Jussi Lahtinen
VTT Technical Research Centre of Finland
Publication
Featured research published by Jussi Lahtinen.
Reliability Engineering & System Safety | 2012
Jussi Lahtinen; Janne Valkonen; Kim Björkman; Juho Frits; Ilkka Niemelä; Keijo Heljanko
Instrumentation and control (I&C) systems play a vital role in the operation of safety-critical processes. Digital programmable logic controllers (PLCs) enable sophisticated control tasks, which sets high requirements for system validation and verification methods. Testing and simulation have an important role in the overall verification of a system but are not suitable for comprehensive evaluation, because only a limited number of system behaviours can be analysed due to time limitations. Testing is also performed too late in the development lifecycle, and thus the correction of design errors is expensive. This paper discusses the role of formal methods in software development in the area of nuclear engineering. It puts forward model checking, a computer-aided formal method for verifying the correctness of a system design model, as a promising approach to system verification. The main contribution of the paper is the development of a systematic methodology for modelling safety-critical systems in the nuclear domain. Two case studies are reviewed, in which we have found errors that were previously not detected. We also discuss the actions that should be taken in order to increase confidence in the model checking process.
international conference on computer safety, reliability, and security | 2010
Jussi Lahtinen; Mika Johansson; Jukka Ranta; Hannu Harju; Risto Nevalainen
In the nuclear domain, regulators have strict requirements for safety-critical software. In this paper, the requirements in three documents (two software standards and the Common Position of nuclear domain regulators) were compared. The aim of the work was to find out how these requirements compare to each other in terms of strictness and scope, and to evaluate the usefulness of the documents for certification purposes. Another goal was to determine whether it is possible to choose only one of the standards as the basis of software certification. The nuclear domain software standard IEC 60880 provides requirements for the purpose of achieving highly reliable software. The standard is similar to Part 3 of the IEC 61508 standard in the sense that it covers requirements for all software lifecycle activities. The Common Position document, Licensing of safety critical software for nuclear reactors, states the requirements from the perspective of European nuclear regulators. The comparison was twofold. First, the absolute "shall" requirements of a few key themes were extracted from all three documents, and the strictness of these requirements was analysed against each other. Second, to evaluate the documents' usefulness for certification, the extent to which these themes were covered by each document was analysed by expert judgement. The main result was that the use of IEC 60880 alone is not sufficient for software certification.
quality of information and communications technology | 2014
Jussi Lahtinen
Many nuclear instrumentation and control (I&C) systems are designed using a function block diagram description of the system. Strict requirements pertain to the verification of these systems. Different verification techniques, including structure-based testing, are demanded by standards and the regulators. Unfortunately, the traditional structure-based test techniques intended for software code are not directly applicable to function block diagrams. However, coverage criteria for function block diagrams have recently been developed. In this work, we have used these coverage criteria and developed a technique for generating structure-based test sets for function-block-based designs. The test set is automatically generated, but the technique requires that a model checking model of the system is available. The technique utilises model checking to determine the concrete test cases. We have also described how tests can be generated so that multiple test requirements can be fulfilled at once, thus decreasing the number of generated test cases. We have implemented our approach as a proof-of-concept tool and demonstrated the technique on a case study system.
quality of information and communications technology | 2010
Hannu Harju; Jussi Lahtinen; Jukka Ranta; Risto Nevalainen; Mika Johansson
In the nuclear domain, regulators have strict requirements for safety-critical software. As part of the Finnish nuclear research programme SAFIR2010, an on-going project called CERFAS aims to define the necessary software certification services for nuclear industry needs. The main areas of the service development activities are process assessment and product evaluation. Several additional modules and methods are needed and will be developed during the project. The certification service is closely based on software safety standards. The nuclear domain software standard IEC 60880 provides requirements for the purpose of achieving highly reliable software. The standard is similar to Part 3 of the IEC 61508 standard in the sense that it covers requirements for all software life-cycle activities. In this paper, we introduce the Software Certification Service, SCS, and compare the two software safety standards to each other in order to find out whether one of these standards, or both of them, may provide a basis for software certification in the nuclear domain.
Reliability Engineering & System Safety | 2015
Jussi Lahtinen; Tuomas Kuismin; Keijo Heljanko
Digital instrumentation and control (I&C) systems are increasingly used in the nuclear engineering domain. The exhaustive verification of these systems is challenging, and the usual verification methods such as testing and simulation are typically insufficient. Model checking is a formal method that is able to exhaustively analyse the behaviour of a model against a formally written specification. If the model checking tool detects a violation of the specification, it produces a counter-example that demonstrates how the specification is violated in the system. Unfortunately, real-life system designs are sometimes too big to be directly analysed by traditional model checking techniques. We have developed an iterative technique for model checking large modular systems. The technique uses abstraction-based over-approximations of the model behaviour, combined with iterative refinement. The main contribution of the work is the concrete abstraction refinement technique based on the modular structure of the model, the dependency graph of the model, and a refinement sampling heuristic similar to delta debugging. The technique is geared towards proving properties, and outperforms BDD-based model checking, the k-induction technique, and the property directed reachability algorithm (PDR) in our experiments.
international conference on computer safety, reliability, and security | 2014
Jussi Lahtinen
Model checking is a formal method that has proven useful for verifying, e.g., the logic designs of safety systems used in nuclear plants. However, redundant subsystems are implemented in nuclear plants in order to achieve a certain level of fault-tolerance. A formal system-level analysis that takes into account both the detailed logic design of the systems and the potential failures of the hardware equipment is a difficult challenge. In this work, we have created a new methodology for modelling hardware failures and used it to enable the verification of the fault-tolerance of the plant using model checking. We have used an example probabilistic risk assessment (PRA) model of a fictional nuclear power plant as a reference and created a corresponding model checking model that covers several safety systems of the plant. Using the plant-level model, we verified several safety properties of the nuclear plant. We also analysed the fault-tolerance of the plant with regard to these properties, and used abstraction techniques to manage the large plant-level model. Our work is a step towards being able to exhaustively verify properties on a single model that covers the entire plant. The developed methodology follows closely the notations of PRA analysis and serves as a basis for further integration between the two approaches.
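The three abstracts above (test generation, 2014; counter-examples and modular abstraction, 2015; hardware-failure modelling for fault-tolerance, 2014) share one mechanism: a model checker searches the reachable states of a logic design and, when a property fails, hands back a concrete trace. The following example, added here and not taken from any of these papers or from the authors' tools, shows that mechanism in miniature with an explicit-state breadth-first checker. The design under analysis (a 2-out-of-3 voting logic feeding a latched trip output), the stuck-at-low channel failure model, the safety property and the coverage goal are all constructed for this page and are not the plant or case-study systems the papers describe.

```python
"""Tiny explicit-state model checker for a constructed 2oo3 trip logic.

Demonstrates (a) a counter-example for a violated safety property,
(b) fault-tolerance analysis with a bounded number of modelled hardware
failures, and (c) test generation by checking a 'trap property'.
"""
from collections import deque
from itertools import combinations, product

CHANNELS = 3
# Environment inputs per scan cycle: (process demand present, manual reset pressed).
INPUTS = list(product([False, True], repeat=2))


def sensor_readings(demand, failed):
    # Hardware failure model (constructed): a failed channel is stuck-at-low,
    # i.e. it reads False regardless of the real process demand.
    return tuple(demand and (i not in failed) for i in range(CHANNELS))


def vote_2oo3(readings):
    return sum(readings) >= 2


def step(state, inputs):
    """One scan cycle of the function block design.

    state  = (trip_latched, frozenset of failed channels)
    inputs = (demand, reset)
    The failure set is persistent: a channel that has failed stays failed.
    """
    trip, failed = state
    demand, reset = inputs
    vote = vote_2oo3(sensor_readings(demand, failed))
    trip_next = vote or (trip and not reset)  # set-dominant SR latch
    return (trip_next, failed)


def initial_states(max_failures):
    """Trip not latched; any combination of at most max_failures failed channels."""
    return [(False, frozenset(c))
            for k in range(max_failures + 1)
            for c in combinations(range(CHANNELS), k)]


def find_transition(init, pred):
    """BFS over reachable states.  Return the first trace whose last transition
    (state, inputs, next_state) satisfies pred, or None if no such transition
    is reachable.  A trace is a list of (inputs, state) pairs; the first entry
    is (None, initial_state).  BFS gives a shortest such trace."""
    parent = {s: None for s in init}           # state -> (prev_state, inputs)
    queue = deque(init)
    while queue:
        s = queue.popleft()
        for i in INPUTS:
            n = step(s, i)
            if pred(s, i, n):
                return _trace(parent, s) + [(i, n)]
            if n not in parent:
                parent[n] = (s, i)
                queue.append(n)
    return None


def _trace(parent, s):
    out = []
    while True:
        prev = parent[s]
        if prev is None:
            out.append((None, s))
            break
        out.append((prev[1], s))
        s = prev[0]
    return list(reversed(out))


def trip_follows_demand(state, inputs, nxt):
    """Safety property: whenever demand is present, the trip is latched
    in the next cycle."""
    demand, _reset = inputs
    return nxt[0] or not demand


def verify(prop, max_failures):
    """None if prop holds on every reachable transition with at most
    max_failures failed channels, otherwise a counter-example trace."""
    return find_transition(initial_states(max_failures),
                           lambda s, i, n: not prop(s, i, n))


def reset_branch_covered(state, inputs, nxt):
    """Coverage goal (constructed): the latch's reset branch is exercised,
    i.e. trip was set, no demand, reset pressed, and trip is cleared."""
    demand, reset = inputs
    return state[0] and reset and not demand and not nxt[0]


def generate_test(goal, max_failures=0):
    """Structure-based test generation: the trap property claims the goal is
    unreachable; the checker's counter-example is the concrete test case."""
    return find_transition(initial_states(max_failures), goal)


if __name__ == "__main__":
    print("single failure tolerated:", verify(trip_follows_demand, 1) is None)
    print("double failure counter-example:", verify(trip_follows_demand, 2))
    print("test for reset branch:", generate_test(reset_branch_covered))
```

With one stuck-at-low channel the 2oo3 vote still sees two true readings, so `verify` returns `None`; with two failures it returns a two-entry trace ending in a cycle where demand is present but the trip stays low, which is the kind of counter-example the abstracts describe. `generate_test` reuses the same search: the shortest path that satisfies the coverage goal is the input sequence a tester would replay against the real design. Real tools replace the explicit BFS with symbolic (BDD or SAT based) search and abstraction, which is what the 2015 paper above is about, but the contract of "property in, trace out" is the same.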
Archive | 2009
Kim Björkman; Juho Frits; Janne Valkonen; Jussi Lahtinen; Keijo Heljanko; Ilkka Niemelä; Jari J. Hämäläinen
Archive | 2010
Jussi Lahtinen; Kim Björkman; Janne Valkonen; Juho Frits; Ilkka Niemelä
Archive | 2010
Jussi Lahtinen; Janne Valkonen; Kim Björkman; Juho Frits; Ilkka Niemelä
Archive | 2010
Jussi Lahtinen; Kim Björkman; Janne Valkonen; Juho Frits; Ilkka Niemelä