
Use of formal methods to verify PLC code and its applicability to safety systems






Presentation Transcript


  1. Use of formal methods to verify PLC code and its applicability to safety systems Borja Fernández Adiego (BE-ICS) Contains Joint work of Enrique Blanco, Jean-Charles Tournier, Daniel Darvas and Gyula Sallai

  2. Context Very brief introduction to Industrial controls and Safety Systems

  3. Safety Systems Industrial controls Supervision S7 Improve the reliability of the PLC programs PLC Control Profisafe Profibus Field

  4. Context Very brief introduction to Formal Methods

  5. What are Formal Methods? Techniques based on mathematics and formal logic, e.g. Petri Nets, B-method, Temporal Logic, Automata, etc. B-method example: MACHINE Switch SETS STATE = {closed, open} VARIABLES state INVARIANT state : STATE INITIALISATION state := open OPERATIONS toggle = IF state = open THEN state := closed ELSE state := open END ; END. Temporal logic example: AG ((a ∧ b) → c)

  6. Where can we use Formal Methods? Different phases of a system development, for example: • Specification and modelling: use of unambiguous languages to describe a system • Simulation: formal models to simulate the behaviour of the real system • Formal verification: formalized properties checked against a formal model • Test or code generation: formal models to generate relevant test cases or the code itself • and more …

  7. Why aren’t Formal Methods widely used? • Using formal methods is more expensive than traditional alternatives in engineering • Real-life system models may be too large to be handled by simulators or model checkers • Using formal methods implies a learning process of the formalism and how to use it

  8. When should/could we use Formal Methods? When the cost of a system failure is higher than the cost of using formal methods Some examples: • Safety critical systems • Damage to the environment, the installation, people • Damage of the reputation of the company/organization • Recommended by the standards (e.g. IEC 61508) • Software library used in many systems • etc. • The most appropriate to describe the behavior of your system • The most appropriate for the final purpose (specification, formal verification, etc.) • A formalism supported by tools (e.g. simulator, model checker, etc.) Which Formal Method should we use?

  9. Some real life examples. Aerospace industry: Brat, G. et al. 2004, Experimental evaluation of verification and validation tools on Martian rover software. Formal Methods in System Design, pages 167–198. Aircraft industry: Hall, A. et al. 1992, Formal methods in a real air traffic control project. In IEEE Colloquium on Software in Air Traffic Control Systems - The Future, pages 7/1–7/4. Railway industry: James, P. et al. 2010, Automatically verifying railway interlockings using SAT-based model checking. In Proc. of the 10th International Workshop on Automated Verification of Critical Systems (AVoCS), volume 35.

  10. Motivation • BE-ICS develops Industrial Control and Safety systems • Some examples: • LHC Cryogenics control systems • Cooling and ventilation control systems • LHC, SPS and PS Access control and Protection systems • Safety Instrumented Systems (SM18, FAIR and B311 test benches) • Etc. • Most of these systems use PLCs (Programmable Logic Controllers) as a control device • Goal → improve the reliability of PLC programs Guarantee that the PLC programs are compliant with the specifications • How? → By using formal methods

  11. Outline • Introduction to Model checking • Introduction to PLC programs • Model checking applied to PLC programs • Some real life examples

  12. Introduction to model checking. Two main techniques can be applied to increase software reliability: • Testing: checks certain properties or test cases on the real system (the code is executed) • Formal verification: uses formal methods to check a formal property on a model of the system (e.g. model checking). In industry (including CERN), manual testing, automated testing or simulation techniques are the most popular approaches

  13. Introduction to model checking. Given a global model of the system and a formal property, the model checking algorithm checks exhaustively that the model meets the property (Clarke and Emerson, 1982; Queille and Sifakis, 1982). Diagram: Real System (hardware, software) → Specifications → Formal model (Automata, Timed automata, Petri nets, etc.); Formal requirement → Property (Temporal Logic); Model Checker → Property OK, or Property failed with a trace leading to the violation

  14. Model checking vs Testing. Example: a PLC program with inputs Input1, Input2, Input3, Input4 and outputs Output1 (valve a), Output2 (valve b). Model checking tools: nuXmv, UPPAAL, CBMC, SPIN, KRONOS, etc. Requirement 1 (Functionality): If Input1 is FALSE then Output2 is FALSE … Requirement 2 (Safety): If Output1 is FALSE then Output2 is TRUE. 4 Boolean input variables -> 2^4 = 16 combinations; 4 Word (16-bit) input variables -> 2^(16*4) ≈ 1.8*10^19 combinations. For large systems (many input variables), Requirement 2 cannot (practically) be checked by using testing techniques

  15. Why is model checking not widely used? • Modelling: finding the appropriate formalism and the right level of abstraction • Temporal logic: hard to use • State space explosion: there is a limitation on the number of combinations to check

  16. Outline • Introduction to Model checking • Introduction to PLC programs • Model checking applied to PLC programs • Some real life examples

  17. Introduction to PLCs • Programmable Logic Controller • Is the most popular control device in the process industry • Also a popular device for the development of Safety Instrumented Systems • IEC 61511 standard: "Functional safety - Safety instrumented systems for the process industry sector" • More than 1000 PLC applications are developed and maintained at CERN (mainly Siemens and Schneider PLCs)

  18. Introduction to PLC execution platform (simplified). Diagram: Sensors → PI → IIM → CPU (main program, OB1 for Siemens PLCs) → OIM → PO → Actuators • Scan Cycle: 1. Reading the actual values from periphery to the Input Image Memory 2. Interpreting and executing the PLC program 3. Writing the computed values from the Output Image Memory to the periphery

  19. PLC software IEC 61131-3 standard defines the 5 PLC programming languages: • ST (Structured Text) and IL (Instruction List) as textual languages • FBD (Function Block Diagram), Ladder and SFC (Sequential Function Chart) as graphical languages • Different PLC vendors have different implementations • E.g. Siemens ST -> SCL, IL -> STL (with slightly different semantics)

  20. PLC software: ST language; SFC language

  21. PLC software: LADDER language; IL language. LADDER and FBD are (currently) the mandatory languages to write Safety PLC programs

  22. Outline • Introduction to Model checking • Introduction to PLC programs • Model checking applied to PLC programs • Some real life examples

  23. Applying model checking to PLC programs. PLC programs → Intermediate Model (Control Flow Automata) → Model checking algorithms … Requirements (e.g. "If Output1 is FALSE then Output2 is TRUE") → Formalized requirements (AG (!Output1 → Output2))

  24. Methodology overview • General methodology • Multiple PLC languages • Multiple verification tools • Counterexample analysis

  25. Intermediate model (simplified) • Control Flow Automata: a network of automata • Each automaton has: • Locations • Assignment transitions (source loc., target loc., guard, variable assignment) • Call transitions (source loc., target loc., guard, automaton call) • Variables (simple or arrays)

  26. PLC program Modeling

  27. PLC program Modeling

  28. PLC program Modeling • Execution platform (Scan cycle): • Input (sensor) reading • Executing the program • Output writing

  29. PLC program Modelling and req. formalization AG(EoC→QW0 = 0) Inlined model

  30. Translation to model checker input language nuXmv model checker AG(EoC→QW0 = 0)

  31. Execute nuXmv

  32. Execute nuXmv AG(EoC→QW0 = 10)
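The scan-cycle model (slide 28) and the AG(EoC → …) requirements (slides 14 and 29–32) as an added, runnable example; it is not code from the presentation or from PLCverif. A constructed PLC program with retained memory is stepped one scan cycle at a time, every input combination is tried each cycle, and a breadth-first search either proves the property or returns the shortest counterexample trace. All variable names and requirements are constructed for the example.

```python
from collections import deque
from itertools import product

INPUTS = ("start", "stop", "fault")           # Boolean inputs (constructed)
INIT = {"running": False, "fault_count": 0}   # retained memory at power-up

def scan_cycle(mem, inp):
    """One scan cycle of the constructed program: inputs already read into
    inp, program executed, outputs written at end of cycle (EoC)."""
    running, fault_count = mem["running"], mem["fault_count"]
    if inp["fault"]:
        running = False
        fault_count = min(fault_count + 1, 3)  # saturating counter
    elif inp["stop"]:
        running = False                       # stop has priority over start
    elif inp["start"]:
        running = True
    new_mem = {"running": running, "fault_count": fault_count}
    out = {"valve_a": running, "valve_b": not running, "QW0": 10 * fault_count}
    return new_mem, out

def check_ag(prop):
    """Check AG(EoC -> prop(inputs, outputs)) by BFS over retained memory,
    trying all 2^len(INPUTS) input combinations in every cycle (exhaustive).
    Returns (True, None), or (False, trace) with the shortest counterexample."""
    key = lambda m: tuple(sorted(m.items()))
    seen = {key(INIT): []}             # memory state -> shortest trace to it
    queue = deque([INIT])
    while queue:
        mem = queue.popleft()
        trace = seen[key(mem)]
        for bits in product((False, True), repeat=len(INPUTS)):
            inp = dict(zip(INPUTS, bits))
            nxt, out = scan_cycle(mem, inp)
            step = trace + [(inp, out)]   # one (inputs, outputs) pair per cycle
            if not prop(inp, out):
                return False, step
            if key(nxt) not in seen:
                seen[key(nxt)] = step
                queue.append(nxt)
    return True, None

# Requirements in the style of slide 14 (constructed)
FUNCTIONAL = lambda i, o: (not i["stop"]) or (not o["valve_a"])  # stop -> !valve_a
SAFETY = lambda i, o: o["valve_a"] or o["valve_b"]               # !valve_a -> valve_b
QW0_BOUNDED = lambda i, o: o["QW0"] <= 30                        # AG(EoC -> QW0 <= 30)
QW0_BELOW_30 = lambda i, o: o["QW0"] < 30                        # violated after 3 faults
```

Calling `check_ag(QW0_BELOW_30)` returns a three-cycle trace with `fault` TRUE in each cycle, which is what a model checker reports where testing would have to guess the input sequence.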

  33. Is it worth using model checking for PLCs? • Not without tool support • It is (very) hard to create models out of PLC programs • It is (very) hard to formalize the requirements in temporal logic • In BE-ICS we have developed the tool PLCverif http://cern.ch/plcverif • Hide the complexity of using formal methods from the user • The methodology shall be compatible with any development process of PLC programs • Technologies: Java, Xtext, EMF, …

  34. PLCverif

  35. Outline • Introduction to Model checking • Introduction to PLC programs • Model checking applied to PLC programs • Verification of real life Safety critical PLC programs

  36. Formal methods applied to Safety critical PLC programs (SM18 Cluster G) • Test benches for superconducting magnets (SM18, FAIR, B311) • Risks to personnel and equipment • Cryogenics • Vacuum • Power converters • Cooling & ventilation • Need for Safety Instrumented Systems (IEC 61511 standard)

  37. IEC 61511 safety lifecycle

  38. Resulting control and safety systems Operational requirements Safety requirements (SIFs) Siemens PLC 317F-2PN/DP ST language + UNICOS LADDER language + Siemens Safety Distributed Library Profisafe

  39. Running PLCverif • The fail-safe PLC program (STL version) was imported to PLCverif • 2000 lines of STL exported code • 240 input Boolean variables • We formalized around 30 verification cases (SIFs)

  40. PLCverif results • Verification average time of 1 – 2 minutes per assertion • Several discrepancies between the specification and the PLC program were found: • Problems in the specification • Bugs in the PLC programs

  41. PLCverif with more systems. We have applied PLCverif to several fail-safe PLC programs: • The rest of the SM18 test benches • B311 test bench (Switchboard project) • B180 FAIR test bench • ITER case study: verification of the PLC program in charge of a safety critical communication protocol • SPS Personnel Safety system: fail-safe PLC program. Non-safety PLC programs but widely used at CERN: • UNICOS object library (used in the LHC Cryogenics control system, many C&V plants, Gas systems, etc.)

  42. Summary and conclusions

  43. Conclusions • It is worth using formal methods for critical systems, but it comes with a (big) cost … • They can be applied to specification, code verification, simulation, etc. • We have found several (many?) PLC program bugs or specification problems by using PLCverif (model checking) • … even in well-tested production systems • If you want to apply model checking to PLC programs, consider PLCverif • If you use another programming language, there are many options: • E.g. CBMC for C and C++ programs
