Sebastian Biallas

Arcade.PLC: a verification platform for programmable logic controllers

This paper introduces Arcade.PLC, a verification platform for programmable logic controllers (PLCs). The tool supports static analysis as well as ACTL and past-time LTL model checking using counterexample-guided abstraction refinement for different programming languages used in industry. In the underlying principles of the framework, knowledge about the hardware platform is exploited so as to provide efficient techniques. The effectiveness of the approach is evaluated on programs implemented using a combination of programming languages.

Cloud-Based Control: A Multi-tenant, Horizontally Scalable Soft-PLC

In industrial automation, the control and operation of factories and plants in usually performed by Programmable Logic Controllers (PLCs). As automation tasks find their way into more and more smaller application areas where it is economically not reasonable to employ, engineer and maintain a full, hardware-based PLC, a cloud-based software PLC (Soft-PLC) can serve as a Control-as-a-Service solution. In this paper, we address the question how a Soft-PLC can be augmented with cloud-required aspects such as elastic scalability and multi-tenancy. We introduce an architecture that realizes these properties and allows for the implementation of a multi-tenant, horizontally scalable Soft-PLC. Furthermore, we evaluate the most important quality attributes, i.e. Roundtrip times and scalability of our architecture based on a prototypical implementation and a case study from the building automation domain. Finally, we present lessons learned and give an outlook to further realistic scenarios for cloud-based control in industrial applications.

Automatic test case generation for PLC programs using coverage metrics

This paper presents a method for automatic test case generation for PLC software following the IEC61131-3 standard. The core component is a model checker that iteratively creates program traces, each of them covering a part of the program in terms of a coverage metric. These test cases are translated into Structured Text, a programming languages defined in the IEC61131-3, to allow the execution on a soft-PLC or the actual hardware. Our approach is evaluated on a set of function blocks that are used in industry. We demonstrate that test cases can be automatically generated within few seconds in most cases.

Applying static code analysis on industrial controller code

Static code analysis techniques are a well-established tool to improve the efficiency of software developers and for checking the correctness of safety-critical software components. However, their use is often limited to general purpose or “mainstream” programming languages. For these languages, static code analysis has found its way into many integrated development environments and is available to a large number of software developers. In other domains, e. g., for the programming languages used to develop many industrial control applications, tools supporting sophisticated static code analysis techniques are rarely used. This paper reports on the experience of the authors while adapting static code analysis to a software development environment for engineering the control software of industrial process automation systems. The applicability of static code analysis for industrial controller code is demonstrated by a case study using a real-world control system.

Loop leaping with closures

Loop leaping is the colloquial name given to a form of program analysis in which summaries are derived for nested loops starting from the innermost loop and proceeding in a bottom-up fashion considering one more loop at a time. Loop leaping contrasts with classical approaches to finding loop invariants that are iterative; loop leaping is compositional requiring each stratum in the nest of loops to be considered exactly once. The approach is attractive in predicate abstraction where disjunctive domains are increasingly used that present long ascending chains. This paper proposes a simple and an efficient approach for loop leaping for these domains based on viewing loops as closure operators.

Efficient Handling of States in Abstract Interpretation of Industrial Programmable Logic Controller Code

Abstract This paper presents an efficient static analysis for programmable logic controller code. For each program line (or each function block call), the analysis calculates an over-approximation of the possible values each variable can assume during all possible executions. This information can then be used to automatically check for certain critical program conditions such as division-by-zero and array-out-of-bounds. To make this approach applicable to large programs comprising many variables, we present a technique that only stores the values of a subset of the variables based on their context and liveness. We show how to detect typical problems in real PLC code.

PtrTracker: Pragmatic pointer analysis

Static program analysis for bug detection in industrial C/C++ code has many challenges. One of them is to analyze pointer and pointer structures efficiently. While there has been much research into various aspects of pointer analysis either for compiler optimization or for verification tasks, both classical categories are not optimized for bug detection, where speed and precision are important, but soundness (no missed bugs) and completeness (no false positives) do not necessarily need to be guaranteed.

SAT-based abstraction refinement for programmable logic controllers

This paper studies the application of counterexample-guided abstraction refinement to programs written in Instruction List as part of a model checking framework. More importantly, it presents an approach for automatic abstraction refinement based on SAT solving. This technique is based on an encoding of the semantics of Instruction List in propositional Boolean logic. Since elegant ideas and careful engineering have advanced SAT solvers to the state they can rapidly decide satisfiability of structured problems that involve thousands of variables, this approach scales well in practice. The true force of this method, however, is that a single description of the semantics of a program can be used to perform abstraction refinement in a number of abstract domains, including but not limited to intervals and bit sets, thereby decoupling the refinement from the chosen abstraction.

Predicate Abstraction for Programmable Logic Controllers

In this paper, we present a predicate abstraction for programs for programmable logic controllers (PLCs) so as to allow for model checking safety related properties. Our contribution is twofold: First, we give a formalization of PLC programs in first order logic, which is then used to automatically derive a predicate abstraction using SMT solving. Second, we employ an abstraction called predicate scoping which reduces the evaluation of predicates to certain program locations and thus can be used to exploit the cyclic scanning mode of PLC programs. We show the effectiveness of this approach in a small case study using programs from industry and academia.

Static Analysis of Lockless Microcontroller C Programs

Concurrently accessing shared data without locking is usually a subject to race conditions resulting in inconsistent or corrupted data. However, there are programs operating correctly without locking by exploiting the atomicity of certain operations on a specific hardware. In this paper, we describe how to precisely analyze lockless microcontroller C programs with interrupts by taking the hardware architecture into account. We evaluate this technique in an octagon-based value range analysis using access-based localization to increase efficiency.