# PLCverif: STATUS OF A FORMAL VERIFICATION TOOL FOR PROGRAMMABLE LOGIC CONTROLLER

I. D. Lopez-Miguel\*, J-C. Tournier, B. Fernandez, CERN, Geneva, Switzerland

## Abstract

maintain attribution to the author(s), title of the work, publisher, and DOI

Any distribution of this work must

terms of the CC BY 3.0 licence (© 2022).

the

under

used

þe

may

work

Programmable Logic Controllers (PLC) are widely used for industrial automation including safety systems at CERN. The incorrect behaviour of the PLC control system logic can cause significant financial losses by damage of property or the environment or even injuries in some cases. Therefore ensuring their correct behaviour is essential. While testing has been for many years the traditional way of validating the PLC control system logic, CERN developed a model checking platform to go one step further and formally verify PLC logic. This platform, called PLCverif, was first released internally for CERN usage in 2019, is now available to anyone since September 2020 via an open source licence. In this paper, we will first give an overview of the PLCverif platform capabilities before focusing on the improvements done since 2019 such as the larger support coverage of the Siemens PLC programming languages, the better support of the C Bounded Model Checker backend (CBMC) and the process of releasing PLCverif as an open-source software.

### **INTRODUCTION**

Programmable Logic Controllers (PLC) are widely used for industrial automation including safety systems at CERN. The incorrect behaviour of the PLC control system logic can cause significant financial losses by damage of property or the environment or even injuries in some cases. Therefore ensuring their correct behaviour is essential. While testing has been for many years the traditional way of validating the PLC control system logic, it is often not sufficient as the sole verification method: testing, even when automated, can not be exhaustive, thus can not guarantee the correctness of a logic. Some types of requirements, such as safety (i.e. an unsafe state can never be reached) or invariant (formulas which shall be true over all possible system runs), can be very difficult, if not impossible, to test. Model checking is a formal verification technique which complements the testing activities in order to fully validate and verify a PLC control system logic. Model checking assesses the satisfaction of a formalised requirement on a mathematical model of the system under analysis. It checks the requirement's satisfaction with every input combination, with every possible execution trace. In addition, if a violation is found, a trace leading to the violated requirement is provided. The main hurdle to the widespread usage of model checking within the PLC community is twofold: (1) the mathematical model representing the system under analysis can be difficult to write and requires in-depth understanding of the model checking tools; and (2) many real-life PLC logics are too complex and face the state-space explosion problem, i.e. the number of

**MOPV042** 

248

possible input combinations and execution traces is too big to be exhaustively explored.

In 2019 CERN developed the PLCverif platform with the goals of easing the usage of model checking tools for the PLC developers community by automating the translation of the PLC programs to their mathematical models and to implement several abstraction algorithms to limit the state-space explosion problem. Since September 2020, the platform has been released under an open source license to foster the usage and the development of the tool within the PLC community. The objective of this paper is to give a status of the PLCverif platform focusing on the latest developments improving the usability and performance of the tool.

The rest of the paper is organized as follows: Section PLCverif Overview gives an overview of PLCverif to better understand the scope and the architecture of the platform. Section Open Source Release focuses on the open source release of PLC verif by describing the process of releasing the source code and presenting the code organization. Finally sections Latest developments and On-going Challenges and Developments present respectively the latest and ongoing developments.

### PLCverif OVERVIEW

This section gives an overview of the PLCverif platform [1] before presenting the latest developments.

### Verification Workflow

Out of the box, PLCverif offers a model checking workflow for the analysis of PLC programs. The verification workflow is shown in Fig. 1 and it has the following main steps:

- 1. PLC program parsing. PLCverif parses the PLC program (located in one or several files) to be analysed. By choosing the entry point of the verification, the analysis can be limited to a part of the program. The parsed PLC program is automatically translated into a mathematical, control flow-based representation, producing so-called Control Flow Automata (CFA). This precise description will serve as the basis for the analysis.
- 2. Requirement representation. The user should describe the precise requirement to be checked. This, however, does not mean that the user needs to describe the requirement using mathematical formulae. Currently, two requirement description methods are supported:
  - Assertion-based requirements: special comments in the source code (e.g. //#ASSERT On<>Off)

ignacio.david.lopez.miguel@cern.ch

18th Int. Conf. on Acc. and Large Exp. Physics Control SystemsISBN: 978-3-95450-221-9ISSN: 2226-0358



Figure 1: Formal verification workflow of PLCverif

can describe expressions (invariants) which are expected to be always satisfied at a given location of the program. The verification job will then check if the violation of any of the selected assertions is possible.

• Pattern-based requirements: the user chooses a requirement pattern that is a precisely-phrased plain text sentence with some placeholders, e.g. "If  $\alpha$ *is true at the end of the PLC cycle, then*  $\beta$  *should always be true at the end of the same cycle.*". The gaps in the requirement pattern ( $\alpha$  and  $\beta$  in the previous example) shall be filled with expressions over the PLC variables. For each requirement pattern, a defined temporal logic representation is defined which will be used in the next steps.

If needed, new types of requirement representations can be defined, adapted to the specific needs.

- 3. **CFA reductions.** The formal, precise CFA representation of the program, including also the requirement, may need to be reduced in order to make the verification feasible and efficient. These reductions will not change the verification result for the given requirement; however, they may remove parts of the program which do not influence the result of the currently checked requirement [2].
- 4. External model checking. The model checking itself is performed by widely used model checker tools. In this step, (i) the reduced CFA is translated into the input syntax of the chosen model checker tool, (ii) the model checker tool is executed, and (iii) its output, notably the counterexample if available, is parsed to PLCverif's internal representation.

Currently the following external model checkers are supported: NuSMV [3], nuXmv [4], Theta [5] and

CBMC [6]. These model checkers have different strengths and weaknesses. In addition, not every feature is supported by every model checker.

5. **Reporting.** The last step of the formal verification workflow is to produce verification reports. Some of these reports are in human-readable form and target the user of PLCverif. Other reports are machine-readable and serve as descriptions for the execution environment or as artifacts for later summary reports.

### **OPEN SOURCE RELEASE**

PLCverif is available publicly since September 2020 along with its source code under an EPL-2.0<sup>1</sup> license on GitLab<sup>2</sup>. This section presents the reasons for open sourcing PLCverif, as well as the process to choose the open source license and the code organization as found in the GitLab repository.

### **Motivations**

PLCverif has been entirely developed at CERN and therefore fits CERN's needs. Nevertheless, the platform could be beneficial to two different communities outside CERN: the PLC developers community and the model checker community. For PLC developers, PLCverif could be used out of the box if the language used is among the ones already supported, i.e. Siemens Statement List (STL) and Siemens Structure Control Language (SCL). The current coverage<sup>3</sup> of Siemens STL and SCL in PLCverif is currently at 66% and 40%, respectively, for S7-300/400 PLCs, and at 55% and 25%, respectively, for S7-1200/1500 PLCs. This covers most of the functionalities of PLC programs developed at CERN as the instructions implemented represent the core of those languages. However, support for a missing instruction could be easily added if needed. Similarly, the support of a new programming language could also be developed taking as a reference the current implementation for the Siemens languages. For the model checking community, PLCverif offers the possibility to be integrated in a platform verifying real-life PLC code: it is a great opportunity for this community to test new algorithms or improvements of existing model checkers.

### License Selection

From the different open source licenses available, the choice has been made to release the PLCverif platform source code under the Eclipse Public License 2.0 (EPL<sup>4</sup>). This license is similar to the GNU General Public License (GPL<sup>5</sup>) but allows to link the code to proprietary applications: it then allows to use and extend the tool, even for

<sup>2</sup> https://gitlab.com/plcverif-oss

<sup>1</sup> https://www.eclipse.org/legal/epl-2.0/

<sup>&</sup>lt;sup>3</sup> Coverage was calculated as the number of instructions that are implemented in PLCverif vs. the number of instructions in a given grammar for a given PLC. Binary arithmetic operations like addition or subtraction, and binary logic operations like conjuntion or disjuntion are not taken into account when the coverage for SCL is calculated. That is the main reason why the figures for SCL are much lower than for STL.

<sup>&</sup>lt;sup>4</sup> See footnote 1.

<sup>&</sup>lt;sup>5</sup> https://www.gnu.org/licenses/gpl-3.0.en.html

commercial purposes. The reason for choosing the EPL-2.0 license was driven by the fact that is a weak copyleft license, but also that most of the components used by PLCverif are already under the EPL-2.0 (more details in [1]).

# GitLab Repository

The PLCverif platform has been developed within the Eclipse ecosystem: it is mainly written in Java (Java 11), Xtend and Xtext. The modularity is assured via the split of the code among several distinct projects and Eclipse plugins. The main projects of the platform are:

- PLCverif Backend<sup>6</sup> is the core of the PLCverif platform and is responsible for all the CFA manipulations represented in Fig. 1. It is also responsible for interacting with the external model checkers via dedicated Eclipse plugins.
- Siemens Support<sup>7</sup> is responsible for the parsing of the Siemens STL and SCL code, i.e. transforms the PLC user code into the PLCverif internal CFA representation.
- PLCverif Frontends<sup>8,9</sup> are the visible parts from a user point of view. The GUI project provides a graphical application embedding a PLC code editor, a specification requirement editor and a report visualization part. The CLI project is the way to execute the PLCverif workflow via the command line allowing the execution of headless verification jobs such as in a CI/CD (Continuous Integration / Continuous Deployment) pipeline for PLC code.

# LATEST DEVELOPMENTS

Since the publication of [1] in 2019, several improvements have been made. Some of them are summarized below:

- The C code used to run CBMC was originally produced directly converting the intermediate model to a C code using *goto* instructions. CBMC is however not efficient with this kind of programs since it is not able to find loops. This method has been changed in order to produce a structured C code without *gotos*, being able to efficiently use the option *-partial-loops* of CBMC. With this option, CBMC will execute loops only partially. The disadvantage of this option is that the counterexample might be spurious.
- In order to confirm the feasibility of a counterexample produced by PLCverif when a property is violated, it is common to try to reproduce that situation in a real PLC or via simulation. In order to automate this process, it is now possible to automatically generate a file with the

values of all the variables that can be used as an input to the simulator or to the real PLC.

- Safety programs in Siemens are written in function block diagram (FBD) language. After exporting them with *OpennessScripter*<sup>10</sup>, an XML file is produced. A new feature in PLCverif has been developed in order to import those XML files into PLCverif translating them into STL code.
- The coverage of Siemens programs was increased both for STL and SCL. More built-in functions from TIA portal were included.
- Support of latest Theta version was included. Theta is being actively developed and new releases have been launched. In order to keep up with the latest improvements, PLCverif has been adapted to correctly parse Theta output. Currently, PLCverif supports Theta v2.21.0.
- The intermediate model Control Flow Instance had the limitation that it could not be used with dynamic indexing arrays. However, Theta supports this feature and PLCverif has been adapted to generate Theta programs with dynamic indexes.
- The grammar implemented in PLCverif to parse Siemens PLC programs has been extended to include partial support of Schneider PLC programs.
- Upgrade to Java 11. PLCverif was originally developed in Java 8. However, in order not to lose support and to be able to run the latest versions of some model checkers (Theta), it was needed to upgrade to Java 11.

# ON-GOING CHALLENGES AND DEVELOPMENTS

# Simplification of Numeric Variables

As observed in the large code base of CERN industrial PLC systems, one of the main challenges to perform PLC model checking is the state-space explosion originated by the inclusion of numeric variables. PLCverif represents input variables as non-deterministic in the intermediate model. This means that a 16-bit integer is going to have  $2^{16} \approx 7 \cdot 10^4$  possible values that the model checker needs to explore.

There exist some techniques to handle this type of variables, such as counterexample-guided-abstraction refinement (CEGAR) [7] or Satisfiability Modulo Theories (SMT). However, other approaches to directly simplify the PLCverif intermediate model are under investigation, highly improving the performance of the NuSMV model checker [8].

# Iterative Verification

It is common practice to have different modules within PLC projects (see [9] for an example). Some of these projects

<sup>&</sup>lt;sup>6</sup> https://gitlab.com/plcverif-oss/cern.plcverif

<sup>7</sup> https://gitlab.com/plcverif-oss/cern.plcverif.plc. step7

<sup>8</sup> https://gitlab.com/plcverif-oss/cern.plcverif.gui

<sup>9</sup> https://gitlab.com/plcverif-oss/cern.plcverif.cli

<sup>&</sup>lt;sup>10</sup>TIA Portal Openness API.

are too large to be verified by PLCverif yet. However, if the program is split into parts, the verification cases are smaller and can be successfully executed. If it would be possible to combine all the results together, it would be feasible to verify these large programs. To this end, different compositional verification approaches have been analysed but no generic method has been found yet to be applied to PLC projects.

Nonetheless, other abstraction techniques are under consideration, such as abstracting away the different modules. With this approach, a verification case is executed with all the functions abstracted away (all their outputs are going to be non-deterministic). If the property is satisfied, the original program satisfies that property too. On the other hand, if it is violated, one needs to check if the abstracted functions can produce the outputs leading to the violation. If it is not possible, a function is concretized (it comes back to its original form) and a new verification case is executed. This process is continued until a feasible counterexample is found or until all functions are concretized (coming back to the original program). Different strategies and improvements can be investigated for this method.

### Counterexample Analysis

When a program is verified and the result is a violation of the property, a counterexample is given by PLCverif. If the program is composed of several variables and they interact with each other (see [9] for an example), the counterexample is going to be large. Therefore, it will be difficult to analyse what part of the code made the property fail.

Some investigations have been done in this direction in order to point the user to possible locations in the code that have an impact on the final assertion. This way, the user would not need to go through all the code but just focus on the highlighted parts.

#### Other

Since the release of PLCverif, there has been some progress in the development of more efficient model checkers. As already explained previously, the latest version of Theta has been integrated into PLCverif. However, although CBMC is efficient, it is a SAT-based model checker that uses few abstraction techniques. Therefore, an SMT-based model checker like ESBMC [10] could improve the performance of CBMC.

### CONCLUSION

This paper presented the latest developments of the PLCverif platform to formally verify PLC programs. The developments can be grouped into two main lines of work:

• Promoting and easing the use of PLCverif by making it open source, by supporting more PLC manufacturers (i.e. Schneider Electric), and by guiding the user to the root cause of an issue when a property is violated (counterexample analysis). • Improving the performance of the verification time by simplifying numerical variables without loosing meaningful information and by implementing an iterative verification process allowing to verify even more complex applications.

All the different developments presented in this paper are in different stages of maturity and are in the pipeline to be included into PLCverif. In addition some new developments will be carried on to support Schneider safety programs and to integrate new model checkers such as ESBMC.

# REFERENCES

- [1] E. B. Viñuela, D. Darvas, and V. Molnár, "PLCverif Reengineered: An Open Platform for the Formal Analysis of PLC Programs," in *Proc. ICALEPCS'19*, (New York, NY, USA), ser. International Conference on Accelerator and Large Experimental Physics Control Systems, JA-CoW Publishing, Geneva, Switzerland, Aug. 2020, pp. 21– 27, ISBN: 978-3-95450-209-7. DOI: 10.18429 / JACoW – ICALEPCS2019–MOBPP01.
- [2] D. Darvas, B. Fernández Adiego, A. Vörös, T. Bartha, E. Blanco Viñuela, and V. M. González Suárez, "Formal verification of complex properties on PLC programs," in *Formal Techniques for Distributed Objects, Components, and Systems*, ser. Lecture Notes in Computer Science, E. Ábrahám and C. Palamidessi, Eds., vol. 8461, Springer, 2014, pp. 284–299, ISBN: 978-3-662-43612-7. DOI: 10.1007/978-3-662-43613-4\_18.
- [3] A. Cimatti *et al.*, "NuSMV 2: An OpenSource Tool for Symbolic Model Checking," in *Computer Aided Verification*, E. Brinksma and K. G. Larsen, Eds., Berlin, Heidelberg: Springer Berlin Heidelberg, 2002, pp. 359–364, ISBN: 978-3-540-45657-5. https://nusmv.fbk.eu/
- [4] R. Cavada *et al.*, "The nuXmv Symbolic Model Checker," in *Computer Aided Verification - 26th International Conference*, A. Biere and R. Bloem, Eds., ser. Lecture Notes in Computer Science, vol. 8559, Vienna, Austria: Springer, Jul. 2014, pp. 334–342, ISBN: 978-3-319-08866-2. DOI: 10.1007/978-3-319-08867-9.
- [5] T. Tóth, Á. Hajdu, A. Vörös, Z. Micskei, and I. Majzik, "Theta: a Framework for Abstraction Refinement-Based Model Checking," in *Proceedings of the 17th Conference* on Formal Methods in Computer-Aided Design, D. Stewart and G. Weissenbacher, Eds., 2017, pp. 176–179, ISBN: 978-0-9835678-7-5. DOI: 10.23919/FMCAD.2017.8102257.
- [6] E. Clarke, D. Kroening, and F. Lerda, "A tool for checking ANSI-C programs," in *Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2004)*, K. Jensen and A. Podelski, Eds., ser. Lecture Notes in Computer Science, vol. 2988, Springer, 2004, pp. 168–176, ISBN: 3-540-21299-X. https://www.cprover.org/cbmc/
- [7] E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, "Counterexample-Guided Abstraction Refinement," in *Computer Aided Verification*, E. A. Emerson and A. P. Sistla, Eds., Berlin, Heidelberg: Springer Berlin Heidelberg, Jan. 2000, pp. 154–169.
- [8] I. D. Lopez-Miguel, B. Fernandez Adiego, J.-C. Tournier, J. A. Rodriguez-Aguilar, and E. Blanco Viñuela, "Simplification of Numeric Variables for PLC Model Checking," in 19th ACM-IEEE International Conference on Formal

18th Int. Conf. on Acc. and Large Exp. Physics Control Systems ISBN: 978-3-95450-221-9 ISSN: 2226-0358 ICALEPCS2021, Shanghai, China JACoW Publishing doi:10.18429/JACoW-ICALEPCS2021-MOPV042

WEPV042, this conference.

[10] M. R. Gadelha, F. R. Monteiro, J. Morse, L. C. Cordeiro, B. Fischer, and D. A. Nicole, "ESBMC 5.0: An industrialstrength C model checker," in 33rd ACM/IEEE Int. Conf. on Automated Software Engineering (ASE'18), New York, NY, USA: ACM, 2018, pp. 888-891. DOI: 10.1145/3238147. 3240481.