Verification of Fault-Tolerant System Architectures Using Model Checking

Model checking is a formal method that has proven useful for verifying, for example, the logic designs of safety systems used in nuclear power plants. Nuclear plants, however, achieve fault tolerance through redundant subsystems, and a formal system-level analysis that accounts for both the detailed logic design of the systems and the potential failures of the hardware equipment is a difficult challenge. In this work we have created a new methodology for modelling hardware failures and used it to verify the fault tolerance of the plant with model checking. We took an example probabilistic risk assessment (PRA) model of a fictional nuclear power plant as a reference and created a corresponding model checking model that covers several of the plant's safety systems. Using this plant-level model we verified several safety properties of the plant, analysed its fault tolerance with respect to these properties, and applied abstraction techniques to manage the size of the plant-level model. Our work is a step towards exhaustively verifying properties on a single model that covers the entire plant. The developed methodology follows the notations of PRA analysis closely and serves as a basis for further integration of the two approaches.
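The abstract describes the core idea at a high level: inject PRA-style basic events (hardware failures) into a model of the safety logic, model-check a safety property, and ask which failure combinations break it. The following is an added, self-contained illustration of that idea and is not the authors' model, tooling or plant; it reduces the approach to a small explicit-state model checker in Python. Everything in it is assumed for illustration: a hypothetical trip function with three sensor channels voted 2-out-of-3 by two redundant logic divisions, a sealed-in trip latch, basic events named `sensor1..3`, `div_a`, `div_b` (each modelled as "stuck low"), and the invariant "pressure high for two consecutive cycles implies the trip is actuated". The reachability search returns a counterexample trace (the sequence of pressure inputs) when the invariant fails, and the cut-set enumeration reports the minimal failure combinations that cause a violation, which is the PRA notion the abstract refers to.

```python
from collections import deque
from itertools import combinations

# Hypothetical PRA basic events that can be injected into the model
# (each is modelled as the component's output stuck at 0).
BASIC_EVENTS = ("sensor1", "sensor2", "sensor3", "div_a", "div_b")

# State = (high_count, s1, s2, s3, trip)
#   high_count: observer counting consecutive cycles with high pressure (0..2)
#   s1..s3:     registered outputs of the three sensor channels (last cycle)
#   trip:       sealed-in trip actuation latch
INITIAL = (0, 0, 0, 0, 0)


def vote_2oo3(a, b, c):
    """Two-out-of-three majority vote, as used by each logic division."""
    return (a + b + c) >= 2


def step(state, pressure_high, failures):
    """One clock cycle of the hypothetical trip system under a failure set."""
    high_count, s1, s2, s3, trip = state
    # Both redundant divisions vote on the sensor values registered last cycle.
    vote = int(vote_2oo3(s1, s2, s3))
    div_a = 0 if "div_a" in failures else vote
    div_b = 0 if "div_b" in failures else vote
    trip_next = int(trip or div_a or div_b)  # 1-out-of-2 divisions, sealed in
    # Sensors sample the current process value; a failed sensor reads 0.
    s_next = tuple(
        0 if f"sensor{i}" in failures else int(pressure_high) for i in (1, 2, 3)
    )
    # Observer: saturating counter of consecutive high-pressure cycles.
    high_next = min(2, high_count + 1) if pressure_high else 0
    return (high_next, *s_next, trip_next)


def invariant(state):
    """Safety property: two consecutive high-pressure cycles imply a trip."""
    high_count, _, _, _, trip = state
    return high_count < 2 or trip == 1


def check(failures=frozenset()):
    """Explicit-state BFS over all reachable states for a fixed failure set.
    Returns None if the invariant holds everywhere reachable, otherwise the
    shortest input sequence (pressure_high per cycle) reaching a violation."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace, cur = [], s
            while parent[cur] is not None:
                prev, inp = parent[cur]
                trace.append(inp)
                cur = prev
            return list(reversed(trace))
        for p in (0, 1):  # pressure is a free (nondeterministic) input
            n = step(s, p, failures)
            if n not in parent:
                parent[n] = (s, p)
                queue.append(n)
    return None


def minimal_cut_sets(max_order=len(BASIC_EVENTS)):
    """Enumerate failure combinations by increasing order; keep those that
    violate the invariant and are not supersets of an already found cut set."""
    cut_sets = []
    for order in range(1, max_order + 1):
        for combo in combinations(BASIC_EVENTS, order):
            fs = frozenset(combo)
            if any(cs <= fs for cs in cut_sets):
                continue  # contains a known cut set, so not minimal
            if check(fs) is not None:
                cut_sets.append(fs)
    return cut_sets


def fault_tolerance_order():
    """Largest k such that every combination of at most k failures is tolerated."""
    mcs = minimal_cut_sets()
    return min(len(cs) for cs in mcs) - 1 if mcs else len(BASIC_EVENTS)


if __name__ == "__main__":
    print("no failures:", check())
    for cs in minimal_cut_sets():
        print("minimal cut set", sorted(cs), "counterexample inputs", check(cs))
    print("tolerated failure order:", fault_tolerance_order())
```

In this toy model every single failure is tolerated, and the minimal cut sets are the three pairs of failed sensors plus the pair of failed divisions. A real plant-level model of the kind the abstract describes has far too many states for a hand-written BFS, which is why the authors rely on a model checker and on abstraction, but the structure of the analysis (failure variables fixed per configuration, an observer for the property, a counterexample trace on violation, cut sets ordered by size) is the same.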
