

# Use of **formal methods** to **verify PLC code** and its **applicability to safety systems**

Borja Fernández Adiego (CERN)

Contains Joint work of Enrique Blanco, Jean-Charles Tournier, Daniel Darvas and Gyula Sallai

## Industrial controls

# Safety Systems



## Introduction to model checking

Two main techniques can be applied to increase the software reliability:

☐ Testing: it checks if certain properties or test cases in the real system (the code is executed)

☐ Formal verification: it uses formal methods to check a formal property on a model of the system (e.g. model checking)

In industry (including CERN) manual, automated testing or simulation techniques are the most popular approaches

## Introduction to model checking

Given a **global model** of the system and a **formal property**, the **model checking algorithm checks exhaustively** that the model meets the property

Clarke and Emerson (1982) and Queille and Sifakis (1982)



## Model checking vs Testing

Model checking tools: nuXmv, UPPAAL, CBMC, SPIN, KRONOS, etc.



Requirement 1 (Functionality)

If Input1 is FALSE

then Output2 is FALSE

Requirement 2 (Safety)

If Output1 is FALSE

then Output2 is TRUE

4 Boolean input variables -> 2<sup>4</sup> = 16 combinations 4 Word (16-bit) input variables -> 2<sup>16\*4</sup> ≈ 1.8\*10<sup>19</sup> combinations

for large systems (many input var.), Requirement 2 cannot (**practically**) be solved **by using testing techniques** 

# Why model checking is not widely used?

| Pros                                 | Cons                                                |
|--------------------------------------|-----------------------------------------------------|
| Checks exhaustively all combinations | We have to create the <b>model</b> of the system    |
|                                      | We have to use <b>temporal logic</b> (requirements) |
|                                      | State space explosion                               |
|                                      |                                                     |

- Modelling: find the appropriate formalism and the right level of abstraction
- **Temporal logic**: hard to use
- State space explosion: there is a limitation on the number of combinations to check

### Methodology overview



- ☐ General methodology
  - ☐ Multiple PLC languages
  - ☐ Multiple verification tools
  - ☐ Counterexample analysis

#### **Control Flow Automata**



# Is it worth to use Model Checking to PLCs?

- Not without tool support
- It is (very) hard to create models out of PLC programs
- It is (very) hard to formalize the requirements in temporal logic
- At CERN, we have developed the tool PLCverif <a href="http://cern.ch/plcverif">http://cern.ch/plcverif</a>
  - Hide the complexity of using formal methods from the user
  - The methodology shall be compatible with any development process of PLC programs
  - Technologies: Java, Xtext, EMF, ...

# **PLCverif demo**

# Formal methods applied to Safety critical PLC programs (SM18 ClusterG)

Test benches for superconducting magnets (SM18, FAIR, B311)

- Risks to personnel and equipment
  - Cryogenics
  - Vacuum
  - Power converters
  - Cooling & ventilation

 Need for Safety Instrumented Systems (IEC 61511 standard)



## Running PLCverif

- The fail-safe PLC program (STL version) was imported to PLCverif
  - 2000 lines of STL exported code
  - 240 input Boolean variables
- We formalized around 30 verification cases (SIFs)

| Reference     | SIF1_PC10                                                                                                                                           |
|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| Related risk  | Risk analysis references 1 and 2                                                                                                                    |
| Functionality | Shutdown the PC (10KA) if the corresponding temperature of the cable is high (thermoswitch signal = 0) or the water flow is low (switch signal = 0) |
| Formalized    | If (                                                                                                                                                |
| functionality | NOT MTBG_WCCF_HFM_BIS_P OR                                                                                                                          |
|               | NOT MTBG_WCCF_HFM_BIS_M OR                                                                                                                          |
|               | NOT MTBG_WCCT_PC10_EE10 OR                                                                                                                          |
|               | NOT MTBG_WCCT_EE10_INV OR                                                                                                                           |
|               | NOT MTBG_WCCT_INV_HFM                                                                                                                               |
|               | )                                                                                                                                                   |
|               |                                                                                                                                                     |
|               | Then (MTBG_PC10_PERMIT_Q = FALSE)                                                                                                                   |
| Safety level  | SIL1                                                                                                                                                |
| Safety mode   | Low demand                                                                                                                                          |

#### **PLCverif** results

- Verification average time of 1 2 minutes per assertion
- Several discrepancies between the specification and the PLC program were found:
  - Problems in the specification
  - Bugs in the PLC programs



# **PLCverif demo**

# Conclusions

- It is worth to use formal methods **for critical systems**, but it comes with a (big) cost ...
- They can be applied to specification, code verification, simulation, etc.
- We have found several (many?) PLC programs bugs or specification problems by using PLCverif (model checking)
  - ... even in well-tested production systems
- If you want to apply **model checking to PLC programs**, consider **PLCverif**