The use of programmable logic controllers in systems for controlling complex industrial processes has strict requirements for the correctness of PLC programs. Any software error is considered unacceptable. Despite this, the existing software development tools for PLC (for example, the well known Controller Development System (CoDeSys [6] ) provide only the usual debugging programs via testing (which does not guarantee the absence of errors) by visualizing objects of a PLC's control. In this context, the methods and approaches for the construction of correct programs for PLCs, including both direct programming methods and program correctness analysis technology, are of great interest.
where S is a finite set of states, s 0 ∈ S is the initial state, ⊆ S × S is the transition relation, and L : S → 2 p is function that marks each state by a set of atomic propositions that are true in this state.
The path in Kripke structure from the s 0 state is an infinite sequence of states π = s 0 s 1 s 2 … such that, for all i ≥ 0, there will be s i → s i + 1 .
LTL logic formulas are based on the following grammar at p ∈ P:
An LTL logic formula describes the property of one path of Kripke structure starting from a dedicated current state. The temporal operators X, F, G, and U have the following interpretation: Xϕ means that the formula ϕ must be satisfied in the next state, Fϕ -ϕ must be satisfied in a future state of the path, Gϕ -ϕ must be satisfied in the current and in all the future states of the path, and ψUϕ -ϕ must be satisfied in the current or future state (at that, in all operating states (since the current), the formula ψ must be satis fied before this moment). Kripke structure satisfies the formula (property) ϕ of the LTL logic if ϕ is satis fied for all paths starting from the initial state s 0 .
A programmable logic controller is a classic "reactive" system, which is a software controlled digital automaton having a plurality of inputs connected via sensors to the object of control, and a plurality of outputs connected to the actuators [3, 5] . The PLC controls the status of the inputs and produces certain sequences of program specified actions that affect the changing of the outputs. The PLC is designed to work in real time in industrial environments. The PLC program is executed in the working cycle (whose execution rate depends on the processor power). Reading of inputs, executing the program, and setting of outputs happens every passing cycle (then there begins a new passing of the working cycle).
A model of a PLC program as a Kripke structure can be constructed as follows. Let us take the vector of values of all the program variables, which can be divided into two parts, as the state of the model. The first part is a vector of inputs at the start of a new working cycle of the PLC. The second part is the output vector of values of internal variables and the values obtained after passing through a complete working cycle (at the inputs of the first part). In other words, the model state is the state of the PLC program after the passage of a full cycle. Thus, the transition from one state to another depends on the (previous) values of the outputs and the internal variables of the first state and the (new) values of the inputs of the second state.
VULNERABILITY AND VERIFICATION OF LD PROGRAMS
Graphically, the LD diagrams are presented in the form of two vertical power buses. There are chains formed by compound contacts between them. The load of each circuit is the relay. Each relay has contacts that can be used in other circuits. The LD language is included in the IEC 61131 3 standard for transpar ent transfer of existing solutions of control automatons realized (and accumulated in large quantities) in the form of electrical ladder circuits (ELC) to the PLC. However, such a "transparency" of transfer, namely, an image of ELC straight in the LD language, can lead to vulnerability of LD programs. The fol lowing example from [5] , which was designed to demonstrate the ease and convenience of ready made ELC solutions transference to PLC, can be used to show the vulnerabilities arising during the transfer, i.e., the possibility of the unexpected behavior of the PLC controlling program.
The circuit diagram of a code lock with an electromagnetic relay is shown Fig. 1a . The lock is opened by pressing the K1, K3, and K5 buttons, and the first button K1 in this sequence must be pressed while holding down the K0 button, thus setting the doorbell alarm signal. The doorbell is used to attract atten tion to the event of codes selection. All the intermediate relays P1, P3, and P5 work with self locking. They at the same time free the previous relay circuit. The erroneous pressing of K2, K4, K6-K9, or opening a door (door sensor = 1) place the lock into its original condition (with the help of relay P). The above circuit does not allow opening the lock (plunger = 1) while pressing all the buttons K0-K9 (with the same speed of operation of all the relays). However, such a possibility exists when implementing this circuit on the controller as the LD diagram in Fig. 1b . In this case, if all the buttons are pressed simultaneously during a single pass of the working cycle of the PLC, the signal that opens the lock (plunger = 1) will be billed to open. This time may be enough for the device that opens the lock to have enough time to read this signal and then put the lock into the open state. This situation occurs due to the fact that any PLC program, including the LD program, is executed in each PLC cycle serial from the left to right and from the top to bottom. Thus, the exhibition dropping signal of relay P will be available only on the next pass of the PLC cycle.
The possibility of the appearance of vulnerabilities during the transfer of made (well functioning) ELC solutions to the PLC leaves the need for checking what is obtained by transfer LD programs. However, at the same time, LD programs are a suitable object for verification. In particular, the modeling of LD dia grams in the language Cadence SMV [7] could be done in a fairly transparent way (for more details, see [4] ). The ease of modeling of LD programs of the SMV language is shown in Fig. 2 (the symbols "&," "|," "~," and "→" mean, respectively, logical "and," "or," "not," and the implication). In this example, the program of the code lock is rewritten so that the lock will be opened (i.e., it exhibits the signal plunger = 1) only if each of the "opening" buttons K1, K3, and K5 (in that order) will be pressed and released in series. In this case, pressing the other buttons-a signal from the door position sensor or the simultaneous opera tion of several "opening" buttons-will lead to the collapse of the typed code sequence into the initial state. An alarm bell will be activated when any button from K1 to K9 will be held down. During the sim ulation of a program using the SMV language, the value of the corresponding variable after the passage of one full cycle is determined by the next operator.
VULNERABILITY AND VERIFICATION OF SFC PROGRAMS
The LD language is mainly used for the transferring of existing solutions to PLC, and the other lan guages of IEC 61131 3 are used to write new programs for PLC. For example, it is much more convenient to rewrite the control program for code locking in the visual language SFC. One step that does not contain any commands within itself is given by pressing and releasing of each opening button (K1, K3, and K5) in the SFC diagram (see Fig. 3a ). For example, for two positions of the button K3, we have the following steps: S3W3D and S4W3U.
Step S7Open corresponds to the open state of the code lock.
Step S0 (always active after its activation) contains commands that are executed on each pass of the operating cycle. Two step S0 and S1W1D become active because of the parallel always ready to trigger transition from the initial step Init at the start of this SFC program.
Step S1W1D is waiting for pressing of the K1 button. During T12   T23   T34   T24  T21   S1W1D S4W3U  S3W3D   T32  T31   S1W1D S2W1U  S4W3U   T46  T45  T42  T41   S1W1D S2W1U  S5W5D   T51  T52  T56   S1W1D S2W1U S6W5U   T61  T62  T67   S1W1D S2W1U  S7Open   T71  T72  S1W1D passing of the working cycle for each active step (left to right and top to bottom), its contents executes, and then the conditions at the transitions (from this step) are checked. If one of the conditions has worked, then a transition to the other step that will be active at the passing on to the next cycle is performed. In this case, the current step itself is no longer active (of course, if the transition had not been committed at the same step). If none of the conditions on the transitions were fulfilled, then the current step is active and everything is repeated on the next pass of the working cycle. In contrast to LD programs, programs written in the SFC language are modeled not in such a trans parent manner. The possibility of building a transparent model for an SFC program in general is excluded for SMV due to the limitations of the language modeling. Transparency is lost because of the "parallelism" of the SFC chart's branches and the need to work with internal variables during prescribing of links between the steps and transitions. An internal variable is given under each step of the SFC chart. The activ ity of the corresponding step is determined by this variable. In the SFC program shown in Fig. 3a in addi tion to the inputs (K1-K9, Door) and outputs (Alarm, Plunger, Rst), there are eight auxiliary variables, one for each step of the chart. The presence of additional variables can be critical for verification tools that are based on binary decision diagrams (trees) of decisions (BDD), because the depth (and the size) of the BDD tree storing the program model is directly dependent on the number of program variables.
The number of steps in the SFC program can be reduced through the use of the so called simplified SFC language, which is used in the instrumental programming tool CoDeSys [6] . Only one step is given for the treatment of the pressing and releasing of the opening buttons in the SFC chart in Fig. 3b . For the K1, K3, and K5 buttons, we have accordingly the S1W1, S2W3, and S3W5 steps. In each such step, we use an auxiliary variable P, which tracks only pressing of the opening button. The situation in which simulta neously with the pressing of the opening button of the current step may be pressed the next opening button of the correct code sequence is tracked with the aid of the second auxiliary variable P2. The sign means that this step has an output action that takes place after one of the conditions on the transitions from this step, i.e., when exiting the step. The information on whether there was already pressed the opening button of the next step directly in front of it is transmitted (via the variable P) into the next step with help of an output action.
It may seem that the use of the variable P2 causes an unnecessary intermediate assignment, because if, for example, the exit of step S1W1 happens, then, at the current pass of the working cycle, the following command sequence will run: P := K1 OR P; P2 := P AND K3 AND NOT Rst; (checking of conditions on transitions); P := P2. In this case, there is no need for the variable P2. In addition, in the output S1W1.X action, there could be immediately prescribed P := P AND K3 AND NOT Rst, as there is a way out of the step, and the new value of P has no effect on the verification of the conditions on the transitions. However, here lies the vul nerability for SFC programs. The fact that the output operation is always performed in the step following the passage of the working cycle, in which input value of K3, may be different. For example, consider the following scenario. Suppose that, in the current cycle, the key K3 was read as being pressed, but then, dur ing the passage of this cycle, it was released; that is, on the next pass of the working cycle, the variable K3 will have a value of 0. In this case, assume that at the current working cycle the step S1W1 is active and the transition T12 to step S2W3 have fired. Then, the following working cycle before the execution of the acti vation step will perform S2W3 and the first output action S1W1.X, which (in the case of assigning P := P AND K3 AND NOT Rst) leads to the fact that P will be set to 0; i.e., the previous holding down of the K3 button will not be taken into account in the new pass of the working cycle. This explains the need for an "extra" unit with a P2 variable.
Thus, performing of the output action for the next step at the next pass of the working cycle interferes a bit with their order and the way of thinking in programming, thus resulting in possible vulnerability of SFC programs. Moreover, the presence of the step of the output action on it is given now two service vari ables. Consequently, in the case of a simplified SFC, we can find the vulnerability of an SFC program not having a number of service variables (the existence of which must be considered in the simulation).
AUTOMATON ST PROGRAMMING OF PLC
An automaton approach for programming of PLC can be applied to reduce the number of internal vari ables and to ensure the construction of transparent program models. In this approach, the logic of the X PLC program is represented as finite automata, the implementation of which is realized in the ST lan guage of IEC 61131 3. Figure 4 shows an automaton control program of code lock. Here, the control state machine is shown as a transition graph and represents (unlike SFC) only a schematic drawing that describes the program in the ST textual language (see Fig. 4 ). In the labels on the arcs of the transitions, above the line is prescribed the condition for the transition from the respective states, and below the line are the commands that should be executed (in the same passage of the working cycle) for triggering this condition. If none of the conditions on the arcs of the transitions are satisfied, then the commands are exe cuted as prescribed in the state. Thus, at each cycle are first checked all the conditions of the current state of transition; then, either a transition to a new state with the implementation of branch instructions or the current state remains active and it makes the team attributed to it. There are the commands that are always executed first on each pass of the working cycle of the PLC in the figure in the large rectangle. The current state is determined by the value of the variable @State. The values 0, 1, and 2 correspond to the states for the treatment of pressing/releasing of buttons K1, K3, and K5, respectively. The value 3 is reserved for (containing commands) a machine state that corresponds to the open state of the code lock (Plunger = 1). Controlling automaton starts when State = 0 and Plunger = 0.
The automaton approach to programming of PLC allows us to build transparent models of automata ST programs. An SMV model of an automaton ST program of code lock that is almost exactly the same as the simulated program itself is shown in Fig. 5 .
SPECIFICATION OF PLCS PROGRAM PROPERTIES
In whatever language program it was written, it is considered to be correct if it satisfies the requirements for its properties. For the correctness of PLC programs using the verification of the model (model check ing), the modeling programs in the verifier should also be able to express verifiable properties in the lan guage of temporal logic.
For example, the code lock program will be considered correct if opening the lock signal Plunger = 1 occurs only after the following sequence of steps: the K1 button is pressed, the K3 button is pressed, and the K5 button is pressed; at the same time (during this sequence), the door position sensor did not output a signal (i.e., the door did not open), none of the nonopening buttons was pressed, and there were no mul tiple simultaneous key presses. In addition, after setting a signal, Plunger = 1 must be cleared when you open the door or pressing a button.
However, this property is expressed only by means of temporal formulas and is not possible for any of the constructed models of the programs reviewed, including the code lock. There is a need to incorporate into the model auxiliary routines serving the temporal formula (the form of which must be as simple as Figure 6 is a built in SMV model supporting two subformulas of temporal properties Opening1 and Opening2 (which are preceded by the keyword assert) written in the LTL language of temporal logic. This routine in the variables X1, X2, and X3 accumulates a correct button pressing history. The temporal formula Opening1 states the following property: every time the opening sig nal Plunger = 1 is set, the history of the correct button presses must be of the form X3 = 1, X2 = X1 = 3 and 5, i.e., there was correctly typed the code sequence, the door is closed (Door = 0), and none of the buttons are pressed (Alarm = 0). Opening2 means that every time an opening sequence is received (X3 = 1, X2 = 3, X1 = 5), none of the buttons are pressed at this point (Alarm = 0) and the door is closed (Door = 0), it should be set the opening signal Plunger = 1.
PROGRAMMING FROM SPECIFICATIONS
The support subprogram and temporal formulas Opening1 Opening2 shown in Fig. 6 describing a pro cedural form of proper behavior are essentially a control program. The formulas Opening1 and Opening2 declaratively define those and only those program states in which should be set to open the lock signal Plunger = 1. Therefore, this specification (temporal formulas and support routine) can be quite simple and transparently transformed into the new ST program for control of the code lock as shown in Fig. 7 . Thus, we have a reverse direction of PLC program creation, i.e., from the model and specifications of the real ST program for PLC.
In conclusion, let us note that the combination of the automata approach and the approach based on the specification seems to be an interesting and promising area of research on the subject of programming and checking of PLC programs. 
