Automatically Deriving Symbolic Invariants for PLC Programs Written in IL

  • Sebastian Biallas
  • Jörg Brauer
  • Stefan Kowalewski
  • Bastian Schlich
Conference paper


In this paper, we propose a new approach to automatically derive invariants from Programmable Logic Controller programs by symbolically rewriting Instruction List code. These invariants describe the relations between all variables and capture the behavior of the program. Usually, invariants are created by users and verified using formal verification techniques such as model checking or static analysis. The process of manually deriving invariants, however, is error-prone and lengthy. Our approach generates these invariants automatically and removes the need to use formal verification techniques to verify them. Users only need to inspect the generated invariants and compare them to the expected program behavior. Using three example programs of different sizes, we show that the generated invariants are easy to understand and that the approach indeed scales for larger programs.


Program Verification Invariants PLC Instruction List 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    M. Bani Younis and G. Frey. Formalization of existing PLC programs: A survey. In CESA, 2003.Google Scholar
  2. 2.
    L. Baresi, M. Mauri, A. Monti, and M. Pezze. PLCTools: Design, formal validation, and code generation for programmable logic controllers. In SMC, pages 2437–2442, 2000.Google Scholar
  3. 3.
    S. Bornot, R. Huuck, B. Lukoschus, and Y. Lakhnech. Utilizing static analysis for programmable logic controllers. In ADPM, pages 183–187, 2000.Google Scholar
  4. 4.
    A. Cimatti, E. M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, and A. Tacchella. NuSMV version 2: An opensource tool for symbolic model checking. In CAV (2002), volume 2404 of LNCS, pages 241– 268. Springer, 2002.Google Scholar
  5. 5.
    R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Effciently computing static single assignment form and the control dependence graph. ACM Trans. Program. Lang. Syst., pages 451–590, 1991.Google Scholar
  6. 6.
    E. A. Emerson. Handbook of Theoretical Computer Science, volume B, chapter Temporal and Modal Logics, pages 995–1072. The MIT Press, 1991.Google Scholar
  7. 7.
    C. A. R. Hoare. An axiomatic basis for computer programming. Comm. of the ACM, 12(10):576–585.Google Scholar
  8. 8.
    R. Huuck. Software Verification for Programmable Logic Controllers. Dissertation, University of Kiel, Germany, April 2003.Google Scholar
  9. 9.
    International Electrotechnical Commission. IEC 61131-3 Ed. 1.0: Programmable Controllers — Part 3: Programming languages. International Electrotechnical Commission, Geneva, Switzerland, 1993.Google Scholar
  10. 10.
    International Electrotechnical Commission. IEC 61508: Functional Safety of Electrical, Electronic and Programmable Electronic Safety-Related Systems. International Electrotechnical Commission, Geneva, Switzerland, 1998.Google Scholar
  11. 11.
    S. K. Lahiri and S. Qadeer. Back to the future: revisiting precise program verification using SMT solvers. In POPL, pages 171–182. ACM, 2008.Google Scholar
  12. 12.
    T. Mertke and G. Frey. Formal verification of PLC-programs generated from signal interpreted petri nets. In 2001 IEEE International Conference on Systems, Man, and Cybernetics, volume 4, pages 2700–2705. IEEE Computer Society Press, 2001.Google Scholar
  13. 13.
    T. Mertke and T. Menzel. Methods and tools to the verification safety-related control software. In SMC, pages 2455–2457, 2000.Google Scholar
  14. 14.
    G. Nelson. Verifying reachability invariants of linked structures. In POPL, pages 83–47. ACM, 1983.Google Scholar
  15. 15.
    O. Pavlovic, R. Pinger, and M. Kollmann. Automated formal verification of PLC programms written in IL. In VERIFY, number 259 inWorkshop Proce., pages 152–163., 2007.Google Scholar
  16. 16.
    PLCopen TC5. Safety Software Technical Specification, Version 1.0, Part 1: Concepts and Function Blocks. PLCopen, Germany, 2006.Google Scholar
  17. 17.
    B. Schlich, J. Brauer, J. Wernerus, and S. Kowalewski. Direct model checking of PLC programs in IL. In DCDS, 2009. To appear.Google Scholar
  18. 18.
    D. Soliman and G. Frey. Verification and validation of safety applications based on PLCopen Safety Function Blocks using Timed Automata in UPPAAL. In DCDS, 2009. To appear.Google Scholar
  19. 19.
    A. Sülflow and R. Drechsler. Verification of plc programs using formal proof techniques. In FORMS/FORMAT, pages 43–50. L’Harmattan, 2008.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Sebastian Biallas
    • 1
  • Jörg Brauer
    • 1
  • Stefan Kowalewski
    • 1
  • Bastian Schlich
    • 2
  1. 1.Embedded Software LaboratoryRWTH Aachen UniversityAachenGermany
  2. 2.Industrial Software Systems, ABB Corporate ResearchAachenGermany

Personalised recommendations