# Towards Interactive Verification of Programmable Logic Controllers using Modal Kleene Algebra and KIV

Roland Glück, Florian Benedikt Krebs

ST-BT

Braga, September 28, 2015





- 1. Introduction
- 2. PLC Crash Course
- 3. Modal Kleene Algebra and Linear Temporal Logic
- 4. Function Block Diagrams in Modal Kleene Algebra
- 5. Case Study: Mutual Exclusion
- 6. Conclusion and Outlook













- cost saving
- reliable
- strong
- very strong
- insensitive
- dangerous
- $\Rightarrow$  careful control is indispensable





# **PLC - Purpose and Function**

- Programmable Logic Controllers (PLCs) used for controlling various plants
- robots, pumps, valves, mechanical and automated devices, ...
- PLC works in a cyclic way (1 to 150 ms):
  - reads input channels (sensors, switches, internal variables)
  - computes new values
  - writes new values to associated output channels/registers (actuators, internal variables)





# **Data Types and Safety**

- possible data types: bool, int, float, date, ...
- with the usual operations (numerical, comparison, ...)
- special part for safety critical operations with reduced instruction set
- from now on only Boolean data and operations

# **Programming Languages**

Programming done via:

- Instruction List (IL): assembly-like
- Ladder Diagram (LD): similar to circuit diagrams
- Sequential Function Chart (SFC): inspired by state diagrams
- Structured Text (ST): resembles C syntax
- Function Block Diagram (FBD): see next



www.dlr.de - Slide 7 of 26 > PLC Verification with MKA and KIV > Roland Glück, Florian Benedikt Krebs - Braga, September 28, 2015

# AND, OR and Negation in FBD



 $OUT4 \equiv (IN1 \land \neg IN2) \lor IN5 \lor M10$ 



# Flip-Flops (Purpose and Function)

- Flip-Flops show dynamic behavior
- two inputs and one output
- TRUE-signal on set input sets output persistently to TRUE
- TRUE-signal on reset input resets output persistently to FALSE
- (until next signal on set/reset input)
- set/reset dominant depending on winner at set/reset conflict
- storing/clearing depending on input signals






# Flip-Flops (Truth Table)

| $S_n$ | $R_n$ | $Q_{n+1}$              |
|-------|-------|------------------------|
| TRUE  | FALSE | TRUE                   |
| FALSE | TRUE  | FALSE                  |
| FALSE | FALSE | $Q_n$                  |
| TRUE  | TRUE  | TRUE (set dominant)    |
| TRUE  | TRUE  | FALSE (reset dominant) |






# Flip-Flops (FBD)




# **Kleene Algebra**

### Definition

A Kleene algebra is a structure  $(M, +, 0, \cdot, 1, *)$  where  $(M, +, 0, \cdot, 1)$  is an idempotent semiring and  $*: M \to M$  has the following properties:

$$1 + xx^* \le x^* \qquad \qquad x + yz \le z \Rightarrow y^*x \le z$$
  
$$1 + x^*x \le x^* \qquad \qquad x + yz \le y \Rightarrow xz^* \le y$$

- $+$ models choice, $\cdot$ composition, $*$ iteration
- natural order defined by  $x \leq y \Leftrightarrow_{df} x + y = y$
- examples: formal languages, relations, ...





### Tests

Given an idempotent semiring $S = (M, +, 0, \cdot, 1)$, subsets of $M$ can be modeled by tests:

### Definition

Given an idempotent semiring $S = (M, +, 0, \cdot, 1)$, an element $p \in M$ is called a *test* if an element $\neg p$ (the *complement* of $p$) exists with the properties $p + \neg p = 1$ and $p \cdot \neg p = 0 = \neg p \cdot p$.

- set of tests denoted by **test**(*S*)
- in relational context: subsets of identity



# **Boxes and Diamonds**

(pre)image or pre/postcondition modeled by diamond/box operators:

### Definition

A modal semiring is a structure $S = (M, +, 0, \cdot, 1, |\cdot\rangle, \langle\cdot|)$ where $S' = (M, +, 0, \cdot, 1)$ is an idempotent semiring and $|\cdot\rangle$ and $\langle\cdot|$ are functions of type $M \to (\mathbf{test}(S') \to \mathbf{test}(S'))$ with the properties $|x\rangle p \le q \Leftrightarrow \neg q \cdot x \cdot p \le 0 \Leftrightarrow \langle x|\neg q \le \neg p$, $|xy\rangle p = |x\rangle |y\rangle p$ and $\langle xy|p = \langle y|\langle x|p$ for all $x, y \in M$ and $p, q \in \mathbf{test}(S')$.

- $|a\rangle p$: a transition into $p$ is possible
- $|a]p =_{df} \neg |a\rangle \neg p$: a transition into $p$ is inevitable






# Modal Kleene Algebra

putting it all together:

### Definition

A modal Kleene algebra (MKA for short) is a structure  $(M, +, 0, \cdot, 1, |\cdot\rangle, \langle\cdot|, *)$  where  $(M, +, 0, \cdot, 1, |\cdot\rangle, \langle\cdot|)$  is a modal semiring and  $(M, +, 0, \cdot, 1, *)$  is a Kleene algebra.





# Modal Kleene Algebra and Linear Temporal Logic

work by Möller, Höfner and Struth (2006):

- model transition system by a general MKA element a
- transforming sets of traces into sets of successors
- left total function modeled by  $|a\rangle p = |a]p$  for all tests p
- formulae in linear temporal logic (LTL) correspond to expressions in MKA
- LTL formula is valid iff corresponding MKA expression evaluates to 1




# **Explicit Correspondence**

$$\begin{aligned}
[\bot] &= 0 \\
[\neg \psi] &= \neg [\psi] \\
[\psi_1 \land \psi_2] &= [\psi_1] \cdot [\psi_2] \\
[\psi_1 \lor \psi_2] &= [\psi_1] + [\psi_2] \\
[\psi_1 \to \psi_2] &= [\psi_1] \to [\psi_2] \qquad (p \to q =_{df} \neg p + q) \\
[\Box \psi] &= |a^*][\psi] \\
[\Diamond \psi] &= |a^*\rangle[\psi] \\
[\circ \psi] &= |a\rangle[\psi] = |a][\psi] \\
[\psi_1 \,\mathcal{U}\, \psi_2] &= |([\psi_1] \cdot a)^*\rangle[\psi_2]
\end{aligned}$$





# Variables and Overall Behavior

FBDs in MKA:

- inputs/outputs/internal variables correspond to tests
- for every signal/variable $p$ introduce two tests $p_0$ and $p_1$, indicating a value of FALSE and TRUE, resp.
- clearly $\neg p_0 = p_1$ and $\neg p_1 = p_0$
- characterize behavior of elementary gates (OR, AND, Flip-Flops, ...)
- elementary gates do not change noninvolved signals/variables
- remember left total functionality
- write overall behavior $a$ as product of elementary gates




# **Elementary Gates**

- AND-gate $ANDk$ with inputs $in1, in2, \dots, inn$:
  - $in1_1 \cdot in2_1 \cdot \dots \cdot inn_1 \le |andk\rangle andk_1$
  - $in1_0 + in2_0 + \dots + inn_0 \le |andk\rangle andk_0$
- OR-gate $ORk$ with inputs $in1, in2, \dots, inn$:
  - $in1_1 + in2_1 + \dots + inn_1 \le |ork\rangle ork_1$
  - $in1_0 \cdot in2_0 \cdot \dots \cdot inn_0 \le |ork\rangle ork_0$
- negation of $sk$: swap $sk_1$ and $sk_0$






# **Flip-Flops**

- set dominant flip-flop $RSk$ with set input $s$, reset input $r$, output $q$ and internal marker $m$:
  - $s_1 + m_1 \cdot r_0 \le |rsk\rangle q_1$
  - $s_1 + m_1 \cdot r_0 \le |rsk\rangle m_1$
  - $s_0 \cdot r_1 + m_0 \cdot s_0 \le |rsk\rangle q_0$
  - $s_0 \cdot r_1 + m_0 \cdot s_0 \le |rsk\rangle m_0$






# Example Construction (not Complete!)

Constraints for the OR-gate $or1$:

$$\begin{aligned}
out2_1 + in2_1 &\le |or1\rangle or1_1 \\
out2_0 \cdot in2_0 &\le |or1\rangle or1_0 \\
in1_0 &\le |or1\rangle in1_0 \\
in1_1 &\le |or1\rangle in1_1 \\
|or1\rangle p &= |or1] p
\end{aligned}$$

Constraints for the flip-flop $sr1$:

$$\begin{aligned}
or1_1 + out1_0 \cdot in1_0 &\le |sr1\rangle out1_0 \\
in1_1 \cdot or1_0 + out1_1 \cdot or1_0 &\le |sr1\rangle out1_1
\end{aligned}$$

$cycle = or1 \cdot sr1$






# **Mutual Exclusion**




# **Behavior and Desired Properties**

- behavior given by $cycle = or1 \cdot sr1 \cdot or2 \cdot sr2$
- desired properties in LTL:
  - $out1_0 \cdot out2_0 \rightarrow \Box (out1_1 \rightarrow out2_0)$
  - $out1_0 \cdot out2_0 \rightarrow \Box (out2_1 \rightarrow out1_0)$
- in MKA (recall $p \rightarrow q =_{df} \neg p + q$):
  - $out1_0 \cdot out2_0 \rightarrow |cycle^*](out1_1 \rightarrow out2_0) = 1$
  - $out1_0 \cdot out2_0 \rightarrow |cycle^*](out2_1 \rightarrow out1_0) = 1$




# **Proof Sketch**

to show: $out1_0 \cdot out2_0 \rightarrow |cycle^*](out1_1 \rightarrow out2_0) = 1$

proof sketch:

- first: $out1_0 \cdot out2_0 + out1_0 \cdot out2_1 + out1_1 \cdot out2_0$ is an invariant of $cycle$
- MKA: $out1_0 \cdot out2_0 + out1_0 \cdot out2_1 + out1_1 \cdot out2_0$ is an invariant of $cycle^*$
- MKA: $p \leq q \land q x \neg q = 0 \land q \leq r \Rightarrow p \rightarrow |x]r = 1$
- finish:
  - $out1_0 \cdot out2_0 \leq out1_0 \cdot out2_0 + out1_0 \cdot out2_1 + out1_1 \cdot out2_0$
  - $out1_0 \cdot out2_0 + out1_0 \cdot out2_1 + out1_1 \cdot out2_0 \le out1_1 \to out2_0$
- proof done interactively in KIV
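The FBD encoding (Example Construction, Behavior and Desired Properties) and the proof sketch above, as an added example that is not part of the slides or of KIV: a finite relational model in Python in which tests are sets of states, $|a\rangle$ is the preimage, $|a]$ its dual and $a^*$ the reflexive-transitive closure. The signal names, the wiring of $or2$ as $out1 \lor in1$, the reset-dominant reading of $sr1$/$sr2$ and the `free_inputs` option (sensor inputs may change between cycles, which goes beyond the slides' fixed inputs) are assumptions of this example; it checks the invariant $q \cdot cycle \cdot \neg q = 0$ and evaluates $out1_0 \cdot out2_0 \rightarrow |cycle^*](out1_1 \rightarrow out2_0)$ to $1$ (all states).

```python
from itertools import product
# Constructed state space: one Boolean per signal of the mutual-exclusion FBD (assumed names).
VARS = ("in1", "in2", "or1", "out1", "or2", "out2")
ALL = frozenset(product((0, 1), repeat=len(VARS)))   # the test 1: every state
def get(s, v): return s[VARS.index(v)]
def assign(s, v, b): i = VARS.index(v); return s[:i] + (b,) + s[i + 1:]
def or_gate(out, a, b):             # ORk: out := a OR b, every other signal unchanged
    return lambda s: assign(s, out, get(s, a) | get(s, b))
def sr_gate(q, set_in, reset_in):   # reset-dominant flip-flop, as in the sr1 constraints
    return lambda s: assign(s, q, 0 if get(s, reset_in) else 1 if get(s, set_in) else get(s, q))
# cycle = or1 . sr1 . or2 . sr2 with or1 = out2 OR in2, or2 = out1 OR in1 (assumed wiring)
CYCLE = [or_gate("or1", "out2", "in2"), sr_gate("out1", "in1", "or1"),
         or_gate("or2", "out1", "in1"), sr_gate("out2", "in2", "or2")]

def cycle_relation(free_inputs=False):
    """(pre, post) pairs of one PLC cycle. free_inputs=True lets the sensor inputs take
    any value at the start of a cycle (beyond the slides, where gates never change them)."""
    rel = set()
    for s in ALL:
        choices = product((0, 1), repeat=2) if free_inputs else [(get(s, "in1"), get(s, "in2"))]
        for a, b in choices:
            t = assign(assign(s, "in1", a), "in2", b)
            for gate in CYCLE:
                t = gate(t)
            rel.add((s, t))
    return rel

def test(**bits):                   # the test p_1 / p_0: states where the named signals have these values
    return {s for s in ALL if all(get(s, v) == b for v, b in bits.items())}
def diamond(rel, p): return {x for x, y in rel if y in p}   # |a>p: some a-successor lies in p
def box(rel, p): return ALL - diamond(rel, ALL - p)        # |a]p = ~|a>~p
def implies(p, q): return (ALL - p) | q                    # p -> q =df ~p + q
def is_invariant(rel, q): return not any(x in q and y not in q for x, y in rel)   # q.a.~q = 0

def star(rel):                      # a*: reflexive-transitive closure, by reachability from each state
    succ = {x: {y for x2, y in rel if x2 == x} for x in ALL}
    closure = set()
    for s in ALL:
        seen, todo = {s}, [s]
        while todo:
            new = succ[todo.pop()] - seen
            seen |= new; todo += new
        closure |= {(s, y) for y in seen}
    return closure

def mutex_holds(free_inputs=False):
    """Does out1_0 . out2_0 -> |cycle*](out1_1 -> out2_0) evaluate to 1, i.e. to ALL?"""
    goal = implies(test(out1=1), test(out2=0))
    return implies(test(out1=0, out2=0), box(star(cycle_relation(free_inputs)), goal)) == ALL
```

The same helpers evaluate the symmetric property with `out1` and `out2` swapped, and `is_invariant` is exactly the "first" step of the proof sketch checked by enumeration instead of in KIV.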



# Conclusion

We saw:

- Programmable Logic Controllers
- Modal Kleene Algebra
- Linear Temporal Logic
- interactive proving with KIV
- and all working together




# Outlook

We plan:

- verification of real safety systems
- typical features:
  - 32 to 64 signals from sensors
  - plus up to 16 signals from safety doors
  - 50 to 100 elementary gates
- characterization of other gates in MKA
- embracing numerical operations
- timer
- automated construction of input files



# Thank you for your attention

# **Questions?**

