# 정형 요구사항 명세 기반 원자력 소프트웨어 개발 방법론

Dependable Software Laboratory

KONKUK University, Korea http://dslab.konkuk.ac.kr

### Contents

- Introduction
  - Safety-Critical Software in Nuclear Power Plants
  - Software Development Process (Existing vs. Proposed)
- Software Development Process for NPPs
  - Development Process
  - Verification Process
  - Safety Analysis Process
- Conclusion and Future Work

# Introduction

- 1. Safety-Critical Software in Nuclear Power Plants
- 2. Software Development Process (Existing vs. Proposed)

## Safety-Critical Software in Nuclear Power Plants

- RPS (Reactor Protection System)
- ESF-CCS (Engineering Safety Features Component Control System)



## **Existing Software Development Process**

For Most NPPs in Korea (e.g. Wolsung NPP)



### Proposed Software Development Process

- For KNICS RPS for APR-1400 [1] (http://www.knics.re.kr)
  - APR-1400 : Next generation nuclear reactor being developed in Korea



# **Software Development Process for NPPs**

- 1. Development Process
- 2. Verification Process
- 3. Safety-Analysis Process

# **Development Process**

- 1. Formal Requirements Specification
- 2. Automatic Design Synthesis



### 1. Formal Requirements Specification

- NuSCR [3]
  - Formal requirements specification language
  - Customized SCR [2] for nuclear applications
    - Listened to opinions offered by domain experts
  - 4 constructs
    - SDT (Structured Decision Table)
    - FSM (Finite State Machine)
    - TTS (Timed Transition System)
    - FOD (Function Overview Diagram)

| Conditions                  |   |   |
|-----------------------------|---|---|
| $k_X_MIN <= f_X <= k_X_MAX$ | Т | F |
|                             |   |   |
| Actions                     |   |   |
| f_X_Valid := 0              | Х |   |
| f_X_Valid := 1              |   | X |
| SDT                         |   |   |



### 1. Formal Requirements Specification

- NuSRS (ver 2.0)
  - CASE tool supporting
    - NuSCR specification
    - Self-Checking (on-going)
    - SMV program translation (NuSCR → SMV)
    - SMV verification (CTL Model Checking)
  - Case Study
    - KNICS-RPS-SRS101, Rev,00, 2003. (by NuSRS 1.0)
    - KNICS-RPS-SVR131-01, Rev.00, 2005. (by NuSRS 2.0)



### 2. Automatic Design Synthesis

- NuSCRtoFBD Synthesis Procedure [8]
  - Synthesizes FBD programs from NuSCR specification automatically
    - More than twice FBD blocks than manually coded and optimized ones
  - Unused in the project, because unable to develop CASE tools in advance
  - However, can be used as a baseline for FBD programming in design phase

- NuSCRtoFBD (ver 1.0)
  - CASE tool supporting
    - Automatic FBD synthesis from NuSCR
      - Reads NuSCR specification in XML format
      - Stores FBD programs in standard XML format (on-going)
    - Algorithm is being optimized



#### NuSCRtoFBD (ver. 1.0)

- Synthesized from KNICS RPS BP SRS (KNICS-RPS-SVR131-01, Rev.00, 2005)

# **Verification Process**

- 1. Model Checking Requirements
- 2. Model Checking Design
- 3. Equivalence Checking Designs



### 1. Model Checking Requirements

- Formal verification for requirements specification
  - Target : NuSCR formal specification
  - Tool : Cadence SMV [5]
  - Technique : CTL model checking
- NuSRS (ver. 2.0)
  - Automatic translation
    from NuSCR into SMV programs [10]
  - Seamless execution of SMV
  - Case Study
    - KNICS-RPS-SVR131-01, Rev.00, 2005
    - Found 157 errors (25 critical)







#### FBD Verification using

- SMV model checking & VIS Equivalence checking

### 2. Model Checking Design

- Formal verification for design specification
  - Target : FBD program
  - Tool : Cadence SMV [5]
  - Technique : LTL model checking
- FBD Verifier (ver. 1.0 / 2.0)
  - Automatic translation from FBD programs into Verilog programs [11]
  - Seamless execution of SMV
  - Case Study
    - KNICS-RPS-SDS231, Rev.01, 2006
    - Found 60 errors (13 critical)

#### FBD Verifier 1.0



#### 1. Read FBD programs in XML format



**Engineering Tools** by PLC vendors

#### 3. Perform SMV model checking



Counterexample viewer in FBD Verifier 1.0



**Cadence SMV** 

### 3. Equivalence Checking Designs

- Formal verification for design specifications
  - Target : Two FBD programs
  - Tool : VIS Verification System [4]
  - Technique : Equivalence checking, Simulation

- VIS Analyzer (ver. 1.0)
  - Seamless execution of VIS (VIS has no GUI)
  - Visualization of VIS's process and verification results [12]
  - Unused in the project, because unable to develop CASE tools in advance
  - Case Study
    - KNICS-RPS-SDS101, Rev.00, 2005
    - No official result

| Trip Logic                                                    | Error Type | Compared FBD (Num. of Errors) | Original FBD<br>(Num. of Errors) |  |
|---------------------------------------------------------------|------------|-------------------------------|----------------------------------|--|
| Fixed Set-Point Rising Trip without Operating Bypass          | Syntactic  | 0                             | 0                                |  |
|                                                               | Logical    | 0                             | 1                                |  |
| Manual Reset Variable Set-Point Trip without Operating Bypass | Syntactic  | 0                             | 3                                |  |
|                                                               | Logical    | 6                             | 2 18                             |  |

### **Engineering Tools** by PLC vendors



1. Read two FBD programs in XML format

#### FBD Verifier 1.0



3. Read two Verilog programs

#### VIS Analyzer 1.0 (Source)



VIS Analyzer 1.0 (Result)









#### VIS Analyzer (ver. 1.0)

- Visualized and reorganized result - counterexample



#### VIS Analyzer (ver. 3.0)

- Visualized and reorganized result - counterexample

# **Safety Analysis Process**

- 1. Fault Tree Analysis for Requirements
- 2. Fault Tree Analysis for Design



# 1. Fault Tree Analysis for Requirements

- Fault Tree Analysis
  - Performed manually
  - Totally depends on analyst's experience and ability
- We provided FTA templates and CASE tool (NuFTA) for NuSCR [13]



# 2. Fault Tree Analysis for Design

We provided FTA templates and FBD [15]



# **Conclusion and Future Work**

#### Conclusion

- We proposed software development processes using formal methods
  - Target: KNICS RPS for APR-1400
  - Development process
    - NuSCR formal requirements specification
    - Automatic FBD design synthesis
  - Verification process
    - Model checking NuSCR requirements
    - Model checking FBD design
    - Equivalence checking FBD designs
  - Safety analysis process
    - FTA templates for NuSCR requirements
    - FTA templates for FBD programs
  - Case Study
    - KNICS-RPS-SVR131-01, Rev.00, 2005
    - KNICS-RPS-SDS231, Rev.01, 2006



#### **Future Work**

#### 1. Integrated Tool-set

#### Tool Enhancement

- Self-checking : completeness & consistency (NuSRS)
- Synchronous Verilog issue in model checking FBD programs using SMV (FBD Verifier)
- Optimization of FBD synthesis algorithm (NuscrtoFBD)
- Add other functions to VIS Analyzer (VIS Analyzer)

#### 3. Traceability Analysis

- From requirements to design
- From requirements' FTA to design's FTA

#### 4. FBD Testing

- Measures (coverage criteria)
- Testing tool support

#### 5. Application to Other Domains

#### 정형 요구사항명세 기반 원자력 소프트웨어 개발 방법론



#### References

- [1] KNICS (Korea Nuclear Instrumentation & Control System R&D Center). http://www.knics.re.kr.
- [2] Kathryn L. Heninger, "Specifying Software Requirements for Complex Systems: New Techniques and Their Application," *IEEE Trans actions on Software Engineering*, SE Vol.6, No.1, pp2-13, 1980.
- [3] Junbeom Yoo, Taihyo Kim, Sungdeok Cha, Jang-Su Lee, Han Seong Son, "A Formal Software Requirements Specification Method f or Digital Nuclear Plants Protection Systems," *Journal of Systems and Software*, Vol.74, No.1, pp.73-83, 2005.
- [4] VIS (Verification Interacting with Synthesis), http://embedded.eecs.berkeley.edu/research/vis.
- [5] SMV (Symbolic Model Verifier), http://www.kenmcmil.com/smv.html.
- [6] Sungdeok Cha, "Pet Formalisms versus Industry-Proven Survivors: Issues on Formal Methods Education," *Journal of Research and Practice in Information Technology*, Vol.32, No.1, pp39-46, 2000.
- [7] Mats P.E. Heimdahl and Nancy G. Leveson, "Completeness and Consistency in Hierarchical State-Based Requirements," IEEE Tran sactions on Software Engineering, Vol.22, No.6, pp363-377, 1996.
- [8] Junbeom Yoo, Sungdeok Cha, Chang Hwoi Kim, Duck Yong Song, "Synthesis of FBD-based PLC Design from NuSCR Formal Specification," *Reliability Engineering and System Safety*, Vol.87, No.2, pp287-294, 2005.
- [9] US NRC, Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues, *National Academy Pre* ss. 1997
- [10] Jaemyung Cho, Junbeom Yoo, Sungdeok Cha, "NuEditor A Tool Suite for Specification and Verification of NuSCR," In proceeding of Second ACIS International Conference on Software Engineering Research, Management and Applications (SERA2004), pp298-30 4, LA, USA, May 5-7, 2004.
- [11] Junbeom Yoo, Sungdeok Cha, and Eunkyoung Jee, "A Verification Framework for FBD based Software in Nuclear Power Plants," In the proceeding of 15th Asia Pacific Software Engineering Conference (APSEC), pp.385-392, Beijing, China, Dec. 3-5, 2008.
- [12] Junbeom Yoo, Sungdeok Cha, and Eunkyoung Jee, "Verification of PLC Programs written in FBD with VIS," *Nuclear Engineering a nd Technology*, Vol.41, No.2, 2009, to be published.
- [13] Taeho Kim, Junbeom Yoo, Sungdeok Cha, "A Synthesis Method of Software Fault Tree from NuSCR Formal Specification using Te mplates," *Journal of Korea Institute of Information Scientists and Engineers (in Korean)*, SE Vol.32, No.12, pp1178-1192, 2005.
- [14] Younju Oh, Junbeom Yoo, Sungdeok Cha, Han Seong Son, "Software Safety Analysis of Function Block Diagrams using Fault Tree s," *Reliability Engineering and System Safety*, Vol.88, No.3, pp215-228, 2005.
- [15] Gee-Yong Park, Kwang Yong Koh, Eunkyoung Jee, Poong Hyun Seong, Kee-Choon Kwon and Dae Hyung Lee, "Fault Tree Analys is of KNICS RPS Software," *Nuclear Engineering and Technology*, Vol.40, No.5, pp397-408, 2008.