PLCverif: Status of a Formal Verification Tool for Programmable Logic Controller

Programmable Logic Controllers (PLC) are widely used for industrial automation including safety systems at CERN. The incorrect behaviour of the PLC control system logic can cause significant financial losses by damage of property or the environment or even injuries in some cases, therefore ensuring their correct behaviour is essential. While testing has been for many years the traditional way of validating the PLC control system logic, CERN developed a model checking platform to go one step further and formally verify PLC logic. This platform, called PLCverif, first released internally for CERN usage in 2019, is now available to anyone since September 2020 via an open source licence. In this paper, we will first give an overview of the PLCverif platform capabilities before focusing on the improvements done since 2019 such as the larger support coverage of the Siemens PLC programming languages, the better support of the C Bounded Model Checker backend (CBMC) and the process of releasing PLCverif as an open-source software.Comment: 18th International Conference on Accelerator and Large Experimental Physics Control Systems (ICALEPCS2021

Are congenital malformations more frequent in fetuses with intrahepatic persistent right umbilical vein? A comparative study

Objective Persistent right umbilical vein (PRUV) is a vascular anomaly where the right umbilical vein remains as the only conduit that returns oxygenated blood to the fetus. It has classically been described as associated with numerous defects. We distinguish the intrahepatic variant (better prognosis) and the extrahepatic variant (associated with worse prognosis). The objective of this study was to compare rates of congenital malformations in fetuses with intrahepatic PRUV (I-PRUV) versus singleton pregnancies without risk factors. Materials and Methods A multicenter, crossover design, comparative study was performed between 2003 and 2013 on fetuses diagnosed with I-PRUV (n = 56), and singleton pregnancies without congenital malformation risk factors (n = 4050). Results Fifty-six cases of I-PRUV were diagnosed (incidence 1:770). A statistically significant association between I-PRUV and the presence of congenital malformations (odds ratio 4.321; 95% confidence interval 2.15–8.69) was found. This positive association was only observed with genitourinary malformations (odds ratio 3.038; 95% confidence interval 1.08–8.56). Conclusion Our rate of malformations associated with I-PRUV (17.9%) is similar to previously published rates. I-PRUV has shown a significant increase in the rate of associated malformations, although this association has only been found to be statistically significant in the genitourinary system. Noteworthy is the fact that this comparative study has not pointed to a significant increase in the congenital heart malformation rate. Diagnosis of isolated I-PRUV does not carry a worse prognosis

A Configurable CEGAR Framework with Interpolation-Based Refinements

International audienceCorrectness of software components in a distributed system is a key issue to ensure overall reliability. Formal verification techniques such as model checking can show design flaws at early stages of development. Abstraction is a key technique for reducing complexity by hiding information, which is not relevant for verification. Counterexample-Guided Abstraction Refinement (CEGAR) is a verification algorithm that starts from a coarse abstraction and refines it iteratively until the proper precision is obtained. Many abstraction types and refinement strategies exist for systems with different characteristics. In this paper we show how these algorithms can be combined into a configurable CEGAR framework. In our framework we also present a new CEGAR configuration based on a combination of abstractions, being able to perform better for certain models. We demonstrate the use of the framework by comparing several configurations of the algorithms on various problems, identifying their advantages and shortcomings

Transforming PLC Programs into Formal Models for Verification Purposes

Most of CERN’s industrial installations rely on PLC-based (Programmable Logic Controller) control systems developed using the UNICOS framework. This framework contains common, reusable program modules and their correctness is a high priority. Testing is already applied to find errors, but this method has limitations. In this work an approach is proposed to transform automatically PLC programs into formal models, with the goal of applying formal verification to ensure their correctness. We target model checking which is a precise, mathematical-based method to check formalized requirements automatically against the system

Applying model checking to industrial-sized PLC programs

Programmable logic controllers (PLCs) are embedded computers widely used in industrial control systems. Ensuring that a PLC software complies with its specification is a challenging task. Formal verification has become a recommended practice to ensure the correctness of safety-critical software, but is still underused in industry due to the complexity of building and managing formal models of real applications. In this paper, we propose a general methodology to perform automated model checking of complex properties expressed in temporal logics [e.g., computation tree logic (CTL) and linear temporal logic (LTL)] on PLC programs. This methodology is based on an intermediate model (IM) meant to transform PLC programs written in various standard languages [structured text (ST), sequential function chart (SFC), etc.] to different modeling languages of verification tools. We present the syntax and semantics of the IM, and the transformation rules of the ST and SFC languages to the nuXmv model checker passing through the IM. Finally, two real cases studies of the European Organization for Nuclear Research (CERN) PLC programs, written mainly in the ST language, are presented to illustrate and validate the proposed approach

Modelling and formal verification of timing aspects in large PLC programs

One of the main obstacle that prevents model checking from being widely used in industrial control systems is the complexity of building formal models out of PLC programs, especially when timing aspects need to be integrated. This paper brings an answer to this obstacle by proposing a methodology to model and verify timing aspects of PLC programs. Two approaches are proposed to allow the users to balance the trade-off between the complexity of the model, i.e. its number of states, and the set of specifications possible to be verified. A tool supporting the methodology which allows to produce models for different model checkers directly from PLC programs has been developed. Verification of timing aspects for real-life PLC programs are presented in this paper using NuSMV

Formal verification of complex properties on PLC programs

Formal verification has become a recommended practice in the safety-critical application areas. However, due to the complexity of practical control and safety systems, the state space explosion often prevents the use of formal analysis. In this paper we extend our former verification methodology with effective property preserving reduction techniques. For this purpose we developed general rule-based reductions and a customized version of the Cone of Influence (COI) reduction. Using these methods, the verification of complex requirements formalised with temporal logics (e.g. CTL, LTL) can be orders of magnitude faster. We use the NuSMV model checker on a real-life PLC program from CERN to demonstrate the performance of our reduction techniques

Bringing Automated Model Checking to PLC Program Development - A CERN Case Study

Verification of critical software is a high priority but a challenging task for industrial control systems. Model checking appears to be an appropriate approach for this purpose. However, this technique is not widely used in industry yet, due to some obstacles. The main obstacles encountered when trying to apply formal verification techniques at industrial installations are the difficulty of creating models out of PLC programs and defining formally the specification requirements. In addition, models produced out of real-life programs have a huge state space, thus preventing the verification due to performance issues. Our work at CERN (European Organization for Nuclear Research) focuses on developing efficient automatic verification methods for industrial critical installations based on PLC (Programmable Logic Controller) control systems. In this paper, we present a tool generating automatically formal models out of PLC code. The tool implements a general methodology which can support several input languages, like the PLC programming languages defined in the IEC 61131 standard, as well as the model formalisms of different model checker tools. The tool supports the three main stages of model checking: system modelization, requirement formalization and counterexample analysis. In addition, a verification case study of a PLC program, written in Structured Text (ST) language implemented at CERN is described. The paper shows that the verification process is automatized and supported by the proposed tool, thus its difficulty is completely hidden for the control engineer

Automated Generation of Formal Models from ST Control Programs for Verification Purposes

In large industrial control systems such as the ones installed at CERN, one of the main issues is the ability to verify the correct behaviour of the Programmable Logic Controller (PLC) programs. While manual and automated testing can achieve good results, some obvious problems remain unsolved such as the difficulty to check safety or liveness properties. This paper proposes a general methodology and a tool to verify PLC programs by automatically generating formal models for different model checkers out of ST code. The proposed methodology defines an automata-based formalism used as intermediate model (IM) to transform PLC programs written in ST language into different formal models for verification purposes. A tool based on Xtext has been implemented that automatically generates models for the NuSMV and UPPAAL model checkers and the BIP framework