Verification of programmable logic controller (PLC) programs written in IEC 61131-3 function block diagram (FBD) is essential in the transition from the use of traditional relay-based analog systems to PLC-based digital systems. This paper describes effective use of the well-known verification tool VIS for automatic verification of behavioral equivalences between successive FBD revisions. We formally defined FBD semantics as a state-transition system, developed semantic-preserving translation rules from FBD to Verilog programs, implemented a software tool to support the process, and conducted a case study on a subset of FBDs for APR-1400 reactor protection system design.
INTRODUCTION
Software safety [1] is an important issue for embedded real-time control systems such as those found in nuclear power plants. When verifying safety-critical software, formal methods [2] play critical roles in demonstrating compliance to regulatory requirements. The Korea Nuclear Instrumentation & Control System R&D Center (KNICS) [3] project 1 used the NuSCR [4] formal specification language and tool-set [5] to formally specify and verify software requirements for reactor protection systems (RPS) for the Advance Power Reactor-1400 (APR-1400) [7] . During the design and implementation phases, programmable logical controllers (PLC) software were written in IEC 61131-3 function block diagram (FBD) [8] , and software safety was verified thoroughly. Each release of FBDs becomes official only when authorities have verified the software; two types of formal verification, model checking [6] and equivalence checking, were applied to our FBDs. While the former examined whether or not FBD meets required properties, the latter determined behavioral equivalence between two FBD revisions. Units of equivalence checking can vary from a small module to a whole system, and verification tasks fulfill various needs of FBD programmers and safety engineers. Formal verification contributes to the demonstration of the software safety of PLC programs written in FBD.
This paper proposes how the Verification Interacting with Synthesis (VIS) system [9] can automatically verify FBDs. VIS is widely used in hardware analysis, and with its Verilog [10] front-end, it is also suitable for software analysis. VIS supports computational tree logic (CTL) model checking [11] , language emptiness checking, combinational and sequential equivalence checking, cycle-based simulation, and hierarchical synthesis. Although we explored the possibility of using VIS's sequential equivalence checking and simulation to verify FBD programs for the Advance Power Reactor-1400 (APR-1400) RPS, we chose Cadence Symbolic Model Verifier (SMV) [12] for model checking because VIS's CTL model checking has restrictions when specifying properties [13, 14] .
To enable VIS's equivalence checking using VIS, we first defined the semantics of FBD as a state transition system and developed rules for translating FBDs into semantically equivalent Verilog. We also implemented
VERIFICATION OF PLC PROGRAMS WRITTEN IN FBD WITH VIS
JUNBEOM YOO, SUNGDEOK CHA 1* and EUNKYOUNG JEE the FBD Verifier 1.1 [13] software tool to automate the translation and then used it on a subset of FBDs for APR-1400's RPS. We found VIS equivalence to be effective. This paper is organized as follows. Section 2 provides background information on FBD and Verilog in brief. A small translation example from FBD to Verilog is introduced. In Section 3, we formally define the FBD as a state transition system and explain the rules used to translate FBDs into Verilog. Section 4 reports an experiment conducted on a subset of FBDs for APR-1400's RPS with VIS equivalence checking. Section 5 discusses related work on PLC program verification, and Section 6 concludes.
BACKGROUND

FBD Programming
The IEC 61131-3 [8] to our discussion are illustrated in Fig. 1 . The behavior of a function block is intuitive as their names imply: ADD, AND, SEL, etc.
A portion of FBD for fixed set-point rising trip logic in an RPS BP (Bistable Processor) for APR-1400 is shown in Fig. 2 . It creates a warning signal, th_X_Pretrip, when the trip (e.g. reactor shutdown) condition remains true for k_Trip_Delay units of time as implemented in the TOF function block. The number in parenthesis above each function block denotes execution order. The output th_Prev_X_Pretrip from MOVE stores the current value of th_X_Pretrip for use in the next execution cycle. The TOF function block also maintains internal variables to store timing information.
Verilog Programming
Verilog is one of the most common hardware description languages (HDLs) used by integrated circuit (IC) designers. Verilog's increasing use in the specification of software logic for process control systems is clear when one considers that designs described in Verilog are technology independent, easy to develop and debug, and are considered more readable than schematics. Verilog has several variable types. A wire, similar to a physical wire in a circuit, is used to connect software development modules. Wires do not store their values. They are driven by continuous assignment statements or by connecting them to other module's outputs. Conversely, regs, used in procedural assignment blocks beginning with always, represent data objects that hold their value between execution cycles. Fig. 3 shows a Verilog program translated from the FBD from Fig. 2 according to the translation rules described in Section 3. They both show the same behavior as our analyses and experiments verified. There are two inputs (i.e. f_X and th_Prev_X_Pretrip) and two outputs (i.e. th_X_Pretrip and th_Prev_X_Pretrip). As input prefixes "k_" indicate constants, they are not considered input variables. Th_Prev_X_Pretrip is used as both input and output. Since it stores the value of th_X_Pretrip using the MOVE function block in FBD, we defined it as a reg variable in lines (8) and (32). FBD's output, th_X_Pretrip, is produced in the assign statements (12)~(18) by composing several function blocks in FBD. It also uses the timer variable to emulate a TOF function block, which we emulate with procedural assignments using always statements (19)~(31). We restricted the number of TOF internal states to six in this example as defined in (1) . In addition, we used the clk variable, reserved for simulation purposes in VIS, to simulate cyclic executions of the PLC. Thus, the Verilog module defined in Fig. 3 is executed every clk-usually 15 to 50 ms.
TRANSLATION FROM FBD INTO VERILOG
IEC 61131-3 FBD is a network of function blocks executed sequentially according to a (their) predefined order. In this section, we define the FBD programming language as a state transition system and propose FBDVerilog translation rules in a bottom-up manner. Section 3.1 explains function block translation, which is a unit of FBDs, and Section 3.2 explains component FBD translation. The translation of system FBD is introduced in Section 3.3. Unlike "primitive" function blocks whose translation rules are straightforward, some FBD features cannot be mapped directly. Such issues are described in subsection 3.4.
Function Block Translation
A function block is defined as a tuple composed of Name, input ports IP, output ports OP, and its behavior description BD as defined in Def. 1. IP and OP are the official terms used in IEC 61131-3. The behavior of a function block is defined as a set of predicates and assignments on input and output ports, respectively. A function block is a function from a set of input variables, which are assigned to input ports of the function block, to (usually) one output variable, which is assigned to one output port.
Definition 1 (Function Block)
A function block is defined as a tuple FB = < Name, IP, OP, BD >, where Name: a name of function block IP: a set of input ports, {ip1, ip2, … , ipn} OP: a set of output ports, {op1} BD: behavioral description ∑(pFB, aFB), where -pFB : a predicate on IP -aFB : assignments on OP Let VFB-I = {v1, v2, ..., vn} be a set of function block input variables which has n input ports, and VFB-O = {vo} be a set of function block output variables. If we define Ii as a set of input domains of the input variable vi (1<=i<=n) and IFB = I1 I2 ... In, and also OFB = Oo in the same way, then a function block is defined as follows: fFB: IFB OFB
The five rules shown below define how to translate a function block into an equivalent Verilog function. The translation rules are straightforward because there exists little semantic gap between the two. They both receive inputs, process data, and emit outputs. The output port type (i.e. Boolean, integer, or bit vector) determines the corresponding Verilog function type as Rule 1. Explicit type conversion might be needed when the output type of a function block is not supported by Verilog, i.e. real type variables. Similarly, each input and its type is declared as described in Rule 2. Function behavior is translated next as shown in Rules 3 and 4. As an example, Fig. 4 illustrates how the SUB and SEL function blocks are translated into Verilog.
Unlike simple function blocks, translation rules are more complex when it comes to timer operations. One must use reg type variables to track internal information. In addition, a timer's internal variable has to have discrete bounds. As a Verilog function cannot hold procedural assignments that treat reg variables, we use Verilog module feature instead.
Component FBD Translation
A Component FBD is a logical block of independent function blocks to which a number of function blocks are interconnected to generate meaningful outputs. Fig. 2 To produce optimal Verilog code, the use of Verilog functions must be avoided when equivalent expressions exist. For example, GE_INT in Fig. 2 can be translated into the built-in "f_X >= k_X_Pretrip_Setpoint" expression or a user-defined function GE_INT; the former translation is preferred. Fig. 3 shows how Rules 1 through 12 are applied to the FBD shown in Fig. 2 . Complete technical details are available elsewhere [15] .
System FBD Translation
The whole FBD software system is composed of a number of component FBDs and their interconnections. A System FBD defines the whole software system as a tuple composed of component FBDs Component_FBD, a set of transitions T between component FBDs, a set of input ports I, and a set of output ports O as defined in Def. 3. 
Practical Considerations on Translation Rules
When applying the above rules to large and complex real-world situations, the following guidelines are useful. First, one must distinguish "intermediate" FBD outputs from "externally visible" FBD outputs. That is, outputs of FBD subsystems must not be mapped as output variables. Rather, they must be declared as "internal" reg variables in the higher-level Verilog modules. Variable th_Prev_X_ Pretrip in Fig. 2 is such an example. Correctness on data dependency and proper ordering among the outputs of FBD subsystems are critical in translation.
Second, the translation of timer blocks (e.g. TOF and TON) requires synchronization between the global system clock, clk, and multiple local clocks. Fig. 6 describes a template for translating a TOF function block, which has IN and DELAY as inputs, and OUT and TIME as outputs. IN is an input Boolean variable, and DELAY is a variable specifying time delay. OUT is an output Boolean variable, and TIME represents the elapsed time of its internal timer. Output value OUT is 0 if input IN remained 0 during DELAY time periods since input IN changed from 1 to 0. Otherwise, the output is 1. The TOF described in Fig.  6 has up to 3 bits delay, or 2 3 =8 clock time. Output TIME is excluded in the Verilog code because it is used to monitor elapsed time of the local timer for simulation and debugging purposes only. The local clock of the timer is synchronized with the global clock clk using the "always @(posedge clk) begin"' statement. Each timer block can be declared as a separate Verilog module, and the behavior of multiple timers can be unfolded within the component FBD's definition as shown in Fig. 3 .
Third, one must be careful in deciding the number of bits used to represent timer delay values. Larger values exponentially increase the number of states to be explored. In the worst case, state explosion may occur in SMV model checking or VIS equivalence checking. Other blocks (e.g. Bistable or Counters) share the same issue.
VIS EQUIVALENCE CHECKING
We applied the proposed translation techniques to a subset of FBDs [16] for APR-1400's RPS BP currently under development in Korea and performed VIS equivalence checking on them. As the safety of APR-1400's RPS must be rigorously demonstrated, regulatory bodies strongly recommend that formal verification techniques be used. While model checking verifies whether or not FBD meets required properties, it is inadequate for verifying the behavioral equivalence between two FBD versions. On the other hand, VIS equivalence checking is particularly useful for checking if FBD design optimizations do not introduce errors.
In order to evaluate the effectiveness of the proposed approach, we conducted a case study using a subset of the preliminary version of bistable processor (BP) design. BP, as a part of a reactor protection system, is large and complex in that its design specifications, Rev. 02 released in 2006, consist of 1,355 function blocks and 1,038 variables; when translated using FBD Verifier 1.1, the Verilog program was 7,862 lines long. Section 4.1 introduces an overview of the VIS equivalence checking process, and the detailed experimental results are explained in Section 4.2. Fig. 7 shows an overview of the VIS equivalence checking process. FBD designs are programmed with the pSET [17] commercial engineering tool developed by the PLC vendor POSCON. The designs are subsequently compiled into executable code. FBD Verifier 1.1 translates the design into equivalent Verilog programs in ".v"' format. As the VIS verification system has no graphical user interface, we executed the VIS in a Cygwin environment where equivalence checking was performed. A program (vl2mv [18] ) in the VIS verification system translates Verilog programs from the ".v" into the ".mv"' format, which VIS can read and analyze. If any evidence of inequivalence is found, VIS generates a counterexample illustrating how changes on values of various variables lead to different behavior.
An Overview of Verification Process
Experimental Result
We performed the proposed automatic verification on a subset of FBDs for APR 1400's RPS BP. The FBD is depicted in Fig. 2 . It is an important part of BP logics, and was excerpted from a preliminary release of FBDs [16] for the purpose of this experiment. A different version of FBD is shown in Fig. 8 . It should have the same behavior as the FBD in Fig. 2 because it was mechanically synthesized from the same NuSCR requirements specification [19] using a synthesis technique previously reported [20] . Synthesis version allows FBD engineers to validate manually developed and optimized FBD programs even if the synthesized FBDs do not become part of an official release.
When VIS equivalence checking was performed, to our surprise, VIS determined the behaviors of the two FBD programs to be different and generated a seven-step counterexample (Fig. 9) 2 . For example, on transition from state 0 to 1, the value of "timer" changed from "T0" to "T1." Such changes are caused by the input f_X of "1011110." According to the counter-example, the inequivalence occurred when the pretrip fired (th_Prev_X_Pretrip = 0 in state 6), and then the pretrip condition was released in the next state 7 on input "0010110." As the VIS counterexample does not show different output values explicitly in the final state, we must use the simulation facility of VIS to fully investigate the cause for the in-equivalence and fix the errors.
Although the details are beyond the scope of this paper, the SEL function block numbered (15) in Fig. 2 has G input wired to th_Prev_X_Pretrip. It means that if the value is 1 then it is currently in a normal state, otherwise it is in a pretrip state. Although Timer function blocks should not be used when the system is in a pretrip state (i.e., th_Prev_X_Pretrip = 0), TOF timer block numbered (16) is executed after the SEL function block. Such redundant use of the TOF timer gave rise to different behavior, and domain engineers fixed the error by separating the TOF block so that it is used only when the system is in the normal state. Fig. 10 shows the modified FBD in which the computation on the TOF block takes prior to that of the SEL block. The VIS equivalence checking result was also a success (Fig. 11) . The modified FBD was used in later releases.
We also applied VIS equivalence checking to the FBDs for "manual reset variable set-point trip logic" of the APR-1400 RPS BP, which is more complex than the "fixed set-point rising trip logic" used above. We found several critical errors in both the manually developed and the synthesized FBD versions (Table 1 ). In addition to syntactic and trivial mistakes made by FBD engineers, we also detected several logical errors, which included some critical discrepancies between the two FBDs. Such errors could not easily be solved by changing the order of the function blocks or by replacing them. We even found logical errors in the NuSCR requirements specification [19] . All errors were fixed, and the requirements and design specification documents were updated. As mentioned earlier, analyzing the results of VIS equivalence checking counterexamples is often time prohibitive for FBD engineers and verifiers. VIS is executed in Cygwin or Linux environments in text mode, and the counterexample generated contains a lot of value information at the bit-level. We also had to rely on VIS's simulation to understand the output of FBDs. Even though VIS's equivalence checking is an efficient and useful automatic verification technique, the above obstacles render its widespread use in developing FBD programs difficult. We are currently developing a tool to assist visual Fig. 12 shows an interface design of a VIS Analyzer 0.8 prototype. Fig.  12a shows two Verilog programs read, and Fig. 12b is a result of the automatic execution of several VIS operations, i.e. vl2mv, seq_verify, and simulate.
RELATED WORK
Many approaches, including a PLCTOOLS tool-set [22] , for the formalization of PLC programs written in LD, ST, and FBD indented for formal verification, validation, and simulation exist in the literature [21] . FBD programs are modeled with high-level timed petri nets (HLTPN), and those nets are then used for design validation and code generation. MATLAB/SIMULINK provides a means for specifying and simulating plants. While PLCTOOLS focuses on designing, simulation, and PLC code generation, it does not support formal verification such as VIS equivalence checking.
Higher order logic (HOL) has been used to model requirements specifications [23] . There are no restrictions on data types in this approach since function blocks are modeled as relations on HOL streams. The Verilog we use has several restrictions on data types, i.e. Verilog has no real number type variables. It treats time implicitly, [25] interactions were defined between controllers and overall systems (plants) using FBDs; they were formalized [26] with a single-net systems (SNS) [27] model. The controller code was defined in FBD format, and the overall system was organized in IEC 61499 function blocks. In this approach, the complete structure is automatically translated into an SNS model using the Verification Environment for Distributed Environment (VEDA) tool. For the combined plant-controller model, model checking was performed using Singal/Event System Analyzer (SESA) [28] . While VIS equivalence checking verifies FBD programs from a unit module to a whole system, it focuses on the interactions between IEC 61499 function blocks, which correspond to subsystems and not detailed IEC 61131-3 function block diagrams.
In case of the automatic formal verification model checking of Verilog programs, there are several approaches using different model checkers. We have used the SMV model checker as previously implemented and experimented upon [13, 14] . As explained in Section 1, VIS's CTL model checking has some rigorous restrictions. We used Cadence SMV's LTL model checking to avoid them. CBMC [29] checks Verilog for consistency with ANSI-C programs. VCEGAR [30] performs model checking on Verilog using a counterexample guided abstraction refinement framework. However, these approaches have not yet been applied to the development of safety-critical software in industry except for the SMV approach.
CONCLUSION AND FUTURE WORK
This paper described effective use of VIS, a well-known verification tool, for automated software verification of PLC programs written in FBD. We formally defined FBD semantics as a state-transition system, developed translation rules from FBD to Verilog programs, implemented FBD Verifier 1.1 software tool to automate the translation, and performed VIS verification-equivalence checking on a subset of FBDs currently under development for an APR-1400 nuclear power reactor. The case study demonstrated that behavioral equivalence checking using VIS is an effective and useful verification technique that can easily be used in developing PLC programs.
As we perform VIS equivalence checking in Cygwin or Linux environment in text mode, automating the verification process and visualizing analysis results including VIS simulation would promote its applicability and usability remarkably. We also introduced a prototype tool design. We are planning on developing a tool suite supporting development, verification, and safety analysis throughout entire lifecycle phases from requirements specification to implementation.
