Abstract. This paper presents an iterative approach to the verification of programmable logic controllers. We explore the modeling method for timing, environment and controller logics in a system, in which predicate abstraction and counterexample-guided refinement strategies are employed. We use a representative example to illustrate the proposed approach and verify it by the model checker CBMC. The experimental results show the validity of the approach.
IntroductionProgrammable Logic Controller systems (PLCs) are widely used in industry [1]. Typical applications range from household appliances chemical process control to railway automation systems and emergency shutdown systems in nuclear power plants. As PLCs are increasingly utilized in safety-critical systems, the correctness of PLC systems is critical. Traditional verification techniques use simulation to validate the design. Unfortunately, generating test vectors is labor. The use of formal methods is an alternative approach to validate system designs.Application of formal methods for PLC software has been proposed [2][3]. In the previous work,formal models are extracted from the PLC programs for verification. Model checking works on a model of system with a logical specification of a desired behavior of the system model. It checks whether the model adheres to the specification by effectively searching the entire state space of the model. With the increased scale and complexity of systems, state space explosion problem imposes a major vexing problem in automated program verification [4][5][6]. Predicate abstraction constitutes a promising strategy of reducing state space [4]. Based on predicate abstraction, the counter-example-guided abstraction refinement (CEGAR) framework [5][6][7] plays a key role in application of model checking. It is successfully applied to a few software verification projects to verify device drivers, C programs and Java software [5][6][7]. This paper presents an iterative approach to verifying programmable logic controllers. System modeling for timing constraints, environment and controller logics is explored. Predicate abstraction and counterexample-guided refinement strategies are employed. A representative example is used to illustrate our modeling and verification process. The proposed strategy is validated by the analysis and the experiment.The rest of the paper is structured as follows. We first introduce the architecture of PLC systems, explore the modeling method for PLC systems, then present the verification method and a case study to illustrate the verification process. Finally we conclude the paper.