A safety-focused verification using software fault trees

When developing safety-critical software such as reactor protection systems (RPS) in nuclear power plants, a demonstration of software trust (e.g., safety) is not only absolutely essential but also usually mandated by government authorities. While automated generation of fault trees has become possible with the increased use of formal specifications, industrial use of fault trees has been limited primarily to safety demonstrations that the system is free from the behavior captured in the root node. In this paper, we propose to extend the use of automatically generated fault trees for verification purposes. As a fault tree represents an abstract and partial behavioral model of the software, restricted to the credible causes leading to a hazard, it must still satisfy various properties (e.g., fairness, correctness). Verification of a fault tree is useful when developing safety-critical software because (1) it strengthens a safety-focused software development process; (2) it provides an opportunity to detect potentially critical errors early; and (3) it is less likely to experience a state explosion problem. This paper demonstrates how to convert a fault tree into a semantically equivalent logic formula so that it can be subjected to formal verification using tools like Verification Interacting with Synthesis (VIS). We evaluated the feasibility of FTA's applicability as a verification tool on a prototype model of the nuclear power reactor protection system (RPS) software to be deployed in plants under construction in Korea.
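The core step described above, turning a fault tree into an equivalent logic formula and then checking a property of that formula, as an added illustration that is not the paper's own code or its VIS encoding: the gate tree, the event names and the single-point-of-failure property are constructed assumptions, and the formula is plain propositional logic rather than VIS input.

```python
# Added example: a small software fault tree (AND/OR gates over basic events)
# translated into a propositional formula, with minimal cut sets enumerated and
# a simple safety property checked over them.
from itertools import product

# A node is either a basic event (str) or a gate: (gate_type, [children]).
# Constructed sample tree for a hypothetical "trip signal not asserted" hazard.
TREE = ("OR", [
    ("AND", ["sensor_stuck", "watchdog_silent"]),
    ("AND", ["logic_bug", ("OR", ["manual_override", "bypass_active"])]),
])

def basic_events(node):
    """Collect the set of basic events appearing anywhere in the tree."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))

def to_formula(node):
    """Translate the gate structure into an equivalent propositional formula."""
    if isinstance(node, str):
        return node
    gate, children = node
    op = " & " if gate == "AND" else " | "
    return "(" + op.join(to_formula(c) for c in children) + ")"

def evaluate(node, assignment):
    """Evaluate the tree (i.e. its formula) under a truth assignment of basic events."""
    if isinstance(node, str):
        return assignment[node]
    gate, children = node
    vals = [evaluate(c, assignment) for c in children]
    return all(vals) if gate == "AND" else any(vals)

def minimal_cut_sets(node):
    """Enumerate minimal sets of basic events whose joint occurrence forces the top event."""
    events = sorted(basic_events(node))
    cut_sets = []
    for bits in product([False, True], repeat=len(events)):
        assignment = dict(zip(events, bits))
        if evaluate(node, assignment):
            cut_sets.append(frozenset(e for e in events if assignment[e]))
    minimal = {cs for cs in cut_sets if not any(o < cs for o in cut_sets)}
    return sorted(tuple(sorted(cs)) for cs in minimal)

def single_point_failures(node):
    """Property check: basic events that alone cause the hazard (no defence in depth)."""
    return sorted(e for cs in minimal_cut_sets(node) if len(cs) == 1 for e in cs)

if __name__ == "__main__":
    print(to_formula(TREE))
    print(minimal_cut_sets(TREE), single_point_failures(TREE))
```

Exhaustive enumeration is fine for a tree this size; for a generated tree with many events the same property would be handed to a model checker such as VIS, which is the paper's point.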
