Software certification experience in the Canadian nuclear industry: Lessons for the future

The computer-controlled shutdown systems for the Nuclear Power Generating Station at Darlington, Canada, have been subject to licensing scrutiny on a number of occasions. After the first licence was approved in 1990, the licensee, Ontario Hydro, was given a number of years by the regulator to redesign the shutdown systems so that they would be more maintainable. This paper briefly describes the original certification process, the lessons learned, and the subsequent development and certification of the shutdown systems. The development process, the internal certification process and the regulator's certification process are each briefly described. Although twenty years have elapsed since this work started, and there are new analysis techniques and tools that could be applied today, the original process itself has withstood the test of time extraordinarily well. This paper describes the principles that explain why it was so successful, and how more modern approaches can be developed from this experience.
