PLC Static Analysis

I am a software developer (with absolutely no experience in the world of PLCs), and doing some research on PLC static analysis tools.

Basically my question is, do any tools exist to conduct static analysis of PLC (ladder logic) code? Looking for common bugs or flaws, incorrect practices, security vulnerabilities and so on. Specifically for RsLogix5000 Allen Bradley PLCS. Google research only turned up two products.

https://arcade.embedded.rwth-aachen.de/doku.php?id=arcade
Which appears to be free, but does not support RsLogix5000

http://www.itris-automation.com/plc-checker/
Supports RsLogix but is 'cloud based' so appears such things exist but is there anything else? Freeware especially.

Thanks!

No, but let us know when you're ready to release your freeware.

For AB I use the Emulate (but you have to buy it) for larger programs. But for smaller logic I simply use myself, scanning the logic just like the PLC will and trying to detect any potential problems. For the larger programs there are some simulators that will simulate tank levels and flow etc but they are very expensive. For the larger programs I will sometimes write a SIM routine and put some code in to do basic simulation. For example if a water inlet valve is open then add 1 to the level input every few milli-seconds.

Welcome to the forum.

Personally, my company and i both agree on this, never let the cloud touch
the plc and production equipment, to much risk involved with the system being hacked and causing major damage.

I never store information on the cloud. Too much risk on my part by storing company information on it.

regards,
james

Thanks for the replies everyone.

Follow up question: Are there any utilities available that can open up and work with PLC code? I'm looking at some files in *.ACD, *.apa, *.mer, and *.dnt formats. I'm thinking these are proprietary file formats for RsLogix, is that correct?

The .apa extension is an application for panel view software and the .mer file is the compiled application.

The .acd file is logix 5000

I think the .dnet is device net files

regards,
james

James is correct. And yes, all proprietary Rockwell files, and you can't open them without the proprietary Rockwell software: FactoryTalk View Studio for the .apa/.mer files, RSLogix5000 (or Studio5000, depending on revision) for the .ACD, and RSNetworx for the .dnt files.

Make sure you sit down before you open the quote.

Thanks again!

We're looking at Logix Designer (http://www.rockwellautomation.com/r...t-pages/LogixDesigner_orderingInformation.pdf) and there are many versions available. Does anyone know if either the 'Service' or 'Lite' editions would be able to export the .acd project into .l5k (xml) formats? Specifically the functionality described here - http://literature.rockwellautomation.com/idc/groups/literature/documents/rm/1756-rm084_-en-p.pdf.

Also a question on the controllers - just for viewing the contents of the .acd (the ladder logic and such) how critical is it that the Logix Designer version supports the particular controller that the .acd was developed for? i.e. can an .acd developed for ControlLogix5500 be viewed in the Lite edition which only supports Compact Logix5370, Compact GuardLogix5300?

I hope these questions make sense.. I really don't know much about this stuff but have been tasked with information gathering Thanks!

I can't help you on the first question, but no - if the project file has a CPU defined that your version doesn't support, you won't be able to open the file.

Greetings awillard ...

I'll be perfectly frank and admit that I do not even know what the term "static analysis" means ...

but even so, here's a suggestion that MIGHT help you along – at little or no expense - at least in the very initial steps of your research and development process ...

based on what's been posted so far, I'm guessing that you need a sample ACD file – and a corresponding L5K file – to begin your research for this project ...

Rockwell (Allen-Bradley) supplies a selection of Sample programs with their RSLogix5000 software packages ... I've chosen (at random) one of those samples – and provided you with some files which you might find "interesting" ...

(1) TemperatureControl.acd – the original sample file in RSLogix5000 Version 16 format ...

(2) TemperatureControl.L5K – the same sample file saved in an Export format that I personally generated (using File - Save As) for your examination ... this is a "flat file" that you can open with Windows Notepad, etc. ...

(3) TemperatureControl.pdf – a Rockwell supplied "overview file" – available from the Samples folder ...

(4) TemperatureControl Printout.pdf – the original sample file which I personally just simply printed out in a PDF format since you apparently don't have RSLogix5000 available to open the ACD file ...

I'll be perfectly frank ... if I understand what you're trying to develop, then I think that you're going to be wasting your time on this particular "static analysis" project ... (this way lies madness) ... hopefully the files that I've provided here will give you something to look at – BEFORE you invest a lot of money buying software ...

please note that the program that I chose is a VERY (VERY!) small program as PLC programs go ... again, this is just a "demonstration type" sample program ... hopefully this will give you something tangible to examine – to sort of "test the waters" before you dive into a VERY deep and VERY wide pool ...

if this little sample doesn't discourage you – then I'm sure that the forum members will be able to dredge up some additional samples for you to examine ...

I sincerely wish you good luck with your project ...

.

I'll be perfectly frank and admit that I do not even know what the term "static analysis" means

Click to expand...

Basically, static analyzers check your code for

common bugs or flaws, incorrect practices, security vulnerabilities and so on

Click to expand...

...the way compilers do it but deeper. For example, in Structured Text, the condition IF cond = TRUE THEN makes sense from the compiler's point of view and it won't report any errors. On the other hand, it's a tautology to check if a boolean is true like that because the IF statement is a check for 'true' itself. So a static analyzer (or a lint kind of tool) would report something like "Comparison with a constant boolean detected. Consider changing 'IF cond = TRUE THEN' to 'IF cond THEN'."

Simply put, you are not going to do any "Static Analysis" of PLC code.
It isn't a computer programming language that can be relatively easily linted or valgrind'ed for syntax or memory errors.

The editors themselves prevent all forms of syntax errors, and instruction errors.
Most editors can also automatically warn for Duplicate Output detection, or shorted branches, but those aren't necessarily errors.

You aren't going to find or develop any way of detecting or determining logical errors either that I can see; once again, if the processor goes into run, then the code is logical and correct as far as the processor is concerned. That doesn't mean that it will run the equipment in the desired manner, but there is nothing wrong with the program.

As others have said above, most PLC languagues are specifically designed to avoid a lot of the issues that standard computer languages face. They are generally designed to be simple A) so that people can easily read them, and B) so that they can run for 20 years without a fault, instead of needing reboots constantly.

There are no issues with memory leaks or garbage collection, because all variables must be declared. There is no dynamic memory allocation, and arrays must be declared with constants instead of variables.

Some platforms have pointers or a peek/poke mechanism, but they still only allow you to access the user program. The system data and firmware are typically protected and stored in different memory.

I don't want to say that there is NOTHING that could be found via static analysis. I just don't know if many customers would see the value in it.