Fig 2 - uploaded by Igor Buzhinsky
By focusing on single failure scenarios in open-loop, the failure model can be made fairly simple.

Source publication
Conference Paper
Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic, alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant c...

Contexts in source publication

Context 1
... of specifying a full failure model allowing all the processors and communication links to fail (as in [22]), we can simplify the model (see Fig. 2) by keeping our focus on verifying single fault tolerance in open-loop models. To illustrate the idea, we use the U.S. EPR PS (see Section II-B) as an example: 1) First of all, it suffices to fully model only one division (APU+ALU). If the divisions are identical, any verification result for the included (non-failing, see below) ALU ...
Context 2
... failure model is implemented in NuSMV by inserting modules on one division to all signals (1) from the SCDS to the APUs and (2) from the APUs to the included ALU (see Fig. 2). Module FAULT_BIN is used for Boolean and FAULT_ANA for integer signals. At any time instant, the module can nondeterministically enter a fault mode, and replace the actual signal value with a nondeterministic variable. The status of the signal is also nondeterministic, meaning that the failure can be either self announcing (status = ...
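The fault-injection wrappers described in Context 2, written out as an added NuSMV example (this is not the paper's own model). Only the module names FAULT_BIN and FAULT_ANA and the self-announcing/non-self-announcing status distinction come from the text; the latching of the fault mode, the 0..15 integer range, the threshold of 12, and the names meas, apu_trip, alu_trip, faulted, rnd_val and rnd_ok are assumptions of this example.

```smv
-- Fault-injection wrapper for a Boolean signal (assumed shape, not the paper's code).
MODULE FAULT_BIN(in)
  VAR
    faulted : boolean;   -- TRUE once the module has entered fault mode (assumed latched)
    rnd_val : boolean;   -- nondeterministic replacement for the signal value
    rnd_ok  : boolean;   -- nondeterministic replacement for the signal status
  ASSIGN
    init(faulted) := FALSE;
    -- at any instant the module may nondeterministically enter fault mode
    next(faulted) := case faulted : TRUE; TRUE : {FALSE, TRUE}; esac;
  DEFINE
    out    := case faulted : rnd_val; TRUE : in; esac;
    -- status TRUE = "signal valid"; a faulted module may still report TRUE,
    -- i.e. the failure is not self-announcing
    status := case faulted : rnd_ok; TRUE : TRUE; esac;

-- Same wrapper for an integer signal (the 0..15 range is an assumption).
MODULE FAULT_ANA(in)
  VAR
    faulted : boolean;
    rnd_val : 0..15;
    rnd_ok  : boolean;
  ASSIGN
    init(faulted) := FALSE;
    next(faulted) := case faulted : TRUE; TRUE : {FALSE, TRUE}; esac;
  DEFINE
    out    := case faulted : rnd_val; TRUE : in; esac;
    status := case faulted : rnd_ok; TRUE : TRUE; esac;

MODULE main
  VAR
    meas  : 0..15;               -- constructed measurement arriving from the SCDS
    f_ana : FAULT_ANA(meas);     -- inserted on link (1): SCDS -> APU
    f_bin : FAULT_BIN(apu_trip); -- inserted on link (2): APU -> included ALU
  DEFINE
    -- constructed APU logic: demand a trip above a threshold, or when the
    -- received value is flagged invalid (self-announcing failure)
    apu_trip := (f_ana.out > 12) | !f_ana.status;
    -- constructed ALU logic: same fail-safe treatment of the status flag
    alu_trip := f_bin.out | !f_bin.status;
  -- single-failure scenario: at most one inserted module is ever in fault mode
  INVAR !(f_ana.faulted & f_bin.faulted)
  -- holds: with no fault, the ALU trips exactly when the measurement demands it
  LTLSPEC G ((!f_ana.faulted & !f_bin.faulted) -> (alu_trip <-> (meas > 12)))
  -- fails with a counterexample: a non-self-announcing fault on one link
  -- (status still TRUE, value replaced) can suppress a demanded trip
  LTLSPEC G ((meas > 12) -> alu_trip)
```

The second LTLSPEC is expected to fail: its counterexample is the point of the failure model, showing that a single undetected fault on an unvoted path defeats the protection function, which is why redundant divisions and voting are needed downstream.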

Similar publications

Article
This work presents a security analysis of the QUIC handshake protocol based on symbolic model checking. As a newly proposed secure transport protocol, the purpose of QUIC is to improve the transport performance of HTTPS traffic and enable rapid deployment and evolution of transport mechanisms. QUIC is currently in the IETF standardization process a...

Citations

... It is also very important to assure that the safety-critical system (SCS) is working correctly. The SCS requires fault tolerance [22], which ensures that the system continues to function properly even if one or more components fail. Redundancy can provide tolerance for a single failure. ...
... Pakonen and Buzhinsky (2019) [22] provided a method for employing model checking to verify the fault tolerance for instrument and control systems (I&C). As an example for a SCS, [22] utilizes the reactor protection system of the projected U.S. EPR nuclear power plant. ...
... (2019) [22] provided a method for employing model checking to verify the fault tolerance for instrument and control systems (I&C). As an example for a SCS, [22] utilizes the reactor protection system of the projected U.S. EPR nuclear power plant. The protection system for a fault-tolerant I&C system is arranged into four redundant independent divisions and is located in separate buildings. ...
Article
The complexity of digital embedded systems has been increasing in different safety-critical applications such as industrial automation, process control, transportation, and medical digital devices. The correct operation of these systems relies too heavily on the behavior of the embedded digital device. As a result, any mistake or error made during the design stage of the embedded device can change the overall functionality of the critical system and cause catastrophic consequences. To detect these errors and eliminate their effects on the system, new error detection approaches must be innovated and used in the design of the digital system. However, these methods require enormous costs and time. One of these methods being employed to solve this issue is called Verification and Validation (V&V), which confirms that the system behavior meets the requirements early in the development process, before moving on to the implementation phase. Because of their benefits and importance in the building of complex digital systems, the employment of formal V&V methods has recently attracted a lot of attention. This paper focuses on presenting various studies on formal verification approaches and how V&V can be achieved for developing highly dependable digital embedded systems.
... It is also very important to assure that the safety-critical system (SCS) is working correctly. The SCS requires fault tolerance [22], which ensures that the system continues to function properly even if one or more components fail. Redundancy can provide tolerance for a single failure. ...
... Pakonen and Buzhinsky (2019) [22] provided a method for employing model checking to verify the fault tolerance for instrument and control systems (I&C). As an example for a SCS, [22] utilizes the reactor protection system of the projected U.S. EPR nuclear power plant. ...
... (2019) [22] provided a method for employing model checking to verify the fault tolerance for instrument and control systems (I&C). As an example for a SCS, [22] utilizes the reactor protection system of the projected U.S. EPR nuclear power plant. The protection system for a fault-tolerant I&C system is arranged into four redundant independent divisions and is located in separate buildings. ...
Preprint
The complexity of digital embedded systems has been increasing in different safety-critical applications such as industrial automation, process control, transportation, and medical digital devices. The correct operation of these systems relies too heavily on the behavior of the embedded digital device. As a result, any mistake or error made during the design stage of the embedded device can change the overall functionality of the critical system and cause catastrophic consequences. To detect these errors and eliminate their effects on the system, new error detection approaches must be innovated and used in the design of the digital system. However, these methods require enormous costs and time. One of these methods being employed to solve this issue is called Verification and Validation (V&V), which confirms that the system behavior meets the requirements early in the development process, before moving on to the implementation phase. Because of their benefits and importance in the building of complex digital systems, the employment of formal V&V methods has recently attracted a lot of attention. This paper focuses on presenting various studies on formal verification approaches and how V&V can be achieved for developing highly dependable digital embedded systems.
... A technique to mitigate it, i.e., BDDs (Binary Decision Diagrams), is implemented in the NuSMV method. As a case study, the named method has been applied to foster the single-failure tolerance of a nuclear reactor protection system [15]. FS adequacy has been approached here in terms of its completeness: FS encompasses not only the application logics, but also a hardware plane (hardware component failures, communication delays). ...
Article
In this paper, the question of the expediency of checking the model to which the model checking method is applied is discussed. To this end, a corresponding technique has been proposed. The named technique is based on differentiation between the concepts of the analytical plane of model perception and the concepts of the corresponding implementation plane. The technique is grounded on the following constituents: Kripke structure, for analytical interpretation of formal specification; Temporal Logic of Actions and the corresponding formalism, as the instruments for shifting from the analytical plane to the implementation one; TLC model checker, to examine the correctness of formal specification with respect to the concepts of the implementation plane. To prove the proposed technique, a case study has been conducted. To this end, algorithms from the spacecraft domain have been considered. To verify the resulting specifications, two alternative implementations of the TLC model checker have been applied.
... According to the Finnish regulatory guides on nuclear safety [14], a safety function must be tolerant to arbitrary failures in a single division (N+1 requirement). Combining this assumption with redundancy and symmetry leads to the possibility of the following modeling assumptions, which were proposed in our previous works [9], [10]: ...
... The obtained results comply with our works [9], [10] on checking similar systems with discrete time semantics. Checking a model with communication delays is more computationally difficult and usually susceptible to BMC only. ...
... In [9], [10], an approach was proposed to verify nuclear I&C systems under the presence of hardware failures, asynchrony and communication delays. In Section II-B, we already mentioned the key modeling ideas of this approach that are essential for this paper. ...
Conference Paper
Certain safety-critical systems, such as nuclear instrumentation and control (I&C) systems, must be ensured to be correct. One of the approaches of doing this is formal verification and, in particular, model checking, which thoroughly examines the state space of the formal model of the system. To make model checking computationally feasible, many simplifying assumptions, often referred to as abstractions, are made. One of such abstractions is the assumption of discrete time. However, when I&C systems are considered working in the real world, where communication delays and failures are possible, this assumption becomes less realistic, calling for the need for richer formalisms. In this paper, using timed automata, we extend our previous model checking approach for nuclear I&C systems to account for continuous time. We apply our approach to a reactor protection system case study and show that continuous-time verification is in general feasible, although proving the satisfaction of certain system properties still remains a computational challenge.
... The TLC (TLA Checker) verification method deserves separate attention; it is based on the Temporal Logic of Actions (TLA) of Leslie Lamport, Turing Award laureate [6]. The method has found wide application in industry: in checking the design decisions of Amazon's web services [7], in nuclear power when checking the logic of a nuclear reactor protection system [8], in designing a railway traffic control system, and so on [9]. Despite numerous publications on the study and application of the named method, the question of multithreaded implementation of alternative realizations of the method, in terms of the useful effect obtained from it, remains unaddressed. ...
... They may also be insightful in other aforementioned domains where fault tolerance is achieved with redundant architectures. This paper is an extended version of the work [19]. Compared to [19], we supplement our verification approach with the ability to handle multiple interconnected I&C systems and evaluate it on a more complex case study composed of two four-redundant systems, and a third two-redundant system, performing two different safety functions for reactor shutdown. ...
... This paper is an extended version of the work [19]. Compared to [19], we supplement our verification approach with the ability to handle multiple interconnected I&C systems and evaluate it on a more complex case study composed of two four-redundant systems, and a third two-redundant system, performing two different safety functions for reactor shutdown. In addition, we study different ways of expressing temporal requirements to be verified for such systems, and also perform formal checks of symmetry of function units with respect to their input variables, which is used as the basis for failure model simplification. ...
... To avoid confusion, we note that the PS described above has the same structure as the one from [19], and its complexity is comparable, but its inputs, outputs and implementation (APUs and ALUs) are different as the PS used here is responsible for reactor trip rather than emergency core cooling. ...
Article
Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant computational cost. Previous attempts have led to state space explosion and prohibitively long processing times. In this paper, we present an approach to model and formally verify protection functions allocated to one or several I&C systems, accounting for hardware component failures and delays in communication within and between the systems. Formal verification is done with model checking, whose feasibility on such complex systems is achieved by utilizing the symmetry of I&C systems: the components of the overall model that do not influence the checked requirements are eliminated, and the failing components are fixed. Generation of such abstracted models, as well as subsequent verification of their requirements and symmetry with the NuSMV symbolic model checker, is handled by a software tool. In addition, we explore how to specify formal requirements for systems of the considered class. Based on a case study built around a semi-fictitious nuclear power plant protection system that achieves reliability by means of redundancy, we demonstrate how failure tolerance of even detailed system designs can be formally verified.
... 1.9.4.1.3). 7. Within this thesis, only software faults in automation systems have been covered. Accounting for hardware faults and other hardware phenomena, such as communication delays, has not been accounted for, yet it is an important issue in safety-critical systems [127]. ...
Thesis
Mission-critical systems play an important role in our lives by regulating the production processes of consumer goods and controlling transportation and power plants. Recently, these systems have become more complex due to the advent of Industry 4.0, which has brought about the Internet of Things as well as smart homes and factories. At the same time, automation systems must be correct to fulfill their purpose and safe to interact with humans and prevent disasters from happening. To successfully ensure reliability (correctness and safety), in addition to conventional approaches of testing and simulation, formal methods should be applied. These methods, including model checking and formal model synthesis, increase the safety of systems by means of exhaustive analysis. This thesis considers combined use of three different types of formal methods: verification, synthesis and testing, and as a result it proposes several automated formal reliability assurance approaches for control software. Specifically, it examines three sub-areas of combined use of formal methods. Firstly, the thesis proposes model checking based methods to generate finite-state models of plants and control software. Secondly, it considers the use of generated models in open-loop and closed-loop model checking of automation systems. Thirdly, it explores how model checking can be used to test closed-loop systems. The following key results were obtained: (1) two SAT solver based methods were developed to generate plant and controller finite-state models with the minimum possible number of states; (2) new practical plant model generation methods were developed that are more scalable than the ones known before and support plant modularity; (3) a comprehensive verification methodology was proposed to verify manually created formal models by comparing them with formally synthesized models; and (4) a closed-loop verification approach was proposed that combines testing and model checking. 
From a practical point of view, these results extend the capabilities of modern formal methods to assure the reliability of mission-critical systems. In addition, the approaches proposed in the thesis increase the level of automation of this process. The practical applicability of the developed approaches was shown, in particular for verification of nuclear instrumentation and control systems.