Kim Björkman

Model checking of safety-critical software in the nuclear engineering domain

Instrumentation and control (I&C) systems play a vital role in the operation of safety-critical processes. Digital programmable logic controllers (PLC) enable sophisticated control tasks which sets high requirements for system validation and verification methods. Testing and simulation have an important role in the overall verification of a system but are not suitable for comprehensive evaluation because only a limited number of system behaviors can be analyzed due to time limitations. Testing is also performed too late in the development lifecycle and thus the correction of design errors is expensive. This paper discusses the role of formal methods in software development in the area of nuclear engineering. It puts forward model checking, a computer-aided formal method for verifying the correctness of a system design model, as a promising approach to system verification. The main contribution of the paper is the development of systematic methodology for modeling safety critical systems in the nuclear domain. Two case studies are reviewed, in which we have found errors that were previously not detected. We also discuss the actions that should be taken in order to increase confidence in the model checking process.

Solving dynamic flowgraph methodology models using binary decision diagrams

Dynamic flowgraph methodology (DFM) is a computationally challenging approach to the reliability analysis of dynamic systems with feedback loops. To improve the computational efficiency of DFM modelling, we propose a new approach, based on binary decision diagrams (BDDs), to solving DFM models. The objective of DFM analysis is to identify the root causes of a postulated top event. The result is a set of prime implicants that represent system faults resulting from diverse combinations of software logic errors, hardware failures, human errors and adverse environmental conditions. Two approaches to solving prime implicants have been implemented in software called YADRAT. The first approach is based on meta-products, and the second on zero-suppressed BDDs (ZBDD). Both approaches have been used previously in fault tree analysis. In this work, the ideas of prime implicant computations are adapted to a dynamic reliability analysis approach combined with multi-valued logic. The computational efforts required for the two approaches are compared by analysing three example systems. The results of the comparison show that BDDs are applicable in DFM computation and that in particular the ZBDD-based approach can solve moderately sized DFM models in a reasonable time.