Alexander Weigl

Regression Verification for Programmable Logic Controller Software

Automated production systems are usually driven by Programmable Logic Controllers (PLCs). These systems are long-living – yet have to adapt to changing requirements over time. This paper presents a novel method for regression verification of PLC code, which allows one to prove that a new revision of the plant’s software does not break existing intended behavior.

Proving equivalence between control software variants for Programmable Logic Controllers

Automated production systems are usually driven by Programmable Logic Controllers (PLCs). These systems are long-living and have high requirements for software quality to avoid downtimes, damaged product and harm to personnel. While commissioning multiple systems of similar type, pragmatic adjustments of the software are often necessary, which results in two or more similar variants of initially identical software. For further evolution of the software, an equivalence analysis of the softwares behavior is beneficial to merge divergent development branches into a single program version. This paper presents a novel method for regression verification of PLC code, which allows one to prove that two variants of a plants software behave identically in specified situations, despite being implemented differently. For this, a regression verification method for PLC code was designed, implemented and evaluated. The notion of program equivalence for reactive PLC code is clarified and defined. Core elements of the method are the translation of PLC code into the SMV input language for model checkers, the adaptation of the coupling invariants concept to reactive systems, and the implementation of a toolchain using a model checker. The approach was successfully evaluated using the Pick-and-Place Unit benchmark case study.

Sound Probabilistic #SAT with Projection

We present an improved method for a sound probabilistic estimation of the model count of a boolean formula under projection. The problem solved can be used to encode a variety of quantitative program analyses, such as concerning security of resource consumption. We implement the technique and discuss its application to quantifying information flow in programs.

Efficient SAT-Based Pre-image Enumeration for Quantitative Information Flow in Programs

Quantitative Information Flow Analysis (QIF) measures the loss of an attacker’s uncertainty about the confidential information (pre-image) inside a software system after observing the system outputs (image). In this paper, we supplement the SAT-based QIF analysis for deterministic and terminating C programs, by introducing three algorithms for counting the pre-images and images, which utilizes advantages of incremental SAT solvers. Our tool sharpPI is competitive to mql, quail and chimp. An implementation is provided under http://formal.iti.kit.edu/sharpPI.

Generalised Test Tables: A Practical Specification Language for Reactive Systems

In industrial practice today, correctness of software is rarely verified using formal techniques. One reason is the lack of specification languages for this application area that are both comprehensible and sufficiently expressive. We present the concepts and logical foundations of generalised test tables – a specification language for reactive systems accessible for practitioners. Generalised test tables extend the concept of test tables, which are already frequently used in quality management of reactive systems. The main idea is to allow more general table entries, thus enabling a table to capture not just a single test case but a family of similar behavioural cases. The semantics of generalised test tables is based on a two-party game over infinite words.

A verification-supported evolution approach to assist software application engineers in industrial factory automation

Automated production systems (aPS) are complex systems with high reliability standards which can - besides through traditional testing - be ensured by verification using formal methods. In this paper we present a development process for aPS software supported by efficient formal techniques with easy-to-use specification formalisms to increase applicability in the aPS engineering domain. Our approach is tailored to the development of evolving aPS as existing behavior of earlier revisions is reused as specification for the verification. The approach covers three verification phases: regression verification, verification of critical interlock invariants and delta specification and verification. The approach is designed to be comprehensible by aPS software engineers: Two practically applicable specification means are presented. Formal methods have not yet been widely adapted in industrial aPS development since they lack (a) scalability, and (b) concise and comprehensible specification means. This paper shows concepts how to tackle both issues by referring to existing behavior during evolution verification to advance towards the goal of applicability in the aPS engineering domain. A laboratory case study demonstrates the feasibility and performance of the approach and shows promising results.

Generation of monitoring functions in production automation using test specifications

High quality requirements are set for automated production systems (aPS) as malfunctions can harm humans or cause severe financial loss. These malfunctions can be caused by faults in the control software of the aPS or its inability to correctly identify and handle unintended situations and errors in the technical process or hardware behavior. To achieve more dependable control software, software testing and formal verification can be used to find faults in the software, but require to make assumptions about possible situations (inputs) occurring in the aPS during runtime and often only allow the validation of specific cases. Monitoring individual functions within the control software during runtime can help to identify unspecified situations and raise warnings of the uncertainty about the suitability of a reaction. Yet, the design of reliable monitoring functions requires extensive experience and resources. For this reason, we propose a method for generating monitoring functions from available testing and verification specifications initially used for validating a control software function. Through this, it is possible to continuously assess the behavior of individual software functions and to identify and warn about a) violations of the test specification during runtime and b) unintended situations in which correct software behavior was never tested. Thus, the approach can help to assess and improve both the control software and specification quality through observation and behavior assessment far beyond the testing phase by efficiently reusing existing test specifications for runtime monitoring.