycle. PLC game strategy may vary depending on resources or "unturned" cards availability. We will determine the impossibility for the PLC to make a turn according to the direct strategy with a variable Lck.
We use the variable Rst to specify the necessity to reset the game to the initial state. Incorrect pressing of buttons will be detected with a variable Skp.
So, consider some examples of common program properties for the logic game "31."
(1) G(¬PLCWin ∨ ¬ManWin) means that there are no situations, in which the PLC and the Player are winners at the same time.
(2) The value of Sum variable always remains less than or equal to 37: G(Sum ≤ 37).
The formula G(Mv1 + Mv2 + Mv3 + Mv4 + Mv5 + Mv6 ≤ 1) forbids to make more than one game turn for one passage of the PLC working cycle.
(4) Pressing the button PBStart should lead to resetting the game to the initial state:
CONCLUSIONS
The approach has been successfully approved on some (about a dozen) "discrete" logical control prob lems of different types with the average number of binary PLC inputs and outputs about 30 and the total number of binary program variables up to 59. For example, the properties relating to the maintenance of a technological process (to exclude the possibility of nonconforming product outflow), were verified for a PLC program controlling a mixture preparation device. The properties relating to connection standby pumps in time were tested for the problem of the hydraulic pump system control. And the properties of mandatory execution of received commands of cabin lift calling were tested for a library lift control prob lem. The verification work was carried out on a PC with the processor Intel Core i7 2600K 3.40 GHz. Time spent by the verifier Cadence SMV to check the specified properties is limited to a few seconds.
The further work aim is to build software tools for modeling, specification, construction and verifica tion of PLC programs, according to the results of our work.
