Information Systems Frontiers, Volume 18, Issue 5, pp 927–952

Two CEGAR-based approaches for the safety verification of PLC-controlled plants

  • Johanna Nellen
  • Kai Driessen
  • Martin Neuhäußer
  • Erika Ábrahám
  • Benedikt Wolters


In this paper we address the safety analysis of chemical plants controlled by programmable logic controllers (PLCs). We consider a specification of the control program of the PLCs, extended with the specification of the dynamic plant behavior. The resulting hybrid models can be transformed to hybrid automata, for which advanced techniques for reachability analysis exist. However, the hybrid automata models are often too large to be analyzed. We propose two counterexample-guided abstraction refinement (CEGAR) approaches to keep the size of the hybrid models moderate.


Keywords: Safety verification, Hybrid systems, CEGAR, Bounded model checking, Reachability analysis



Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Johanna Nellen (1)
  • Kai Driessen (1)
  • Martin Neuhäußer (2)
  • Erika Ábrahám (1)
  • Benedikt Wolters (1)

  1. RWTH Aachen University, Aachen, Germany
  2. Siemens AG, Nürnberg, Germany
