The document describes a formal process for developing programmable logic controller (PLC) software to improve safety verification. The process involves:
1) Formalizing requirements and using them to specify function block designs.
2) Verifying the designs meet requirements and testing them symbolically.
3) Constructing and verifying structured text programs that implement the designs.
4) Testing the final code.
The process is demonstrated by formally developing a CHECK function block that transforms sensor readings within set limits and triggers alarms.
IEEE SOFTWARE, JANUARY 1994

Figure 1. Steps of the formal-development process.

tation and implementation. We also used the Obj3 system,2 which supports the latest version of Obj with an interpreter and a functional programming environment, to automate parts of specification testing and formal verification.
FORMAL DEVELOPMENT

The process we have created builds on work done earlier on the development of PLC software for safety-critical process-control applications in the chemical industry.3 Developers of this kind of software use a catalog of predefined function blocks in designing process-control software. Their task is supported by a graphical editor that lets them invoke function-block instances from the function-block library, place them, and interconnect them.

Our earlier work was to provide checking and compilation functions through formal semantics of both individual function blocks and complete diagrams. Using these semantics, we defined a collection of consistency conditions for interconnecting function blocks and structuring them in a hierarchy.3 (The figure on p. 64 shows a view of the graphical editor.)

We focused on the consistency and correctness of the entire application under the assumption that if the function blocks are proved correct, the entire system is correct. What we did not do was make the formal-development process explicit. This is what we are concerned with here.

In this formal-development process, we create individual function blocks and demonstrate their adequacy and correctness. We represent and implement each function block in a function-block diagram and structured text, both of which are defined by the International Electrotechnical Commission's standard IEC 1131-3 (previously IEC 65A). In a function-block diagram, each software module represents part of the system's overall functionality. Structured text is a Pascal-like language that uses modules and tasks to describe the structure and to implement the behavior of function blocks.

The formal-development process lets developers validate and verify the correctness and adequacy of individual function blocks at different stages of development. Developers can use this process together with the function-block catalog and a technique called diverse back translation, which is described in the box on the facing page. This technique, required by German licensing authorities, helps increase confidence in a design. Developers use it once they are finished with our formal process.
Process overview. Figure 1 shows the major process steps:

• Formalize requirements. The developer creates a reference point for detecting omissions, inconsistencies, or ambiguities and for deriving properties of the requirements with formal reasoning.

• Specify design. The developer uses the formalized requirements to create function blocks. A black-box view of the block is formed from specifications of its functional properties and safety constraints. The developer identifies suitable function blocks in the catalog and interconnects them to form a more complex program. Using a high-level Petri-net model of function-block diagrams, which includes algebraic interface specifications, the developer can apply existing techniques, such as structural induction, term rewriting, invariant analysis, and net simulation, to determine the static and dynamic properties of both concurrent and distributed programs.

• Verify design. The developer uses the specifications created in the previous step to verify that the design conforms with critical requirements.

• Test design. The developer can also use the functional and safety specifications to demonstrate the design's adequacy, in a sense answering the proverbial question, "Are we building the right thing?" This specification-based testing is actually a form of rapid prototyping that lets developers try out their designs in various use scenarios and remove requirements or design errors before taking more expensive development steps. It also lets them test entire classes of programs, rather than one instance of a class of implementations, as in program testing.

• Construct program. If both design verification and testing produce acceptable results, the developer can proceed to build a structured-text program: a clear-box, or transparent, view of the function block. An important part of this step is to annotate the program with verification conditions that represent assertions about program behavior.

• Verify program. The developer proves the validity of the assertions either manually or with appropriate tools. The developer can derive verification conditions automatically from either the design specification or program by using verification-condition generators. These generators rely on logical deduction systems that use axioms and deduction rules based on Hoare logic4 to map one set of formulas into another.

We used proof techniques developed by Joseph Goguen5 and the Obj3 system2 to verify the consistency between critical requirements and the corresponding design specification. We used a variant of Hoare-style proof rules6 to verify that a structured-text program conforms to its specification.

Hoare logic proved to be highly suitable for PLCs because these systems rely on simple programming constructs (like variables and constants), elementary data types (like Boolean, integer, real, bit sequence, character, and string), conditional and assignment statements, statement sequences, and Boolean and arithmetic expressions, all of which are easily handled by Hoare logic. Nasty constructs like unbounded loops, recursion, or subprograms, which complicate proofs in Hoare logic, are avoided because they often compromise crucial real-time requirements like predictability and timeliness.

• Test code. The process concludes when the developer tests the code that results from compiling the structured-text program. The developer can use the design specification to generate suitable test data.
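To make the verify-program step concrete, here is a small verification-condition generator for exactly the loop-free subset the text says Hoare logic handles easily: assignments, conditionals and statement sequences. This Python is an added example and is not the authors' tooling (they used Obj3 and Hoare-style proof rules); the class names (Assign, If), the functions (subst, wp, verification_condition, counterexamples), the bounding program and the finite data domains are all constructed for this illustration and are not the CHECK specification. The generator computes the weakest precondition by backward substitution, forms the verification condition pre implies wp(program, post), and, because the domains chosen here are finite, decides it by enumeration, reporting counterexamples for a variant of the program in which the upper-bound check has been left out. It needs Python 3.9 or later for ast.unparse.

```python
import ast
import itertools
from dataclasses import dataclass, field


# Loop-free program model: the constructs the paper says Hoare logic handles easily.
# Expressions and predicates are written in Python syntax over the program variables.
@dataclass
class Assign:
    var: str
    expr: str


@dataclass
class If:
    cond: str
    then: list
    orelse: list = field(default_factory=list)


def subst(pred: str, var: str, expr: str) -> str:
    """Return pred with every occurrence of var replaced by expr (pred[expr/var]).
    The substitution is done on the AST so operator precedence survives."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return replacement if node.id == var else node

    tree = Sub().visit(ast.parse(pred, mode="eval"))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)          # Python 3.9+


def wp(stmts: list, post: str) -> str:
    """Weakest precondition of a statement list with respect to post, computed
    backwards with the Hoare rules for assignment, sequence and conditional."""
    q = post
    for s in reversed(stmts):
        if isinstance(s, Assign):
            q = subst(q, s.var, s.expr)
        else:
            q = (f"(({s.cond}) and ({wp(s.then, q)})) or "
                 f"(not ({s.cond}) and ({wp(s.orelse, q)}))")
    return q


def verification_condition(pre: str, stmts: list, post: str) -> str:
    """The formula a verification-condition generator hands to a prover: pre -> wp."""
    return f"not ({pre}) or ({wp(stmts, post)})"


def counterexamples(vc: str, domains: dict) -> list:
    """Decide the VC over finite domains by enumeration. Returns the failing
    environments; an empty list means the Hoare triple holds on these domains."""
    names = list(domains)
    failing = []
    for values in itertools.product(*(domains[n] for n in names)):
        env = dict(zip(names, values))
        if not eval(vc, {"__builtins__": {}}, env):
            failing.append(env)
    return failing


# Constructed example program: keep X inside the measuring range [XB, XE].
PRE = "XB <= XE"
POST = "XB <= X and X <= XE"
BOUNDED = [If("DIGX < XB", [Assign("X", "XB")],
              [If("DIGX > XE", [Assign("X", "XE")], [Assign("X", "DIGX")])])]
# The same program with the upper-bound check left out: a design error the VC exposes.
MISSING_UPPER = [If("DIGX < XB", [Assign("X", "XB")], [Assign("X", "DIGX")])]
# Small constructed domains; enumeration is exhaustive over them.
DOMAINS = {"XB": range(-2, 3), "XE": range(-2, 3), "DIGX": range(-4, 5)}


def check_program(stmts: list) -> list:
    """Counterexamples to {PRE} stmts {POST} over DOMAINS (empty list = verified)."""
    return counterexamples(verification_condition(PRE, stmts, POST), DOMAINS)


if __name__ == "__main__":
    print("VC:", verification_condition(PRE, BOUNDED, POST))
    print("bounded program counterexamples:", check_program(BOUNDED))
    print("missing upper check, first counterexamples:", check_program(MISSING_UPPER)[:3])
```

For a real PLC program the domains are not enumerable and the verification condition would be discharged by a prover or, as the authors did, by term rewriting in Obj3; the point of the enumeration here is only to show that the generated formula is the right object to prove, and that a forgotten check turns up as a concrete failing input rather than as an unprovable goal.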
This approach follows Rogerio de Lemos and colleagues' concept of splitting requirements into mission (functionality) and safety categories.7 Such a split gives developers freedom to choose different formalisms to express each part, but there must be a way to verify the consistency of both.

To enable a seamless integration of different process steps, we uniformly use an algebraic specification technique for stating functional properties and (first-order) safety constraints as well as design and program specifications. We also use term rewriting both in design and program verification and in specification-based testing.

Obviously, PLC software developers will have to work harder to follow this method, as opposed to conventional approaches that rely on informal or semiformal requirements and designs programmed directly in terms of ladder diagrams (abstractions and formalizations of electrical current-flow diagrams) or instruction lists (mainly assembly-level vendor- and machine-specific procedural languages).

But they will find it well worth the effort. First, thousands of control programs use standard function blocks. Formal interface specifications make it possible to systematically reuse function blocks and the proofs to verify them. Also, formal development provides more evidence about the logical consistency between the specification and program for all possible input data. Finally, because developers gain deeper insight into the problem early on, the cost to detect errors in later development stages and maintenance is lower.

WITH THIS METHOD, YOU CAN REUSE FUNCTION BLOCKS AS WELL AS THEIR PROOFS.

Obj and Obj3. We used Obj through the entire development process to formalize requirements (step 1), capture design requirements (step 2), verify the correctness of design specifications and execute them symbolically (step 3), and to state the implementation's pre- and postconditions in Hoare logic (step 4).

Obj is rigorously based on order-sorted logic; its code consists of equations and conditional equations. Obj's basic building blocks are objects, declarations, and theories. Objects, which represent initial order-sorted algebras - sorted sets with an inclusion relationship and a family of operations - are named entities that encapsulate specific kinds of data. This data can be manipulated only through the operations an object provides. Declarations introduce the kinds of objects and their operations. Theories support parameterized programming by specifying both the syntactic structure and semantic properties of modules and module interfaces.

Obj3 is the latest in a series of systems that support Obj by interpreting the equations as rewrite rules. We use Obj3 to formalize function-block requirements, design specifications, and the structured-text program specification in terms of Obj declarations and (conditional) equations. We then used Obj3's interpreter to automate parts of verification and testing.

The Obj3 environment offers unique semantics and an underlying equational calculus, which let you prove theorems and equations from specifications and derive one set of terms from another using equations as rewrite rules (called reduction rules in Obj3). This term-rewriting capability was particularly useful in manipulating the specifications needed to reason about the properties of specifications and programs, verify their correctness, and execute them symbolically.

DIVERSE BACK TRANSLATION

This technique, which is required by German licensing authorities, was developed for the Halden experimental nuclear-power-plant project by TÜV Rheinland.1 Developers read machine programs from memory and give them to teams. Without contacting each other, the teams manually disassemble and decompile the code with the final goal of regaining the specification. A safety license is granted to the software if its original specification agrees with the reengineered specifications.

The method is generally extremely cumbersome, time consuming, and expensive. There is a tremendous semantic gap between a specification formulated in terms of user functions and the usual machine instructions to carry them out. Using the process described in the main text helps, however, because the design is directly mapped onto sequences of procedure invocations and the corresponding object code consists only of these calls and parameter passing. Consequently, there is little effort to interpret the code, reconstruct graphical design specifications, and verify their consistency with formalized requirements specifications.

We are pursuing new research aimed at providing automated support for diverse back translation using the semantics defined in the main text.

REFERENCES
1. H. Krebs and U. Haspel, "Ein Verfahren zur Software-Verifikation," Regelungstechnische Praxis, Feb. 1984, pp. 73-78 (in German).

[Figure 2. Function-block description of a program to supervise process data. Recoverable labels from the figure: analog data from the technical process enters an ADC block; other blocks shown are PARIN, CHECK, and EVAL; signal labels shown are DIGX, X, CF, XB, XE, UA, UAE, UL, LA, LAE, LL, and COND.]
EXAMPLE
To illustrate our method, we apply it to the CHECK function block in Figure 2. This block transforms a digitized and normalized signal DIGX, produced by an analog-to-digital converter from analog raw data, into a measuring value provided on output X. To compute this value, we use measuring-range limits XB and XE as parameters.
As Figure 2 shows, CHECK has eight inputs:
DIGX  digitized measurement value X
XB    lower bound of X
XE    upper bound of X
CF    channel fault signal
UAE   beyond range alarm enabled
UL    upper alarm bound
LAE   below range alarm enabled
LL    lower alarm bound
and four outputs:
X     corresponding integer value of X
UA    beyond range alarm signal
LA    below range alarm signal
COND  condition code
If a channel fault, CF, is indicated, the most recent proper value is delivered on output X, not a newly computed value. Inputs UL and LL define the upper and lower limits at which an alarm is raised through outputs UA and LA, respectively, provided inputs UAE and LAE, respectively, are active.
Output Cond produces a notification about CHECK's processing state. A value of 1 indicates a channel fault, 2 means that the measuring value exceeded the upper limit, and 3 tells the operator that the measuring value remained under the lower limit. Error notifications are ordered according to this priority.
The example we have chosen has two characteristics: First, the requirements that capture the functional relationship between X and certain input values of CHECK are mixed; for example, safety demands impose lower and upper bounds on X or require alarm signals under certain error conditions. Second, CHECK is assumed to produce an output under any condition. The implicit assumption here is that CHECK and all other function blocks of the PLC software are periodically triggered by a control signal; that is, a function block is ready to compute new output data whenever it is triggered.
Formalize requirements. Formalizing requirements for CHECK requires translating the concepts of the problem domain into constructs suitable for Obj specifications. Obj provides a collection of built-in objects including BOOL, INT, and PROPC, which specify the laws of Boolean algebra, integer arithmetic, and propositional calculus, respectively. There are also two Boolean-valued operators, _==_ and _=/=_, and a polymorphic conditional choice construct, if_then_else_fi, which applies to every sort s in its second and third arguments.
The behavior of a function block is naturally represented by Obj3 operations, while types of I/O data are represented by sorts. For example, we might associate sort Bool with binary-value inputs and outputs, use bit sequences to represent digitized data, and employ integers to model measuring and range values.
One data sort s may be a subsort of another sort S (written subsort s < S). This means that s data can be used as an argument of an operation that expects S data.
The interpreter in the Obj3 environment implicitly converts s data to S data.
64 JANUARY 1994
In our example, object TIME provides distinguishable clock ticks:

obj TIME is sort Time .
  op 0 : -> Time .
  op tick : Time -> Time .
endo
In nontrivial cases, developers define the properties of the operations provided by modules, mutually relating the behavior of such properties using equations and conditional equations. Because function blocks are regularly triggered, they synchronously process streams a(0), a(1), ... of time-varying data. To make the function block's interface precise, you can view names of inputs and outputs as abbreviations for access functions that map time values to the typed data observed on CHECK's inputs and outputs.
obj CHECK-INPUT is protecting INT .
  protecting BITS .
  protecting TIME .
  op digx : Time -> Bits .
  op xb : Time -> Int .
  op lae : Time -> Bool .
endo
Because the results of computations may refer to results of previous computational steps, we assume that each output is initialized with a suitable value to ensure that all computations of CHECK are well defined. When we try to initialize output Cond, we see that the informal problem specification gives no indication about the state in which no stated faults occurred. Thus, we encode the OK indication as value 0 in the output specification, which is represented by operation cond (op cond) in object CHECK-OUTPUT:

obj CHECK-OUTPUT is
  protecting NUM .
  protecting BITS .
  protecting TIME .
  op x : Time -> Int .
  op ua : Time -> Bool .
  op la : Time -> Bool .
  op cond : Time -> Nat .
  eq x(0) = minnum .
  eq ua(0) = false .
  eq la(0) = false .
  eq cond(0) = 0 .
endo
IEEE SOFTWARE
More interesting is the following requirement for output Cond for arbitrary times greater than 0:

cond(tick(T)) = 0 if not cf(T) and not ua(T) and not la(T)
cond(tick(T)) = 1 if cf(T)
cond(tick(T)) = 2 if not cf(T) and ua(T)
cond(tick(T)) = 3 if not cf(T) and not ua(T) and la(T)

The definition of this requirement is incomplete because it depends on the definitions of output functions ua and la. We examine this in the next step.
Specify, verify, and test design. The design specification gives meaning to the operations of CHECK that compute its outputs. Once these functions are abstractly defined, we can apply specification-verification techniques to verify that there is no ambiguity, incompleteness, or inconsistency from design errors and oversights. Additionally, we can apply term-rewriting techniques to enhance the user's or designer's confidence in a design by testing the design specification.
The definition of the output functions, however, requires a careful interpretation of the problem statement and sufficient knowledge about the problem domain.
Two output definitions for CHECK are

eq ua(tick(T)) = ul(tick(T)) < x(tick(T)) and uae(tick(T)) .
cq x(tick(T)) = xb(tick(T)) + bi(digx(tick(T))) * (xe(tick(T)) - xb(tick(T)))
   if not cf(tick(T)) .
cq x(tick(T)) = x(T) if cf(tick(T)) .

where cq and eq are Obj keywords that stand for conditional equation and equation. Informally, the first definition states that ua is true if and only if both the actual value of x exceeds the upper range limit ul and input uae is true at the same time. The second definition reflects what we know about normalizing measuring values. It uses an auxiliary operation, bi, which maps bit sequences into their corresponding number value.
In the rest of this article, we apply Goguen's proof techniques to formally verify that the design specification satisfies the requirements and any other propositions about design properties. These requirements or propositions are expressed as equational theorems in Obj3. A proof consists of a sequence of rewrite steps using premises and specification equations. Its goal is to conclude the theorem from the given specification and a set of premises, which are again equations.
The Obj3 environment helps developers perform routine work automatically. The modularity of Obj is useful in structuring user-directed proofs in modules and hierarchies.
To illustrate how Obj3 works, we give protocol excerpts from a session in which we verified the correctness of function x with respect to the following requirement:

0 <= x(T) = true if xb(T) <= xe(T)

using structural induction over the bit sequences provided by DigX.
Because the requirement is expressed as a conditional equation, we must assume the condition is true. Hence we assert
obj CHECK-BEHAV is using CHECK-VARS .
  ops t t' : -> Time .
  eq t = tick(t') .
  eq xb(t) <= xe(t) = true .
  eq 0 <= x(t') = true .
endo
and attempt to verify the base cases with |digx(t)| = 1 for some arbitrary Bit B and cf(t) = true or false.
The first case is trivial (the first line shows Obj3's prompt and the user's input; the last line presents the computed result):

OBJ> reduce 0 <= x(t) .
result Bool: true

because x(t) reduces to x(t'), for which the condition holds by input assumption.
For cf(t) = false, a reduction yields

OBJ> reduce 0 <= x(t) .
result Bool: 0 <= xb(t) + bi(B) * (xe(t) - xb(t))

The resulting expression cannot be further reduced, because xb(t), xe(t), and x(t) are constants whose structure is unknown but must be known to use equations of data type Int. Because of the input assumption xb(t) <= xe(t), however, we can conclude that xe(t) - xb(t) is a natural number, say m.
Further, we know that bi(B) is a natural number, say n. Hence, we know that n * m is also a natural number.
(A)
Q = (COND == 0 and not ua and not la and not cf) or
    (COND == 1 and cf) or
    (COND == 2 and not cf and ua) or
    (COND == 3 and not cf and not ua and la)

(B)
{true}
If not (cf or ua or la)
Then COND := 0
Else
  {cf or ua or la}
  If cf
  Then COND := 1
  Else
    {(cf or ua or la) and not cf}
    If ua
    Then COND := 2
    Else
      {(cf or ua or la) and not cf and not ua}
      If la
      Then COND := 3
      Fi
      {Q}
    Fi
    {Q}
  Fi
  {Q}
Fi
{Q}

(C)
(not (cf or ua or la)) implies Q{COND/0}
((cf or ua or la) and cf) implies Q{COND/1}
((cf or ua or la) and not cf and ua) implies Q{COND/2}
((cf or ua or la) and not cf and not ua and la) implies Q{COND/3}

(D)
OBJ> reduce ((cf or ua or la) and cf) implies Q{COND/1} .
reduce in PROG-VERIFICATION : (cf or ua or la) and cf implies Q{COND/1}
rewrites: 206
result Bool: true

Figure 3. Part of a structured-text program to implement the design specification of CHECK. (A) The function Cond, (B) local verification conditions derived from the precondition true and some postconditions corresponding to the requirement for output Cond, (C) the conditions to be verified for (B), and (D) the proof of the second condition of (C).
Because 0 <= M + N holds for two arbitrary natural numbers M and N, the base case is verified and we can assert

xb(t) + 1 * (xe(t) - xb(t)) = xe(t)

After asserting the induction assumption, the induction step yields

OBJ> reduce 0 <= x(t) .
result Bool: true

for cf(t) = false. Other properties and output functions are treated similarly.
Because Obj specifications are executable, the design specification can also be taken as a prototype of the CHECK function block to validate its functioning under the conditions of a specific application. Simple tests of the function bi are

OBJ> reduce bi(1 0 1) .
result Nat: 5
OBJ> reduce bi(0) .
result Nat: 0
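The design equations for x and ua given above, and the bi tests just shown, transcribed into a small Python prototype of CHECK (an added example, not the authors' Obj3 specification). Assumed here, because the article does not spell them out: the la definition mirrors ua for the lower limit, cond follows the stated priority, x(0) starts at 0, and the input stream is constructed data.

```python
"""Executable prototype of the CHECK design specification (added example).

Assumptions introduced here: la mirrors ua for the lower limit, cond uses
the article's priority (1 fault, 2 above UL, 3 below LL, else 0), x(0) = 0,
and SAMPLE_STREAM is constructed data.
"""
from dataclasses import dataclass

X0 = 0  # assumed value for the article's initial value minnum of x(0)


def bi(bits: str) -> int:
    """bi: map a bit sequence (most significant bit first) to its number."""
    if bits == "" or any(b not in "01" for b in bits):
        raise ValueError(f"not a bit sequence: {bits!r}")
    return int(bits, 2)


@dataclass(frozen=True)
class CheckInputs:
    """The eight inputs of CHECK observed at one tick."""
    digx: str   # digitized measurement value
    xb: int     # lower bound of X
    xe: int     # upper bound of X
    cf: bool    # channel fault signal
    uae: bool   # beyond range alarm enabled
    ul: int     # upper alarm bound
    lae: bool   # below range alarm enabled
    ll: int     # lower alarm bound


def check_step(prev_x: int, inp: CheckInputs) -> tuple:
    """One tick of CHECK: (x, ua, la, cond) at tick(T), given x(T) = prev_x."""
    # cq x(tick(T)) = xb + bi(digx) * (xe - xb) if not cf(tick(T)) .
    # cq x(tick(T)) = x(T)                       if cf(tick(T)) .
    x = prev_x if inp.cf else inp.xb + bi(inp.digx) * (inp.xe - inp.xb)
    # eq ua(tick(T)) = ul(tick(T)) < x(tick(T)) and uae(tick(T)) .
    ua = inp.ul < x and inp.uae
    la = x < inp.ll and inp.lae   # assumed symmetric lower-limit alarm
    # condition code in the article's priority order
    cond = 1 if inp.cf else 2 if ua else 3 if la else 0
    return x, ua, la, cond


def run_check(samples, x0: int = X0) -> list:
    """Apply CHECK to the stream a(1), a(2), ... with x(0) = x0."""
    x, trace = x0, []
    for s in samples:
        x, ua, la, cond = check_step(x, s)
        trace.append((x, ua, la, cond))
    return trace


# constructed sample stream: below LL, then above UL, then a channel fault
SAMPLE_STREAM = [
    CheckInputs("0", 10, 20, False, True, 15, True, 12),
    CheckInputs("1", 10, 20, False, True, 15, True, 12),
    CheckInputs("1", 10, 20, True, True, 15, True, 12),
]
```

The third sample shows the channel-fault rule: x holds the previous proper value 20 while cond reports 1, even though the held value still lies above UL.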
Construct, verify, and test program. Program construction involves building a structured-text program from the design and adding assertions about program inputs and outputs in the form of pre- and postconditions. Program construction is a creative step, yet it is often relatively systematic. Equational statements of the design specification are transformed into a sequence of program statements such as if-then-else clauses, assignment statements, and Boolean and arithmetic expressions. Figure 3 shows a section of a structured-text program intended to implement the design specification of CHECK. Figure 3a shows function Cond. Figure 3b shows the local verification conditions derived from the precondition true and some postconditions corresponding to the requirement for output Cond. The specification for output Cond (second column of p. 65) has been translated into the nested if-then-else clause in Figure 3b.
The goal of program verification is to verify a program's conformance to its specification in a finite number of steps by applying appropriate Hoare proof rules to the statements of that program. Hoare's technique lets us verify the partial correctness of a program S with respect to assertions P and Q that may or may not be satisfied by the variables occurring in S. An annotated expression of the form {P} S {Q} informally means that, if assertion P holds before the execution of S, assertion Q holds when the execution of S terminates. For example, for a conditional statement

S = If C Then S1 Else S2 Fi

with precondition P and postcondition R, we can derive pre- and postconditions for S1 and S2 using the general rule for conditional statements [4]:

{P and C} S1 {R}
{P and not C} S2 {R}

If we can find proofs for these assertions, we also have a proof for {P} S {R}.
In the stepwise proof we proceed as follows:
1. Start from the postcondition and follow the program path in reverse.
2. For each statement S on this path, apply an appropriate proof rule to transform the postcondition of this statement into the weakest precondition. This precondition becomes the postcondition of the preceding statement. That is, you derive pre- and postconditions for the CHECK statements using appropriate proof rules to end up with a structured-text program whose individual statements are annotated with verification conditions.
Figure 3c gives the conditions to be verified for the program in Figure 3b. The expression Q{COND/1} denotes the same as condition Q except that variable Cond in Q is substituted with 1. Figure 3d shows the proof of the conditions, which comes down to a term reduction in Obj3. (We used an Obj specification not given here to do this reduction.)
Thus, having proved all verification conditions generated for CHECK, we have proved the correctness of the entire program with respect to its requirements and design specifications.
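The four conditions of Figure 3c can also be discharged by enumeration, since cf, ua, and la are Boolean and COND takes only the values 0 to 3. The following Python is an added example, not the authors' PROG-VERIFICATION module; it checks each implication under every valuation, runs the transcribed function Cond against Q, and shows that a constructed variant with the wrong priority is caught. The function names and the faulty variant are assumptions introduced here.

```python
"""Discharging the verification conditions of Figure 3 by enumeration.

Added example, not the authors' PROG-VERIFICATION module: cf, ua, la are
Boolean and COND ranges over 0..3, so each implication of Figure 3(C) is
checked under every valuation (what the Obj3 reduction in (D) proves by
rewriting). Function names here are constructed.
"""
from itertools import product

VALUATIONS = list(product([False, True], repeat=3))   # all (cf, ua, la)


def q(cond: int, cf: bool, ua: bool, la: bool) -> bool:
    """Postcondition Q of Figure 3(A)."""
    return ((cond == 0 and not ua and not la and not cf)
            or (cond == 1 and cf)
            or (cond == 2 and not cf and ua)
            or (cond == 3 and not cf and not ua and la))


# Figure 3(C): precondition of each assignment COND := k, paired with k.
# Each condition reads: pre(cf, ua, la) implies Q{COND/k}.
CONDITIONS = {
    "C1": (lambda cf, ua, la: not (cf or ua or la), 0),
    "C2": (lambda cf, ua, la: (cf or ua or la) and cf, 1),
    "C3": (lambda cf, ua, la: (cf or ua or la) and not cf and ua, 2),
    "C4": (lambda cf, ua, la: (cf or ua or la) and not cf and not ua and la, 3),
}


def counterexamples(pre, k: int) -> list:
    """Valuations under which pre holds but Q{COND/k} fails (empty = proved)."""
    return [v for v in VALUATIONS if pre(*v) and not q(k, *v)]


def verify_all() -> dict:
    """Map each condition label to its counterexamples."""
    return {lbl: counterexamples(pre, k) for lbl, (pre, k) in CONDITIONS.items()}


def cond_program(cf: bool, ua: bool, la: bool) -> int:
    """Function Cond of Figure 3(B), transcribed from structured text."""
    if not (cf or ua or la):
        return 0
    if cf:
        return 1
    if ua:
        return 2
    if la:
        return 3
    raise AssertionError("unreachable: precondition forces la")


def cond_program_wrong_priority(cf: bool, ua: bool, la: bool) -> int:
    """Constructed faulty variant: tests ua before cf, breaking the priority."""
    if not (cf or ua or la):
        return 0
    if ua:
        return 2
    return 1 if cf else 3


def program_meets_q(program) -> list:
    """Valuations for which {true} program {Q} fails (empty = correct)."""
    return [v for v in VALUATIONS if not q(program(*v), *v)]
```

For the faulty variant, program_meets_q returns the two valuations with both cf and ua set, exactly the cases in which the fault notification must win over the range alarm.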
To validate (test) the resulting program, we used standard techniques such as dynamic code testing and static program analysis. The selection of test procedure (mutation, back-to-back, random, boundary checking, and so on) depends on the domain requirements and function-block characteristics.
There are many advantages to using formal specification and validation techniques in the development of PLC software for safety-related applications. The main one is that both PLC developers and certification authorities can use these techniques to show a program's dependability.
Our emphasis was on demonstrating the functional correctness of reusable function blocks to become members of a domain-specific catalog of standard building blocks and, therefore, justify the extra effort necessary to guarantee safety. We hope it became clear that manual proofs of verification conditions, even for relatively simple programs, are tedious and error-prone. The notations and techniques we used - Obj, term rewriting, and Hoare logic - are well understood, supported by effective tools, and have been successfully used in similar experiments both for hardware and software specification and verification.
By interconnecting verified function blocks, correctness proofs are reduced to verifying the horizontal and vertical consistency of the functional composition plus any analyses of how individual blocks interplay.
Still missing is a full account of timing properties, which occur often in the type of process-control applications considered here. Timing characteristics are covered reasonably well for individual function blocks, but we are still looking at how to handle the timing characteristics of the entire program. Specifically, we are experimenting with various logics and formalisms, including time notions like duration calculus, real-time logic, timed communicating sequential processes, and timed Petri nets.
As an alternative to considering timed logic and to gain experience with a predicate-logic approach, we specified a simple timer to be used in an emergency shut-down system and verified its correctness using a verifier written in higher order logic [8].
The timer is a monostable element, which cannot be retriggered and has a selectable delay. When the timer is in the nonexcited state and detects a rising edge at its input, it switches its output to the logical true state for a specified delay.
The timer relies on time readings of a radio receiver, which provides monotonically increasing time values broadcast by official agencies through the satellites of the Global Positioning System or through terrestrial stations in various countries. Further experiments are underway to gain better data for comparing the practicality and ease of use in both the Obj3 and HOL approaches.
REFERENCES
1. K. Futatsugi, J. Goguen, J.-P. Jouannaud, and J. Meseguer, "Principles of OBJ2," Proc. ACM Symp. Principles of Programming Languages, ACM Press, New York, 1985, pp. 52-66.
2. J. Goguen and T. Winkler, "Introducing OBJ3," Tech. Report SRI-CSL-88-9, SRI Int'l, Menlo Park, Calif., 1988.
3. W. Halang and B. Kramer, "Achieving High Integrity of Process Control Software by Graphical Design and Formal Verification," Software Engineering J., Jan. 1992, pp. 53-64.
4. C. Hoare, "An Axiomatic Basis for Computer Programming," Comm. ACM, Oct. 1969, pp. 576-580.
5. J. Goguen, "OBJ as a Theorem Prover with Applications to Hardware Verification," Tech. Report SRI-CSL-88-4R2, SRI Int'l, Menlo Park, Calif., 1988.
6. R. Backhouse, Program Construction and Verification, Prentice-Hall, Englewood Cliffs, N.J., 1986.
7. R. de Lemos, A. Saeed, and T. Anderson, "A Train Set as a Case Study for the Requirements Analysis of Safety-Critical Systems," The Computer J., Jan. 1992, pp. 30-40.
8. M. Gordon, "Mechanizing Programming Logics in Higher Order Logic," in Current Trends in Hardware Verification and Automated Theorem Proving, G. Birtwistle and P.A. Subrahmanyam, eds., Springer-Verlag, Berlin, 1989, pp. 387-439.
Wolfgang A. Halang holds the chair of information technology at FernUniversität Hagen, where his research interests are predictable system behavior and rigorous software verification and safety licensing. He is founder and editor-in-chief of Real-Time Systems and has written more than 100 publications on real-time systems. He is coauthor with Alexander Stoyenko of Constructing Predictable Real-Time Systems (Kluwer Academic Publishers, 1991) and with Bernd Kramer and others of A Safety Licensable Computing Architecture.
Halang received a PhD in mathematics from Ruhr-Universität Bochum and a PhD in computer science from the Universität Dortmund.
Bernd Kramer holds the chair of data-processing technology at FernUniversität Hagen and is director of the associated Institute for New Technologies in Electrical Engineering. His research interests include formal specification, design and analysis techniques for distributed systems, advanced communication techniques, and development methods for high-integrity software. He is author of Concepts, Syntax, and Semantics of SEGRAS (R. Oldenbourg, 1989) and coauthor with Wolfgang Halang and others of A Safety Licensable Computing Architecture (World Scientific, 1993).
Kramer received a diploma and a PhD in computer science, both from the Technische Universität Berlin.
Address questions about this article to Kramer at FernUniversität Hagen, Fachbereich Elektrotechnik, 58084 Hagen, Germany; bernd.kraemer@fernuni-hagen.de.