INTRODUCTION

When solving control tasks, a design system is naturally divided into the control system and the control object. In the operation process, they influence one another. The software implementing the control process is the control software (CSW) and is designed as a control system or as its part. The control object might be of a different nature and purpose. For example, in a cyber-physical system [1, 2], CSW forms an impact on the physical environment by interacting with it through sensors and actuators. Thus, the program of a programmable logic controller (PLC) [3] controls the technological process at the plant. In this case, the CSW is part of the hardware-software control system. Another example is a database management system, in which the CSW performs various handling operations with a data by managing their extract and storage. In this case, the control object is represented by the body of data that is not physical in essence but is a kind of software like the control system. When solving computational tasks, the designed system contains only software components. According to the work [4], a discrete information converter is represented as an automaton model consisting of interacting components, which are an operational automaton and a control automaton. The operational automaton transforms information, whereas the control automaton manages the actions of transforming it, that is, describes the computation control process. Focusing the control task in software development is typical of the approach known as software cybernetics [5]. In this approach, the control and the operational automata are implemented as software components at any level of abstraction, which is determined bythe task being solved [6]. Thus, the CSW can be developed as a separate part of the designed system when solving not only the control but also computational tasks.

The CSW is a reactive system [7, 8]. It is engaged in continuous cyclic interaction with the control object at the pace of its ongoing processes. The operation cycle of the reactive system consists of receiving input data and recording them in the input variables of the program, which calculates and updates the internal and output variables, and transfer of the values of the output variables to the control object.

High reliability and safety [9] requirements may be imposed on systems during their design. Some of the requirements inevitably turn into the CSW’s correctness requirements. Correctness means compliance with the given set of behavioral properties. The compliance checking procedure is called verification [10]. Strong compliance guarantees are ensured by formal verification methods [11]. One of these methods is model checking [12–15]. It requires having a model that is coherent with the actual behavior of the CSW.

This study continues the series of articles on developing and verifying PLC control programs on the basis of LTL-specification [16–25]. This approach proposes to develop the program behavior LTL-specification that can be verified directly by the model-checking method. Moreover, the specification is constructive; i.e., it can be used to unambiguously built a program in a certain programming language (ST [16, 22], LD [23], IL [24], CFC [18]) of the IEC standard 61131-3 [26] and the behavior model in the source language of verifier Cadence SMV (http://www.mcmil.net/smv.html). The LTL-specification has sufficient expressiveness for describing any computational process [17]. For LTL-specifications of counter machines see [19, 20]. In addition, it is proposed to use the LTL-specification for describing the consistent behavior of sensors [25] that is necessary for checking some program properties.

Novelty. This work proposes a more concise modification of the LTL-specification. A strict formal justification of its constructiveness and expressiveness is provided. The transition to nuXmv (https://nuxmv.fbk.eu), a more advanced tool for verifying finite and infinite systems, is performed.

Content of work. Section 1 exposes the control program development concept and presents the architectural features of the designed CSW. Section 2 contains used behavior models represented by the transition systems. The notions of complete and pseudo-complete transition systems are introduced. Section 3 exposes the syntax and semantics of the LTL language. Section 4 introduces a declarative and an imperative LTL-specification. The declarative specification is intended for describing the software behavior, whereas the imperative specification is intended for building the program code. The theorem of the equivalence of these LTL-specifications is proved. Section 5 assesses the expressiveness of the declarative LTL-specification in terms of Turing completeness. The Minsky counter machine is presented as an algorithm model equivalent to the Turing machine by computational capabilities. An example of a counter machine for squaring a number is provided. The theorem of the Turing completeness of declarative LTL-specification is proved. Section 6 formulates the verification problem. A constraint is imposed on the problem to make it solvable. Section 7 contains an example of the development and verification using the tool nuXmv of a declarative LTL-specification for the number-squaring PLC program. Section 8 presents a scheme of building an ST program by the imperative LTL-specification. The ST code of the number-squaring program is provided. Then, a conclusion is drawn. The application shows the building of the LTL-specification proposed in the Turing completeness theorem.

1 CONTROL PROGRAM DEVELOPMENT CONCEPT

A control program works in cycles. In each control cycle, the value of a variable either changes or remains unchanged. In this article, the emphasis is placed only on changes in variable values because they are the ones that bear the key semantic charge in control tasks. In control processes, it is always known why the state of a control object needs changing, why, for example, a particular device must be on or off. The reasons for changing variable values are declared as an LTL-specification. In addition, the specification describes the way these changes occur.

On the whole, the behavior of a program is the sum of the behaviors of all of its variables . This set contains input and internal/output variables. Originally, the behavior of all of the variables from is not declared and is absolutely nondetermined. Then, only internal/output variables are subject to declaration. The declaration imposes certain constraints on their behavior, after which it becomes strictly determined. The remaining nondeterminism of the input variables is necessary for preserving the diversity in the behavior of the determined program because the behavior of the input variables determines the behavior of the internal/output variables. To lose none of the program run scenarios, it is necessary to feed to the program input any permissible values in any succession, which is implemented by the nondetermined behavior of the inputs.

To analyze and declare the causes of changes in a variable, it is often required to know its previous value. For example, to determine the button press instant (pulse leading edge), it is necessary to know whether the button was pressed in the previous operating cycle. For this purpose, the set of auxiliary variables is introduced that store the previous values of the respective variables from . The behavior of the auxiliary variables is not declared and is always known. When the variables from are used, it can be considered that the leading underscore sign “_” is the pseudooperator of turning to the previous value of a respective variable from . By comparing the values of variables and (where ), it can be judged whether the value of variable has changed.

Then, the declaration in the form of an LTL-specification is verified and the program is built according to this specification. The constructed program has two features:

(1) The value of each variable changes not more than once per control cycle.

(2) The value of each variable changes only in one place of the program in some simple operator unit.

These two features allow having a clear and transparent idea about the way the value of a particular variable changes with the transition of the program from one state to another. It is established for each variable that its new value is clearly dependent on the previous values, which were obtained during the program execution in the previous operation cycle run, and on the new variable values calculated at the program execution in the current operation cycle run. The condition for changing the variable value only in one place of the program facilitates debugging and allows simply estimating the degree of readiness of the program and of the volume of its text. It is obvious that, during one operation cycle run, the value of any variable rises, declines, or remains unchanged relative to the value obtained in the previous operation cycle run. If we do not turn to the variable for assigning some value to it, the variable will retain its previous value.

2 TRANSITION SYSTEM AS PROGRAM BEHAVIOR MODEL

Assume that the program has main variables , …, and auxiliary variables , …, , which take values from the respective domains , …, . The infinite (in general) set will be the space of all possible states of the program. Set contains input and internal/output variables. Vector of variable values describes a specific state of the program and contains the current values of input variables and the values of internal/output variables calculated on the basis of the former. Variables , …, store the previous values of variables , …, . Each control cycle has the corresponding state transition. If the state remains unchanged, it is considered that a loop-like transition to this same state occurs.

All possible transitions form the program behavior. Let us accept as the program behavior model the transition system where is the set of states, infinite in general, is the set of initial states, is the total relation of transitions, is the set of atom assertions about the values of variables , …, and , …, , and is the function of state labeling by atom assertions. The totality of the relation of transitions means that there exists transition from any state .

The transition system graph is the one whose vertices and arcs are the states from and the transitions from, respectively. In the system of transitions, a path is the infinite sequence , where , . The path forms an infinite route in the graph of the transition system. The transition system LTS presets the set of paths originating from the initial states as

where is the set of all infinite words from alphabet and is the ith state of path .

The behavior model of the program with a nondetermined behavior of all of its variables , …, , , …, will be the complete transition system , where . Unlike LTS, the cLTS system has a transition relation that presets the complete graph of transitions by states. In fact, absolute nondeterminism always makes it possible to switch from any one state to any other state, including the state itself. It should be noted that the program with a nondetermined behavior of all of its variables (absolutely nondetermined program) contains the behavior of any other program with this same set of variables . Here, , so that cLTS contains any path starting from any state.

If the constraint in the form of the earlier described behavior of variables is imposed on the complete transition system cLTS, the result will be the pseudo-complete transition system , where , . The pseudo-complete transition system pLTS contains the behavior of any other program that retains the previous values of variables in variables .

With the declaration of the behavior of variables , certain limitations are imposed on the pseudo-complete transition system pLTS. As a result, the behavior model of the LTS program is derived from the pseudo-complete transition system pLTS by eliminating transitions that violate the preset behavior declaration.

3 LTL LOGIC LANGUAGE

Linear temporal logic (LTL) or linear-time temporal logic is an expansion of classical propositional logic with the help of modal operators that allow considering the temporal aspect in event sequences [12–15]. LTL is an important means of formal verification, where it is used to describe requirements on hardware and software systems [8, 27].

We shall use LTL for the following tasks:

• describing requirements on the pseudo-complete transition system pLTS to form the behavior model of the LTS program from that system;

• describing requirements on the behavior model of the LTS program to verify these requirements.

At , the LTL formulae behave according to the following grammar:

In addition to classical Boolean operators, an LTL formula might contain temporal operators as well: means that formula must be fulfilled in the next state, requires that be fulfilled in some future state, guarantees that will be fulfilled in the current and all future states. Formula means that must be fulfilled in the current or future state, whereas must be fulfilled in all the previous states. Operators and are binary: . That being said, operator is a special case of applying operator , namely, .

Let us define by induction the feasibility relation of the LTL formula for the arbitrary state of some path of the system of transitions, where , :

Let us also define the semantics of relation on paths and systems of transitions:

Formula is fulfilled on path , when it is fulfilled in the initial state of this path but on path set , when it is fulfilled on all of its paths. Formula is fulfilled in the state of the transition system LTS when is fulfilled for all of the paths in LTS that start with state . Formula is fulfilled in the transition system LTS when is fulfilled for any initial state . Let us use to define the set of all of the paths in LTS for which formula holds, that is, .

4 LTL-SPECIFICATION OF PROGRAM BEHAVIOR

5 EXPRESSIVENESS OF DECLARATIVE LTL-SPECIFICATION

Let us evaluate the expressive capabilities of the declarative LTL-specification in terms of Turing completeness. To prove the theorem of the Turing completeness of the declarative LTL-specification, let us choose the Minsky counter machine [28–30] as a formal model of the algorithm. In terms of computational capabilities, this machine is equivalent to the Turing machine but seems more convenient for describing the behavior of programs: the Minsky machine has a more visually compelling program form, that is, a type of computer program written in a high-level language.

The Minsky counter machine M is the set , where is the finite nonempty set of control states of the machine; is the initial control state; is the conclusive or final control state; is the finite nonempty set of counters that can take values from ; is the set of rules of transitions between the control states of the machine; is the rule of transitions for the control state , where .

States , are divided in two types. Type 1 control states have transition rules of the form

13

where and . For type 2 control machines, the following transition rules are determined:

14

where . There are no transition rules contemplated for the final state . After entering the final state , the machine stops running.

The state (configuration) of the counter machine is set , where and , ; here, , … , are the values of the respective counters , … , .

The execution of the Minsky machine is the sequence of states , inductively determined according to the transition rules. The counter machine has one execution from the initial state because no more than one transition rule is contemplated for each control state.

After some set of counter values is fed to the input, the machine starts from the control state q₁ and either stops in the control state q_n, with the output set of counter values, or loops and thus implements a partial numerical function.

Let us consider as an example a three-counter Minsky 3cM machine that implements the function of squaring number , where . The rule of transition between the control states of the 3cM machine are as follows [29]:

15

The counter machine 3cM has eight control states , where is the initial control state and  is the final control state. The set of counters is . It is assumed that, in the initial state, counter takes value , whereas the other two counters and have zero initial values. In the final state, the calculation result will be contained in counter at the zero values of counters and .

For the graphic representation of the rules of transitions between the control states of machine 3cM, see Fig. 6. In this figure, designation “” for counter corresponds to its increase by one, whereas “” indicates the tentative subtraction of one with transition to another control state along the right-hand arrow in the case of a zero value of counter .

[See PDF for image]

Fig. 6.

Graphical representation of number-squaring counter machine 3cM.

Theorem 2 (Turing completeness of LTL-specification). The behavior of any Minsky counter machine, i.e., the set of all its possible executions, can be specified using a declarative LTL-specification.

Proof. By way of proof, let us describe the general process of constructing the declarative LTL-specification of the behavior of a program that models the operation of an arbitrary Minsky counter machine.

Assume that there is some Minsky m-counter machine represented as a set of transition rules.

The program will contain the main variables and auxiliary variables .

Variable is intended for storing the number of the current control state and variables are intended for storing machine counter values. Thus, vector describes the current state of the machine. All program variables take values from . According to the transition rules, any transition of the Minsky machine corresponds to a transition between two program states. If none of the transition rules is followed for the current state of the machine, the machine remains in the same state. In this case, a loop transition to the same program state occurs in the program.

The program initialization formula describing the set of initial states will have the following form:

Then, let us execute the LTL formalization of transition rules for type 1 control states as follows:

16

The LTL formalization of transition rules for type 2 states takes the following form:

17

Let us split each type (16) formula into two LTL formulae:

18

Formulae (17) are fragmented as follows:

19

All of the counters have one and the same specification building procedure. Let us show how to build a specification for an arbitrary counter . Having grouped all of the formulae where counter is present, we obtain

20

Let us conjunctively combine the formulae in group (20) and add the formula describing the absence of change in the variable. We obtain the LTL-specification for :

21

Let us also show how to build a specification for variable . Let us group all of the formulae where this variable is present, and we obtain

22

Let us eliminate from group (22) the formulae in which , where .

Then, we shall conjunctively combine the remaining formulae and add the formula describing the absence of change in the variable. We obtain the imperative LTL-specification for :

23

Let us use the imperative LTL-specifications (21) and (23) to build the equivalent declarative LTL-specifications for and , respectively:

24

25

The declarative LTL-specification of the behavior of the program modeling the performance of the counter machine is an initialization formula and a set of formulae describing the behavior of variable (25) and all variables in the form (24). Formulae (25) and (24) comply with the variability condition (3) and orthogonality condition (4).

The procedure of building a declarative LTL-specification of the counter machine 3cM is described in the Appendix. Specification has the following form:

It should be noted that the latter formula of the LTL-specification can be simplified as follows:

The counter machine 3cM has eight control states , which is why variable . It is seen from the simple formula that the value of changes at . This indicates that the 3cM machine always switches to another control state. The only exception is the final control state in which the machine stops.

6 VERIFICATION OF THE DECLARATIVE LTL-SPECIFICATION

7 DEVELOPMENT AND VERIFICATION OF LTL-SPECIFICATION OF PLC PROGRAM

Let us implement the reactive system as a PLC program based on the number-squaring counter machine . The motivation for using this example is to show some abstract behavior of a control automaton without reference to the actual equipment and technological process. In this case, it might be considered that the technological process of production is the calculation of a squared number: input number acts as the original workpiece and is the finished product. The scheme of the system is presented in Fig. 7. The PLC responds to input signals from the buttons and feeds output signals to the indicators. The control automaton with state is a control system for process calculating squared numbers. The control object is a set of four variables, including n, a, b, and c. The control automaton exerts a control effect on this set of variables by increasing (inc) and decreasing (dec) their values. The control automaton can also read their values in any PLC operation cycle.

[See PDF for image]

Fig. 7.

Reactive system represented as a PLC program.

Assume that there is a control panel (see Fig. 8) with four buttons “Start”, “Reset”, “+1”, and “–1”; nine status lights “q0”–“q8”; and four indicators for showing values of counters , , and , and entry number . Buttons “+1” and “–1” set number that will be squared. The pressing of buttons “+1” and “–1” increases and, respectively, decreases by 1. Both buttons will respond only for the control automaton in the initial state . The other automaton states are inherited from counter machine . The “Start” button launches the calculation process for the current on condition that the automaton is in state . After the launch the value of variable is placed in variable , whereas and have zero values. The “Reset” button switches the automaton to the starting state from the final state that the automaton enters after finishing the calculation of number . That being said, counter resets to 0. Lamps “q0”–“q8” show the current status of the control automaton (the active status number is stored in variable).

[See PDF for image]

Fig. 8.

PLC control panel.

For the PLC interface, see Fig. 9. Here, buttons “Start”, “Reset”, “+1”, and “–1” are associated with Boolean variables PBStart, PBReset, PBPls, and PBMns, respectively. Program variables q,, , , and play the role of the PLC outputs leading to the corresponding lamps and indicators.

[See PDF for image]

Fig. 9.

PLC interface.

Since verification is done with the help of nuXmv, the specification and its properties will be recorded in the language of this verifier. In the nuXmv syntax, the declarative LTL-specification of the number squaring PLC program has the following form:

-- S0:

  q=0 & n=0 & a=0 & b=0 & c=0 & _q=q & _n=n & _a=a & _b=b & _c=c &

  !PBStart & !PBReset & !PBPls & !PBMns & !_PBStart & !_PBReset & !_PBPls & !_PBMns &

-- Sn:

  G X( !(n = _n) -> _q=0 & _n<bndn &

                   !_PBPls & PBPls & !PBMns & !PBStart & (n = _n + 1) |

                   _q=0 & _n>0 &

                   !_PBMns & PBMns & !PBPls & !PBStart & (n = _n - 1) ) &      G X( (n = _n) -> !(_q=0 & _n<bndn & !_PBPls & PBPls & !PBMns & !PBStart |

                        _q=0 & _n>0 & !_PBMns & PBMns & !PBPls & !PBStart) ) &

-- Sa:

  G X( !(a = _a) -> _q=0 & PBStart & !(_a=n) & (a = n) |

                    _q=7 & _a<bnda & (a = _a + 1) |

                    _q=1 & _a>0 & (a = _a - 1) |

                    _q=3 & _a>0 & (a = _a - 1) ) &     G X( (a = _a) -> !(_q=0 & PBStart & !(_a=n) | _q=7 & _a<bnda |

                     _q=1 & _a>0 | _q=3 & _a>0 ) ) &

-- Sb:

  G X( !(b = _b) -> _q=4 & _b<bndb & (b = _b + 1) |

                    _q=6 & _b>0 & (b = _b - 1) ) &      G X( (b = _b) -> !(_q=4 & _b<bndb | _q=6 & _b>0) ) &

-- Sc:

  G X( !(c = _c) -> _q=2 & _c<bndc & (c = _c + 1) |

                    _q=5 & _c<bndc & (c = _c + 1) |

                    _q=8 & _c>0 & PBReset & (c = 0) ) &

  G X( (c = _c) -> !(_q=2 & _c<bndc | _q=5 & _c<bndc | _q=8 & _c>0 & PBReset) ) &

-- Sq:

  G X( !(q = _q) -> _q=1 & (_a>0) & (q=2) |

                    _q=1 & !(_a>0) & (q=8) |

                    _q=2 & (q=3) |

                    _q=3 & (_a>0) & (q=4) |

                    _q=3 & !(_a>0) & (q=6) |

                    _q=4 & (q=5) |

                    _q=5 & (q=2) |

                    _q=6 & (_b>0) & (q=7) |

                    _q=6 & !(_b>0) & (q=1) |

                    _q=7 & (q=6) |

                    _q=8 & PBReset & (q=0) |

                    _q=0 & PBStart & (q=1) ) &

G X( (q = _q) -> !(_q=1 & (_a>0) | _q=1 & !(_a>0) | _q=2 | _q=3 & (_a>0) |

                   _q=3 & !(_a>0) | _q=4 | _q=5 | _q=6 & (_b>0) |

                   _q=6 & !(_b>0) | _q=7 | _q=8 & PBReset | _q=0 & PBStart) )

In the nuXmv verifier language, symbols “&”, “|”, “!”, and “–” mean logical operators “”, “”, “”, and “”, respectively.

It should be noted that the behavior specification of input variables PBStart, PBReset, PBPls, and PBMns is not performed because these variables might take any values at each new step of a PLC operation cycle. The constraints for variables , , , and are preset with the help of the corresponding constants , , , and .

It is seen that the program behavior specification is written as one large LTL formula. Let us denote it as .

Let us preset in the nuXmv syntax the specification of the properties of the number-squaring PLC program as a set of LTL formulae P1,…,P7:

G( q=8 -> c=n*n & a=0 & b=0 )                                   – P1;

G( a+b <= n )                                                   – P2;

G( c <= n*n )                                                   – P3;

G( !(q=0) -> F(q=8) )                                           – P4;

G( q=0 & X(PBStart) -> F(q=8) )                                 – P5;

G( q=8 -> X(q=8 | PBReset & q=0 & a=0 & b=0 & c=0) )            – P6;   G( ((q=2 | q=5) -> c<bndc) & (q=4 -> b<bndb) & (q=7 -> a<bnda) )  – P7.

Property P1 asserts that, in the final state , the result of calculating is in variable , whereas variables and are zero.

Property P2 asserts that the sum of and never exceeds .

Property P3 asserts that, during the calculation, the value of variable never exceeds .

Property P4 asserts that, if the calculation process has started (the automaton is not in the initial state ), then it will necessarily finish (in the future, the automaton will enter the final state ).

Property P5 asserts that if the “Start” button is pressed in the initial state , then the calculation process will be launched and finish in its final state .

Property P6 asserts that if the calculation process reaches the final state , then it either continues to remain in this state or enters the initial state at , , and after the “Reset” button is pressed.

Property P7 checks the variables for constraints: in states and , variable is smaller than ; in state , variable is smaller than ; and in state , variable is smaller than .

Each property is checked separately; i.e., the feasibility check , where is the specification of the behavior of the number-squaring program, is performed.

Let us describe the pseudo-complete transition system pLTS and the verifiable formula in the nuXmv syntax:

MODULE main   VAR

   q : 0..8; _q : 0..8;                   -- State q

   n : 0..15; _n : 0..15;                 -- Number n

   a : 0..15; _a : 0..15;                 -- Counter a

   b : 0..15; _b : 0..15;                 -- Counter b

   c : 0..255; _c : 0..255;               -- Counter c

   PBStart : boolean; _PBStart : boolean; -- Push Button "Start"      PBReset : boolean; _PBReset : boolean;  -- Push Button "Reset"      PBPls : boolean; _PBPls : boolean;      -- Push Button "+1"      PBMns : boolean; _PBMns : boolean;      -- Push Button "-1"

DEFINE

   bndn := 15; bnda := 15; bndb := 15; bndc := 255; -- Bounds   ASSIGN – pLTS

   next(_q) := q; next(_n) := n; next(_a) := a; next(_b) := b; next(_c) := c;        next(_PBStart) := PBStart; next(_PBPls) := PBPls;

        next(_PBReset) := PBReset; next(_PBMns) := PBMns;   LTLSPEC (Spec -> Prop)

After the keyword LTLSPEC, the last line contains the formula to be checked for feasibility relative to the pseudo-complete transition system pLTS. In this line, Spec is the LTL-specification of the number-squaring program and Prop is any property from P1, …, P7.

Properties P1, .., P7 were checked for feasibility on a personal computer with an Intel Core i5-3570 3.4 GHz processor and 8-GB RAM. Properties P4 and P5 were checked for about two minutes and the other properties were checked for a few seconds.

8 BUILDING OF PLC PROGRAM BY LTL-SPECIFICATION

Let us use declarative LTL-specification from Section 7 to build the code of the number-squaring program in the ST language. For this purpose, it will be required to convert the declarative LTL-specification to imperative. In turn, the imperative LTL-specification (5), (6) for variable from the set has the following ST code-building pattern:

The ST program built on the basis of this pattern in the CoDeSys environment (https://codesys.com) has the following form:

PROGRAM PLC_PRG   VAR_INPUT

    PBStart, PBReset, PBPls, PBMns : BOOL := FALSE;   END_VAR

VAR_OUTPUT

    q, n, a, b, c : BYTE := 0;   END_VAR

VAR

   _q, _n, _a, _b, _c : BYTE : = 0;

   _PBStart, _PBReset, _PBPls, _PBMns : BOOL := FALSE;

END_VAR

VAR CONSTANT

   bndn, bnda, bndb : BYTE := 15;

   bndc : BYTE := 255;

END_VAR

IF _q=0 AND _n<bndn AND PBPls AND NOT _PBPls AND NOT PBMns AND NOT PBStart THEN n:=_n+1;    ELSIF _q=0 AND _n>0 AND PBMns AND NOT _PBMns AND NOT PBPls AND NOT PBStart THEN n:=_n-1;    END_IF;

IF _q=0 AND PBStart AND NOT(_a=n) THEN a:=n;

ELSIF _q=7 AND _a<bnda THEN a:=_a+1;

ELSIF _q=1 AND _a>0 THEN a:=_a-1;

ELSIF _q=3 AND _a>0 THEN a:=_a-1;

END_IF;

IF _q=4 AND _b<bndb THEN b:=_b+1;

ELSIF _q=6 AND _b>0 THEN b:=_b-1

END_IF;

IF _q=2 AND _c<bndc THEN c:=_c+1;

ELSIF _q=5 AND _c<bndc THEN c:=_c+1;    ELSIF _q=8 AND _c>0 AND PBReset THEN c:=0;    END_IF;

IF _q=1 AND _a>0 THEN q:=2;    ELSIF _q=1 AND NOT(_a>0) THEN q:=8;    ELSIF _q=2 THEN q:=3;    ELSIF _q=3 AND _a>0 THEN q:=4;    ELSIF _q=3 AND NOT(_a>0) THEN q:=6;    ELSIF _q=4 THEN q:=5;

ELSIF _q=5 THEN q:=2;    ELSIF _q=6 AND _b>0 THEN q:=7;    ELSIF _q=6 AND NOT(_b>0) THEN q:=1;    ELSIF _q=7 THEN q:=6;    ELSIF _q=8 AND PBReset THEN q:=0;    ELSIF _q=0 AND PBStart THEN q:=1;    END_IF;

(* Pseudo operator section: saving previous values of variables *)

_q:=q; _a:=a; _b:=b; _c:=c; _n:=n;

_PBStart:=PBStart; _PBReset:=PBReset; _PBPls:=PBPls; _PBMns:=PBMns;

When a program code is generated according to the LTL-specification, the IF-ELSIF units must be arranged as follows: a certain variable without the pseudooperator “_” can be used in the IF-ELSIF unit of another variable only if the IF-ELSIF unit of the former variable is already found earlier in the text.

For example, in the presented program, the IF-ELSIF unit of variable must precede the IF-ELSIF unit of variable , because, in the rules of forming a new value of , variable participates without the pseudooperator “_”; i.e., the new value of is generated from the new value of .

When the PLC program is built, each variable from the LTL-specification must be defined in a suitable variable description section, such as “inputs”, “outputs”, and “local variables”. Then, each such LTL-specification variable is initialized according to the specification and, specifically, according to the S0 LTL type of initialization formula. The PLC inputs are described in the VAR_INPUT section, the outputs are described in the VAR_OUTPUT section, and the other variables are described in the VAR section. Initialization is done in the variable declaration sections.

In addition, for a pseudo-complete transition system, the idea of the leading underscore pseudooperator operator “_” must be implemented. For this purpose, a place for a pseudooperator section is allocated at the very end of the PLC program. Assignments , where , are added to this section. That being said, it is also necessary to determine in the section describing variables with the same initial value as for variable .

In the LTS behavior model, the transition from one state to another will correspond to the execution of the PLC program up to the pseudooperator section. In other words, the state will be a vector of values of all program variables, which was obtained before the execution of assignments that implement pseudooperator “_”. The initial state is the state of the PLC program after initialization. The new state of the PLC program is constructed as follows: (1) the pseudooperator section is executed (except for the first time), (2) input variables (PLC inputs) take new values, and (3) the PLC program is executed from the beginning to the pseudooperator section. In this case, the behavior of the ST program is guaranteed to correspond to the original declarative LTL-specification.

CONCLUSION

This paper presents the declarative LTL-specification proposed for use in describing the behavior of the control programs. This specification allows describing the reasons and rules for changing the program variable values. The proposed behavior declaration method seems to be natural and convenient for control systems.

A transition system LTS is used as the program model. The pseudo-complete transition system pLTS contains the behavior of all the programs with the given set of variables. The declarative LTL-specification forms the behavior model of the program LTS by selecting only the necessary paths from the pseudo-complete transition system pLTS.

The declarative LTL-specification of the program can be directly verified by model checking using the nuXmv tool. For this purpose, it is necessary to set the nuXmv model of the pseudo-complete transition system. In the general case, the verification problem is undecidable for infinite models. To make the problem decidable, it is proposed to constrain the model by making the set of states finite. In this case, the transition system becomes the Kripke structure.

The declarative LTL-specification is constructive in the sense that the control program can be constructed from it. For this purpose, an auxiliary imperative LTL-specification is presented, for which its equivalence to the declarative LTL-specification is then proved. The imperative LTL-specification describes the behavior of a program in an imperative style that corresponds, for example, to the style of the ST programming language. Due to this, it is possible to directly translate the imperative LTL-specification into the ST program. The translation approach is tentatively described as a template. The translation scheme in question ensures complete compliance of the behavior of the resulting ST program with the original declarative LTL-specification.

The declarative LTL-specification is Turing complete. This is proved by a technique that allows constructing a declarative LTL-specification for an arbitrary Minsky counter machine, which is a formalism equal to a Turing machine. Turing completeness guarantees that absolutely any computational algorithm is described by the declarative LTL-specification. The LTL-specification building method is showcased by the number-squaring counter machine.

The results obtained during operation confirm the theoretical validity of the approach to development and verification of control programs based on the LTL-specification.

FUNDING

This work was supported as part of a state assignment by the Institute of Automation and Electrometry of the Siberian Branch of the Russian Academy of Sciences, project no. 122031600173-8, and by Yaroslavl State University, project VIP-016.

CONFLICT OF INTEREST

The authors of this work declare that they have no conflicts of interest.

Publisher’s Note.

Allerton Press remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

AI tools may have been used in the translation or editing of this article.