Verification of Plc Programs Written in Fbd with Vis

Software safety [1] is an important issue for embedded real-time control systems such as those found in nuclear power plants. When verifying safety-critical software, formal methods [2] play critical roles in demonstrating compliance to regulatory requirements. The Korea Nuclear Instrumentation & Control System R&D Center (KNICS) [3] project used the NuSCR [4] formal specification language and tool-set [5] to formally specify and verify software requirements for reactor protection systems (RPS) for the Advance Power Reactor-1400 (APR-1400) [7]. During the design and implementation phases, programmable logical controllers (PLC) software were written in IEC 61131-3 function block diagram (FBD) [8], and software safety was verified thoroughly. Each release of FBDs becomes official only when authorities have verified the software; two types of formal verification, model checking [6] and equivalence checking, were applied to our FBDs. While the former examined whether or not FBD meets required properties, the latter determined behavioral equivalence between two FBD revisions. Units of equivalence checking can vary from a small module to a whole system, and verification tasks fulfill various needs of FBD programmers and safety engineers. Formal verification contributes to the demonstration of the software safety of PLC programs written in FBD. This paper proposes how the Verification Interacting with Synthesis (VIS) system [9] can automatically verify FBDs. VIS is widely used in hardware analysis, and with its Verilog [10] front-end, it is also suitable for software analysis. VIS supports computational tree logic (CTL) model checking [11], language emptiness checking, combinational and sequential equivalence checking, cycle-based simulation, and hierarchical synthesis. Although we explored the possibility of using VIS's sequential equivalence checking and simulation to verify FBD programs for the Advance Power Reactor-1400 (APR-1400) RPS, we chose Cadence Symbolic Model Verifier (SMV) [12] for model checking because VIS's CTL model checking has restrictions when specifying properties [13,14]. To enable VIS's equivalence checking using VIS, we first defined the semantics of FBD as a state transition system and developed rules for translating FBDs into semantically equivalent Verilog. We also implemented VERIFICATION OF PLC PROGRAMS WRITTEN IN FBD WITH VIS