Abstract-Industrial automation systems are commonly obliged to comply with correctness requirements and safety standards. Testing and simulation are traditionally used to ensure this compliance. For mission-critical applications, formal verification and model checking in particular are also used, but such techniques are computationally intensive and difficult to apply in practice. This paper searches for synergies between testing and model checking by generalizing an earlier proposed formal test modeling framework. It presents a technique of testing automation systems with the use of model checking, which now supports multiple model checking environments and a more generic test case representation. The proposed technique is applied on a case study involving a simple safety-critical system with timing requirements. Experiments show that the technique is fast despite the use of formal methods and at the same time has several benefits compared to usual testing.
I. INTRODUCTION
Verification and validation are common procedures for industrial automation systems to ensure their reliability and compliance with safety standards such as IEC 61508 [1] . These activities are commonly implemented by means of testing and simulation. In testing [2] , the behavior of control software is checked on predefined scenarios, known as test cases. In simulation [3] , the behavior of the simulation model of the closed-loop system (that is, the one composed of the controller and the plant under control) is examined. As for formal techniques, which are less popular due to their complexity, model checking [4] , [5] can be applied to prove or disprove specifications by exploring the full state space of the system under verification. However, for large-scale systems, model checking is hard to apply due to its high computational complexity.
On the one hand, testing is a popular and ubiquitously used methodology unlike model checking. On the other hand, model checking offers a more comprehensive analysis of the considered automation system. These observations motivate the development of a hybrid approach, which would be as fast and easy to apply as testing, but would provide better means for system analysis.
This work continues the research direction established in [6] , where a testing framework based of the net condition/event systems (NCES) [7] formalism has been proposed. Unlike [6] , the approach presented in this paper is generic 978-1-5090-6505-9/17/$31.00 c 2017 IEEE with respect to the employed formal language. In particular, we apply it together with wide-spread model checking environments SPIN 1 and NuSMV 2 . NCES are not considered due to their limited tool support, but the proposed solution can be applied to formal models of this type as well. Moreover, we use a more general test representation as finite-state machines (FSMs) which is not limited to linear sequences of inputs and required outputs.
The evaluation of the technique on a case study involving a simple safety-critical system in performed on verifiers employing two different model checking approaches: explicitstate (SPIN) and symbolic (NuSMV) model checking. While using explicit model checking for testing is fast, symbolic model checking is shown to be slower, but it scales well in the cases of long test cases and multiple tested controllers. The evaluation also deals with the question of checking test case correctness.
The rest of the paper is structured as follows. Section II reviews related research. Then, Section III explains the proposed approach. This approach is further applied on a case study in Section IV. Finally, Section V concludes the paper.
II. RELATED WORK
This paper is a direct continuation of the work [6] , where a framework for formal modeling of the testing process for automation systems is proposed. In [6] , testing is modeled using the formalism of NCES. While the basic idea of [6] is similar to the one of the present paper, the latter develops the former in two aspects: in terms of supported model languages (the ones with better tool support are used) and by considering a more general test case representation.
In the rest of the section, two related research topics are reviewed: known formal notations to represent test cases and test suites, and model checking together with related concepts.
A. Formal test case representations
The simplest possible representation of a test case is a finite sequence of elements. In [8] , test cases are represented as finite sequences of symbols from a chosen alphabet. Such an approach is sufficient in [8] , since the tested entities in [8] are FSMs without any separation of inputs and outputs. Test suites are represented as trees. A similar representation of test cases is employed in [6] , except that inputs and output are now separated.
In [9] , a formal model of testing is introduced. The implementation of the tested system, its specification and test cases, which are generated based on specification, are formally represented with labeled transition systems (LTS), a class of finite-state models. Essentially, test cases are defined as a sort of state machines, whose transitions are annotated with inputs and outputs and which have special states indicating successful and unsuccessful test completion. Test cases are further constrained to make cycles of ordinary states impossible, which guarantees that tests execution is finite. In contrast, in the present paper this restriction is omitted, which allows infinite test executions, which are treated as test failures unless the special accepting state is reached.
B. Temporal specifications and model checking
Temporal logics [4] , [5] are formalisms which allow expressing specifications over system behaviors formally. The formulas of linear temporal logic (LTL) specify constraints which must be satisfied for every possible system execution. Being an extension of the Boolean propositional logic, LTL additionally includes temporal operators. Assume that system behavior is viewed as a sequence of states. Temporal operators include, but are not limited to the following ones: X refers to the next state, G requires that a certain formula is satisfied always, and F asserts that it is satisfied for some state in the future. As for computation tree logic (CTL), every its temporal operator is annotated with a quantifier E ("there exists a path") or A ("for all paths"). Consequently, the following CTL operators exist: EX, AX, EG, AG, EF, AF.
The problem of model checking refers to checking a temporal property for a chosen model. Formally, such a model is required to be a Kripke structure, but commonly used verifiers such as NuSMV, SPIN and UPPAAL hide these details and allow describing the system in a more natural way. In particular, such languages allow describing the system as a state machine or a system of connected state machines. Depending on the employed algorithms, model checking can be explicitstate (e.g. in SPIN and UPPAAL) and symbolic (NuSMV). Specifically for automation systems, model checking is subdivided into open-loop model checking, which checks only the controller model, and closed-loop model checking [10] which examines the entire system composed of the plant and the controller. A comparison of these techniques can be found in [11] .
III. PROPOSED TECHNIQUE
In this paper, a technique of testing automation systems by means of model checking is proposed. Basically, the proposed technique is composed of the following steps:
1) Controller modeling. The source code of the controller to be tested is transformed to its formal model. This step can be potentially automated, for example using approaches such as [12] - [15] . In the following subsections, we explain each step of the technique in more detail.
A. Controller modeling
At the first stage of the approach, the source code of the controller must be converted into a formal model. In this paper, we assume that the controller is a PLC program: that is, it comprises of a routine which is executed in cycles, the delay between which is constant. Such programs are commonly represented according to the IEC 61131-3 [20] international standard. Potentially, the proposed technique can be applied to distributed applications such as the ones complying with the IEC 61499 [21] standard: this would require considering non-cyclic execution.
Ideally, the source code of the controller (which may be also represented with visual languages such as function blocks and ladder logic) can be transformed to its formal model automatically using approaches such as [12] - [15] . Unfortunately, such approaches are not yet implemented as open tools, so in Section IV of this paper we model the controller manually.
B. Plant modeling
We describe the stage of plant modeling before considering test case models since plant modeling for model checking is an established technique, and our model of test cases will maintain many properties of the plant model.
The model of the plant represents physical and mechatronic aspects of the plant, regardless of its controller. Such a model is required in closed-loop approaches [10] , and many methods of its construction, including automated ones, are known [16] - [19] . In such approaches, the controller model and the plant model are connected together. Since the plant model is often nondeterministic, the closed-loop system becomes nondeterministic as well, which is common in model checking. For the case of PLC applications this means that on each cycle the controller and the plant models exchange values of controller inputs and outputs.
Within the proposed testing technique, the presence of the plant model is optional. The reason for this is the lack of necessity to consider it during the usual process of testing, and since the technique proposed in this paper models this process, the plant model is not required. Nevertheless, this technique is able to benefit from this model in the following ways:
1 
C. Test case modeling
As mentioned in Section II-A, multiple test case representations are known. Since in this paper we limit our attention to PLC software, a test case can be considered as an entity which interacts with the controller under test in the discrete manner, by submitting inputs to the controller and receiving its outputs. Thus, the test case model is similar to the plant model in terms of its interface (inputs and outputs), but there are two important differences between these two types of formal models:
• Test case models must be deterministic, which corresponds to real life.
• Test case models judge whether the controller's behavior is correct or not. The simplest type of models which submits to these requirements is the linear sequence of inputs and required outputs, like the one in [6] . However, such models require concrete behavior from the controller for each input scenario and hence are incapable of checking incomplete specifications. The solution which is applied in this paper is to use deterministic Moore FSMs. Formally, a test case is a tuple (S, s 0 , s a , I, O, T, λ), where S is the finite set of states, s 0 ∈ S is the initial state, s a ∈ S is the accepting state, I and O are the finite sets of controller input value combinations and controller output value combinations respectively, δ : S × O → S is the transition relation, and λ : S → I is the output function. Accepting states are commonly considered in deterministic finite automata (DFA) and not in FSMs, but their necessity here is explained by the need to check the controller's correctness: if and only if this state is eventually reached during the test-and-controller interaction, then the test case is passed. Otherwise, the test case is failed.
An example of a test case model visually represented as an FSM is shown in Fig. 1 . Later such FSMs will be expressed using the formal languages of SPIN and NuSMV verifiers.
D. Formulating temporal specifications
Normally, temporal specifications are formulated for either the controller or the closed-loop system to be checked on its entire state space. Model checking, however, is typically a time-consuming procedure. Within the testing technique proposed in this paper, such temporal specifications are suggested to be checked only on execution scenarios specified by test cases. This approach does not reach the level of dependability achieved by ordinary model checking, but allows checking temporal properties for complicated controllers. Depending on the employed modeling language, temporal properties can be formulated in formal notations such as LTL and CTL. They can be interpreted as an additional test oracle which determines whether the controller behaves correctly on the predefined test scenarios.
E. Model checking
The process of model checking, which can be automatically performed in environments such as NuSMV, SPIN and UPPAAL, is used to achieve three goals.
First, to check whether the selected test case is passed, the inevitability of reaching the accepting state of the test case is checked. This can be expressed as either LTL property F s a or CTL property AF s a . If the test case to be checked is selected nondeterministically, the same properties will check whether the accepting state is reached in all the test cases. If either of the test cases is failed, the corresponding system execution path will be generated by the verifier as a counterexample.
Second, temporal specifications formulated according to Section III-D are checked on test cases. Similarly to the previous case, a counterexample will be generated if either of the test cases is failed.
Third, if the plant model is available, then the validity of a test case can be checked in the following sense: the test case is valid if it enforces the system to produce an input-output behavior which is possible if the test case is replaced with the nondeterministic plant model. To implement such a check, the system of three components (the plant, the controller and the test case models) is considered. The test case model is connected with the controller model with inputs and outputs, as usual, and the plant model is configured to passively accept the outputs of the controller. The test case is valid if and only if the following CTL property is violated:
where n is the number of controller inputs, and i are controller inputs produced by the test and the plant model, respectively. Unfortunately, this property has no representation in LTL, which means that the SPIN model checker is unable to check it. Nevertheless, another explicit-state model checker UPPAAL would be able to check properties like the specified one.
IV. CASE STUDY
The suggested technique has been applied to a case study comprising a fictitious traffic lights system where the controller must comply with certain timing specifications. This system is described below, after which the details of applying the proposed technique are presented.
A. Description and specification
We consider the example of a traffic lights device responsible for regulating traffic in all directions at a crossroads. The overview of the considered system is shown in Fig. 2 . The two orthogonal directions will be further referred to as directions D1 and D2, and the systems of lights for each of the directions will be referred to as T1 and T2. Technically, each of these light systems has six lamps, where each of colors red, yellow and green is visible in opposite directions.
The device is operated with a single PLC. The PLC has two binary traffic intensity sensors T1 INTENSE and T2 INTENSE for directions D1 and D2. The rationale behind these inputs is to provide the traffic lights a means to favor the direction of the most intense traffic. Then, the PLC can be optionally accessed by a human operator, who can switch the system to the manual mode (modeled Once the manual mode is turned off, the system proceeds as if it was at the beginning of a round.
B. Controller
For simplicity we assume that the PLC cycle time equals one second. The controller code was implemented according to the IEC 61131-3 standard in the Structured Text language in CODESYS 3 . It involves six TON (on delay) timers, which are reset at the beginning of each period and are given proper delays. After that, these timers consequently fire and change the lights accordingly. If the program encounters the MANUAL input signal, the timers are reset and the controller displays the colors provided as manual inputs. A part of the described implementation is shown in Fig. 3 .
After the PLC implementation was prepared, the controller has been manually modeled in the languages of NuSMV and SPIN verifiers. In the NuSMV model, each new time step refers to the next PLC cycle, and variable assignments within a cycle are implemented using the technique of static single assignment. In the SPIN model, this is not the case. As a consequence, temporal specifications were altered to make them be effectively checked only after the controller finishes each of its cycles.
C. Plant model
The plant model corresponds to the environment where the PLC operates, which in our case means two entities from 
D. Temporal specifications
Formulated temporal specifications include the requirements for the automatic (i.e. non-manual) mode that: certain color combinations are prohibited; each traffic light always shows exactly one color; colors change in permitted order. For the manual mode, the traffic lights are obliged to show the manually specified colors. These requirements were formulated in LTL for SPIN and in CTL for NuSMV. Exact timing information specified in Section IV-A is not included into the temporal specification since it is difficult to formulate in LTL and CTL. Timing requirements will be checked by test cases described in the next subsection. Several examples of specifications formulated in CTL are provided below: 1) AG(¬MANUAL → ¬(T1 GREEN ∧ T2 GREEN)): "in the automatic mode, both lights shall not show green"; 2) AG(¬MANUAL → T1 GREEN ∨ T1 YELLOW ∨ T1 RED): "in the automatic mode, the first light shall show at least one color"; 3) AG(¬MANUAL → ¬(T1 GREEN ∧ T1 YELLOW)): "in the automatic mode, the first light shall not show green and yellow simultaneously"; 4) AG(T1 GREEN ∧ T2 RED → AU(T1 GREEN ∧ T2 RED, MANUAL ∨ T1 YELLOW ∧ T2 RED)): "in the automatic mode, color combination (green, red) shall only change to (yellow, red), and this change shall eventually happen"; 5) AG(MANUAL → (T1 YELLOW = T1 YELLOW MAN)): "in the manual mode, the first light shall show yellow if and only if the corresponding manual signal is on".
E. Test cases
Test cases for the traffic lights example were prepared based on the methodology of model-based testing (MBT) [22] , wherein test cases are derived from models of system specification, which are prepared independently from the system implementation. Fig. 4 shows the abstract specification of the system represented as a state machine: the traffic lights change their colors in the predefined order, which can be interrupted by manual mode activation. Using the graphwalker 4 tool, a test suite of five abstract test cases was generated to ensure the edge coverage of the state machine from Fig. 4 . Since abstract test cases are only paths in the state machine, they were further concretized to incorporate traffic intensity information and concrete light colors to show in the manual mode. During this concretization, each test case was subdivided into four ones depending on the employed traffic intensities in both directions.
Test cases obtained using MBT, however, were short and did not exercise the system for more than two rounds. Due to this reason, for each combination of traffic intensities, an additional test case was specified manually that required the system to be executed for 250 rounds. Later these tests will be referred to as "long" ones. Considering the length of each round, the length of each "long" test is 12500 PLC cycles, which is roughly equal to 208 minutes. In the next subsection, we will see how model checking speeds up the testing process significantly.
F. Test case execution
The principal part of the evaluation of the proposed approach comprised test case execution by performing model checking. In SPIN, all tests were successfully passed. Among them, the execution time of tests obtained using MBT was around one second, and the execution time of "long" tests was around 2.6 seconds. These results indicate that, despite performing model checking, it is possible to execute tests much faster than in conventional testing.
In NuSMV, the execution of the same test cases took significantly more time. The median execution time of all 24 considered test cases was 18.4 minutes, and the executions of eight tests did not finish within the time limit of one hour. Apparently, the reason for such slow performance is the nature of symbolic model checking, which is performed by NuSMV. While the determinism of the tested formal model makes explicit-state model checking process only one execution path, symbolic model checking has no means to benefit from model's determinism, and hence its execution time still depends on the complexity of the formal model. On the other hand, no significant difference of execution time for long and short tests was observed.
G. Additional checks
Model checking of the temporal properties specified in Section IV-D have been performed on the test cases. In SPIN, each property has been checked for each test case independently. All the checks succeeded, and model checking execution times varied between 1.5 and 2.0 seconds for MBTgenerated test cases and between 2.4 and 4.0 seconds for "long" test cases. In NuSMV, for each test case, all temporal properties were checked in one run of the verifier since it is able to reuse information obtained during property checking. However, only 7 out of 24 NuSMV executions terminated within one hour. When ordinary closed-loop model checking was then performed as well, its execution time was only 45 seconds. Since at the same time model checking with the plant model is more dependable, we conclude that model checking on test cases is not reasonable for symbolic model checkers such as NuSMV.
Then, test validation has been run as described in Section III-E. Due to the lack of CTL support in SPIN, it was performed only in NuSMV. This time, the median model checking time was impossible to estimate since more than 12 NuSMV executions violated the time limit of one hour. We conclude that performing such a check in a symbolic model checking is not worth its purpose; either an explicitstate model checking like UPPAAL should be used, or other means of test validation should be searched for.
Finally, we consider the scenario of testing simultaneously several controllers with small differences. This idea has been inspired by the work [23] . The application of this scenario in real life is testing product lines, where different products are composed of common modules. In our case, we applied a simpler approach: 25 different controllers were obtained by altering two delays of the timers, each of which was configured to have five distinct values. In SPIN, such a check for MBT-generated tests lasted around 1.4-1.8 seconds, and "long" test execution time was around 53-55 seconds. Thus, the time required for model checking grows with the number of checked controllers, which is an expected result for explicitstate model checking. In NuSMV, the median test execution time was 33.6 minutes, and the executions of nine tests did not finish within one hour. Compared to the execution of single controller tests and accounting for the number of tested controllers, these results indicate that symbolic model checking is more suitable for testing controller families than single controllers.
V. DISCUSSION AND CONCLUSIONS
In this paper, which continues the research direction of the work [6] , a technique of testing automation systems using model checking has been proposed. Performing testing on the level of formal models has potential benefits of analyzing the entire system execution if a test case is failed, validating test cases, testing multiple controllers simultaneously, checking temporal specifications on specific system execution paths, and testing timed systems (like the one considered in the case study) without the need of simulating the actual delays in the system.
Among the shortcomings of the technique are the substitution of the original tested controller with its formal model, which might be imprecise, and the lack of open access tools which are able to generate such models automatically. Controller modeling is a general problem of formal methods applied to industrial automation. If the controller is modeled manually, a modeling error can be occasionally made. Then, even if this model is generated automatically (with approaches such as [12] - [15] ), the issue of discretizing real values may arise.
The proposed technique has been evaluated on a case study using two types of model checkers: an explicit-state one (SPIN) and a symbolic one (NuSMV). It has been shown that, despite the use of model checking, which is commonly time consuming, testing using an explicit-state model checker is fast. For a symbolic model checking, test execution times are significantly larger, which makes the application of the technique in this case doubtful. On the other hand, if test cases are long but can be represented in a compact way, and if multiple similar controllers are tested simultaneously, then symbolic model checking is more scalable.
To make the proposed technique useful in industrial practice, the level of automation of its steps must be increased. This concerns automating the generation of formal models of controllers, plants and test suites. Although approaches for this do exist, they are not yet available as user-friendly tools with graphical interface. The very process of testing as model checking needs profound tool support as well -otherwise, the simplicity of testing, which is potentially reachable for the proposed approach, will not be achieved.
Apart from working on the aforementioned practical aspect, future work may involve adding the support of the UPPAAL model checker, modeling timing aspects of systems with timed automata (with the help of UPPAAL), generating test cases based on the plant model, and applying the approach to distributed event-based automation systems, including the ones represented in the IEC 61499 standard.
