

# Formal Methods and Verification (FMV)

#### **HSE-RP**

Katharina Ceesay-Seitz Hamza Boukabache **BE-ICS** 

Ignacio David Lopez Miguel Borja Fernández Adiego Jean-Charles Tournier Enrique Blanco Viñuela

09/12/2021

## Context – Formal Methods and Verification (FMV)

- Initiative from HSE-RP and BE-ICS
- Support of the RAS WG

**Formal methods** can contribute to design and develop **safe and reliable systems** 

## Objectives:

- Build a CERN formal methods community
- Inventory and return of experience of CERN projects and tools using formal methods
- Promote the collaboration between different groups
- Identify the applicability of formal methods to other areas
- Inform other groups on the benefits of the methods
- Establish relation with external institutes / universities / companies
- Report on current research status (e.g. conference reports)

## Context - Failure categories

#### RAS WG



From degradation mechanism

Stochastic methods **Measures** to combat the hardware random failures (e.g. RBD, FTA, etc.)

#### 2. Systematic Failures

- Incorrect specification/design
- Human errors
- Software errors
- Maintenance and modifications
- ....

Deterministic methods Measures to combat the systematic failures (e.g. formal specification, formal verification, (functional) testing, etc.)

#### **Formal Methods**

All types of failures have an impact on the **reliability** and **availability** of the global system

## Contents

## 1. Brief introduction to formal methods

- What are/ Where can we apply/ When should we apply formal methods?
- Why they are not very popular in certain industries (yet)?

## 2. CERN examples

- Industrial Controls domain (BE-ICS):
  - Formal Verification (**model checking**) of PLC programs
  - Formal Specification of PLC programs
- Digital electronics design domain (HSE-RP)
  - Formal Verification (model checking) of VHDL code
  - Semi-formal **specification** of requirements for HDL designs

## **3. Conclusions**

## What are Formal Methods?

#### Techniques based on mathematics and formal logic (precise semantics)



## Where can we use Formal Methods?

Different phases of a system development, for example:

- Specification and modelling: use of unambiguous languages to describe a system (precise description, code generation, test case generation, etc.)
- Formal model **simulation**: formal models to simulate the behaviour of the real system (e.g. model simulation with UPPAAL)
- Formal verification: formalized properties checked against a formal model (e.g. model checking)
- Test or code generation: formal models to generate relevant test cases or the code itself
- Equivalence checking (does the implementation **match** the specification?)
- and more ...

## Where are Formal Methods being used?

#### Formal specification

amazon

Using TLA+ to create a clear and concise specification, leading to a subsequent

code reduction https://cacm.acm.org/magazines/2015/4/184701-how-amazon-web-services-uses-formal-methods/fulltext

Formal verification





Correctness, Modelling and Performance of Aerospace Systems <a href="http://www.compass-toolset.org">http://www.compass-toolset.org</a>

#### FACEBOOK Meta

Integration of their static analyser INFER into their software development

process <a href="https://www.inf.ed.ac.uk/teaching/courses/sp/2019/lecs/distefano-scaling-2019.pdf">https://www.inf.ed.ac.uk/teaching/courses/sp/2019/lecs/distefano-scaling-2019.pdf</a>



Use of the model checker SPIN to verify the model of a software <a href="http://spinroot.com/gerard/pdf/spin04.pdf">http://spinroot.com/gerard/pdf/spin04.pdf</a>



Verification of **neural-network**-based **control** systems in non-towered airports to avoid collisions at landing

https://www.researchgate.net/publication/356096882\_Formal\_Analysis\_of\_Neural\_Network-Based\_Systems\_in\_the\_Aircraft\_Domain



And many more ...



Formal Verification of Critical Aerospace Software https://hal.archives-ouvertes.fr/hal-01184099/document



Use of the formal specification language **VDM** to specify industrial applications https://www.researchgate.net/publication/2879682\_The\_IFAD\_VDM-SL\_toolbox

## Why aren't Formal Methods widely used?

| Pros                         | Cons                                      |
|------------------------------|-------------------------------------------|
| Unambiguity                  | High cost                                 |
| (well-defined semantics)     | (time)                                    |
| <i>Precision</i>             | <i>Limitation of computational models</i> |
| (e.g. software verification) | (state space explosion in model checking) |
|                              | Usability                                 |

- Using formal methods is **more "expensive"** than traditional alternatives in engineering
- Real-life system models may be too large to be handled by simulators or model checkers

## When should/could we use Formal Methods?

When the **cost of a system failure is higher than the cost of using formal methods** Some examples:

- Safety critical systems
  - ✓ Damage to the environment, the installation, people
  - ✓ Damage of the reputation of the company/organization
  - ✓ Recommended by the standards (e.g. IEC 61508)
- Software libraries used in many systems
- etc.

## Which Formal Method should we use?

- The most appropriate to **describe the behavior** of your system
- The most appropriate for the final purpose (specification, formal verification, etc.)
- A formalism supported by tools (e.g. simulator, model checker, etc.)

## Formal methods and the standards (e.g. functional safety)

#### IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems

#### Table A.1 – Software safety requirements specification

| Technique/Measure * |                                                                                                     | Ref.         | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---------------------|-----------------------------------------------------------------------------------------------------|--------------|-------|-------|-------|-------|
| 1a                  | Semi-formal methods                                                                                 | Table B.7    | R     | R     | HR    | HR    |
| 1b                  | Formal methods                                                                                      | B.2.2, C.2.4 |       | R     | R     | HR    |
| 2                   | Forward traceability between the system safety<br>requirements and the software safety requirements | C.2.11       | R     | R     | HR    | HR    |
| 3                   | Backward traceability between the safety<br>requirements and the perceived safety needs             | C.2.11       | R     | R     | HR    | HR    |
| 4                   | Computer-aided specification tools to support<br>appropriate techniques/measures above              | B.2.4        | R     | R     | HR    | HR    |

(See 7.2)

#### Table A.5 – Software design and development – software module testing and integration

|    | Technique/Measure *                                                                                                  | Ref.                        | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|----|----------------------------------------------------------------------------------------------------------------------|-----------------------------|-------|-------|-------|-------|
| 1  | Probabilistic testing                                                                                                | C.5.1                       |       | R     | R     | R     |
| 2  | Dynamic analysis and testing                                                                                         | B.6.5<br>Table B.2          | R     | HR    | HR    | HR    |
| 3  | Data recording and analysis                                                                                          | C.5.2                       | HR    | HR    | HR    | HR    |
| 4  | Functional and black box testing                                                                                     | B.5.1<br>B.5.2<br>Table B.3 | HR    | HR    | HR    | HR    |
| 5  | Performance testing                                                                                                  | Table B.6                   | R     | R     | HR    | HR    |
| 6  | Model based testing                                                                                                  | C.5.27                      | R     | R     | HR    | HR    |
| 7  | Interface testing                                                                                                    | C.5.3                       | R     | R     | HR    | HR    |
| 8  | Test management and automation tools                                                                                 | C.4.7                       | R     | HR    | HR    | HR    |
| 9  | Forward traceability between the software design specification<br>and the module and integration test specifications | C.2.11                      | R     | R     | HR    | HR    |
| 10 | Formal verification                                                                                                  | C.5.12                      |       |       | R     | R     |

#### (See 7.4.7 and 7.4.8)

IEC 61511: Functional safety – Safety instrumented systems for the process industry sector

several references to model checking. For example from IEC 61511-2:2016 Annex B:

"... specification should be implemented in the graphical language of the **model checking** workbench environment..."

# Industrial Controls Domain

- Introduction to **model checking**
- Formal verification (model checking) of PLC programs
- Formal specification of PLC programs

## Formal verification and model checking



## Formal verification tools



## Introduction to model checking (e.g. for PLC programs)



- If "Input1", "Input2", "Input3" and "Input4" are BOOL, then we need to check 2<sup>4</sup> = 16 combinations
- If they are **INT** (16-bit), then **2**<sup>16\*4</sup> ≈ **1.8**\*10<sup>19</sup> combinations
- for large systems (many variables), such requirements **cannot** (practically) **be checked by using testing techniques**
- Peer reviews and testing can (normally) catch most of the "problems" (e.g. code bugs), but not the CORNER CASES
  - E.g. Ariane 5 rocket explosion (more than 500 millions US\$ cost due to a software flaw in control software)

## Introduction to model checking (for PLC programs)

Given a **global model** of the system and a **formal property**, the **model checking algorithm checks exhaustively** that the model meets the property



#### **PLCverif** internals

## PLCverif internals – PLC program modeling



## **PLCverif internals –** Translation to model checker input language



#### (Inline and reduce the model)



(simplified) nuXmv model



| MODULE main                                                                                                         |
|---------------------------------------------------------------------------------------------------------------------|
| VAR                                                                                                                 |
| loc : {init_pv, end, loop_start, callEnd, prepare_EoC,};<br>FC1_in1 : boolean;<br>FC1 in2 : boolean;                |
| —                                                                                                                   |
| FC1_out1 : boolean; frozen                                                                                          |
|                                                                                                                     |
| assertion_error : unsigned word[16]; frozen                                                                         |
| EoC : boolean; frozen                                                                                               |
| ASSIGN                                                                                                              |
| CFA structure (loc)                                                                                                 |
| <pre>init(loc) := init_pv;</pre>                                                                                    |
|                                                                                                                     |
| esac;                                                                                                               |
| <pre>init(FC1_in1) := FALSE;</pre>                                                                                  |
| <pre>next(FC1_in1) := case</pre>                                                                                    |
| <pre>loc = loop_start &amp; (TRUE) : {TRUE, FALSE};</pre>                                                           |
| TRUE : FC1_in1;                                                                                                     |
| esac;                                                                                                               |
| <pre>init(FC1_out1) := FALSE;</pre>                                                                                 |
| <pre>next(FC1_out1) := case</pre>                                                                                   |
| loc = x & (TRUE) : ((FC1_in1)   (!(FC1_in2))) & ((!(FC1_in3))   (FC1_in4));                                         |
| TRUE : FC1_out1;                                                                                                    |
| esac;                                                                                                               |
| <pre>init(assertion_error) := 0ud16_0;</pre>                                                                        |
| <pre>next(assertion_error) := case</pre>                                                                            |
| <pre>loc = verificationLoop_VerificationLoop_16 &amp; (!(((FC1_out1) = (FALSE)) -&gt; (FC1_out2))) : 0ud16_1;</pre> |
| TRUE :assertion_error;                                                                                              |
| esac;                                                                                                               |
| <pre>init(EoC) := FALSE;</pre>                                                                                      |
| next(EoC) := case                                                                                                   |
| loc = callend & (TRUE) : TRUE;                                                                                      |
| loc = prepare_EoC & (TRUE) : FALSE;                                                                                 |
| TRUE : EOC;                                                                                                         |
| esac;                                                                                                               |
| Requirement                                                                                                         |
| CTLSPEC AG((EoC) -> ((assertion_error) = (0ud16_0)));                                                               |

#### Temporal logic formula

# PLCverif internals – executing nuXmv

# Executing the model checking algorithm (nuXmv)

#### Counterexample

trace that indicates that the **model** (PLC program) and the **specification do not match** 

| Windows PowerShell                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| PS C:\dev\PLCverif\tools\nuxmv> .\nuXmv.exe .\verifCase1.smv<br>*** This is nuXmv 1.1.1 (compiled on Wed Jun 1 10:23:30 2016)<br>*** Copyright (c) 2014-2016, Fondazione Bruno Kessler                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| *** For more information on nuXmv see https://nuxmv.fbk.eu<br>*** or email to <nuxmv@list.fbk.eu>.<br/>*** Please report bugs at https://nuxmv.fbk.eu/bugs<br/>*** (click on "Login Anonymously" to access)<br/>*** Alternatively write to <nuxmv@list.fbk.eu>.</nuxmv@list.fbk.eu></nuxmv@list.fbk.eu>                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| *** This version of nuXmv is linked to NuSMV 2.6.0.<br>*** For more information on NuSMV see <http: nusmv.fbk.eu=""><br/>*** or email to <nusmv-users@list.fbk.eu>.<br/>*** Copyright (C) 2010-2014, Fondazione Bruno Kessler</nusmv-users@list.fbk.eu></http:>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| *** This version of nuXmv is linked to the CUDD library version 2.4.1<br>*** Copyright (c) 1995-2004, Regents of the University of Colorado                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| *** This version of nuXmv is linked to the MiniSat SAT solver.<br>*** See http://minisat.se/MiniSat.html<br>*** Copyright (c) 2003-2006, Niklas Een, Niklas Sorensson<br>*** Copyright (c) 2007-2010, Niklas Sorensson                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| *** This version of nuXmv is linked to MathSAT<br>*** Copyright (C) 2009-2016 by Fondazione Bruno Kessler<br>*** Copyright (C) 2009-2016 by University of Trento<br>*** See http://mathsat.fbk.eu                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| <pre> specification AG (EoC -&gt;assertion_error = 0ud16_0) is false<br/> as demonstrated by the following execution sequence<br/>Trace Description: CTL Counterexample<br/>Trace Type: Counterexample<br/>-&gt; State: 1.1 &lt;-<br/>loc = init_pv<br/>FCl_in1 = FALSE<br/>FC1_in2 = FALSE<br/>FC1_in3 = FALSE<br/>FC1_out1 = FALSE<br/>FC1_out2 = FALSE<br/>FC1_out2 = FALSE<br/>EOC = FALSE<br/>-&gt; State: 1.2 &lt;-<br/>loc = loop_start<br/>-&gt; State: 1.3 &lt;-<br/>loc = x<br/>FC1_in1 = TRUE<br/>FC1_in3 = TRUE<br/>-&gt; State: 1.4 &lt;-<br/>loc = verificationLoop_VerificationLoop_16<br/>-&gt; state: 1.5 &lt;-<br/>loc = verificationLoop_VerificationLoop_end<br/>-&gt; State: 1.7 &lt;-<br/>loc = prepare_EoC<br/>EoC = TRUE</pre> |

## PLCverif (for users)



The complexity of using formal methods is hidden by the tool (PLCverif) – More details in www.cern.ch/plcverif

## Formal verification of PLC programs at CERN

#### **Functional Safety projects**

- Magnet test benches:
  - SM18 Safety PLC programs (CEM Specification + PLCverif)
  - B180 FAIR and B311 Switchboard Safety PLC programs
- **ITER** case study: verification of PLC program in charge of a safety critical communication protocol

B. Fernandez et al. "Applying model checking to critical PLC applications : An ITER case study" in Proc. of the 17<sup>th</sup> ICALEPCS <u>https://cds.cern.ch/record/2305319/files/thpha161.pdf</u>

#### SPS Personnel Safety System: fail-safe PLC program

*B. Fernandez et al. "Applying model checking to highly-configurable safety critical software: The SPS-PPS PLC program" in Proc. of the 18<sup>th</sup> ICALEPCS* 

Non-safety PLC programs but widely used at CERN:

• UNICOS object library (used in the LHC Cryogenics control system, many C&V plants, Gas systems, etc.)

B. Fernandez et al. "Cause-and-Effect Matrix specifications for safety critical systems at CERN" in Proc. of the 17<sup>th</sup> ICALEPCS <u>https://accelconf.web.cern.ch/icalepcs2019/papers/mopha041.pdf</u>



Some of the models had 5.0 \* 10<sup>91</sup> and 6.5 \* 10<sup>555</sup>

combinations to be checked (Potential State Space)





## Formal specification of PLC programs – PLCspecif



## Contact – Formal Methods interest group

If you are interested in Formal Methods, please subscribe to the following egroup:

formal-methods-interest-group@cern.ch

(you will get updates about future events and presentations)

If you want to get started with formal methods or stablish a collaboration, you can send an email to the following egroup:

formal-methods-working-group-admin@cern.ch

We have created a *readthedocs page*, where useful information about formal methods and verification will be collected:

https://readthedocs.web.cern.ch/display/FMVWG/Formal+methods+interest+group+Home

