
    Software Verification for Programmable Logic Controllers

    Programmable logic controllers (PLCs) hold a large share of automation control. Their programming languages, however, grew out of historical needs and do not follow state-of-the-art programming concepts. Moreover, programming is mostly done by the designers of the control systems themselves. Together, these factors lead to erroneous software and, worse, unsafe control systems. In this work we focus on software verification for PLCs. For two selected programming languages, Sequential Function Charts (SFC) and Instruction List (IL), we discuss semantic issues as well as verification approaches. For SFCs we develop a model checking framework, while for IL we propose static analysis techniques, namely a combination of data flow analysis and abstract interpretation. Several case studies corroborate our approach.

    Formal Verification, Engineering and Business Value

    How can automated verification technology such as model checking and static program analysis be applied to millions of lines of embedded C/C++ code? How can this technology be packaged so that it can be used by software developers and engineers who may have no background in formal verification? And how can business managers be convinced to actually pay for such software? This work addresses a number of these questions. Based on our own experience in developing and distributing the Goanna source code analyzer for detecting software bugs and security vulnerabilities in C/C++ code, we explain the underlying technology of model checking, static analysis and SMT solving, the steps involved in creating industrial-proof tools

    SFEDL’04 Preliminary Version Semantics and Analysis of Instruction List Programs Abstract

    Instruction List (IL) is a simple typed assembly language commonly used in embedded control. There is little tool support for IL and, although it is defined in the IEC 61131-3 standard, it has no formal semantics. In this work we develop a formal operational semantics. Moreover, we present an abstract semantics which allows approximate program simulation for a (possibly infinite) set of inputs in one simulation run. We also extend this framework to an abstract-interpretation-based analysis, which is implemented in our tool Homer. All of these analyses can be carried out without knowledge of formal methods, which is typically not present in the IL community.
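    As an added illustration of the abstract semantics described in this abstract, and of the data-flow/abstract-interpretation combination proposed for IL two entries above, the following Python script runs a whole range of inputs through a small IL program in one pass using an interval domain. It is an example written for this page, not the Homer tool and not the paper's own semantics. It assumes integer variables, PLC memory zeroed at start-up, and only the instructions LD, ST, ADD, SUB, GT, LT, JMP and JMPC; the IL program and the input range are constructed for the demonstration.

```python
"""Interval abstract interpretation of an IEC 61131-3 Instruction List subset.
Added example, not the Homer tool.  Assumptions: integer variables, memory
zeroed at start, only LD/ST/ADD/SUB/GT/LT/JMP/JMPC."""
from dataclasses import dataclass
from typing import Optional
import math

INF = math.inf


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float
    def join(self, o): return Interval(min(self.lo, o.lo), max(self.hi, o.hi))
    def meet(self, o): return Interval(max(self.lo, o.lo), min(self.hi, o.hi))
    def widen(self, o):  # jump unstable bounds to +/-inf so loops reach a fixpoint
        return Interval(self.lo if o.lo >= self.lo else -INF,
                        self.hi if o.hi <= self.hi else INF)
    def __add__(self, o): return Interval(self.lo + o.lo, self.hi + o.hi)
    def __sub__(self, o): return Interval(self.lo - o.hi, self.hi - o.lo)


@dataclass(frozen=True)
class State:
    vars: tuple             # sorted (name, Interval) pairs
    cr: Interval            # IL current-result register (booleans as [0,1])
    cr_src: Optional[str]   # variable CR was loaded from, if unmodified since
    guard: Optional[tuple]  # (var, 'GT'|'LT', const) left by a comparison


def is_const(a): return a.lstrip('-').isdigit()
def get(s, v): return dict(s.vars)[v]


def put(s, v, iv):
    d = dict(s.vars); d[v] = iv
    return State(tuple(sorted(d.items())), s.cr, s.cr_src, s.guard)


def join(a, b, widen=False):
    da, db = dict(a.vars), dict(b.vars)
    op = (lambda x, y: x.widen(y)) if widen else (lambda x, y: x.join(y))
    return State(tuple(sorted((v, op(da[v], db[v])) for v in da)), op(a.cr, b.cr),
                 a.cr_src if a.cr_src == b.cr_src else None,
                 a.guard if a.guard == b.guard else None)


def parse(src):
    """'label: OP operand ; comment' lines -> [(OP, operand)], {label: pc}."""
    prog, labels = [], {}
    for raw in src.splitlines():
        line = raw.split(';')[0].strip()
        if ':' in line:
            label, line = line.split(':', 1)
            labels[label.strip()] = len(prog)
        parts = line.split()
        if parts:
            prog.append((parts[0].upper(), parts[1] if len(parts) > 1 else None))
    return prog, labels


def refine(s, taken):
    """Narrow the compared variable along the branch actually followed (integers)."""
    if s.guard is None:
        return s
    v, op, c = s.guard
    if op == 'GT':
        bound = Interval(c + 1, INF) if taken else Interval(-INF, c)
    else:
        bound = Interval(-INF, c - 1) if taken else Interval(c, INF)
    return put(State(s.vars, s.cr, s.cr_src, None), v, get(s, v).meet(bound))


def step(prog, labels, pc, s):
    """Abstract transfer function: successors of (pc, state)."""
    op, arg = prog[pc]
    val = lambda: Interval(int(arg), int(arg)) if is_const(arg) else get(s, arg)
    if op == 'LD':
        return [(pc + 1, State(s.vars, val(), None if is_const(arg) else arg, None))]
    if op == 'ST':
        return [(pc + 1, put(s, arg, s.cr))]
    if op in ('ADD', 'SUB'):
        return [(pc + 1, State(s.vars, s.cr + val() if op == 'ADD' else s.cr - val(), None, None))]
    if op in ('GT', 'LT'):  # which truth values can the comparison produce?
        c = int(arg)
        t, f = (s.cr.hi > c, s.cr.lo <= c) if op == 'GT' else (s.cr.lo < c, s.cr.hi >= c)
        guard = (s.cr_src, op, c) if s.cr_src else None
        return [(pc + 1, State(s.vars, Interval(0 if f else 1, 1 if t else 0), None, guard))]
    if op == 'JMP':
        return [(labels[arg], s)]
    if op == 'JMPC':
        outs = []
        if s.cr.hi >= 1: outs.append((labels[arg], refine(s, True)))   # jump feasible
        if s.cr.lo <= 0: outs.append((pc + 1, refine(s, False)))       # fall-through feasible
        return outs
    raise ValueError(f'unsupported instruction {op}')


def analyze(src, inputs):
    """Simulate the program for every input in `inputs` at once; return final intervals."""
    prog, labels = parse(src)
    names = {a for o, a in prog if a and o not in ('JMP', 'JMPC') and not is_const(a)}
    init = {v: Interval(0, 0) for v in names}      # assumption: PLC memory zeroed
    init.update(inputs)
    heads = {labels[a] for i, (o, a) in enumerate(prog) if o in ('JMP', 'JMPC') and labels[a] <= i}
    states, work = {0: State(tuple(sorted(init.items())), Interval(0, 0), None, None)}, [0]
    while work:                                     # worklist fixpoint over program points
        pc = work.pop()
        if pc >= len(prog):
            continue
        for npc, ns in step(prog, labels, pc, states[pc]):
            if any(iv.lo > iv.hi for _, iv in ns.vars):
                continue                            # infeasible path, drop it
            new = ns if npc not in states else join(states[npc], ns, widen=npc in heads)
            if new != states.get(npc):
                states[npc] = new
                work.append(npc)
    end = states.get(len(prog))
    return dict(end.vars) if end else None


# Constructed IL program: y := x + 10 if x <= 50 else x - 50; out := y
IL_PROGRAM = """
      LD   x
      GT   50
      JMPC high
      LD   x
      ADD  10
      ST   y
      JMP  done
high: LD   x
      SUB  50
      ST   y
done: LD   y
      ST   out
"""

if __name__ == '__main__':
    print(analyze(IL_PROGRAM, {'x': Interval(0, 100)}))
```

    One run with x in [0,100] yields out in [1,60], which is exact for this program because the JMPC transfer narrows x on each branch. Loops are handled by widening at jump targets, so the analysis always terminates, at the price of precision: a counting loop that exits on `LT 10` ends with its counter in [10,+inf] rather than [10,10]. A narrowing pass, which the script leaves out, would recover the tight bound.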

    Verifying Timing Aspects of VHS Case Study 1

    This paper deals with exception handling for VHS Case Study 1. A number of orthogonal timing constraints define a challenging control problem. We examine it using timed automata for modeling, and Kronos and HyTech for model checking. Additionally, we approach it using timed condition/event systems as the basic model and analyze these by transforming them automatically into Kronos input and checking them at that level.
    1 Introduction
    Safety-critical systems have long been the main motivation for applying formal methods. A major reason is that in this field a failure can easily lead to large financial losses or even loss of life. In recent years a number of modeling frameworks have emerged, as well as various tools supporting the specification and verification of these systems. In this paper we focus on two modeling approaches coming from different origins. One is the theory of timed automata [AD94], widely used in the computer science community, and the othe..

    Towards Automatic Verification of Embedded Control Software

    The language Sequential Function Charts (SFC) is a programming and structuring language for programmable logic controllers (PLC). It is defined in the IEC 61131-3 standard and includes various interesting concepts such as parallelism, hierarchy, priorities, and activity manipulation. Although SFCs are widely used in the engineering community for programming and designing embedded control systems, there are hardly any verification approaches specific to them. Existing approaches for Petri nets, Grafcets, or (UML) statecharts do not directly apply to SFCs, whose structures are similar but include distinct features. In this work we present a method to model-check SFCs. This is done by defining a translation of SFCs into the native language of the Cadence Symbolic Model Verifier (CaSMV). This translation is specifically tailored to cover all the concepts of SFCs and can be performed automatically. Moreover, we demonstrate our approach by applying it to a control process in chemical engineering.