Application of Tabular Methods to the Specification and Verification of a Nuclear Reactor Shutdown System

This paper describes the use of tabular methods at Ontario Power Generation Inc. (OPGI) on the Darlington Nuclear Generating Station Shutdown System (SDS) Trip Computer Software Redesign Project. We first motivate the selection of tabular methods and provide an overview of the Systematic Design Verification (SDV) procedure. After reviewing some preliminary concepts, the paper describes how the Software Engineering Standards and Methods (SESM) Tool suite is used with SRI's automated proof assistant, PVS, to provide tool support for the use of tabular methods in the software engineering process. Examples based upon the Systematic Design Verification of an actual SDS subsystem are used to illustrate the benefits and limitations of the current implementation of the formal method. Finally, the paper discusses related work, draws conclusions regarding the effectiveness of the method and examines how its limitations can be addressed by further theoretical and applied work.
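The abstract names the two ingredients of the approach: tabular specifications and a Systematic Design Verification that checks a design against its requirements with PVS. The following added illustration (not code from the paper, OPGI or the SESM tools) shows what those proof obligations look like on a toy condition table: each table must be disjoint (no two rows apply at once) and complete (some row always applies), and the design table must produce the same result as the requirements table on every input. PVS discharges such obligations by proof; here they are discharged by exhaustive enumeration over a small constructed domain. The trip parameter, setpoint, deadband and row names are assumptions made for the example.

```python
"""Tabular specification checks in the style of a Systematic Design Verification.
Added illustration; setpoint, deadband and row names are constructed, not taken
from the paper or the SESM tool suite."""
from itertools import combinations
from typing import Callable, Dict, List, Tuple

State = Dict[str, object]
Row = Tuple[str, Callable[[State], bool], str]   # (row name, condition, result)
Table = List[Row]

# Constructed trip parameter: reading p trips at SETPOINT and clears only after
# falling below SETPOINT - DEADBAND (hysteresis); prev is the previous trip
# state. Hypothetical values chosen for the example.
SETPOINT = 100
DEADBAND = 5

def in_band(s: State) -> bool:
    return SETPOINT - DEADBAND <= s["p"] < SETPOINT

# Requirements table: rows must be pairwise disjoint and jointly exhaustive.
REQ_TABLE: Table = [
    ("above",     lambda s: s["p"] >= SETPOINT,                 "TRIP"),
    ("band_trip", lambda s: in_band(s) and s["prev"] == "TRIP", "TRIP"),
    ("band_ok",   lambda s: in_band(s) and s["prev"] == "OK",   "OK"),
    ("below",     lambda s: s["p"] < SETPOINT - DEADBAND,       "OK"),
]

# Draft design table with a boundary defect: it uses p > SETPOINT and widens
# the band to include SETPOINT, so p == SETPOINT with prev == "OK" no longer
# trips. The table is still disjoint and complete on its own, which is why a
# separate requirements-versus-design comparison is needed.
def in_band_draft(s: State) -> bool:
    return SETPOINT - DEADBAND <= s["p"] <= SETPOINT

DESIGN_DRAFT: Table = [
    ("above",     lambda s: s["p"] > SETPOINT,                        "TRIP"),
    ("band_trip", lambda s: in_band_draft(s) and s["prev"] == "TRIP", "TRIP"),
    ("band_ok",   lambda s: in_band_draft(s) and s["prev"] == "OK",   "OK"),
    ("below",     lambda s: s["p"] < SETPOINT - DEADBAND,             "OK"),
]

# Finite input domain (constructed) so the obligations can be checked by
# enumeration instead of by a theorem prover.
DOMAIN: List[State] = [{"p": p, "prev": prev}
                       for p in range(SETPOINT - 10, SETPOINT + 11)
                       for prev in ("OK", "TRIP")]

def check_disjoint(table: Table, domain: List[State]) -> List[Tuple[str, str, State]]:
    """States on which two rows both apply (should be empty)."""
    return [(a[0], b[0], s) for s in domain
            for a, b in combinations(table, 2) if a[1](s) and b[1](s)]

def check_complete(table: Table, domain: List[State]) -> List[State]:
    """States that no row covers (should be empty)."""
    return [s for s in domain if not any(cond(s) for _, cond, _ in table)]

def evaluate(table: Table, s: State) -> str:
    """Result of the unique applicable row; meaningful only once both checks pass."""
    matches = [res for _, cond, res in table if cond(s)]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} rows apply to {s}")
    return matches[0]

def compare(req: Table, design: Table, domain: List[State]) -> List[Tuple[State, str, str]]:
    """Inputs on which the design disagrees with the requirements."""
    return [(s, evaluate(req, s), evaluate(design, s)) for s in domain
            if evaluate(req, s) != evaluate(design, s)]

if __name__ == "__main__":
    for name, t in (("requirements", REQ_TABLE), ("design draft", DESIGN_DRAFT)):
        print(name, "disjoint:", not check_disjoint(t, DOMAIN),
              "complete:", not check_complete(t, DOMAIN))
    for s, want, got in compare(REQ_TABLE, DESIGN_DRAFT, DOMAIN):
        print("mismatch at", s, "requirements say", want, "design says", got)
```

Both tables pass the disjointness and completeness checks, yet the comparison reports the single state `p == 100, prev == "OK"` where the draft fails to trip; on an infinite or large domain the same three obligations would be stated as PVS lemmas and proved rather than enumerated.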
