

# Formal verification of critical PLC programs and neural network controllers at CERN

Borja Fernández Adiego

Contains joint work of several members and former members of the **BE-ICS group at CERN** 

# Roadmap

• CERN has the biggest particle accelerator complex in the world and many critical and complex industrial installations

Superconducting magnet test benches

Images from cds.cern.ch

- "BE-ICS provides the technology, frameworks, engineering and CERN-wide support for systems and projects in all domains using standard industrial control solutions" <u>https://be-dep-ics.web.cern.ch</u>
- BE-ICS is in charge of the design and development of industrial control and safety systems

Images from <u>cds.cern.ch</u>









• At CERN, more than 3000 PLCs (Programmable Logic Controllers) are installed to control and/or protect the installations



#AuMoSt aux := TRUE;












- If "Input1", "Input2", "Input3" and "Input4" are BOOL, then we need to check 2<sup>4</sup> = 16 combinations
- If they are **INT** (16-bit), then **2**<sup>16\*4</sup> ≈ **1.8**\*10<sup>19</sup> combinations
- For large systems (many variables), such requirements **cannot** (practically) **be checked by using testing techniques**
- Peer reviews and testing can (normally) catch most of the "problems" (e.g. code bugs), but not the CORNER CASES
  - E.g. Ariane 5 rocket explosion (more than 500 million US\$ lost due to a software flaw in the control software)
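The combinatorics above, worked through as an added example (this code is not from the slides or from CERN; the alarm block, its requirement and the threshold `LIMIT` are constructed for illustration). It counts the input vectors for the slide's two cases, refuses to exhaust the 2<sup>34</sup> input space of a block with two INT and two BOOL inputs, samples that space at random, and then shows the kind of corner case the slide means: a 16-bit `ABS` wrap-around that exhaustive testing only finds once the tester has already shrunk the domains to the boundary values they suspect.

```python
"""Added example (not from the slides): how the number of input combinations
grows with the input types, and why a 16-bit corner case can survive testing.
The alarm block, its requirement and the threshold are constructed for
illustration; they are not CERN code."""
import itertools
import random

INT_MIN, INT_MAX = -32768, 32767              # IEC 61131-3 INT: 16-bit signed
INT_RANGE = range(INT_MIN, INT_MAX + 1)
BOOL = [False, True]
LIMIT = 30000                                  # constructed alarm threshold


def input_combinations(bit_widths):
    """Number of distinct input vectors: product of 2**width over the inputs
    (BOOL is 1 bit, INT is 16 bits)."""
    total = 1
    for width in bit_widths:
        total *= 2 ** width
    return total


def int16(value):
    """Wrap a Python int into INT range, as 16-bit PLC arithmetic does."""
    return (value + 32768) % 65536 - 32768


def abs_int16(value):
    """ABS as the PLC computes it: -(-32768) does not fit and wraps to -32768."""
    return int16(-value) if value < 0 else value


def alarm_block(input1, input2, input3, input4):
    """Constructed PLC logic: Alarm := Input3 AND Input4 AND
    (ABS(Input1) > LIMIT OR ABS(Input2) > LIMIT), with INT arithmetic."""
    enabled = input3 and input4
    out_of_range = abs_int16(input1) > LIMIT or abs_int16(input2) > LIMIT
    return enabled and out_of_range


def requirement(input1, input2, input3, input4):
    """Safety requirement stated with ideal (unbounded) arithmetic: if the
    interlock is enabled and a value is out of range, Alarm must be TRUE."""
    must_alarm = input3 and input4 and (abs(input1) > LIMIT or abs(input2) > LIMIT)
    return (not must_alarm) or alarm_block(input1, input2, input3, input4)


def exhaustive_check(domains, budget=1_000_000):
    """Evaluate the requirement on every input vector. Returns ('ok', size),
    ('violation', vector), or ('too large', size) when the space exceeds the
    budget, which is what happens with real-sized INT inputs."""
    size = 1
    for domain in domains:
        size *= len(domain)
    if size > budget:
        return ("too large", size)
    for vector in itertools.product(*domains):
        if not requirement(*vector):
            return ("violation", vector)
    return ("ok", size)


def random_check(domains, samples, seed=0):
    """Sample input vectors uniformly at random; returns the first violating
    vector or None. Only about 1.2e5 of the 2**34 vectors violate the
    requirement, so a few thousand samples almost never land on one."""
    rng = random.Random(seed)
    for _ in range(samples):
        vector = tuple(rng.choice(domain) for domain in domains)
        if not requirement(*vector):
            return vector
    return None


if __name__ == "__main__":
    print("4 x BOOL:", input_combinations([1, 1, 1, 1]))       # 16
    print("4 x INT :", input_combinations([16, 16, 16, 16]))   # 2**64
    # Full 2 x INT + 2 x BOOL space of the alarm block: 2**34 vectors, refused.
    print(exhaustive_check([INT_RANGE, INT_RANGE, BOOL, BOOL]))
    # Random testing of the same space: in all likelihood reports None.
    print(random_check([INT_RANGE, INT_RANGE, BOOL, BOOL], samples=2000))
    # Exhaustive testing works only after someone already suspects the
    # boundary values; then it exposes the wrap-around in ABS(-32768).
    boundary = [INT_MIN, -LIMIT - 1, -LIMIT, 0, LIMIT, LIMIT + 1, INT_MAX]
    print(exhaustive_check([boundary, boundary, BOOL, BOOL]))
```

The violation, `(-32768, -32768, True, True)`, is reported only by the boundary run: the full space is too large to enumerate and random sampling almost never hits one of the roughly 120 000 violating vectors. The corner case is exactly the kind of thing the slide says reviews and tests miss, and the next slides' answer is to reason about all inputs at once instead of enumerating them.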

Solution: Model checking

### What are Formal Methods?

Techniques based on **mathematics** and **formal logic (precise semantics)**

| Textual languages          | Mathematical languages                                | Graphical languages       |
|----------------------------|-------------------------------------------------------|---------------------------|
| B-method, VDM, TLA+, ...   | Temporal logic, propositional logic, Z notation, ...  | Petri nets, automata, ... |

B-method example:

```
MACHINE
  Switch
SETS
  STATE = {closed, open}
VARIABLES
  state
INVARIANT
  state : STATE
INITIALISATION
  state := open
OPERATIONS
  toggle =
    IF state = open
    THEN state := closed
    ELSE state := open
    END ;
END
```

Temporal logic (e.g. properties for model checking): $AG((a \land b) \rightarrow c)$

Propositional logic: $(A \rightarrow B) \vdash (\neg B \rightarrow \neg A)$

Petri nets (e.g. system models for model checking) and automata; the automaton example describes one cycle of a controller:

- in ← IntNonDet()
- if in > 10: out1 ← False, out2 ← False
- if in ≤ 10: out1 ← True, out2 ← True

They can be used for **specification**, **verification**, simulation, test case generation, etc.
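A minimal explicit-state model checker, added here as an example (not from the slides and not a real tool): it explores every reachable state by breadth-first search and checks an AG property, first the invariant of the Switch machine and then a temporal property of the nondeterministic automaton. The initial states, the 16-bit width of `IntNonDet()` and the three-phase encoding of a controller cycle are assumptions made for this example.

```python
"""Added example (not from the slides and not a real tool): a minimal
explicit-state model checker. It enumerates every reachable state and checks
an AG (invariant) property, first on the B-method Switch machine and then on
the nondeterministic automaton from the slides. Initial states and the 16-bit
width of IntNonDet() are assumptions."""
from collections import deque

INT_MIN, INT_MAX = -32768, 32767   # assumed: IntNonDet() returns a 16-bit INT


def reachable_states(initial_states, successors):
    """Breadth-first exploration of the state graph; the visited set is what
    makes the check exhaustive rather than a test of a few runs."""
    visited = set(initial_states)
    queue = deque(initial_states)
    while queue:
        state = queue.popleft()
        for nxt in successors(state):
            if nxt not in visited:
                visited.add(nxt)
                queue.append(nxt)
    return visited


def check_ag(states, prop):
    """AG(prop): prop must hold in every reachable state. Returns None when it
    does, otherwise one violating state (the counterexample a model checker
    would report). Sorting makes the returned counterexample deterministic."""
    for state in sorted(states):
        if not prop(state):
            return state
    return None


# --- B-method Switch machine ---------------------------------------------
SWITCH_STATES = {"closed", "open"}            # SETS STATE = {closed, open}


def switch_successors(state):
    # OPERATIONS toggle = IF state = open THEN state := closed ELSE state := open END
    return ["closed" if state == "open" else "open"]


def verify_switch():
    """Returns (number of reachable states, invariant counterexample or None)."""
    states = reachable_states(["open"], switch_successors)   # INITIALISATION state := open
    return len(states), check_ag(states, lambda s: s in SWITCH_STATES)  # INVARIANT state : STATE


# --- Automaton: in <- IntNonDet(); in > 10 -> outputs False; in <= 10 -> True
def automaton_successors(state):
    """One controller cycle as three transitions: ('wait', out1, out2) reads a
    nondeterministic input into ('exec', in), which computes ('out', in, out1,
    out2), which drops the input and returns to a 'wait' state. Forgetting the
    input at 'wait' keeps the graph at ~2^17 states instead of ~2^32 edges."""
    phase = state[0]
    if phase == "wait":
        for value in range(INT_MIN, INT_MAX + 1):
            yield ("exec", value)
    elif phase == "exec":
        value = state[1]
        yield ("out", value, False, False) if value > 10 else ("out", value, True, True)
    else:  # "out"
        yield ("wait", state[2], state[3])


def output_state(state):
    return state[0] == "out"


def verify_automaton():
    """Returns (reachable state count, counterexample for a property that
    holds, counterexample for a property that fails)."""
    initial = ("wait", False, False)      # assumed: outputs off at start-up
    states = reachable_states([initial], automaton_successors)
    # AG((a ∧ b) → c) instantiated as AG((in ≤ 10 ∧ out1) → out2), checked on
    # the states where the outputs have just been computed: it holds.
    holds = check_ag(states, lambda s: not output_state(s)
                     or not (s[1] <= 10 and s[2]) or s[3])
    # AG(out1) on the same states fails; the checker reports the first input > 10.
    fails = check_ag(states, lambda s: not output_state(s) or s[2])
    return len(states), holds, fails


if __name__ == "__main__":
    print("Switch:", verify_switch())          # (2, None)
    print("Automaton:", verify_automaton())    # (131074, None, ('out', 11, False, False))
```

Note how the encoding of the state matters: keeping the input in the `wait` state would give every one of the 65536 states 65536 successors, which is the state-space explosion the later "Cons" slide refers to; forgetting it once the outputs are written keeps the graph small without losing the property being checked.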

### Where are Formal Methods being used?

Formal specification:

- Correctness, Modelling and Performance of Aerospace Systems (COMPASS) <a href="http://www.compass-toolset.org">http://www.compass-toolset.org</a>
- Amazon: using **TLA+** to create a clear and concise specification, leading to a subsequent code reduction <a href="https://cacm.acm.org/magazines/2015/4/184701-how-amazon-web-services-uses-formal-methods/fulltext">https://cacm.acm.org/magazines/2015/4/184701-how-amazon-web-services-uses-formal-methods/fulltext</a>
- Use of the formal specification language **VDM** to specify industrial applications (the IFAD VDM-SL toolbox) https://www.researchgate.net/publication/2879682\_The\_IFAD\_VDM-SL\_toolbox

Formal verification:

- Facebook / Meta: integration of their static analyser INFER into their software development process <a href="https://www.inf.ed.ac.uk/teaching/courses/sp/2019/lecs/distefano-scaling-2019.pdf">https://www.inf.ed.ac.uk/teaching/courses/sp/2019/lecs/distefano-scaling-2019.pdf</a>
- NASA AMES Robust Software Engineering group (https://www.nasa.gov/isd-robust-software-engineering): use of the model checker SPIN to verify the model of a software http://spinroot.com/gerard/pdf/spin04.pdf
- Verification of **neural-network**-based **control** systems in non-towered airports to avoid collisions at landing https://www.researchgate.net/publication/356096882\_Formal\_Analysis\_of\_Neural\_Network-Based\_Systems\_in\_the\_Aircraft\_Domain
- Formal Verification of Critical Aerospace Software <u>https://hal.archives-ouvertes.fr/hal-01184099/document</u>
- And many more ...

# Why aren't Formal Methods widely used?

| Pros                                             | Cons                                                                                   |
|--------------------------------------------------|----------------------------------------------------------------------------------------|
| Unambiguity<br>(well-defined semantics)          | High cost<br>(time)                                                                    |
| <i>Precision</i><br>(e.g. software verification) | <i>Limitation of computational models</i><br>(state space explosion in model checking) |
|                                                  | Usability                                                                              |

- Using formal methods is **more "expensive"** than traditional alternatives in engineering
- Real-life system models may be too large to be handled by simulators or model checkers
- We should **apply them when the cost of a failure is higher than the cost of using them** (tool support)

### **IEC 61508**: Functional safety of electrical/electronic/programmable electronic safety-related systems

#### Table A.1 – Software safety requirements specification (See 7.2)

| Technique/Measure * |                                                                                                     | Ref.         | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---------------------|-----------------------------------------------------------------------------------------------------|--------------|-------|-------|-------|-------|
| 1a                  | Semi-formal methods                                                                                 | Table B.7    | R     | R     | HR    | HR    |
| 1b                  | Formal methods                                                                                      | B.2.2, C.2.4 |       | R     | R     | HR    |
| 2                   | Forward traceability between the system safety<br>requirements and the software safety requirements | C.2.11       | R     | R     | HR    | HR    |
| 3                   | Backward traceability between the safety<br>requirements and the perceived safety needs             | C.2.11       | R     | R     | HR    | HR    |
| 4                   | Computer-aided specification tools to support<br>appropriate techniques/measures above              | B.2.4        | R     | R     | HR    | HR    |

### IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems

#### Table A.1 – Software safety requirements specification

#### (See 7.2)

|    | Technique/Measure * | Ref. | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|----|---------------------|------|-------|-------|-------|-------|
| 1a | Semi-formal methods | Table B.7 | R | R | HR | HR |
| 1b | Formal methods | B.2.2, C.2.4 | | R | R | HR |
| 2  | Forward traceability between the system safety requirements and the software safety requirements | C.2.11 | R | R | HR | HR |
| 3  | Backward traceability between the safety requirements and the perceived safety needs | C.2.11 | R | R | HR | HR |
| 4  | Computer-aided specification tools to support appropriate techniques/measures above | B.2.4 | R | R | HR | HR |

### Table A.5 – Software design and development – software module testing and integration

#### (See 7.4.7 and 7.4.8)

|    | Technique/Measure * | Ref. | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|----|---------------------|------|-------|-------|-------|-------|
| 1  | Probabilistic testing | C.5.1 | | R | R | R |
| 2  | Dynamic analysis and testing | B.6.5, Table B.2 | R | HR | HR | HR |
| 3  | Data recording and analysis | C.5.2 | HR | HR | HR | HR |
| 4  | Functional and black box testing | B.5.1, B.5.2, Table B.3 | HR | HR | HR | HR |
| 5  | Performance testing | Table B.6 | R | R | HR | HR |
| 6  | Model based testing | C.5.27 | R | R | HR | HR |
| 7  | Interface testing | C.5.3 | R | R | HR | HR |
| 8  | Test management and automation tools | C.4.7 | R | HR | HR | HR |
| 9  | Forward traceability between the software design specification and the module and integration test specifications | C.2.11 | R | R | HR | HR |
| 10 | Formal verification | C.5.12 | | | R | R |

Key (IEC 61508-3 notation): R = recommended, HR = highly recommended, blank = no recommendation for or against the technique at that SIL.

**IEC 61511**: Functional safety – Safety instrumented systems for the process industry sector, contains several references to model checking. For example, from IEC 61511-2:2016 Annex B:

"... specification should be implemented in the graphical language of the **model checking** workbench environment..."


Given a **global model** of the system and a **formal property**, the **model checking algorithm checks exhaustively** that the model meets the property.

Clarke and Emerson (1982) and Queille and Sifakis (1982)

Model checking was born for hardware design; today it is used extensively for software verification as well. Model Checking lectures (Aachen University): https://www.youtube.com/watch?v=Y5Hg4MvUXc4&list=PLwabKnOFhE38C0o6z_bhlF_uOUlbIDTih

**Specifications** are the two inputs of the model checker: the formal model and the formal requirement. Its output is either **Property OK** or **Property failed** together with a trace leading to the violation.

**PLCverif** (for PLC programs) automates this chain:

- The PLC program (the function FC1 shown below, with inputs `in1`..`in4` and outputs `out1`, `out2`) is translated into the **formal model**, a control-flow automaton (CFA).
- The informal requirement "If **Output1** is FALSE then **Output2** is TRUE" becomes the **formal requirement** in temporal logic, evaluated at the end of every PLC cycle (EoC): `AG (EoC -> (!out1 -> out2))`.
- Model and requirement are translated into the input language of a **model checker** backend (nuXmv, Theta, CBMC), which answers Property OK, or Property failed with the trace leading to the violation.

`Demo.scl`, the PLC program loaded in PLCverif:

```scl
// FUNCTION declaration
FUNCTION FC1 : VOID
VAR_INPUT
  in1 : BOOL;
  in2 : BOOL;
  in3 : BOOL;
  in4 : BOOL;
END_VAR
VAR_OUTPUT
  out1 : BOOL;
  out2 : BOOL;
END_VAR
BEGIN
  // logic for out1
  IF in1 OR NOT in2 THEN
    out1 := NOT in3 OR in4;
  ELSE
    out1 := FALSE;
  END_IF;
  // logic for out2
  out2 := (in1 OR NOT in2) AND (NOT in3 OR in4);
END_FUNCTION
```

PLCverif verification report for `verifCase2.vc3` (generated on 2021-12-06 11:50:27 | PLCverif v3.0 | (C) CERN BE-ICS-AP):

| ID:                   | verifCase2                                                                                                                   |
|-----------------------|------------------------------------------------------------------------------------------------------------------------------|
| Name:                 |                                                                                                                              |
| Description:          |                                                                                                                              |
| Source file(s):       | C:\dev\PLCverif\workspace\1_PBCS_Workshop_DemoSCL\Demo.scl     C:\dev\PLCverif\workspace\.builtin Siemens S7-300\builtin.scl |
| Requirement:          | If not FC1.out1 is true at the end of the PLC cycle, then FC1.out2 should always be true at the end of the same cycle.       |
| Result:               | Violated                                                                                                                     |
| Verification backend: | NusmvBackend (nuxmv-Classic-dynamic-df)                                                                                      |
| Total run time:       | 449 ms                                                                                                                       |
| Backend run time:     | 346 ms                                                                                                                       |

### Counterexample

The trace reported by the backend is a single cycle: with these inputs `out1` is false and `out2` is false, so `!out1 -> out2` fails at the end of cycle 1. (In this program `out2` is in fact always equal to `out1`, so the requirement fails for every input valuation that makes `out1` false.)
|             | Variable | End of<br>Cycle 1 |
|-------------|----------|-------------------|
| INPUT BOOL  | FC1.in1  | true              |
| INPUT BOOL  | FC1.in2  | false             |
| INPUT BOOL  | FC1.in3  | true              |
| INPUT BOOL  | FC1.in4  | false             |
| OUTPUT BOOL | FC1.out1 | false             |
| OUTPUT BOOL | FC1.out2 | false             |
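What the backend did for `verifCase2`, as an added example that is not PLCverif code: a small explicit-state checker in Python. It takes the FC1 logic transcribed from the SCL above, enumerates every Boolean input valuation in every cycle, evaluates the requirement at the end of each cycle and returns the trace of the first violation; it also replays the counterexample from the report above to confirm it. The names `check_invariant`, `replay` and `req_out1_implies_out2` are this example's own, and the checker also handles programs that carry memory between cycles even though FC1 does not.

```python
"""Explicit-state model checking of a cyclic PLC program (added example).

Not PLCverif code. On the FC1 function from the page it shows what the model
checker does: the PLC program becomes a cycle function over a global model
(memory carried between cycles plus nondeterministic Boolean inputs), the
requirement becomes an invariant evaluated at the end of every cycle (EoC),
and the checker explores every reachable configuration up to a cycle bound,
returning the trace that leads to the first violation.
"""
from collections import deque
from itertools import product

INPUTS = ("in1", "in2", "in3", "in4")


def fc1(state, inp):
    """One PLC cycle of FC1, transcribed from the SCL on the page.
    FC1 keeps nothing between cycles, so the state is returned unchanged."""
    if inp["in1"] or not inp["in2"]:
        out1 = (not inp["in3"]) or inp["in4"]
    else:
        out1 = False
    out2 = (inp["in1"] or not inp["in2"]) and ((not inp["in3"]) or inp["in4"])
    return state, {"out1": out1, "out2": out2}


def req_out1_implies_out2(outs):
    """AG (EoC -> (!out1 -> out2)) as a check on one cycle's outputs:
    if out1 is false at the end of the cycle, out2 must be true."""
    return outs["out1"] or outs["out2"]


def check_invariant(program, initial_state, input_names, invariant, max_cycles=10):
    """Breadth-first exploration of the global model.

    Every cycle tries all 2**n valuations of the Boolean inputs, so the search
    is exhaustive for the given bound. Returns None if the invariant holds at
    the end of every reachable cycle within max_cycles, otherwise the shortest
    trace [(inputs, outputs), ...] whose last cycle violates it.
    """
    valuations = [dict(zip(input_names, bits))
                  for bits in product((False, True), repeat=len(input_names))]
    frontier = deque([(initial_state, ())])
    seen = {initial_state}
    while frontier:
        state, trace = frontier.popleft()
        if len(trace) >= max_cycles:
            continue
        for inp in valuations:
            next_state, outs = program(state, inp)
            step = trace + ((inp, outs),)
            if not invariant(outs):
                return list(step)            # counterexample trace
            if next_state not in seen:       # revisit only genuinely new memory
                seen.add(next_state)
                frontier.append((next_state, step))
    return None


def replay(program, initial_state, inputs_per_cycle):
    """Re-run a trace (e.g. the one reported by PLCverif) cycle by cycle and
    return the outputs of the last cycle, as a simulator would to confirm it."""
    state, outs = initial_state, None
    for inp in inputs_per_cycle:
        state, outs = program(state, inp)
    return outs


if __name__ == "__main__":
    trace = check_invariant(fc1, (), INPUTS, req_out1_implies_out2)
    for cycle, (inp, outs) in enumerate(trace, start=1):
        print(f"End of cycle {cycle}: inputs={inp} outputs={outs}")
    # The counterexample from the PLCverif report on the page:
    page_ce = {"in1": True, "in2": False, "in3": True, "in4": False}
    print("page counterexample outputs:", replay(fc1, (), [page_ce]))
    # A requirement that does hold: out1 and out2 agree in every cycle.
    print("out1 == out2 holds:",
          check_invariant(fc1, (), INPUTS, lambda o: o["out1"] == o["out2"]) is None)
```

The checker enumerates valuations in a fixed order, so the first violation it returns (`in1`, `in2` false, `in3` true, `in4` false) differs from the backend's; both are valid counterexamples, since every valuation that makes `out1` false violates the requirement. For real programs with timers, counters and edge detection the state space is far larger than 16 valuations, which is where the symbolic backends used by PLCverif come in.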


PLCverif references: <u>https://gitlab.com/plcverif-oss</u> and <u>www.cern.ch/plcverif</u>

### Some references

### **Real case studies**

- B. Fernández et al. "**Applying model checking to industrial-sized PLC programs**". In **IEEE Transactions on Industrial Informatics**. https://ieeexplore.ieee.org/document/7295624
- B. Fernández et al. "Applying model checking to critical PLC applications: An ITER case study". In Proc. of the 17th ICALEPCS. https://cds.cern.ch/record/2305319/files/thpha161.pdf
- B. Fernández et al. "Applying model checking to highly-configurable safety critical software: The SPS-PPS PLC program". In Proc. of the 18th ICALEPCS. https://cds.cern.ch/record/2809709/files/document.pdf
- B. Fernández et al. "Cause-and-Effect Matrix specifications for safety critical systems at CERN". In Proc. of the 17th ICALEPCS. https://accelconf.web.cern.ch/icalepcs2019/papers/mopha041.pdf

Figure: a PLCverif counterexample table spanning several cycles (End of Cycle 2, End of Cycle 3), including the inlined edge-detection call `R_EDGE_inlined_1.RET_VAL`.

### **Research** activities

Ignacio D. Lopez-Miguel et al. "Simplification of numeric variables for PLC model checking". In Proc. of the MEMOCODE '21 https://dl.acm.org/doi/abs/10.1145/3487212.3487334



Milán Mondok. "Evaluating compositional verification options for PLCverif". In CERN internal note https://cds.cern.ch/record/2780057/files/compositional verification.pdf

B. Fernández et al. "Modelling and formal verification of timing aspects in large PLC programs". In Proc. of IFAC World Congress'14 http://cds.cern.ch/record/1956687/files/CERN-ACC-2014-0226.pdf

D. Darvas et al. "A formal specification method for PLC-based applications" in Proc. of the 15<sup>th</sup> ICALEPCS https://accelconf.web.cern.ch/ICALEPCS2015/papers/wepqf091.pdf

Zsófia Ádám et al. "From Natural Language Requirements to the Verification of Programmable Logic Controllers: Integrating FRET into PLCverif". In NASA Formal Methods Symposium https://link.springer.com/chapter/10.1007/978-3-031-33170-1_21

Figure: FRET requirement editor (SCOPE, CONDITIONS, COMPONENT, SHALL, TIMING, RESPONSES) with a requirement in FRETish, "the CPC_FB_OnOff shall always satisfy if (instance.MMoSt & instance.AuAuMoR & PLC_END) then at the next occurrence of PLC_END, instance.AuMoSt", the LTLSIM panel, and the resulting PLCverif counterexample table (per-cycle values of the `instance.*` and `R_EDGE_inlined` variables).



Mihály Dobos-Kovács. "Counterexample analysis of formal verification methods". In CERN internal note https://cds.cern.ch/record/2779411/files/MihalyDobosKovacs\_report.pdf

### Roadmap

Many applications of machine learning at CERN

### Why NN-based controllers?

#### Tasks hard to specify

- Autonomous driving: several rule exceptions

#### Computationally fast

- Matrix multiplication

#### Versatile

- Non-linearities
- No need to linearize

#### Only data needed

- No physical modelling required
- Collect data

Figure: closed loop in which the NN controller computes the control action $y_i$ from the measurements $x_i$ of the System/Plant.

[2] Pisarov, Jelena & Mester, Gyula. (2020). The Future of Autonomous Vehicles. FME Transactions. 49. 29-35. 10.5937/fme2101029P.

### Why verification of NNs?

- Guaranteeing properties
- Explainability



### Case study

- Induced draft cooling towers (IDCTs)
- **Provide cold water** for different LHC subsystems (e.g. cryogenics, chillers, air handling units, etc.)
- Control actions:
  - Mode selection:
    1. Ventilation
    2. Showering
    3. Bypass
  - Fan speed
- Control objective:
  - Keep outlet water temperature within strict limits
  - Use the minimum amount of energy

### **Case study – NN description**

Figure: NN description.

#### Properties to be verified

- Operational modes reachability

The NN is designed in Keras, translated into PLC source code (TIA Portal V17) and compiled into the PLC executable. Different methods were applied and compared along this chain:

1. nnenum: an open-source NN verification tool for ReLU NNs from Stony Brook University https://github.com/stanleybak/nnenum (applied to the NN design)
2. PLCverif: an open-source formal verification tool for PLC programs from CERN https://gitlab.com/plcverif-oss
3. **Z3**: an open-source **theorem prover** from Microsoft Research https://github.com/Z3Prover/z3
4. Testing: traditional testing techniques

Ignacio D. Lopez-Miguel et al. "Verification of Neural Networks Meets PLC Code: An LHC Cooling Tower Control System at CERN". In EANN 2023: Engineering Applications of Neural Networks conference https://link.springer.com/chapter/10.1007/978-3-031-34204-2_35





SMT-LIB input given to Z3: the three NN inputs `X_0`..`X_2` are restricted to their operating ranges and the three mode scores `Y_0`..`Y_2` are constrained so that `Y_0` is the largest. The slide shows only this part; the equations of the network layers, which relate `Y` to `X`, belong to the same query.

```smt2
(declare-const X_0 Real)
(declare-const X_1 Real)
(declare-const X_2 Real)
(declare-const Y_0 Real)
(declare-const Y_1 Real)
(declare-const Y_2 Real)
(assert (>= X_0 20.0))
(assert (<= X_0 25.0))
(assert (>= X_1 23))
(assert (<= X_1 27))
(assert (>= X_2 8.0))
(assert (<= X_2 21.0))
(assert (>= Y_0 Y_1))
(assert (>= Y_0 Y_2))
```

















#### Goal

Find an example that satisfies all conditions, i.e., a set of $\{x_0, x_1, x_2\}$ inside the bounds such that $(y_0 \ge y_1 \land y_0 \ge y_2)$. If the solver answers `sat`, the model it returns is an input for which $y_0$ is the largest of the three mode scores, i.e. that operational mode is reachable from the operating range.

#### Execution

#### **Pros:**

- Very efficient
- Scalable

#### Cons:

- Limited to certain architectures
- No loops
- No complex properties
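The query above lists the bounds and the property but not the network that ties `Y` to `X`. The following is an added example, not code from the page or from the EANN paper: it generates the complete SMT-LIB query for a ReLU network (one equality per neuron, with `ite` for the ReLU), appends the page's input box and the "mode 0 has the highest score" property, and provides a concrete `forward()` evaluation to confirm a model returned by the solver, the same role the PLCSIM Advanced run plays for the PLC code. The 3-2-3 shape, weights and biases are hypothetical stand-ins for the real cooling-tower controller; the bounds and the property are the ones on the page.

```python
"""Encoding a ReLU network plus a reachability property in SMT-LIB for Z3
(added example; the network below is hypothetical, not the page's controller).
"""

# Hypothetical weights: 3 inputs -> 2 ReLU units -> 3 linear mode scores.
W1 = [[0.5, -0.2, 0.1], [-0.3, 0.4, 0.2]]
B1 = [-8.0, 1.0]
W2 = [[1.0, 0.0], [0.0, 1.0], [0.5, 0.5]]
B2 = [0.0, 0.0, 0.0]

# Operating ranges of the three inputs, as on the page.
BOUNDS = [(20.0, 25.0), (23.0, 27.0), (8.0, 21.0)]

X = [f"X_{i}" for i in range(len(W1[0]))]
H = [f"H_{j}" for j in range(len(W1))]
Y = [f"Y_{k}" for k in range(len(W2))]


def smt_real(v):
    """SMT-LIB has no negative literals: -0.2 must be written (- 0.2)."""
    return f"(- {abs(v)})" if v < 0 else f"{v}"


def affine(names, weights, bias):
    """(+ (* w0 n0) (* w1 n1) ... bias)"""
    terms = " ".join(f"(* {smt_real(w)} {n})" for w, n in zip(weights, names))
    return f"(+ {terms} {smt_real(bias)})"


def encode_network():
    """Declarations plus one equality per neuron; ReLU is max(pre, 0) as ite."""
    lines = [f"(declare-const {n} Real)" for n in X + H + Y]
    for h, row, b in zip(H, W1, B1):
        pre = affine(X, row, b)
        lines.append(f"(assert (= {h} (ite (>= {pre} 0.0) {pre} 0.0)))")
    for y, row, b in zip(Y, W2, B2):
        lines.append(f"(assert (= {y} {affine(H, row, b)}))")
    return lines


def encode_property(bounds, winner):
    """Input box and 'Y_winner is the largest score' (the page's Y_0 >= Y_1, Y_0 >= Y_2)."""
    lines = []
    for x, (lo, hi) in zip(X, bounds):
        lines.append(f"(assert (>= {x} {lo}))")
        lines.append(f"(assert (<= {x} {hi}))")
    for k, y in enumerate(Y):
        if k != winner:
            lines.append(f"(assert (>= {Y[winner]} {y}))")
    return lines


def build_query(bounds=BOUNDS, winner=0):
    """Full SMT-LIB text; 'sat' plus a model means the mode is reachable in the box."""
    return "\n".join(encode_network() + encode_property(bounds, winner)
                     + ["(check-sat)", "(get-model)"])


def forward(x):
    """Concrete evaluation of the same network, used to confirm a solver model."""
    h = [max(0.0, sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(W1, B1)]
    return [sum(w * hi for w, hi in zip(row, h)) + b for row, b in zip(W2, B2)]


def confirms(x, winner, bounds=BOUNDS):
    """True if x lies in the box and Y_winner really is the largest score."""
    inside = all(lo <= xi <= hi for xi, (lo, hi) in zip(x, bounds))
    y = forward(x)
    return inside and all(y[winner] >= yk for yk in y)


if __name__ == "__main__":
    print(build_query())   # save as query.smt2 and run: z3 -smt2 query.smt2
    print(forward([21.3, 23.0, 8.0]))
```

Two practical points: the `ite` per ReLU is what makes these queries combinatorial (each neuron can be on or off), which is the scalability limit for exact solvers on large networks; and a solver model is a point in the Reals, so it should always be re-evaluated with `confirms()` on the floating-point implementation actually deployed, because the PLC arithmetic may differ from the ideal network by more than the margin of a property expressed with `>=`.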

# Roadmap



- Formal verification (e.g. model checking) can be used to verify critical software (critical PLC programs)
- There are not commercial tools (yet) for PLC programs, this is why we developed **PLCverif**



• **PLCverif has been applied to many critical PLC programs** at CERN and outside CERN

- Formal verification (e.g. model checking) can be used to verify critical software (critical PLC programs)
- There are not commercial tools (yet) for PLC programs, this is why we developed **PLCverif**



- PLCverif has been applied to many critical PLC programs at CERN and outside CERN
- Still many challenges:
  - State space explosion problem (verification performance)
  - Properties specification
  - Automatic generation of models
  - **Counterexample analysis** (what do we do when we find a problem?)

1. It is important to verify neural networks in critical systems in order to:
   - guarantee properties such as robustness, stability, safety, etc.
   - gain a **better understanding** of the behavior of the NN

2. We use **simulators** (e.g. Siemens PLCSIM Advanced) **to confirm the property violations** (counterexamples) on the PLC code. Watch table from the simulation of one counterexample:

| Name                     | Display format        | Monitor value        | Modify value |
|--------------------------|-----------------------|----------------------|--------------|
| "Simulation".input1      | Floating-point number | 21.3                 | 21.3         |
| "Simulation".input2      | Floating-point number | 23.0                 | 23.0         |
| "Simulation".input3      | Floating-point number | 8.0                  | 8.0          |
| "NN_Result_DB".fan_speed | Floating-point number | 0.00262890317651313  |              |
| "NN_Result_DB".modes[0]  | Floating-point number | 6.01462636744791E-08 |              |
| "NN_Result_DB".modes[1]  | Floating-point number | 0.00348845387816139  |              |
| "NN_Result_DB".modes[2]  | Floating-point number | 0.996511485975575    |              |

3. We analyzed **different verification tools**:

| Tool     | Performance | Scalability | Expressiveness | Same types as the PLC program? | Plug-and-play? |
|----------|-------------|-------------|----------------|--------------------------------|----------------|
| PLCverif | low         | low         | high           | yes                            | yes            |
| nnenum   | very high   | high        | low            | no                             | no             |
| Z3       | medium      | medium      | low            | no                             | no             |
| Testing  | high        | very low    | medium         | no                             | no             |



4. We have applied this approach to a real case study for industrial controls at CERN (an LHC cooling tower control system):

Ignacio D. Lopez-Miguel et al. "Verification of Neural Networks Meets PLC Code: An LHC Cooling Tower Control System at CERN". In EANN 2023: Engineering Applications of Neural Networks conference. https://link.springer.com/chapter/10.1007/978-3-031-34204-2_35



## "Traditional" PLC-based controllers

## **NN-based controllers**

Towards reliable and safe control software