Junbeom Yoo

A formal software requirements specification method for digital nuclear plant protection systems

This article describes NuSCR, a formal software requirements specification method for digital plant protection system in nuclear power plants. NuSCR improves the readability and specifiability by providing graphical or tabular notations depending on the type of operations. NuSCR specifications can be formally analyzed for completeness, consistency, and against the properties specified in temporal logic. We introduce the syntax and semantics of NuSCR and demonstrate the effectiveness of the approach using reactor protection system, digital protection system being developed in Korea, as a case study.

Software safety analysis of function block diagrams using fault trees

Abstract As programmable logic controllers (PLCs) are often used to implement safety–critical embedded software, safety demonstration of PLC code is needed. In this paper, we propose a fault tree analysis technique on Function Block Diagrams (FBDs) which is one of the most widely used PLC programming languages. FBD is currently being used to develop Reactor Protection System (RPS) for a nuclear power plant in South Korea. Our approach to fault tree analysis, which combines fault-oriented and cause/effect-oriented viewpoints, is easy to understand and offers systematic guidelines to ensure safety of PLC code. Domain experts found the approach to be useful through a case study on RPS, and this paper compares completeness and comprehensiveness of the semi-automatically generated fault trees using the proposed approach against the one manually prepared by nuclear safety engineers.

Synthesis of FBD-based PLC design from NuSCR formal specification

Abstract NuSCR is a formal specification language to document requirements for real-time embedded software with nuclear engineering applications in mind. Domain experts actively participated in selecting how to best represent various aspects. It uses tabular notations to specify required computations and automata to document state- or time-dependent behavior. As programmable logic controllers (PLCs) are widely used to implement real-time embedded software, synthesis of PLC code from a formal specification is desirable if transformation rules can be rigorously defined. In addition to improved productivity, results of safety analysis performed on requirements remain valid. In this paper, we demonstrate how NuSCR specification can be translated into semantically equivalent function block diagram (FBD) code. The process, except the initial phase where user provides information on missing or implicit details, is automated. Since executable code can be automatically generated using CASE tools from FBD, much of software development is automated. Proposed technique is currently being used in developing reactor protection system (RPS) for nuclear power plants in Korea, and experience to date has been positive. We demonstrate the proposed approach using the fixed set-point rising trip which is one of the most complex trip logics included in the RPS.

NuEditor – a tool suite for specification and verification of NuSCR

NuEditor is a tool suite supporting specification and verification of software requirements written in NuSCR. NuSCR extends SCR (Software Cost Reduction) notation that has been used in specifying requirements for embedded safety-critical systems such as a shutdown system for nuclear power plant. SCR almost exclusively depended on fine-grained tabular notations to represent not only computation-intensive functions but also time- or state-dependent operations. As a consequence, requirements became excessively complex and difficult to understand. NuSCR supports intuitive and concise notations. For example, automata is used to capture time or state-dependent operations, and concise tabular notations are made possible by allowing complex but proven-correct equations be used without having to decompose them into a sequence of primitive operations. NuEditor provides graphical editing environment and supports static analysis to detect errors such as missing or conflicting requirements. To provide high-assurance safety analysis, NuEditor can automatically translate NuSCR specification into SMV input so that satisfaction of certain properties can be automatically determined based on exhaustive examination of all possible behavior. NuEditor has been programmed to generate requirements as an XML document so that other verification tools such as PVS can also be used if needed. We have used NuEditor to specify a trip logic of RPS(Reactor Protection System) BP(Bistable Processor) and verify its correctness. It is a part of software-implemented nuclear power plant shutdown system. Domain experts found NuSCR and NuEditor to be useful and qualified for industrial use in nuclear engineering.

Control and data flow testing on function block diagrams

As programmable logic controllers(PLCs) have been used in safety-critical applications, testing of PLC applications has become important. The previous PLC-based software testing technique generates intermediate code, such as C, from function block diagram(FBD) networks and uses the intermediate code for testing purposes. In this paper, we propose a direct testing technique on FBD without generating intermediate code. In order to test FBD, we define testing granularity in terms of function blocks and propose an algorithm that transforms an FBD network to a flow graph. We apply existing control and data flow testing coverage criteria to the flow graph in order to generate test cases. To demonstrate the effectiveness of the proposed method, we use a trip logic of BP(Bistable Processor) at RPS(Reactor Protection System) in DPPS(Digital Plant Protection System) which is currently being developed at KNICS[1] in Korea.

Systematic evaluation of fault trees using real-time model checker UPPAAL

Abstract Fault tree analysis, the most widely used safety analysis technique in industry, is often applied manually. Although techniques such as cutset analysis or probabilistic analysis can be applied on the fault tree to derive further insights, they are inadequate in locating flaws when failure modes in fault tree nodes are incorrectly identified or when causal relationships among failure modes are inaccurately specified. In this paper, we demonstrate that model checking technique is a powerful tool that can formally validate the accuracy of fault trees. We used a real-time model checker UPPAAL because the system we used as the case study, nuclear power emergency shutdown software named Wolsong SDS2, has real-time requirements. By translating functional requirements written in SCR-style tabular notation into timed automata, two types of properties were verified: (1) if failure mode described in a fault tree node is consistent with the systems behavioral model; and (2) whether or not a fault tree node has been accurately decomposed. A group of domain engineers with detailed technical knowledge of Wolsong SDS2 and safety analysis techniques developed fault tree used in the case study. However, model checking technique detected subtle ambiguities present in the fault tree.

PLC-based safety critical software development for nuclear power plants

This paper proposes a PLC(Programmable Logic Controller)-based safety critical software development technique for nuclear power plants’ I&C software controllers. To improve software safety, we write the software requirements specification using a formal specification notation named NuSCR [1]. NuSCR specification is then mechanically transformed into semantically equivalent Function Block Diagram(FBD), a widely used PLC programming language. Finally, we manually refine the FBD programs so that redundant function blocks are identified and removed. As CASE tool supplied by PLC vendors automatically compiles the resulting FBD programs into PLC machine code, PLC software development is completed when the final FBD programs are essentially tested.

An effective technique for the software requirements analysis of NPP safety-critical systems, based on software inspection, requirements traceability, and formal specification

A thorough requirements analysis is indispensable for developing and implementing safety-critical software systems such as nuclear power plant (NPP) software systems because a single error in the requirements can generate serious software faults. However, it is very difficult to completely analyze system requirements. In this paper, an effective technique for the software requirements analysis is suggested. For requirements verification and validation (V&V) tasks, our technique uses software inspection, requirement traceability, and formal specification with structural decomposition. Software inspection and requirements traceability analysis are widely considered the most effective software V&V methods. Although formal methods are also considered an effective V&V activity, they are difficult to use properly in the nuclear fields as well as in other fields because of their mathematical nature. In this work, we propose an integrated environment (IE) approach for requirements, which is an integrated approach that enables easy inspection by combining requirement traceability and effective use of a formal method. The paper also introduces computer-aided tools for supporting IE approach for requirements. Called the nuclear software inspection support and requirements traceability (NuSISRT), the tool incorporates software inspection, requirement traceability, and formal specification capabilities. We designed the NuSISRT to partially automate software inspection and analysis of requirement traceability. In addition, for the formal specification and analysis, we used the formal requirements specification and analysis tool for nuclear engineering (NuSRS).

Testing of Timer Function Blocks in FBD

Testing for time-related behaviors of PLC software is important and should be performed carefully. We propose a structural testing technique on function block diagram (FBD) networks including timer function blocks. In order to test FBD networks including timer function blocks, we generate templates for timer function blocks and transform a unit FBD into a flow-graph using the proposed templates. We apply existing testing techniques to the generated flowgraph and describe how the characteristics of timer function blocks are reflected in the testing process. By the proposed method, FBD networks including timer function blocks can be tested thoroughly without the intermediate code which was essential in the previous FBD testing. To demonstrate the effectiveness of the proposed method, we use a trip logic of bistable processor of digital plant protection systems which is being developed in Korea.