ArticlePDF Available

Abstract and Figures

Functional Safety is a major concern in the design of automation systems today. Many of those systems are realized using Programmable Logic Controllers (PLCs) programmed according to IEC 61131-3. PLCopen – as IEC 61131 user organization – semi-formally specified a set of software function blocks to be used in safety applications according to IEC 61508. In the presented work, formal models in the form of timed automata for the safety function blocks (SFBs) are constructed from the semi-formal specifications. The accordance of the formalized blocks to the specification is verified using model checking. Furthermore, their behaviour is validated against specified test cases by simulation. The resulting verified and validated library of formal models is used to build a formal model of a given safety application – built from SFBs – and to verify and validate its properties.
Content may be subject to copyright.
Verification and Validation of Safety Applications based on PLCopen Safety Function Blocks
using Timed Automata in Uppaal
Doaa Soliman and Georg Frey
Chair of Automation, Saarland University
University Campus Building A5.1, 66123 Saarbrücken, Germany
(e-mail: doaa.soliman@aut.uni-saarland.de, georg.frey@aut.uni-saarland.de)
Abstract: Functional Safety is a major concern in the design of automation systems today. Many of those
systems are realized using PLCs programmed according to IEC 61131-3. PLCopen as IEC 61131 user
organization specified a set of software Function Blocks to be used in Safety Applications according to
IEC 61508 in 2006. The specification of Technical Committee 5 contains twenty Safety Function Blocks
(SFBs) as a library together with some specifications of their use. A second part issued in 2008
demonstrates the use of the defined SFBs in real applications. In the presented work, formal models for
the SFBs are derived from the semi-formal specification in the PLCopen documents. Those blocks are
verified using model checking and the accordance of their temporal behavior with the PLCopen
specification is further validated by simulation. The resulting library of formal models allows to build a
formal model of a given safety application built from SFBs and to verify its properties. This is
demonstrated using an example from the second part of the PLCopen specification.
Keywords: Safety Application, Timed Automata, PLC, Safety Function Block, IEC 61508, IEC61131-3
Verification and Validation, Model-Checking.
1. INTRODUCTION
Nowadays, PLCs are increasingly being used to implement
safety functions for safety critical systems. One of the
preferred languages in this area is Function Block Diagram
(FBD) according to IEC 61131-3. There are many research
projects in the field of verification and implementation of
function blocks libraries according to this standard e.g.
Völker and Krämer (2001) or Song et al. (2004). However,
safety issues are not addressed in IEC 61131-3, and PLC
programming software packages have only library function
blocks dealing in general with communication, mathematical
operations, logic, and so on. As a step for building safety
applications in IEC 61131-3 FBD according to IEC 61508,
PLCopen (2006) specifies a set of so-called Safety Function
Blocks (SFBs). Several manufacturers of IEC 61131
programming tools have already implemented libraries
according to this specification.
The main aim of the presented work is to ease the verification
of safety applications built up using the PLCopen SFBs in
one of the commercially available tools. To this end a
modular (function block oriented) approach is taken. For all
specified SFBs a corresponding formal model is built using
Timed Automata (TA). To verify a safety application, the
formal model of the application is derived by combining the
previously specified TA in the same structure as the original
SFBs are combined in the PLC software.
Before applications can be verified however, it has to be
assured that the formal models are actually describing the
behaviour of the SFBs correctly.
The description of SFBs by PLCopen contains three parts for
each SFB respectively:
1. A graphical description of the internal states and
behaviour using a state diagram.
2. A list of properties described in natural language.
3. Timing diagrams describing the temporal behaviour
for some specific scenarios.
In the presented approach the graphical description (1
st
part)
is translated into a TA in the language of the Uppaal tool. To
validate the temporal behaviour, simulations of the model are
performed and the results are compared to the timing
diagrams (3
rd
part). The list of textual properties (2
nd
part) is
formalized using temporal logic. By using model checking
see e.g. Berard et al. (2001) it is then verified that these
properties hold on the TA.
This paper is organized as follows: In the next section an
overview of the proposed approach to verify safety
applications is given. Section 3 describes the formalization of
SFBs in detail using an example from the PLCopen Library.
The use of the formalized SFBs for verification is
demonstrated in section 4, utilizing an example from
PLCopen (2008). The paper closes with a short summary and
an outlook on further work.
2. APPROACH TO VERIFY SAFETY APPLICATIONS
The presented approach is based on the development process
given in Fig.1. To build a safety application an engineer is
assumed to build his software using a library of SFBs that
was implemented according to the PLCopen specification. To
do so, the specification for the safety application is read and
interpreted by the engineer and the solution is implemented in
a PLC programming tool. Now it has to be verified that the
implemented application fulfils the original specification. To
this end in the presented work, the process described in the
shaded part of Fig. 1 is proposed. Following the structure
(interconnection of SFBs) of the implemented application a
formal model of the safety application is built from a library
of pre-formalized SFBs. On this model properties derived
from the original specification can be verified.
Lib. of imple-
mentedSFBs in
accordance with
PLCopen-Spec.
Lib. of formal-
izedSFBs in
accordance with
PLCopen-Spec.
Specification
of the Safety
Application
Implementation by
connecting SFBs to an
SFB-network in PLC-
Programming-Tool
Implemented
Safety
Application
Formalization of Safety
Application using
formalized SFBs
Formalized
Safety
Application
Verification
Formalization of
Properties to be
verified
Formalized
Properties
Fig. 1. Proposed development process for verified Safety
Applications using the PLCopen SFBs.
The main part of the presented work is to provide the library
of pre-formalized SFBs. This process is shown in the right
(shaded) part of Fig.2. Starting from the PLCopen
specification a library of SFBs is built using TA in the
Uppaal tool. It is then verified that those formal models are
actually conforming to the PLCopen specification. On the
other side (left part of Fig. 2) it is assumed that the
manufacturer of a programming tool starts from the same
specification and build a set of implemented SFBs. The
conformance of these SFBs to the PLCopen specification is
normally certified by some organization like TÜV. In the
following it is assumed that the implemented SFBs are
actually behaving like described in the PLCopen
specification.
The next section shows in detail how to build a validated and
verified SFB Library in accordance with PLCopen
specifications.
PLCopen SFB
Specification
Implementation of SFBs
in PLC-Programming-Tool
(by Tool-Provider)
Formalization of SFBs
using Timed Automata
in Uppaal
Library of SFBs in
PLC-Program-
ming-SW
Library of formal
SFBs in Uppaal
Certification Verification
Lib. of imple-
mentedSFBs in
accordance with
PLCopen-Spec.
Lib. of formal-
izedSFBs in
accordance with
PLCopen-Spec.
Fig. 2. Process of deriving the Safety Function Block
Libraries for implementation (left) and verification (right)
from the PLCopen specification.
3. CONSTRUCTING THE SAFETY FUNCTION BLOCK
LIBRARY FOR VERIFICATION
3.1 Formalization of SFBs in Uppaal
As described in Behrmann et al. (2004), Uppaal allows
analysis of networks of timed automata with binary
synchronization. It contains three main parts. First, timed
processes are described using a graphical editor. Second,
systems can be simulated by a graphical simulator. Finally,
reachability properties can be verified using the verifier.
To formalize an SFB, the process depicted in Fig. 3 is
followed. First of all the Input/Output variables of the SFB
are declared according to the interface description in the
PLCopen document. Then, the state diagram is transferred to
TA using the graphical editor of Uppaal. Depending on this
TA and the input sequence scenario extracted from the timing
diagram, a simulation is executed to validate the temporal
behaviour using the graphical simulator. Thereafter, the
textual properties are translated into Temporal Logic (TL)
formulae. Using the verifier, the properties of the safety
function can be verified. Actually, the use of symbolic model
checking in combination with TA would be sufficient to
verify the behaviour of the formalized SFBs. However, the
additional use of simulation is useful for two distinct reasons.
First of all, to validate specific scenarios presented in the
specification it is the more direct approach. Second, and
much more important, it allows users not familiar with formal
models to assess the results directly.
In the frame of the presented work, all twenty SFBs defined
by PLCopen have been formalized according to this
procedure. As an example, the following sub-section
describes the process in detail for the SFB SF_Equivalent.
Formalized
Properties
Formalization
in Timed
Automata
Properties
(Text)
Behavior:
Automaton
(Graphics)
Extraction of
Scenario Input
Sequence
Formalization
in Temporal
Logic
Formalized
Automaton
Simulation
Scenarios
Validation by
Simulation
Verification by Model
Checking
PLCopen SFB
Specification
Temporal
Behavior of
specific
Scenarios
(Timing
Diagrams)
Fig. 3. Detailed description of the process to build a verified
and validated formalized SFB.
3.2 Complete Description of one SFB: SF-Equivalent
The Input/Output variables declarations are shown in Fig. 4.
Moreover, an interface description (Name, Data Type, Initial
Value and Function) of every variable is tabled. A Textual
Functional description of the SFB is as follows:
“This function block converts two equivalent SAFEBOOL
inputs to one SAFEBOOL output with discrepancy time
monitoring. Both input Channels A and B are interdependent.
The function block output shows the result of the evaluation
of both channels. If one channel signal changes from TRUE
to FALSE the output immediately switches off (FALSE) for
safety reasons.”
The state diagram is shown in Fig. 5. The inputs are used as
transition guards and the outputs are updated according to the
state location. The Time input is assumed a clock.
Additionally the temporal behaviour of the SFB is described
for specific scenarios in a timing diagram (Fig. 6). Finally, a
description and output setting of every state are tabled. This
table defines the output variables’ values for each state in the
state diagram, and is used later in verification.
Fig. 4: SFB SF_Equivalent
Fig. 5. State diagram for SFB SF_Equivalent.
Fig. 6. Part of the timing diagram of SFB SF_Equivalent.
3.3 Formalization of SF-Equivalent
First of all, the Input/Output variables are declared as shown
in Fig. 7. These variables are declared globally to allow
sharing by other automata.
Fig. 7. Declarations of variables, clocks, and channels.
Second, state diagram of the SFB is graphically translated to
state transition automaton shown in Fig. 8. Additionally,
three automata of the Boolean input variables are constructed
to give the facility to vary these inputs while implementing
the simulation. The synchronisation between these processes
is achieved by shared variables (global declaration) and
message passing (channels), cf. Fig. 7.
As it appears in the state diagram of Fig. 5, the outgoing
transitions from every state are numbered according to
priorities where 0 is the highest priority. In translating the
state diagram of PLCopen in a TA in Uppaal the problem of
covering priorities arises. However this problem can be easily
solved by extending the transition condition of a low priority
condition with the negation of a high priority transition. A
detailed analysis performed for all SFBs shows that this
extension is not always necessary.
Prior to simulation, one should be sure that the output
variables vary correctly with every state location of the SFB
automaton. This can be achieved by querying about the value
of these variables in every state location using the verifier.
For example, in location Error3, both Ready and Error are
True and S_EquivalentOut is False. This liveness property is
converted to a CTL formula as follows:
SF_Equivalent.Error3-->(Ready_Eq)&(!S_EquivalentOut)& (Error_Eq)
The result of the verification assured this property and other
similar properties of all locations.
Using the automata (Fig. 8) simulation in Uppaal validated
the timing diagrams from the PLCopen specification (Fig. 6).
Fig. 9 shows the response of SF_Equivalent automaton to the
change in input automata synchronized by channels
(horizontal arrows).
Fig. 9. Simulation scenario for the timing diagram in Fig. 6.
Fig. 8. Uppaal Timed Automaton of SF_Equivalent.
After simulation, deadlock-freeness of the system is checked
with the property:
A[] not deadlock
Now, the accordance of the automaton to the textual
functional description is checked by verification. Taking a
part of this description mentioned above, for example, “If one
channel signal changes from TRUE to FALSE the output
immediately switches off (FALSE) for safety reasons”. A
corresponding CTL formula is derived:
A<> SF_Equivalent.Safety_Output_Enabled&((!A)|(!B)) imply
!S_EquivalentOut
This reachability property and all other textual properties are
satisfied assuring the functionality of the SFB TA.
4. VERIFICATION OF A SAFETY APPLICATION
The process described in Section 2 is now applied using the
models introduced in the previous section to an example
taken from the second part of the PLCopen specification.
There, for every example, a block diagram is available
showing the interconnection between SFBs and also showing
the safety inputs and outputs. A description of safety
functions and declaration of the used variables are also given.
Sometimes, additionally, a timing diagram is given.
In the following, the first example from this specification
“Emergency stop with safe stop & equivalent monitoring” is
used. Fig. 10 shows a solution for this problem implemented
in FBD by connecting SFBs directly or via simple logic
gates. This example uses the following safety functions:
Issuing the emergency stop (via SF_EmergencyStop) or
interrupting the light beam in the light curtain (via
SF_ESPE) stops the drive in accordance with stop
category 1.
The stop of the electrical drive within a predefined time
is monitored (via SF_SafeStop1).
The Safe Status of the drive is indicated by the
S_Stopped variable, connected to the functional
application
If the stop is performed by the Emergency Switch, a
manual reset is required (via SF_EmergencyStop)
If a monitoring time violation is detected (via
SF_SafeStop1), manual error acknowledge is required to
allow a reset.
The 2 channel connectors of the emergency stop are
monitored. An error is detected when both inputs do not
have the same status once the discrepancy time has
elapsed (via SF_EQUIVALENT)
The functional stop in this example is performed as a
safe stop issued from the functional application. A restart
interlock for this stop is not necessary.
The Uppaal tool has the ability to import constructed TA and
combine them in a new system. Hence, the four SFB TA and
the required input TA are imported easily in one system. The
next step is to achieve the connection according to Fig. 10.
To avoid internal modification inside every SFB, the
connections are achieved by new TA. As shown in Fig. 10,
there are two direct connections from SF_Equivalent to
SF_EmergencyStop (C1,C2). And another two non-direct
connections from SF_EmergencyStop and SF_ESPE to
SF_SafeStop1 (C3,C4). Fig. 11 shows the four connections
TA.
Fig. 11. Timed processes for connections between SFBs.
Fig. 10. Safety application to be verified
.
Every conniction TA is constructed from one initial-urgent
location and tow self-loop-transitions (edges). The edges can
have discrete guards and arbitrary updates, but no guards
over clocks. As soon as the input (guards) of the connection
TA changes, the output (channels and shared variables) is
immediately issued without delay. The simulation (Fig. 12)
proved that the system is working as mentioned in PLCopen
Part 2. Some of the verified properties are as following:
Property 1: After the activation of SF_Equivalent and
SF_ESPE, the SF_SafeStop will keep activated.
E[] Active_Eq&Active_ESPE imply Ready_SS1
Property 2: Issuing the Emergency stop (via
SF_EmergencyStop) or interrupting the light beam in the
light curtain (via SF_ESPE) stops the drive in accordance to
stop category 1.
A<> ((!A)|(!B)|(!ESPE_In))& Acknowledge imply S_Stopped
A[] SF_SafeStop1.Drive_Stopped imply T<=MT
Both properties are verified, guaranteeing that the application
works as expected.
5. SUMMARY AND OUTLOOK
In this paper an approach for the verification of safety
applications built form PLCopen Safety Function Blocks
(SFBs) was presented and illustrated using an example. It has
to be made clear, that the presented approach relies on the
assumption that the implementation of the SFBs actually
follows the specification of PLCopen in all details. This
assumption is normally verified by certification of SFBs by
independent organizations likeV.
Future work in this project will concentrate on automating the
model building step. Based on the PLCopen XML
interchange format for PLC applications the formal model
will be built from the pre-defined automata automatically.
REFERENCES
Berard et al. (2001). Systems and Software Verification,
Model-Ckecking Techniques and Tools. Spriger,
Germany.
Gerd Behrmann, Alexandre David, Kim G. Larsen (2004). A
tutorial on Uppaal, Uppaal web site, Documentation,
Tutorials.
Myung Jun Song, Seo Ryong Koo, and Poong Hyun Seong
(2004). Development of a Verification Method for
Timed Function Blocks Using ESDT and SMV. IEEE
InternationalSymposium HASE’04.
Norbert Völker, Bernd J. Krämer (2001). Automated
verification of Function block-based industrial control
systems. Since of Computer, Volume 42, Pages 101-113.
PLCopen (2006). Part 1: Concepts and Function Blocks.
TC5, Safety Software Technical Specification,
Version1.0, PLCopen, Germany.
PLCopen (2008). Part 2: User Examples. TC5, Safety
Software Technical Specification, Version1.0, PLCopen,
Germany.
Fig. 12. Simulation scenario of the safety application.
... However, the application of this approach to control-command programs remains difficult because it requires the consideration of other parameters such as the cyclical execution of the control-command programs. Indeed, if the Uppaal model checker has been widely used for the verification of control-command programs in the literature (Da Silva et al., 2008;De Vasconcelos Oliveira et al., 2010;Mokadem et al., 2010;Soliman & Frey, 2011), the Uppaal counterexamples simulation on control-command programs has received little research attention. ...
Conference Paper
Full-text available
In order to facilitate the understanding and the interpretation of the counterexamples returned by ModelCheckers, this paper presents an MDE-based approach for the automatic visualization and simulation of the Uppaal counterexamples (traces) directly on the control-command programs. Indeed, Uppaal traces are automatically transformed into generic (platform-independent) traces. A metamodel modeling the generic traces resulting from the execution of the control-command programs, according to the PLCOpen standard, is also proposed. The generic traces are then transformed into specific traces, which can be directly simulated on vendor-platforms. Our approach has been validated on a concrete industrial case study.
... The PLCopen organization has developed the industrial control programming language standard IEC61131-3 and has developed five standardized programming languages for the development of PLC applications, including the FBD graphical language. It uses motion control function blocks to write PLC control programs, which can reduce the threshold for developing motion control systems and improve the reliability of the system [11][12][13]. In industrial production line systems, the main actuating devices are motor systems based on motion control, such as servo drives and robotic arms. ...
Preprint
The rapid development of Industrial Internet has brought new changes to the system architecture for industrial manufacturing. This paper proposes a system architecture applicable to small-scale personalization production lines, the key of which is a three-layer architecture with the Internet layer, data layer, and field control layer, in which the user’s requirements for personalization product are transmitted from the Internet to the production line and the production equipment realizes the personalized production of products by motion control. This system architecture for production lines integrates Industrial Internet and smart manufacturing technologies, which reduces the complexity of the enterprise system architecture and increases the flexibility of the system compared to mass personalization production systems. The system architecture has been proven in a flexible production line for yogurt filling and can lay the foundation for the trans-formation of industrial manufacturing to a personalization production.
... Cetteétude montre d'ailleurs que les résultats de la vérifica-2État de l'art des méthodes de Vérification et Validation existantes tion sont plus intéressants en présence du modèle de PO (approche model-based). Dans(Soliman and Frey, 2011), les auteurs proposent une démarche qui permet de transformer des programmes de commandeécrits en FBD en automates temporisés sous le Model-Checker UPPAAL(Larsen et al., 1997), afin d'en vérifier des propriétés de sûreté. Enfin,Mokadem et al. (2010) proposent une méthode basée sur la réécriture des programmes LD en automates temporisés communicants sous UPPAAL, afin de vérifier des propriétés de sûreté et de vivacité.Ces approches proposent toutes des solutions pour traduire les programmes API en langages formelles, mais les modèles de programmes obtenus sont souvent complexes et provoquent facilement l'explosion combinatoire de l'espace d'états. ...
Thesis
La SNCF cherche à mettre en place des solutions innovantes permettant d’améliorer la sécurité et les conditions de travail des chargés d’études lors des travaux d’automatisation des EALE (Équipements d'Alimentation des Lignes Électrifiées). En partant de l’étude théorique du projet jusqu’à sa validation sur site, en passant par la mise en œuvre des programmes, du câblage des armoires, et de leur vérification sur plateforme et en usine, ces différentes tâches s’avèrent souvent être longues, complexes, et répétitives, sans compter les risques d’erreurs humaines.En vue d’améliorer les conditions de travail des chargés d’études, ce projet de recherche vise principalement à améliorer leurs méthodologies de vérification et de validation (V&V) des systèmes de contrôle commande (programmes automates et câblage des armoires de contrôle commande). Ce projet intitulé « Vérification formelle et simulation pour la validation des systèmes de contrôle commande des EALE » est basée sur l’utilisation des méthodes formelles et du Virtual Commissioning (mise en service virtuel), il se décompose en deux axes :- la vérification hors ligne des programmes API : basée sur une approche formelle, la méthode s’appuie sur une modélisation de l’installation électrique, des programmes API et du cahier de recette dans le model-checker Uppaal. Le principe consiste à vérifier automatiquement que les programmes respectent les spécifications fonctionnelles du cahier des charges, tout en étant formellement sûrs de fonctionnement.- la validation en ligne des programmes et du câblage des armoires de contrôle commande, grâce à l’utilisation du Virtual Commissioning en mode Software-In-the-Loop (pour la validation des programmes) puis en mode Hardware-In-the-Loop (pour la validation du câblage des armoires). La validation se fera de manière automatisée.
Article
The rapid development of industrial Internet has resulted in significant changes in industrial manufacturing system architecture. In this study, a system architecture suitable for small‐scale personalized production lines is proposed. The core of this architecture is a three‐layer structure comprising the Internet layer, data layer, and field control layer. The system facilitates the transmission of user‐specific product demands from the Internet to the production line, where the production equipment achieves personalized production through motion control. This system architecture for production lines integrates industrial Internet and smart manufacturing technologies, reducing the complexity of the enterprise system architecture and enhancing the flexibility of the system compared to large‐scale personalized production systems. The effectiveness of this system architecture was validated using a flexible yogurt filling production line and lays a foundation for the transformation of industrial manufacturing from the tradition system to a personalized production.
Article
Full-text available
The development of supervisory controllers for cyber-physical systems is a laborious and error-prone process. Supervisor synthesis enables control designers to automatically synthesize a correct-by-construction supervisor from a model of the plant combined with a model of the control requirements. From the supervisor model, controller code can be generated which is suitable for the implementation on a programmable logic controller (PLC). Supervisors for industrial systems that operate in close proximity to humans have to adhere to strict safety standards. To achieve these standards, safety PLCs (SPLCs) are used. For SPLC implementation, the supervisor has to be split into a regular part and a safety part. In previous work, a method is proposed to automatically split a supervisor model for this purpose. The method assumes that the provided plant model is a collection of finite automata. In this paper, the extension to extended finite automata is described. Additionally, guidelines are provided for modeling the plant and the requirements to achieve a favorable splitting. A case study on a rotating bridge is elaborated which has been used to validate the method. The case study spans all development steps, including the implementation of the resulting supervisor to control the real bridge.
Article
With the development of the industrial control system, Programmable Logic Controllers (PLCs) are increasingly adopted in the process automation. Moreover, many PLCs play key roles in safety-critical systems like nuclear power plants, where robust and reliable control programs are required. To ensure the quality of programs, testing and verification methods are necessary. In this paper, we present a novel methodology which applies model checking to verifying PLC programs. Specifically, we focus on the Structured Text (ST) language which is a widely-used, high-level programming language defined in the IEC 61131-3 standard. A formal model named Behaviour Model (BM) is defined to specify the behaviour of ST programs. An algorithm based on variable state analysis for automatically extracting the BM from an ST program is given. An algorithm based on the automata-theoretic approach is proposed to verify Linear Temporal Logic (LTL) properties on the BM. Finally, a real-life case study is presented.
Article
Full-text available
We give an efficient procedure for verifying that a finite-state concurrent system meets a specification expressed in a (propositional, branching-time) temporal logic. Our algorithm has complexity linear in both the size of the specification and the size of the global state graph for the concurrent system. We also show how this approach can be adapted to handle fairness. We argue that our technique can provide a practical alternative to manual proof construction or use of a mechanical theorem prover for verifying many finite-state concurrent systems. Experimental results show that state machines with several hundred states can be checked in a matter of seconds.
Conference Paper
Functional Safety is a major concern in the design of automation systems today. Many of those systems are realized using PLCs programmed according to IEC 61131–3. PLCopen as IEC 61131 user organization specified a set of software Function Blocks to be used in Safety Applications according to IEC 61508 in 2006. The specification of Technical Committee 5 contains twenty Safety Function Blocks (SFBs) as a library together with some specifications of their use. A second part issued in 2008 demonstrates the use of the defined SFBs in real applications. In the presented work, formal models for the SFBs are derived from the semi-formal specification in the PLCopen documents. Those blocks are verified using model checking and the accordance of their temporal behavior with the PLCopen specification is further validated by simulation. The resulting library of formal models allows to build a formal model of a given safety application – built from SFBs – and to verify its properties. This is demonstrated using an example from the second part of the PLCopen specification.
Book
This practical monograph gives a comprehensive introduction to the concepts and languages of the IEC 61131 standard used to program industrial control systems. The second edition of this established reference covers the latest developments of the IEC 61131 standard. The text and the numerous examples have been extensively updated and present the state of the art of programming industrial automation systems. A summary of the special requirements in programming industrial automation systems and the corresponding features in the IEC 61131-3 standard makes the book suitable for students as well as PLC experts. The material is presented in an easy-to-understand form using numerous examples, illustrations and summary tables. The book also includes a purchaser's guide. Karl-Heinz John Degree in Computer Science 1981, degree thesis on microprogramming. Since 1984 at infoteam Software GmbH, co-owner and chief executive officer (CEO), his areas of responsibility include the development of IEC 61131 programming systems, such as OpenPCS. He is also a founder member of PLCopen (www.plcopen.org) and vice-president of ASQF (www.asqf.de). Michael Tiegelkamp Degree in Computer Science 1988, degree thesis on PLC architectures. From 1988 to 1994 at infoteam Software GmbH, project manager and head of marketing, responsible for PLC programming systems. Since 1994 at SIEMENS AG, project manager for development and later group manager for product definition in the field of SIMATIC, since 2004 various manager positions in the field of low-voltage energy distribution. © Springer-Verlag Berlin Heidelberg 2001, 2010. All rights are reserved.
Thesis
In this work, an approach was introduced to facilitate the verification process of safety applications built up from the PLCopen (2006) safety library. This approach is practiced with the help of safety applications used in real life, presented by PLCopen (2008). It was discovered that the verification approach is applicable and most helpful. This encouraged the researchers to think about the automation of the presented approach; More precisely, to automate the transformation process of a safety application to a formal model to be verified via the UPPAAAL model checker. However, many difficulties had to be faced in order to realise a transformation tool. Since the presented transformation approach is based on an XML platform, it is necessary to find an IEC 61131-3 programing tool that supports not only the PLCopen safety library, but also the exportation of the PLCopen XML scheme. Unfortunately, a qualified IEC 61131-3 programing tool did not exist at the time the research was undertaken. However, many software producers have future plans to support all required features. To overcome these difficulties, steps were taken to integrate the needed features in the partially qualified IEC 61131-3 tool. It was the MultiProg tool from KW-Software, which supported the exportation of PLCopen XML schema, but not the PLCopen safety library. This therefore, made it necessary to implement a user defined PLCopen safety library to be used in constructing safety applications with the MultiProg tool. This implemented safety library was then directly verified using the [mc]square model checker, which was joint work with the Embedded Software Laboratory (Prof. Kowalewski), RWTH Aachen University, Germany. Finally, a qualified IEC 61131-3 programming tool was available. Consequently, an exported PLCopen XML from a safety application could be handled. As a first step to realising a transformation tool, meta-models of source and target XML domains are defined. Following this, transformation rules are formalised based on the meta-models. A prototype transformation tool is therefore developed and tested using some real safety applications. The next step is the formalisation of safety applications written in the FBD programing language and required UPPAAL systems. And of course, formalisation of detailed transformation rules is also defined. This led to developing the end version of the safety application to the timed automata SA2TA tool. This was a joint venture with the Software Engineering group (Prof. Thramboulidis) in Patras University, Greece. As a case study to test the applicability of the transformation tool, the SA2TA is then used as part of a whole methodology to upgrade a legacy system to conform to safety standards. The legacy system needed to be upgraded is an XY drawing table located in the automation laboratory in Saarland University, Germany. The suggested methodology was applied to the XY table, and the designed safety application is transformed to a UPPAAL TA system for verification purposes. Therefore, the verification process is carried out based on safety functionalities defined through the designing stage. It was found that not all safety functionalities were satisfied on the UPPAAL system, which led to some modifications in the designed safety application to meet the required safety functionalities. Some possible technical extensions to make the proposed methodology even easier to use are for example, the automatic transfer of simulation traces between PLC tools and UPPAAL in both directions. From PLC tools to UPPAAL for automatic validation and from UPPAAL to PLC tools for the visualisation of counter examples. However, one question still remains. Since there is a gap between safety engineering and software engineering; who is responsible for applying verification processes on the resulting UPPAAL system from safety applications? It is believed that more effort is required in the direction of verification to minimise this gap and facilitate obtaining safety properties in formal languages.
Article
Model checking is a powerful approach for the formal verification of software. It automatically provides complete proofs of correctness, or explains, via counter-examples, why a system is not correct. Here, the author provides a well written and basic introduction to the new technique. The first part describes in simple terms the theoretical basis of model checking: transition systems as a formal model of systems, temporal logic as a formal language for behavioral properties, and model-checking algorithms. The second part explains how to write rich and structured temporal logic specifications in practice, while the third part surveys some of the major model checkers available.
Conference Paper
In recent years, the interest in the formalization of PLC programs increased. The paper provides a classification scheme for the works done in this field. This scheme includes the sources used for formalization, the level of the formalization process (i.e. the complexity of structures that could be han-dled by the approach), the aim of the formalization (Re-Engineering or Verification) and the formal model used to represent the formalized PLC program. The scheme is applied to several examples.
Conference Paper
Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus, unsuitable for analysis of real-time systems whose correctness depends on relative magnitudes of different delays. Consequently, timed automata [7] were introduced as a formal notation to model the behavior of real-time systems. Its definition provides a simple way to annotate state-transition graphs with timing constraints using finitely many real-valued clock variables. Automated analysis of timed automata relies on the construction of a finite quotient of the infinite space of clock valuations. Over the years, the formalism has been extensively studied leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theory of timed automata, and their role in specification and verification of real-time systems.
Chapter
To model the behavior of finite-state asynchronous real-time systems we propose the notion of timed Bchi automata (TBA). TBAs are Bchi automata coupled with a mechanism to express constant bounds on the timing delays between system events. These automata accept languages of timed traces, traces in which each event has an associated real-valued time of occurrence. We show that the class of languages accepted by TBAs is closed under the operations of union, intersection and projections, and the trace language obtained by projecting the language accepted by a TBA is -regular. It turns out that TBAs are not closed under complement, and it is undecidable whether the language of one automaton is a subset of the language of another. This result is an obstruction to automatic verification. However, we show that a significant (proper) subclass represented by deterministic timed Muller automata (DTMA) is closed under all the boolean operations. Consequently, a system modeled by a TBA can be automatically verified with respect to a specification given as a DTMA.
Article
We propose timed (finite) automata to model the behavior of real-time systems over time. Our definition provides a simple, and yet powerful, way to annotate state-transition graphs with timing constraints using finitely many real-valued clocks. A timed automaton accepts timed words–infinite sequences in which a real-valued time of occurrence is associated with each symbol. We study timed automata from the perspective of formal language theory: we consider closure properties, decision problems, and subclasses. We consider both nondeterministic and deterministic transition structures, and both Büchi and Muller acceptance conditions. We show that nondeterministic timed automata are closed under union and intersection, but not under complementation, whereas deterministic timed Muller automata are closed under all Boolean operations. The main construction of the paper is an (PSPACE) algorithm for checking the emptiness of the language of a (nondeterministic) timed automaton. We also prove that the universality problem and the language inclusion problem are solvable only for the deterministic automata: both problems are undecidable (Π11-hard) in the nondeterministic case and PSPACE-complete in the deterministic case. Finally, we discuss the application of this theory to automatic verification of real-time requirements of finite-state systems.