No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
From IEC 61131-3 Function Block Diagrams to Sequentially Constructive Statecharts
Programmable Logic Controllers (PLCs) are embedded computers widely used in industrial control systems. Ensuring that a PLC software complies with its specification is a challenging task. Formal verification has become a recommended practice to ensure the correctness of safety-critical software but is still underused in industry due to the complexity of building and managing formal models of real applications. In this paper, we propose a general methodology to perform automated model checking of complex properties expressed in temporal logics (e.g., CTL, LTL) on PLC programs. This methodology is based on an Intermediate Model (IM), meant to transform PLC programs written in various standard languages (ST, SFC, etc.) to different modeling languages of verification tools. We present the syntax and semantics of the IM and the transformation rules of the ST and SFC languages to the nuXmv model checker passing through the intermediate model. Finally, two real cases studies of CERN PLC programs, written mainly in the ST language, are presented to illustrate and validate the proposed approach.
As production automation systems have been and are becoming more and more complex, the task of quality assurance is increasingly challenging. Model-based testing is a research field addressing this challenge and many approaches have been suggested for different applications. The goal of this paper is to review these approaches regarding their suitability for the domain of production automation in order to identify current trends and research gaps. The different approaches are classified and clustered according to their main focus which is either testing and test case generation from some form of model automatons, test case generation from models used within the development process of production automation systems, test case generation from fault models or test case selection and regression testing.
Programmable logic controllers (PLCs) are heavily used in industrial control systems, because of their high capacity of simultaneous input/output processing capabilities. Characteristically, PLC systems are used in mission critical systems, and PLC software needs to conform real-time constraints in order to work properly. Since PLC programming requires mastering low-level instructions or assembly like languages, an important step in PLC software production is modelling using a formal approach like Petri nets or automata. Afterward, PLC software is produced semiautomatically from the model and refined iteratively. Model checking, on the other hand, is a well-known software verification approach, where typically a set of timed properties are verified by exploring the transition system produced from the software model at hand. Naturally, model checking is applied in a variety of ways to verify the correctness of PLC-based software. In this paper, we provide a broad view about the difficulties that are encountered during the model checking process applied at the verification phase of PLC software production. We classify the approaches from two different perspectives: first, the model checking approach/tool used in the verification process, and second, the software model/source code and its transformation to model checker’s specification language. In a nutshell, we have mainly examined SPIN, SMV, and UPPAAL-based model checking activities and model construction using Instruction Lists (and alike), Function Block Diagrams, and Petri nets/automata-based model construction activities. As a result of our studies, we provide a comparison among the studies in the literature regarding various aspects like their application areas, performance considerations, and model checking processes. Our survey can be used to provide guidance for the scholars and practitioners planning to integrate model checking to PLC-based software verification activities.
Software safety for nuclear reactor protection systems (RPSs) is the most important requirement for the obtainment of permission for operation and export from government authorities, which is why it should be managed with well-experienced software development processes. The RPS software is typically modeled with function block diagrams (FBDs) in the design phase, and then mechanically translated into C programs in the implementation phase, which is finally compiled into executable machine codes and loaded on RPS hardware - PLC (Programmable Logic Controller). Whereas C Compilers are fully-verified COTS (Commercial Off-The-Shelf) software, translators from FBDs to C programs are provided by PLC vendors. Long-term experience, experiments and simulations have validated their correctness and function safety. This paper proposes a behavior-preserving translation from FBD design to C implementation for RPS software. It includes two sets of translation algorithms and rules as well as a prototype translator. We used an example of RPS software in a Korean nuclear power plant to demonstrate the correctness and effectiveness of the proposed translation.
This paper addresses scalability of model-checking using the NuSMV model-checker. To avoid or at least limit combinatory explosion, an efficient representation of PLC programs is proposed. This representation includes only the states that are meaningful for properties proof. A method to translate PLC programs developed in structured text into NuSMV models based on this representation is described and exemplified on several examples. The results, state space size and verification time, obtained with models constructed using this method are compared to those obtained with previously published methods so as to assess efficiency of the proposed representation
Esterel and Safe State Machines (SSMs) are synchronous lan- guages dedicated to the modeling of embedded reactive systems. While Esterel is a textual language, SSMs are based on the graph- ical Statecharts formalism. Statecharts are often more intuitive to understand than their textual counterpart, and their animated simulation can help to visualize subtle behaviors of a program. However, in terms of editing speed, revision management, and meta-modeling, the textual nature of Esterel is advantageous. We present an approach to transform Esterel v5 programs into equiva- lent SSMs. This permits a design flow where the designer develops a system at the Esterel level, but uses a graphical browser and sim- ulator to inspect and validate the system under development. We synthesize SSMs in two phases. The first phase transforms an Esterel program into an equivalent SSM, using a structural trans- lation that results in correct, but typically not very compact SSMs. The second phase iteratively applies optimization rules that aim to reduce the number of states, transitions and hierarchy levels to en- hance readability of the SSM. As it turned out, this optimization is also useful for the traditional, manual design of SSMs. The com- plete transformation has been implemented in a prototypical mod- eling environment, which allows to demonstrate the practicality of this approach and the compactness of the generated SSMs.
The IEC 61131-3 standard defines a model and a set of programming languages for the development of industrial automation software. It is widely accepted by industry and most of the commercial tool vendors advertise compliance with it. On the other side, Model Driven Development (MDD) has been proved as a quite successful paradigm in general-
purpose computing. This was the motivation for exploiting the benefits of MDD in the industrial automation domain.
With the emerging IEC 61131 specification that defines an object-oriented (OO) extension to the function block model, there will be a push to the industry to better exploit the benefits of MDD in automation systems development. This work discusses possible alternatives to integrate the current but also the emerging specification of IEC 61131 in the model driven development process of automation systems. IEC 61499, UML and SysML are considered as possible alternatives to allow the developer to work in higher layers of abstraction than the one supported by IEC 61131 and to more effectively move from requirement specifications into the implementation model of the system.
Twelve years ago, Proceedings of the IEEE devoted a special section to the synchronous languages. This paper discusses the improvements, difficulties, and successes that have occured with the synchronous languages since then. Today, synchronous languages have been established as a technology of choice for modeling, specifying, validating, and implementing real-time embedded applications. The paradigm of synchrony has emerged as an engineer-friendly design method based on mathematically sound tools.
The state of the art in real-time programming is briefly reviewed.
The synchronous approach is then introduced informally and its possible
impact on the design of real-time and reactive systems is discussed. The
authors present and discuss the application fields and the principles of
synchronous programming. The major concern of the synchronous approach
is to base synchronous programming languages on mathematical models.
This makes it possible to handle compilation, logical correctness
proofs, and verification of real-time programs in a formal way, leading
to a clean and precise methodology for design and programming
We introduce a systematic approach for automatically creating a visual diagram, akin to the graphical SCADE model, from a Lustre program. This not only saves tedious manual drawing effort but also enables modeling software to automatically provide the developer with different meaningful views for the same program. We also extend the SCCharts language with data-flow constructs that adhere to the Lustre semantics, which permits a translation from Lustre to graphical SCCharts. This allows using the SCCharts code generation, simulation and visualization tooling also for Lustre programs, in addition to the already existing Lustre compilation techniques. Furthermore, we investigate how the sequentially constructive model of computation, used in SCCharts and other synchronous languages, can be used to conservatively extend Lustre. We have implemented and validated this work with the Eclipse-based open-source KIELER framework.
Programmable Logic Controllers (PLCs) are widely used in the industry for various industrial automation tasks. Besides non-safety applications, the usage of PLCs became accepted in safety-critical installations, where the cost of failure is high. In these cases the used hardware is special (so-called fail-safe or safety PLCs), but also the software needs special considerations. Formal verification is a method that can help to develop high-quality software for critical tasks. However, such method should be adapted to the special needs of the safety PLCs, that are often particular compared to the normal PLC development domain. In this paper we propose two complementary solutions for the formal verification of safety-critical PLC programs based on model checking and equivalence checking using formal specification. Furthermore, a case study is presented, demonstrating our approach.
Eine pragmatische Vorgehensweise für die Softwareentwicklung Eingebetteter Systeme wurde auf die Automatisierungstechnik übertragen. Mit einem Standard-Werkzeug können UML-Modelle automatisch mittels eines Codegenerators in IEC 61131-3 Code übersetzt und in eine Soft-SPS importiert werden. Außerdem ist die Systemarchitektur Teil der ModelIierung und erlaubt somit die automatische Verknüpfung der Hard- und Softwareprojektierung. Am Beispiel einer Sortieranlage werden die Vorgehensweise und die Code-Erzeugung erläutert sowie die Ergebnisse einer ersten Evaluation vorgestellt.
The international standard IEC 61131-3, which supports Brad Cox' concept of "Software-ICs" for industrial control programming, is increasingly being used in safety-related application domains. They include safety-instrumented functions, such as burner management, emergency shutdown and gas leak detection, but also complex automation processes controlling, e.g., chemical production plants. For such highly dependable applications, code inspection and testing, the predominant quality assurance techniques used in practice today, are, in general, not sufficient to demonstrate the functional correctness and safety of an application. This paper presents a theorem prover-based verification technique as a supplementary validation measure. The verification task is separated into the a priori verification of reusable function blocks, which are usually maintained in domain-specific libraries, and a separate compositional proof of individual application programs. Core concepts of the standardized languages, their semantic embedding into higher order logic, and the verification approach are illustrated with a small example. Some design ideas for a verification tool usable by automation engineers and safety licensing authorities conclude the contribution.
We present a new visual language, SCCharts, designed for specifying safety-critical reactive systems. SCCharts use a statechart notation and provide determinate concurrency based on a synchronous model of computation (MoC), without restrictions common to previous synchronous MoCs. Specifically, we lift earlier limitations on sequential accesses to shared variables, by leveraging the sequentially constructive MoC. The semantics and key features of SCCharts are defined by a very small set of elements, the Core SCCharts, consisting of state machines plus fork/join concurrency. We also present a compilation chain that allows efficient synthesis of software and hardware.
In this paper we propose an approach to verify PLC programs, a common platform to control systems in the industry. Programs written in the languages of the IEC 61131-3 standard are automatically translated to B machines and are then amenable to formal analysis of safety constraints and general structural properties of the application. This approach thus integrates formal methods into existing industrial processes.
We present the Esterel programming language which is especially designed to program reactive systems, that is systems which maintain a permanent interaction with their environment: real-time process controllers, communication protocols, man-machine interface drivers, etc. Esterel is a deterministic concurrent programming language. It differs from classical asynchronous languages by its synchrony hypothesis: the outputs of a system are conceptually synchronous with its inputs. The synchrony hypothesis permits a high-level modular programming style simpler and more rigorous than its asynchronous counterpart. We present the imperative primitives of Eesterel and the temporal manipulations they permit. We give a small programming example. We present two mathematical semantics of Eesterel, which are given by conditional rewrite rules and related by a correctness theorem. The behavioral semantics defines the behavior of programs in an uneffective way as the solution of fixpoint equations. The effective execution semantics computes actions to be performed by a conceptually infinitely fast execution machine. To relate the two semantics, we solve the causality problems that are inherent in synchronous formalisms. We show how the Eesterel v2 and Eesterel v3 compilers efficiently translate concurrent Eesterel programs into efficient equivalent sequential automata that can be implemented in conventional sequential languages. We discuss the quality of this object code and the practical adequacy of the synchrony hypothesis.
Effiziente Steuerungsprogrammierung durch automatische Modelltransformation von Matlab/Simulink/Stateflow nach IEC 61131-3
- G Bayrak
- F Abrishamchian
- B Vogel-Heuser
Effiziente Steuerungsprogrammierung durch automatische Modelltransformation von Matlab/Simulink/Stateflow nach IEC 61131-3
- Bayrak