Enrique Blanco Viñuela

Formal Verification of Complex Properties on PLC Programs

Formal verification has become a recommended practice in the safety-critical application areas. However, due to the complexity of practical control and safety systems, the state space explosion often prevents the use of formal analysis. In this paper we extend our former verification methodology with effective property preserving reduction techniques. For this purpose we developed general rule-based reductions and a customized version of the Cone of Influence (COI) reduction. Using these methods, the verification of complex requirements formalised with temporal logics (e.g. CTL, LTL) can be orders of magnitude faster. We use the NuSMV model checker on a real-life PLC program from CERN to demonstrate the performance of our reduction techniques.

Applying Model Checking to Industrial-Sized PLC Programs

Programmable logic controllers (PLCs) are embedded computers widely used in industrial control systems. Ensuring that a PLC software complies with its specification is a challenging task. Formal verification has become a recommended practice to ensure the correctness of safety-critical software, but is still underused in industry due to the complexity of building and managing formal models of real applications. In this paper, we propose a general methodology to perform automated model checking of complex properties expressed in temporal logics [e.g., computation tree logic (CTL) and linear temporal logic (LTL)] on PLC programs. This methodology is based on an intermediate model (IM) meant to transform PLC programs written in various standard languages [structured text (ST), sequential function chart (SFC), etc.] to different modeling languages of verification tools. We present the syntax and semantics of the IM, and the transformation rules of the ST and SFC languages to the nuXmv model checker passing through the IM. Finally, two real cases studies of the European Organization for Nuclear Research (CERN) PLC programs, written mainly in the ST language, are presented to illustrate and validate the proposed approach.

Bringing Automated Model Checking to PLC Program Development { A CERN Case Study {

Abstract Verification of critical software is a high priority but a challenging task for industrial control systems. Model checking appears to be an appropriate approach for this purpose. However, this technique is not widely used in industry yet, due to some obstacles. The main obstacles encountered when trying to apply formal verification techniques at industrial installations are the difficulty of creating models out of PLC programs and defining formally the specification requirements. In addition, models produced out of real-life programs have a huge state space, thus preventing the verification due to performance issues. Our work at CERN (European Organization for Nuclear Research) focuses on developing efficient automatic verification methods for industrial critical installations based on PLC (Programmable Logic Controller) control systems. In this paper, we present a tool generating automatically formal models out of PLC code. The tool implements a general methodology which can support several input languages, like the PLC programming languages defined in the IEC 61131 standard, as well as the model formalisms of different model checker tools. The tool supports the three main stages of model checking: system modelization, requirement formalization and counterexample analysis. In addition, a verification case study of a PLC program, written in Structured Text (ST) language implemented at CERN is described. The paper shows that the verification process is automatized and supported by the proposed tool, thus its difficulty is completely hidden for the control engineer.

Formal Verification of Safety PLC Based Control Software

Programmable Logic Controllers PLCs are widely used in the industry for various industrial automation tasks. Besides non-safety applications, the usage of PLCs became accepted in safety-critical installations, where the cost of failure is high. In these cases the used hardware is special so-called fail-safe or safety PLCs, but also the software needs special considerations. Formal verification is a method that can help to develop high-quality software for critical tasks. However, such method should be adapted to the special needs of the safety PLCs, that are often particular compared to the normal PLC development domain. In this paper we propose two complementary solutions for the formal verification of safety-critical PLC programs based on model checking and equivalence checking using formal specification. Furthermore, a case study is presented, demonstrating our approach.

Modelling and Formal Verification of Timing Aspects in Large PLC Programs

One of the main obstacle that prevents model checking from being widely used in industrial control systems is the complexity of building formal models out of PLC programs, especially when timing aspects need to be integrated. This paper brings an answer to this obstacle by proposing a methodology to model and verify timing aspects of PLC programs. Two approaches are proposed to allow the users to balance the trade-off between the complexity of the model, i.e. its number of states, and the set of specifications possible to be verified. A tool supporting the methodology which allows to produce models for different model checkers directly from PLC programs has been developed. Verification of timing aspects for real-life PLC programs are presented in this paper using NuSMV.

Model-based automated testing of critical PLC programs

Testing of critical PLC (Programmable Logic Controller) programs remains a challenging task for control system engineers as it can rarely be automated. This paper proposes a model based approach which uses the BIP (Behavior, Interactions and Priorities) framework to perform automated testing of PLC programs developed with the UNICOS (UNified Industrial COntrol System) framework. This paper defines the translation procedure and rules from UNICOS to BIP which can be fully automated in order to hide the complexity of the underlying model from the control engineers. The approach is illustrated and validated through the study of a water treatment process.

PLC code generation based on a formal specification language

The complexity and quality needs of PLC-based control system software have largely increased. Formal specification methods can help to cope with these needs. Besides formal verification, another benefit of a formal specification language is the possibility to provide automatic generation of the final source code. This paper overviews PLCspecif, our formal specification language for PLC programs and presents a code generation method for the language. The result of the code generator is a Structured Text (ST) code that not only corresponds to the formal semantics of the specification, but is also configurable, readable, understandable, and follows development conventions and standards. The code generation method shows that PLC-specif is applicable and well-adapted to the PLC domain.

Nonlinear Model Predictive Control for the Superfluid Helium Cryogenic Circuit of the Large Hadron Collider

Superfluid helium is used in the cryogenic circuit that cools down and stabilizes temperature of more than 1600 high performance, main superconducting magnets of the Large Hadron Collider (LHC) - the new particle accelerator at European Organization for Nuclear Research (CERN). This paper presents a simulation study of the application of Nonlinear Model Predictive Control (NMPC) to the Superfluid Helium Cryogenic Circuit. First, the new first principles, distributed parameter model of the circuit to be used in online optimization is reviewed. Then stabilization of the superconducting magnets temperature using NMPC based on the model and Continuation/ Generalized Minimum Residual (C/GMRES) algorithm is described. Finally the small computational cost of C/GMRES solution/approximation method and resulting real-time feasibility are highlighted.

JACoW : What is special about PLC software model checking?

Model checking is a formal verification technique to check given properties of models, designs or programs with mathematical precision. Due to its high knowledge and resource demand, the use of model checking is restricted mainly to core parts of highly critical systems. However, we and many other authors have argued that automated model checking of PLC programs is feasible and beneficial in practice. In this paper we aim to explain why model checking is applicable to PLC programs even though its use for software in general is too difficult. We present an overview of the particularities of PLC programs which influence the feasibility and complexity of their model checking. Furthermore, we list the main challenges in this domain and the solutions proposed in previous works. Authors’ manuscript. Presented at the 16th Int. Conference on Accelerator and Large Experimental Control Systems (ICALEPCS 2017), Barcelona, Spain, 2017. The final publication is available via DOI 10.18429/JACoW-ICALEPCS2017-THPHA159.

Beam screen cryogenic control improvements for the LHC run 2

This paper presents the improvements made on the cryogenic control system for the LHC beam screens. The regulation objective is to maintain an acceptable temperature range around 20 K which simultaneously ensures a good LHC beam vacuum and limits cryogenic heat loads. In total, through the 27 km of the LHC machine, there are 485 regulation loops affected by beam disturbances. Due to the increase of the LHC performance during Run 2, standard PID controllers cannot keeps the temperature transients of the beam screens within desired limits. Several alternative control techniques have been studied and validated using dynamic simulation and then deployed on the LHC cryogenic control system in 2015. The main contribution is the addition of a feed-forward control in order to compensate the beam effects on the beam screen temperature based on the main beam parameters of the machine in real time.