PLCverif: A TOOL TO VERIFY PLC PROGRAMS BASED ONMODEL CHECKING TECHNIQUES

Model checking is a promising formal verification method to complement testing in order to improve the quality of PLC programs. However, its application typically needs deep expertise in formal methods. To overcome this problem, we introduce PLCverif, a tool that builds on our verification methodology and hides all the formal verification-related difficulties from the user, including model construction, model reduction and requirement formalisation. The goal of this tool is to make model checking accessible to the developers of the PLC programs. Currently, PLCverif supports the verification of PLC code written in ST (Structured Text), but it is open to other languages defined in IEC 61131-3. The tool can be easily extended by adding new model checkers. INTRODUCTION AND MOTIVATION Operating an accelerator complex to provide facilities for particle physics research involves numerous process control tasks. Many of them (such as cooling and ventilation, cryogenics, gas systems) are controlled by Programmable Logic Controllers (PLCs) at CERN, the European Nuclear Research Organization. As these systems are critical for the operation of CERN, the correctness of the executed PLC applications is a high priority. Testing is a widely used solution to find potential failures in software. However, testing is not an universal solution for the verification of programs, for the following main reasons: • Testing cannot show the absence of bugs, it can only show their presence. • Testing can only check the outputs given by the software under test for some selected input sequences (test inputs). It cannot check efficiently general statements (e.g. “If output FireAlarm is true, then the output NoAlarmPresent should always be false.”) or liveness properties (e.g. “If a request is received, a response will be sent eventually.”). Model checking is a good candidate to complement testing in order to reduce these weaknesses [1]. This paper introduces the high-level concepts of model checking and our proposed solution to incorporate model checking in the PLC software development process. CHALLENGES OF MODEL CHECKING Model checking is a formal verification technique that takes (1) a mathematical model of the system to be checked and (2) a formalized requirement. The model checker algorithms can decide if the given requirement is satisfied for the ∗ E-mail of the corresponding author: [email protected] given model or not. Contrarily to testing, model checking checks all possible executions of the program and reports if any of them violates the requirement. Model checking is also able to generate counterexamples, i.e. input sequences demonstrating the violation of the given requirements. However, model checking is not a silver bullet. There are three main obstacles of using this technique: 1. The model checker tools need a mathematical representation of the program. Constructing them needs lots of effort and experience in the formal methods domain. 2. The requirements should also be formalized for model checking. This is a similarly challenging task. 3. Model checking is computationand memory-intensive. The generated models of the programs are often too large or too complex to be analysed with the available computation capacity. These obstacles are difficult to overcome. The available tools require deep expertise in the formal verification domain. This could be the main reason why model checking is not widely used in industry yet, apart from some highly safetycritical applications in avionics, railway industry, etc. Our goal is to provide a model checking solution for the PLC domain by overcoming the mentioned obstacles. All of them contain both theoretical and technical challenges. In earlier work [2, 3] we have provided solutions for the theoretical obstacles. All these solutions have been incorporated in a tool called PLCverif that makes model checking accessible for the developers in the PLC domain. This paper focuses on this tool and on the bridge between the formal methods and PLC domains. PLCverif: A BRIDGE BETWEEN FORMAL VERIFICATION AND PLC DOMAINS In this section we overview the main features of the PLCverif tool. We focus on the user’s point of view, therefore the structure of this section follows the normal workflow of a user.