ArticlePublisher preview available

Automated Formal Analysis of Temporal Properties of Ladder Programs

Authors:
Cláudio Belo Lourenço
Cláudio Belo Lourenço
Cláudio Belo Lourenço
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Denis Cousineau
Denis Cousineau
Denis Cousineau
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Florian Faissole
Florian Faissole
Florian Faissole
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Claude Marché
Claude Marché
Claude Marché
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Show all 6 authorsHide
Read publisher preview
Download citation
To read the full-text of this research, you can request a copy directly from the authors.

Abstract and Figures

Programmable Logic Controllers are industrial digital computers used as automation controllers in manufacturing processes. The Ladder language is a programming language used to develop software for such controllers. In this work, we consider the description of the expected behaviour of a Ladder program under the form of a timing chart, describing a scenario of execution. Our aim is to prove that the given Ladder program conforms to the expected temporal behaviour given by such a timing chart. Our approach amounts to translating the Ladder code, together with the timing chart, into a program for the Why3 environment for deductive program verification. The verification proceeds with the generation of verification conditions: mathematical formulas to be checked valid using automated theorem provers. The ultimate goal is twofold. On the one hand, by obtaining a complete proof, one verifies the conformity of the Ladder code with respect to the timing chart with a high degree of confidence. On the other hand, in the case the proof is not fully completed, one obtains a counterexample, illustrating a possible execution scenario of the Ladder code which does not conform to the timing chart.
Figures - available from: International Journal on Software Tools for Technology Transfer
This content is subject to copyright. Terms and conditions apply.
A preview of this full-text is provided by Springer Nature.
Learn more
Content available from International Journal on Software Tools for Technology Transfer
This content is subject to copyright. Terms and conditions apply.
International Journal on Software Tools for Technology Transfer (2022) 24:977–997
https://doi.org/10.1007/s10009-022-00680-0
GENERAL
Special Issue: FMICS 2021
Automated formal analysis of temporal properties of Ladder programs
Cláudio Belo Lourenço1·Denis Cousineau2·Florian Faissole2·Claude Marché1·David Mentré2·Hiroaki Inoue3
Accepted: 18 October 2022 / Published online: 1 November 2022
© The Author(s), under exclusive licence to Springer-Verlag GmbH Germany, part of Springer Nature 2022
Abstract
Programmable Logic Controllers are industrial digital computers used as automation controllers in manufacturing processes.
The Ladder language is a programming language used to develop software for such controllers. In this work, we consider
the description of the expected behaviour of a Ladder program under the form of a timing chart, describing a scenario
of execution. Our aim is to prove that the given Ladder program conforms to the expected temporal behaviour given by
such a timing chart. Our approach amounts to translating the Ladder code, together with the timing chart, into a program
for the Why3 environment for deductive program verification. The verification proceeds with the generation of verification
conditions: mathematical formulas to be checked valid using automated theorem provers. The ultimate goal is twofold. On the
one hand, by obtaining a complete proof, one verifies the conformity of the Ladder code with respect to the timing chart with
a high degree of confidence. On the other hand, in the case the proof is not fully completed, one obtains a counterexample,
illustrating a possible execution scenario of the Ladder code which does not conform to the timing chart.
Keywords Ladder language for programming PLCs ·Timing charts ·Formal specification ·Deductive verification ·Why3
environment
1 Introduction
Programmable Logic Controllers (PLCs for short) are indus-
trial digital computers used as automation controllers in
manufacturing processes, such as assembly lines or robotic
devices. PLCs can simulate the hard-wired relays, timers and
sequencers they have replaced, via software that expresses
the computation of outputs from the values of inputs and
internal memory. The Ladder language, also known as Lad-
der Logic, is a programming language used to develop PLC
software. This language uses circuit diagrams of relay logic
hardware to represent a PLC program by a graphical diagram.
This language was one of the first available for programming
This work has been partially supported by the bilateral contract
ProofInUse-MERCE between Inria team Toccata and Mitsubishi
Electric R&D Centre Europe, Rennes.
BClaude Marché
Claude.Marche@inria.fr
1CNRS, Inria, LMF, Université Paris-Saclay, 91190
Gif-sur-Yvette, France
2Mitsubishi Electric R&D Centre Europe, Rennes, France
3Mitsubishi Electric Corporation, Amagasaki, Japan
PLCs, and is now standardised in the IEC 61131-3 standard
[29] among other languages [9] for programming PLCs. The
Ladder language is still widely used and very popular among
technicians and electrical engineers.
Because of the widespread use of PLCs in industry, veri-
fying that a given Ladder program conforms to its expected
behaviour is of critical importance. In this work, we consider
the description of the expected temporal behaviour under the
form of a timing chart, describing a scenario of execution.
Timing charts are commonly used in the industry to specify
small- to medium-sized programs, like in the Function Blocks
libraries that are shipped by PLC manufacturers together with
their programming software. Our approach consists of auto-
matically translating the Ladder code, and the timing chart
all together, into a program written in the WhyML language,
which is the input language of the generic Why3 environment
for deductive program verification [8]. In WhyML, expected
behaviours of program are expressed using contracts, which
are annotations expressed in formal logic. The Why3 envi-
ronment provides a set of software tools for checking that
the WhyML code conforms to these formal contracts. This
verification process is performed using automated theorem
provers as back-ends, so that at the end, if the back-end proof
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
... Ladder diagram features constitute an active research area. Verification of ladder program properties has been considered in [4,5]. Work [4] proposed an approach based on theorem proving. ...
... It presents how to map ladder diagram program fragments to algebraic expressions and means of manipulating them to prove program properties. The theorem proving is further analyzed in [5], which presents ...
DETECTION OF LADDER PROGRAM UNSTABLE STATES
Article
  • Sep 2024
This paper presents a modern method of detecting unstable states in ladder programs. Ladder programs are standard formalism used in a wide range of automation applications, especially in railway signaling systems. This formalism is characterized by a lack of explicit program control flow, which can result in the presence of unstable states. A state is unstable, if it leads to cyclic state transitions not anticipated by the designer (loop). The presence of unstable states is one of the possible program defects. This kind of defect is hard to detect and can harm program reliability. The presence of unstable states can be verified with formal methods by the construction of a ladder program model and analysis of its properties. The authors propose a method of static analysis of ladder programs by translating them into predicate logic formulas and construction of formulas expression stability of the program, which can be analyzed with SAT solvers. The presented method allows for automatic verification of the presence of unstable states in the program. The method is conservative (i.e., it concludes that the program has no unstable states only if it is the case). Preliminary experiments performed by authors with a Z3 solver indicate that the method is suitable for use for verification of interlocking programs of computer-based railway signaling systems.
View
... In the remainder of this Introduction to the special issue, we briefly present the contributions of the papers that make up this special issue. The paper Automated Formal Analysis of Temporal Properties of Ladder Programs, by Belo Lourenço et al. [5], the recipient of the FMICS 2021 Best Paper Award, describes a new approach for verifying the code running on programmable logic controllers (PLCs). PLCs are industrial digital computers used as automation controllers in manufacturing processes. ...
... In the future, Belo Lourenço et al. [5] would like to improve the counterexample generation of their tool and augment the trust in translation from ladder logic to WhyML by developing a systematic and automatic validation process. Hansen et al. [19] plan to formalize the FMI 3.0 standard, integrate the Scenario-Verifier with other orchestration engines, and examine whether it is possible to synthesize an optimal orchestration algorithm for a given co-simulation scenario. ...
Formal methods and tools for industrial critical systems
Article
Full-text available
  • Oct 2022
  • Int J Software Tool Tech Tran
Formal methods and tools have become well established and widely applied to ensure the correctness of fundamental components of industrial critical systems in domains like railways, avionics and automotive. In this Introduction to the special issue, we outline a number of recent achievements concerning the use of formal methods and tools for the specification and verification of critical systems from a variety of industrial domains. These achievements are represented by four properly revised and extended versions of papers that were selected from the 26th International Conference on Formal Methods for Industrial Critical Systems (FMICS 2021).
View
... Статья [24] посвящена дедуктивной верификации программ, написанных на языке LD из стандарта IEC 61131-3. Темпоральные требования к LD-программам задаются с помощью временных диаграмм. ...
Pattern-based approach to automation of deductive verification of process-oriented programs: patterns, lemmas and algorithms
Article
Full-text available
  • Dec 2024
Process-oriented programming is an approach to developing control software in which a program is defined as a set of interacting processes. PoST is a process-oriented language, which is an extension of the ST language from the IEC 61131-3 standard. In the field of control software development, formal verification plays an important role due to the need to ensure high reliability of such software. Deductive verification is a formal verification method in which a program and its requirements are represented as logical formulas, and logical inference is used to prove that the program satisfies the requirements. Control software often has temporal requirements. We formalize such requirements for process-oriented programs as control loop invariants. However, control loop invariants that represent requirements are not sufficient to prove the correctness of the program. Therefore, we add extra invariants containing auxiliary information. This paper considers the problem of automating deductive verification of process-oriented programs. An approach is proposed in which temporal requirements are specified using requirement patterns which are constructed from basic patterns. For each requirement pattern, a corresponding extra invariant pattern and lemmas are defined. In this paper, the proposed approach and schemes of basic and derived requirement patterns are described. The schemes of basic extra invariant patterns, schemes of lemmas defined for basic patterns, and a set of basic patterns and lemmas for them are considered. The scheme of derived extra invariant patterns and schemes of lemmas defined for derived patterns are defined. The algorithms for constructing derived extra invariant patterns and lemmas for them, as well as methods for proving these lemmas are presented. The schemes of proving verification conditions are considered. The proposed approach is demonstrated with an example. The analysis of related works has also been carried out.
View
... The programming of the PLC is carried out using the Ladder language [11][12][13] (Fig. 4) with serial/parallel connections and the defined variables. ...
Belt Transportation Monitoring Using SCADA Technology
Chapter
Full-text available
  • Apr 2024
The purpose of this study is to perform the monitoring of the automated belt conveyor transportation process using SCADA technology as well as to obtain the necessary skills for applying SCADA in case of other processes. Modern modelling and simulation methods were used, in order to analyse the results of the control simulation of multi-motor drives. This was done simultaneously with the optimization of the parameters of the automation model, then resorting to the analysis and synthesis of the Ladder program for command and control, correlated with the SCADA software. The method of modelling, simulation and software development for the middle layer of a belt transport flow is described. The practical application of modelling, simulation and software development and testing on the experimental plat-form is presented. The originality of the study results from the fact that it is carried out on the principal structure of the process, the automation strategy, respectively the specific requirements of the automatic control. The experimental test platform is hardware-in-the-loop. Monitoring is done using a series of software monitors written using SCADA software for remote monitoring and control. Practical implications of this work are that, based on this template, additional implementations would more easily be found, for instance by using future versions of SCADA with newer hardware and with additional monitoring system, for instance to develop applications such as transport belts and passenger transport bands in airports.
View
View
Automated Deductive Verification for Ladder Programming
Article
Full-text available
  • Dec 2019
Ladder Logics is a programming language standardized in IEC 61131-3 and widely used for programming industrial Programmable Logic Controllers (PLC). A PLC program consists of inputs (whose values are given at runtime by factory sensors), outputs (whose values are given at runtime to factory actuators), and the logical expressions computing output values from input values. Due to the graphical form of Ladder programs, and the amount of inputs and outputs in typical industrial programs, debugging such programs is time-consuming and error-prone. We present, in this paper, a Why3-based tool prototype we have implemented for automating the use of deductive verification in order to provide an easy-to-use and robust debugging tool for Ladder programmers.
View
Instrumenting a Weakest Precondition Calculus for Counterexample Generation
Article
Full-text available
  • Oct 2018
A major issue in the activity of deductive program verification is to understand why automated provers fail to discharge a proof obligation. To help the user understand the problem and decide what needs to be fixed in the code or the specification, it is essential to provide means to investigate such a failure. We present our approach for the design and the implementation of counterexample generation, exhibiting values for the variables of the program where a given part of the specification fails to be validated. To produce a counterexample, we exploit the ability of SMT solvers to propose, when a proof of a formula is not found, a counter-model. Turning such a counter-model into a counterexample for the initial program is not trivial because of the many transformations leading from a particular piece of code and its specification to a set of proof goals given to external provers.
View
Automated Verification of Temporal Properties of Ladder Programs
Chapter
  • Aug 2021
  • Lect Notes Comput Sci
Programmable Logic Controllers (PLCs) are industrial digital computers used as automation controllers in manufacturing processes. The Ladder language is a programming language used to develop PLC software. Our aim is to prove that a given Ladder program conforms to an expected temporal behaviour given as a timing chart, describing scenarios of execution. We translate the Ladder code and the timing chart into a program for the Why3 environment, within which the verification proceeds by generating verification conditions, to be checked valid using automated theorem provers. The ultimate goal is two-fold: first, by obtaining a complete proof, we can verify the conformance of the Ladder code with respect to the timing chart with a high degree of confidence. Second, when the proof is not fully completed, we obtain a counterexample, illustrating a possible execution scenario of the Ladder code which does not conform to the timing chart.
View
View
Abstraction and Genericity in Why3
Chapter
  • Oct 2020
  • Lect Notes Comput Sci
The benefits of modularity in programming—abstraction barriers, which allow hiding implementation details behind an opaque interface, and genericity, which allows specializing a single implementation to a variety of underlying data types—apply just as well to deductive program verification, with the additional advantage of helping the automated proof search procedures by reducing the size and complexity of the premises and by instantiating and reusing once-proved properties in a variety of contexts
View
View
Static versus Dynamic Verification in Why3, Frama-C and SPARK 2014
Conference Paper
  • Oct 2016
  • Lect Notes Comput Sci
Why3 is an environment for static verification, generic in the sense that it is used as an intermediate tool by different front-ends for the verification of Java, C or Ada programs. Yet, the choices made when designing the specification languages provided by those front-ends differ significantly, in particular with respect to the executability of specifications. We review these differences and the issues that result from these choices. We emphasize the specific feature of ghost code which turns out to be extremely useful for both static and dynamic verification. We also present techniques, combining static and dynamic features, that help users understand why static verification fails.
View
Building High Integrity Applications with SPARK
Book
  • Oct 2015
Software is pervasive in our lives. We are accustomed to dealing with the failures of much of that software - restarting an application is a very familiar solution. Such solutions are unacceptable when the software controls our cars, airplanes and medical devices or manages our private information. These applications must run without error. SPARK provides a means, based on mathematical proof, to guarantee that a program has no errors. SPARK is a formally defined programming language and a set of verification tools specifically designed to support the development of software used in high integrity applications. Using SPARK, developers can formally verify properties of their code such as information flow, freedom from runtime errors, functional correctness, security properties and safety properties. Written by two SPARK experts, this is the first introduction to the just-released 2014 version. It will help students and developers alike master the basic concepts for building systems with SPARK.
View
Formal Verification of Safety PLC Based Control Software
Conference Paper
  • Jun 2016
  • Lect Notes Comput Sci
Programmable Logic Controllers (PLCs) are widely used in the industry for various industrial automation tasks. Besides non-safety applications, the usage of PLCs became accepted in safety-critical installations, where the cost of failure is high. In these cases the used hardware is special (so-called fail-safe or safety PLCs), but also the software needs special considerations. Formal verification is a method that can help to develop high-quality software for critical tasks. However, such method should be adapted to the special needs of the safety PLCs, that are often particular compared to the normal PLC development domain. In this paper we propose two complementary solutions for the formal verification of safety-critical PLC programs based on model checking and equivalence checking using formal specification. Furthermore, a case study is presented, demonstrating our approach.
View
View