An algebraic approach for PLC programs verification
Jean-Marc Roussel, Jean-Marc Faure

To cite this version:
Jean-Marc Roussel, Jean-Marc Faure. An algebraic approach for PLC programs verification. 6th International Workshop on Discrete Event Systems (WODES’02), Oct 2002, Zaragoza, Spain. pp. 303-308. hal-00356884

HAL Id: hal-00356884
https://hal.archives-ouvertes.fr/hal-00356884
Submitted on 28 Jan 2009

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

An algebraic approach for PLC programs verification

Jean-Marc Roussel, Jean-Marc Faure
LURPA-ENS de Cachan
61, Avenue du Pt Wilson
F-94235 Cachan Cedex FRANCE
Jean-Marc.Roussel@lurpa.ens-cachan.fr, Jean-Marc.Faure@lurpa.ens-cachan.fr

Abstract

This article presents a verification method based on a specific Boolean algebra, called \( \mathcal{I} \), and on symbolic reasoning on equations defined in this algebra. The formal definition of this algebra makes it possible to model binary signals that include variable states, events, and physical delays between events. The behaviour of the generic function blocks of the IEC 61131 standard, as well as of PLC programs using these function blocks, can be described in this algebra. Properties of PLC programs are proved by deriving, from the program, the formulas that express in the \( \mathcal{I} \) algebra the properties to be proved.

1. Introduction

Programmable Logic Controllers (PLC) perform numerous control tasks in manufacturing, transport and power systems. In order to ensure the safety of these systems, formal verification of PLC programs is a major industrial concern. Program verification does not aim simply at checking the intrinsic properties of the program regardless of the application (no infinite loop, no locking point, etc.), but also at checking that the program behaviour complies with the application requirements. In this article we will mainly focus on this last kind of property: the compliance of a given program with the properties required for the application.

Many methods have been developed to formally verify PLC programs written in the IEC 61131-3 languages [5]. They have often used, or adapted to Control Engineering, methods issued from Computer Science such as model-checking [1] or translation into synchronous languages [6]. A good survey as well as a relevant classification can be found in [3].

Our laboratory has contributed to this issue through several works in model-checking over the last ten years. The first works used a specific model-checking tool [10], developed for checking properties on Sequential Function Charts (SFC); the latest ones [9], [7] benefit from the SMV symbolic model-checker [8].

The results of these works are of interest because they have made it possible to formally verify properties of industrial PLC programs written in several languages of the IEC 61131-3 standard. Nevertheless, these researches have clearly pointed out that in some cases the model-checker is unable to provide a solution because of combinatorial explosion. This drawback of model-checking has led us to undertake works aiming at providing another, complementary verification method.

Tackling the combinatorial explosion problem requires considering the underlying theory of model-checking tools. All these tools are built on DES theory and therefore consider a program as a state automaton. Even if symbolic model-checking is employed, the size of this automaton can be so huge that combinatorial explosion occurs when dealing with some industrial programs. We have consequently searched for a verification method based on a more compact representation and have chosen an algebraic representation. With this approach the program shall be represented by a set of equations and verification shall be performed by symbolic reasoning on this set. The properties to be proved (the application requirements) shall therefore also be represented in the same algebraic form. Once the algebraic approach is chosen, a problem arises: which algebra is to be used? As the purpose is to represent the variables and the instructions of PLC standard languages, such as edge detectors, timer function blocks and Boolean memories, an algebra dealing only with the states of Boolean variables is not suitable. We need to represent states, events and physical delays within the same formalism. This is why we have decided to develop a new algebra providing this possibility. This algebra has been called \( \mathcal{I} \) because its aim is to represent states, events and delays at one and the same time; it is therefore an Integrating framework.

This article is structured in the following way. The first section gives an overview of the verification method. Then we present the elements of the \( \mathcal{I} \) algebra as well as the way in which we express the behaviour of the basic function blocks of PLC standard languages in this algebra. This makes it possible to establish generic properties of these function blocks that are useful when demonstrating the required properties. An example of formal verification of a safety-related program is given in the last part.

2 Verification method overview

PLC programs are developed by control engineers who use their skills and experience to elaborate these programs from the requirements, with or without a development method specific to the application field considered, or imposed by the customer or by the system supplier. The verification method shall be independent of the chosen development method. On the other hand, the languages of the IEC 61131-3 standard are widely used for PLC programming and we will only consider programs written in these languages.

The first step of the verification method (Figure 1) provides a formal representation in $\mathcal{I}$ of the program behaviour. In the same way, the properties required for the application have to be formalised as algebraic formulas. The last step is merely symbolic reasoning on the first set of formulas (those obtained from the program) in order to derive the formulas expressing the required properties.

3 A Boolean algebra for binary signals

3.1 Binary signals modelling

As mentioned in the introduction, the $\mathcal{I}$ algebra shall provide a formal framework to represent and manipulate Boolean variable states, Boolean events and physical delays between events. The main idea behind the definition of this algebra has been to consider binary signals, i.e. variables describing the evolution over time of Boolean values.

These evolutions are usually represented by timing diagrams. This representation is quite useful for control engineers but is not at all based on a sound formalism. In order to provide a formal framework for binary signals, we propose to represent them as piecewise-continuous functions from $\mathbb{R}^+$ to $\mathbb{B} = \{0, 1\}$. The elements of $\mathcal{I}$ are consequently formally defined in the following way:

$$\mathcal{I} = \left\{ f : \mathbb{R}^+ \rightarrow \mathbb{B} \;\middle|\; \forall t \in \mathbb{R}^+,\ \exists \epsilon > 0 : \forall (\epsilon_1, \epsilon_2) \in (0, \epsilon)^2,\ f(t - \epsilon_1) = f(t - \epsilon_2) \right\}$$

Figure 2 shows an example of a function that is an element of $\mathcal{I}$. Attention shall be paid to the right-continuity used for the edges (at the dates $t_1$ and $t_3$) and to the double discontinuity (at the dates $t_2$ and $t_4$), which is mandatory to model events. A more detailed presentation is given in [11].

Figure 2. Example of a function element of $\mathcal{I}$ (figure not reproduced)

To distinguish the operations on the elements of $\mathcal{I}$ from the operations on Booleans, different notations are used:

- $f, g, h$ refer to elements of $\mathcal{I}$,
- $f(t), g(t), h(t)$ refer to Booleans, the values of $f, g, h$ at a given instant $t$,
- "$\land$", "$\lor$", "$\lnot$" mean respectively the logical AND, OR, NOT on Booleans,
- "$\cdot$", "$+$", "$\neg$" are used for the operations of $\mathcal{I}$.

$\mathcal{I}$ contains two special elements, $1^*$ (the one element) and $0^*$ (the zero element), defined as follows:

$$1^* : \mathbb{R}^+ \rightarrow \mathbb{B},\ t \mapsto 1 \qquad\qquad 0^* : \mathbb{R}^+ \rightarrow \mathbb{B},\ t \mapsto 0$$

3.2 Structure of Boolean Algebra

To compose the elements of \( \mathcal{I} \), three closed operations have been defined:

The AND operation
\[
\mathcal{I}^2 \rightarrow \mathcal{I}, \quad (f, g) \mapsto f \cdot g
\]

The OR operation
\[
\mathcal{I}^2 \rightarrow \mathcal{I}, \quad (f, g) \mapsto f + g
\]

The NOT operation
\[
\mathcal{I} \rightarrow \mathcal{I}, \quad f \mapsto \neg f
\]

\((\mathcal{I}, +, \cdot, 1, 0)\) is a Boolean algebra because the following conditions are satisfied for all \( f, g, h \in \mathcal{I} \):

- Commutative Laws:
  \[ f \cdot g = g \cdot f \quad f + g = g + f \]
- Distributive Laws:
  \[ f \cdot (g + h) = (f \cdot g) + (f \cdot h) \quad f + (g \cdot h) = (f + g) \cdot (f + h) \]
- Absorption Laws:
  \[ f \cdot (f + g) = f \quad f + (f \cdot g) = f \]
- Idempotent Laws:
  \[ f \cdot f = f \quad f + f = f \]
- Identity Laws:
  \[ f \cdot 1 = f \quad f + 0 = f \]
- Dominance Laws:
  \[ f \cdot 0 = 0 \quad f + 1 = 1 \]
- Inverse Laws:
  \[ f \cdot \neg f = 0 \quad f + \neg f = 1 \]

As \((\mathcal{I}, +, \cdot, 1, 0)\) is a Boolean algebra, the properties hereunder are also satisfied [4]:

\[
\begin{align*}
& f \cdot f = f \qquad f + f = f \\
& f \cdot 0 = 0 \qquad f + 1 = 1 \\
& f \cdot (f + g) = f \qquad f + (f \cdot g) = f \\
& f \cdot (g \cdot h) = (f \cdot g) \cdot h \qquad f + (g + h) = (f + g) + h
\end{align*}
\]

A partial order between elements of \( \mathcal{I} \) can be introduced by the relation "implication", which corresponds to set inclusion. This relation is defined as follows:

\[ f \rightarrow g \quad \text{if and only if} \quad \forall t \in \mathbb{R}^+, \quad f(t) \Rightarrow g(t) \]

where \( \Rightarrow \) is the implication on Booleans.

4 Function blocks behavior and properties

Once the algebra is defined, it is possible to obtain a formal description of all the Boolean function blocks of the IEC 61131-3 standard. This part focuses only on Boolean memories, timers and edge detectors.

4.1 Memory operations

The bistable function blocks are defined in the standard as follows (the standard's table giving the graphical form and the function block body of the set dominant and reset dominant bistables is not reproduced).

Two operations on \( \mathcal{I} \) have been defined to give an algebraic semantics to the bistable function blocks:

The SR operation
\[
\mathcal{I}^2 \rightarrow \mathcal{I}, \quad (s, r) \mapsto \text{SR}(s, r)
\]

with \( \forall t \in \mathbb{R}^+ \):

\[
\text{SR}(s, r)(t) = s(t) \lor \left( \lnot r(t) \land \exists t_1 \in [0, t] : \left( s(t_1) = 1 \land \forall t_2 \in [t_1, t],\ r(t_2) = 0 \right) \right)
\]

Figure 3 depicts two binary signals \( s, r \), inputs of the SR and RS function blocks, and the corresponding outputs \( \text{SR}(s, r), \text{RS}(s, r) \).

With these definitions, the following theorems have been established:

\[
\begin{align*}
& s \rightarrow \text{SR}(s, r) \qquad r \rightarrow \neg \text{RS}(s, r) \\
& \text{SR}(s, 1) = s \qquad \text{SR}(1, r) = 1 \qquad \text{SR}(0, r) = 0 \\
& \text{RS}(s, 1) = 0 \qquad \text{RS}(1, r) = \neg r \qquad \text{RS}(0, r) = 0 \\
& \text{RS}(s, 0) = \text{SR}(s, 0) \qquad \text{RS}(s + r, r) = \text{RS}(s, r) \\
& \text{SR}(s, r_1 + r_2) = \text{SR}(s, r_1) \cdot \text{SR}(s, r_2) \\
& \text{SR}(s_1 + s_2, r) = \text{SR}(s_1, r) + \text{SR}(s_2, r) \\
& \text{RS}(s, r_1 + r_2) = \text{RS}(s, r_1) \cdot \text{RS}(s, r_2) \\
& \text{RS}(s_1 + s_2, r) = \text{RS}(s_1, r) + \text{RS}(s_2, r)
\end{align*}
\]

4.2 Timing operations

The timer function blocks are defined in the standard as follows (the standard's tables giving the graphical form and the timing diagram of the ON-delay timer TON and of the OFF-delay timer TOF are not reproduced).

The algebraic semantics of these function blocks, for a delay \( d > 0 \), is the following:

The TON operation
\[
\mathcal{I} \rightarrow \mathcal{I}, \quad f \mapsto d/f
\]
with \( \forall t \in \mathbb{R}^+ \),

\[
(d/f)(t) = \begin{cases}
0 & \text{for } t < d \\
1 \text{ if } \forall t_1 \in (t - d, t],\ f(t_1) = 1, \text{ else } 0 & \text{for } t \geq d
\end{cases}
\]

The TOF operation
\[
\mathcal{I} \rightarrow \mathcal{I}, \quad f \mapsto f/d
\]
with \( \forall t \in \mathbb{R}^+ \),

\[
(f/d)(t) = \begin{cases}
1 \text{ if } \exists t_1 \in [0, t],\ f(t_1) = 1, \text{ else } 0 & \text{for } t < d \\
1 \text{ if } \exists t_1 \in (t - d, t],\ f(t_1) = 1, \text{ else } 0 & \text{for } t \geq d
\end{cases}
\]

Figure 4 depicts a binary signal \( f \), input of the TON and TOF function blocks and the corresponding outputs \( d/f \), \( f/d \).

These definitions make it possible to establish the following theorems:

\[d/f \Rightarrow f \quad f \Rightarrow f/d\]

4.3 Edge operations

The edge detection function blocks are defined in the standard as follows (the standard's tables giving the graphical form of the rising edge detector and of the falling edge detector are not reproduced).

As previously, two operations on \( \mathcal{I} \) are defined:

The Rising Edge operation
\[
\mathcal{I} \rightarrow \mathcal{I}, \quad f \mapsto \uparrow f
\]

The Falling Edge operation
\[
\mathcal{I} \rightarrow \mathcal{I}, \quad f \mapsto \downarrow f
\]

with \( \forall t \in \mathbb{R}^+ \):

\[
\begin{align*}
\uparrow f(t) &= f(t) \land \left( \exists \varepsilon_0 > 0 \mid \forall \varepsilon \in (0, \varepsilon_0),\ f(t - \varepsilon) = 0 \right) \\
\downarrow f(t) &= \overline{f(t)} \land \left( \exists \varepsilon_0 > 0 \mid \forall \varepsilon \in (0, \varepsilon_0),\ f(t - \varepsilon) = 1 \right)
\end{align*}
\]

Figure 5 depicts a binary signal $f$, input of the Rising Edge and Falling Edge function blocks, and the corresponding outputs $\uparrow f$, $\downarrow f$.

5 Example

The usefulness of the $\mathcal{I}$ algebra for property checking will be demonstrated on a simple safety-related program. The aim of this program is to monitor the safe operation of the two pushbuttons used to operate presses and similar dangerous machinery. It ensures that both hands of an operator are kept outside the danger zone during machine operation. Usually this safety-related function is realised by safety relay systems tested and approved by standards institutions. Nowadays this function is available in programmable safety systems. The behaviour of this function is standardised [2]. The main points are:

P1  A cycle can only be initiated by pressing the two pushbuttons simultaneously (within 0.5 s).

P2  A cycle is interrupted by releasing one or both buttons to stop the output.

P3  The output signal can only be reinitiated after both inputs have been released and the pushbuttons are operated again.

Figure 6. Two-hand monitoring: external interface and body (figure not reproduced)

To obtain this behaviour, the control program depicted in figure 6 has been designed. This program is written in the Function Block Diagram (FBD) PLC programming language, though an equivalent program could be given in Ladder Diagram (LD). Only standard functions have been used: bitwise Boolean functions (AND, OR), bistable function blocks (SR, RS) and edge detection function blocks (R_TRIG).

This program can be modelled in $\mathcal{I}$ as follows:

\[
\begin{align*}
MVT &= \text{RS}(S_1 \cdot S_2, S_3) \\
S_1 &= \neg(B_1 + B_2)/0.5\,\mathrm{s} \\
S_3 &= \neg(B_1 \cdot B_2)
\end{align*}
\]

The properties P1 and P2 can easily be proved from this formal definition of the program. These properties are written in $\mathcal{I}$ as follows:

P1  To set "$MVT$", it is necessary to have the two pushbuttons pressed and not to have one or both buttons pressed for 0.5 s.

\[ \uparrow MVT \Rightarrow B_1 \cdot B_2 \cdot \neg\big(0.5\,\mathrm{s}/(B_1 + B_2)\big) \]

P2  If a pushbutton is released, the output "$MVT$" is reset.

\[ \neg B_1 + \neg B_2 \Rightarrow \neg MVT \]

The property P2 is merely proved as follows:

- \[ S_3 = \neg(B_1 \cdot B_2) = \neg B_1 + \neg B_2 \]  by definition of $S_3$ (De Morgan)
- \[ S_3 \Rightarrow \neg MVT \]  using: \( r \Rightarrow \neg \text{RS}(s, r) \)
- \[ \neg B_1 + \neg B_2 \Rightarrow \neg MVT \]  consequently
The property $P_1$ is proved as follows:

- \[ \uparrow MVT = \uparrow \text{RS}(S_1 \cdot S_2, S_3) \]  by definition of $MVT$
- \[ \uparrow \text{RS}(S_1 \cdot S_2, S_3) \Rightarrow S_1 \cdot S_2 \]  using: $\uparrow \text{RS}(s, r) \Rightarrow s$ (property not yet presented)
- \[ \uparrow (S_1 \cdot S_2) \Rightarrow S_1 \cdot S_2 \]  using: $\uparrow f \Rightarrow f$
- \[ \uparrow MVT \Rightarrow S_1 \cdot S_2 \]  by definition of $\Rightarrow$
- \[ \neg S_3 = \neg\neg(B_1 \cdot B_2) = B_1 \cdot B_2 \]  law of the double complement
- \[ \neg S_1 = \neg\big(\neg(B_1 + B_2)/0.5\,\mathrm{s}\big) = 0.5\,\mathrm{s}/(B_1 + B_2) \]  using: $t_1/\neg f = \neg(f/t_1)$
- \[ S_1 \cdot \neg S_3 = B_1 \cdot B_2 \cdot \neg\big(0.5\,\mathrm{s}/(B_1 + B_2)\big) \]  using the preceding results
- \[ \uparrow MVT \Rightarrow B_1 \cdot B_2 \cdot \neg\big(0.5\,\mathrm{s}/(B_1 + B_2)\big) \]  consequently
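As an added example (not the authors' code), here is a small Python model of the signals and operations of section 4 applied to the two-hand program: a signal is a right-continuous piecewise-constant function carried together with the dates where it may change, AND, OR, NOT, TON, TOF, rising edge, SR and RS follow the definitions above, and the theorems $d/f \rightarrow f$, $f \rightarrow f/d$ and the properties P1 and P2 are checked on constructed button traces. The set input $S_2$ of the program is not given on the page, so the condition used for it here is an assumption.

```python
"""Added model of the I algebra: right-continuous, piecewise-constant signals
R+ -> {0,1} with the IEC 61131-3 operations of section 4 and the two-hand program."""
EPS = 1e-6  # assumed smaller than any gap between two dates of interest

class Sig:
    """A signal: a membership test at(t) plus the dates where it may change."""
    def __init__(self, at, breaks):
        self.at, self.breaks = at, sorted(set(breaks))

def state(on):  # constructed state signal, 1 on each [a, b): right-continuous edges
    return Sig(lambda t: any(a <= t < b for a, b in on), [x for ab in on for x in ab])
def AND(f, g): return Sig(lambda t: f.at(t) and g.at(t), f.breaks + g.breaks)
def OR(f, g):  return Sig(lambda t: f.at(t) or g.at(t), f.breaks + g.breaks)
def NOT(f):    return Sig(lambda t: not f.at(t), f.breaks)

def _samples(f, lo, hi):  # dates that determine a piecewise-constant f on (lo, hi]
    return [lo + EPS / 2] + [b for b in f.breaks if lo < b <= hi] + [hi]

def TON(d, f):  # d/f: 1 iff f has been 1 throughout (t-d, t]
    return Sig(lambda t: t >= d and all(f.at(x) for x in _samples(f, t - d, t)),
               f.breaks + [b + d for b in f.breaks])
def TOF(f, d):  # f/d: 1 iff f has been 1 somewhere in (t-d, t] (clipped at 0)
    return Sig(lambda t: any(f.at(x) for x in _samples(f, max(t - d, -EPS / 2), t)),
               f.breaks + [b + d for b in f.breaks])
def RTRIG(f):   # rising edge: an event, 1 only at the instants where f switches to 1
    return Sig(lambda t: f.at(t) and not f.at(t - EPS), f.breaks)

def _held(s, r, t):  # exists t1 <= t with s(t1) = 1 and r = 0 on [t1, t] (latch memory)
    return any(s.at(t1) and not any(r.at(x) for x in
                                    [t1] + (_samples(r, t1, t) if t1 < t else []))
               for t1 in [0.0] + [b for b in s.breaks + r.breaks if 0 < b <= t])
def SR(s, r):  # set dominant bistable
    return Sig(lambda t: s.at(t) or _held(s, r, t), s.breaks + r.breaks)
def RS(s, r):  # reset dominant bistable
    return Sig(lambda t: not r.at(t) and (s.at(t) or _held(s, r, t)),
               s.breaks + r.breaks)

def implies(f, g, sigs):  # f -> g, checked at every date where a signal may change
    dates = {b + e for s in sigs for b in s.breaks for e in (-EPS, 0, EPS) if b + e >= 0}
    return all(g.at(t) or not f.at(t) for t in dates)
# Constructed button traces (seconds): a valid start at 1.2 s, a release at 3.0 s,
# then a second attempt with the two buttons pressed 1 s apart.
B1 = state([(1.0, 3.0), (4.0, 7.0)])
B2 = state([(1.2, 3.5), (5.0, 7.0)])
D = 0.5
S1 = TOF(NOT(OR(B1, B2)), D)   # still within 0.5 s of "no button pressed"
S3 = NOT(AND(B1, B2))          # reset input: at least one button released
S2 = RTRIG(AND(S1, NOT(S3)))   # assumed set condition: the paper does not give S2
MVT = RS(AND(S1, S2), S3)

def two_hand_checks():
    """P1 and P2 of the paper on the traces, plus MVT at 2 s and at 6 s."""
    sigs = [B1, B2, S1, S2, S3, MVT]
    p1 = implies(RTRIG(MVT), AND(AND(B1, B2), NOT(TON(D, OR(B1, B2)))), sigs)
    p2 = implies(OR(NOT(B1), NOT(B2)), NOT(MVT), sigs)
    return p1, p2, MVT.at(2.0), MVT.at(6.0)   # (True, True, True, False)

def timer_theorems():
    """d/f -> f and f -> f/d (section 4.2), checked on the signal B1 + B2."""
    f = OR(B1, B2)
    return implies(TON(D, f), f, [f, TON(D, f)]), implies(f, TOF(f, D), [f, TOF(f, D)])
```

The second attempt (buttons pressed 1 s apart) never sets MVT, and P1 is only exercised at the single rising edge at 1.2 s, which is where the check against the 0.5 s TON matters.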

The $P_3$ property involves states of the same variables at different dates (for instance, both inputs shall be at the false level at a given date $t$ and at the true level at another date $t'$ greater than $t$) and is therefore not as easy to prove as the first two. This property can be written in CTL temporal logic as follows:

\[ AG\,\big( mvt \Rightarrow \neg E[\, (b_1 \land b_2)\ U\ (\neg mvt \land EX\, mvt) \,] \big) \]

To verify this kind of property, we are currently developing new operations on $\mathcal{I}$ that make it possible to analyse the past of binary signals.

6 Conclusion and perspectives

The $\mathcal{I}$ algebra provides a formal framework to represent Boolean variable states, events and physical delays, and has made it possible to develop the verification method presented in this article. This method has been tested successfully in several cases. It is particularly well suited to structured programs such as industrial ones. The example described in this article is written in FBD; the same equations and reasoning would be obtained with a program in Ladder Diagram. Moreover, the function blocks presented are defined for all the IEC 61131-3 languages (e.g. SFC); the results obtained may therefore be applied to any program developed in these languages.

To help the designer in property checking, we have developed during the last year a solver under Mathematica®. This software relies on the basic properties of this Boolean algebra as well as on the theorems related to function blocks, and is able to simplify expressions on $\mathcal{I}$. The designer uses this tool to carry out symbolic calculus on $\mathcal{I}$. For our example, the properties $P_1$ and $P_2$ have been demonstrated automatically thanks to this solver.

The perspectives of these works are both formal and methodological. As mentioned at the end of the previous section, new operations increasing the checking capabilities in $\mathcal{I}$ are under development. From a methodological point of view, we have to consider the cooperation between the two verification methods currently used in our laboratory: model-checking and symbolic reasoning in $\mathcal{I}$. A rational and complementary use of these two approaches will be of benefit for the verification of large industrial PLC programs.

References