# A Verification Framework for FBD based Software in Nuclear Power Plants

JUNBEOM YOO

KONKUK University, Korea jbyoo@konkuk.ac.kr http://dslab.konkuk.ac.kr

## **Other Authors**

### Sungdeok Cha

- Professor in Korea University



### Enukyoung Jee

- PhD Candidate in KAIST



# Contents

- Introduction
  - Safety-Critical Software in Nuclear Power Plants
  - Software Development Process
- Background
  - FBD
- Verification Framework
  - VIS Equivalence Checking
  - SMV Model Checking
  - Case Study
- Conclusion & Future Work

### Introduction

- Safety-Critical Software in Nuclear Power Plants
  - RPS (Reactor Protection System)
  - ESF-CCS (Engineering Safety Features Component Control System)



## Introduction

- A Software Development Process for RPS in KNICS APR-1400 NPP
  - (<u>http://www.knics.re.kr/english/eindex.html</u>)



## Background

- FBD (Function Block Diagram)
  - IEC 61131-3 standard declared 5 programming languages for PLC (ST, LD, IL, SFC, FBD)
  - KNICS consortium decided to use FBD to program KNICS RPS software
  - Sequential Interconnections between function blocks



## **Verification Framework**

- In design phase,
- Two different formal verifications to verify FBD programs efficiently,
- Based on our experience on KNICS RPS for 7 years
  - Equivalence Checking : VIS verification system (ver.2.0)
  - Model Checking : Cadence SMV model checker



# 1. SMV Model Checking

- <u>SMV Model Checking</u> with LTL properties
  - Cadence SMV model checker (<u>http://www.kenmcmil.com/smv.html</u>)
    - An extension of SMV from CMU
    - CTL / LTL model checking
    - Two front-ends
      - SMV input programs (for CTL/LTL properties)
      - Verilog program (for LTL properties)
  - FBD Verifier 1.0 (<u>http://dslab.konkuk.ac.kr/Nuclear-Design/FBD\_Verifier.htm</u>)
    - Translates FBD into Verilog automatically
    - Properties are inserted into Verilog programs (through "assert" statement)
    - Executes Cadence SMV with translated Verilog program seamlessly

- 1. Read an FBD program in standard XML format
- 2. Translate the FBD into an equivalent Verilog program

| 3 PLC                                                  |              | Verilog         |                |                                          | ſ          |
|--------------------------------------------------------|--------------|-----------------|----------------|------------------------------------------|------------|
| 📁 ss Jee\FBD Verifier 1.0 (200611 by jeon)\FBD2V\examp | Ie\FIX_RISIN | D:\Research\(7) | Miss Jee\FBD V | erifier 1.0 (200611 by jeon)\FBD2V\examp | Ie\FIX_RIS |
| IN1 :=                                                 |              | module main (   | clk, HYS,      | MAXCNT, PHYS, PV_OUT);                   | -          |
| ADD (                                                  |              | input clk       |                | —                                        |            |
| IN1 :=                                                 |              | input           | [7:0]          | HYS;                                     |            |
| TSP,                                                   |              | input           | [7:0]          | MAXCNT;                                  |            |
| IN2 :=                                                 |              | input           | [7:0]          | PHYS;                                    |            |
| HYS))                                                  |              | reg             | [7:0]          | PTRIP_CNT;                               | 1          |
|                                                        |              | reg             |                | PTRIP_LOGIC;                             |            |
| TRIP LOGIC :=                                          |              | reg             | [7:0]          | PTSP;                                    |            |
| SEL (                                                  |              | input           | [7:0]          | PV OUT;                                  |            |
| G :=                                                   |              | reg             | [7:0]          | TRIP_CNT;                                |            |
| AND (                                                  |              | reg             |                | TRIP LOGIC;                              |            |
| IN1 :=                                                 |              | reg             | [7:0]          | TSP;                                     |            |
| LT (                                                   |              |                 |                |                                          |            |
| IN1 :=                                                 |              | wire            | [8:0]          | PTRIP_CNT_out;                           |            |
| PV OUT,                                                |              | wire            |                | PTRIP LOGIC 1;                           |            |
| IN2 :=                                                 |              | wire            | [7:0]          | PTSP 1;                                  |            |
| PTSP),                                                 |              | wire            | [8:0]          | TRIP_CNT_out;                            |            |
| IN2 :=                                                 |              | wire            |                | TRIP LOGIC 1;                            |            |
| PTRIP_LOGIC),                                          |              | wire            | [7:0]          | TSP 1;                                   |            |
| INO :=                                                 |              | wire            |                | TRIP_LOGIC_out;                          |            |
| PTRIP LOGIC,                                           |              | wire            | [8:0]          | TSP_out;                                 |            |
| IN1 :=                                                 |              | wire            |                | PTRIP LOGIC out;                         |            |
| 0)                                                     |              | wire            | [8:0]          | PTSP_out;                                |            |
| 102.°C                                                 | _            |                 |                |                                          |            |
| PTSP :=                                                |              | //constan       |                |                                          |            |
| SEL (                                                  |              | assign HYS = 1; |                |                                          |            |
| G :=                                                   | •            | assign MA       | XCNT = 5;      |                                          |            |
|                                                        |              |                 |                |                                          |            |

#### 3. Execute Cadence SMV model checker

| 74 FIX_RISING                                                  | â, v                                                                        |                                |                                             |              |                |              |    |        |          |      |
|----------------------------------------------------------------|-----------------------------------------------------------------------------|--------------------------------|---------------------------------------------|--------------|----------------|--------------|----|--------|----------|------|
| <u>F</u> ile <u>P</u> rop                                      | <u>V</u> iew                                                                | <u>G</u> oto                   | H <u>i</u> story                            | Abstract     | tion           |              |    |        | ŀ        | lelp |
| Browser                                                        | Prope                                                                       | rtiae                          | <u>R</u> esults                             | <u>C</u> one | Usina          | <u>G</u> rou | ne |        |          |      |
|                                                                | FIQPE                                                                       | Tues                           | Results                                     | Goue         | osi <u>n</u> g |              | P2 |        |          |      |
| □ : (top lev<br>- PTRI<br>- PTRI<br>- PTRI<br>- PTRI<br>- PTRI | IP_LOGIC<br>IP_LOGIC<br>IP_LOGIC<br>IP_LOGIC<br>IP_LOGIC<br>P<br>P_1<br>P_2 | )<br>2_1<br>2_2<br>2_3         | ayer                                        |              |                |              |    |        |          |      |
| ₽-PTS                                                          |                                                                             |                                |                                             |              |                |              |    |        |          | -    |
| Source                                                         | Trace                                                                       | Log                            |                                             |              |                |              |    |        |          | ى    |
| <u>s</u> ource                                                 | Trace                                                                       | F.a                            |                                             |              |                |              |    |        |          | - d  |
| Fil <u>e</u> Sho                                               | <u>w</u>                                                                    |                                |                                             |              |                |              |    |        |          |      |
| module ma<br>//con<br>`defi<br>`defi<br>`defi<br>`defi         | nstants<br>ine<br>ine                                                       | HYS<br>PHYS<br>PTSP_K<br>TSP_K | 0                                           |              | ,              |              |    | <br>   | 51_040,7 |      |
| -                                                              | clk;                                                                        |                                |                                             |              |                |              |    |        |          |      |
| reg<br>reg<br>input<br>reg<br>reg                              | ;                                                                           | [7:0]<br>[7:0]<br>[7:0]        | PTRIP_<br>PTSP;<br>PV_OUT<br>TRIP_L<br>TSP; | ·<br>·;      |                |              |    |        |          |      |
| wire                                                           |                                                                             |                                | TRIP L                                      | OGIC 1;      |                |              |    |        |          |      |
| wire<br>wire                                                   |                                                                             | [7:0]                          | TSP_1;<br>TRIP_L                            | .OGIC_2;     |                |              |    |        |          |      |
| wire<br>wire                                                   |                                                                             | [7:0]                          | TSP_2;<br>TRIPI                             | OGIC 3;      |                |              |    |        |          |      |
| wire                                                           |                                                                             | [7:0]                          | TSP_3;                                      | -            |                |              |    |        |          |      |
| outpu<br>outpu                                                 |                                                                             | [7:0]                          | TRIP_L<br>TSP ou                            | OGIC_ou      | t;             |              |    |        |          |      |
| Gaepa                                                          |                                                                             | [ 1.0]                         | ou                                          |              |                |              |    | <br>   |          |      |
|                                                                |                                                                             |                                |                                             |              |                |              |    | i-sear | ch:      |      |

# Case Study

- SMV model checking for KNCIS RPS BP & CP
  - Performed to up-to-date whole KNICS-RPS-SDS231 Rev.02

| System | # of pages of<br>requirements<br>Spec. (Natural lang.) | # of<br>function blocks | # of<br>variables | # of<br>lines in<br>Verilog model |
|--------|--------------------------------------------------------|-------------------------|-------------------|-----------------------------------|
| BP     | 190                                                    | 1,335                   | 1,038             | 7,862                             |
| СР     | 163                                                    | 1,623                   | 820               | 3,085                             |

- Found a few, not many important verification results

| System               |                  | BP  | СР         |
|----------------------|------------------|-----|------------|
| # of Properties      |                  | 216 | 83         |
|                      | Incorrect Logic  | 14  | 6          |
|                      | Omission         | 0   | 2          |
| Found Errors         | Ambiguous Logic  | 4   | 0          |
|                      | Incorrect FBD    | 13  | 5          |
|                      | Incorrect Design | 16  | 0          |
| Total # of Errors    |                  |     | 13         |
| Distinct # of Errors |                  | 10  | <b>3</b> 1 |

# 2. VIS Equivalence Checking

- <u>Behavioral Equivalence Checking</u> between two FBD programs
  - VIS verification system 2.0 (http://embedded.eecs.berkeley.edu/research/vis//)
    - Widely used in hardware design,
      - Simulation
      - CTL model checking
      - Equivalence checking
      - Etc.
    - Reads Verilog program
    - But, no graphical interface
  - VIS Analyzer 1.0 (http://dslab.konkuk.ac.kr/Nuclear-Design/VIS\_Analyzer.htm)
    - Seamless execution of VIS verifications
      - $vl2mv \rightarrow read\_blif\_mv \rightarrow flatten\_hierarchy \rightarrow seq\_verify$ , simulate
    - Automatic reorganization of verification result through VIS simulation

#### 1. Read two Verilog programs

Ready

| Automatic Vis Equivalence Checker                                                                                                                                                          | - d 🛛 🖂                                                                                                                                                                          |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <u>File Run Help</u>                                                                                                                                                                       |                                                                                                                                                                                  |
| Verilog sources Result Result Table                                                                                                                                                        |                                                                                                                                                                                  |
| Verilog 1                                                                                                                                                                                  | Verilog 2                                                                                                                                                                        |
| C:\KC2007\TeX\home\VIS\vis-2.0\examples\RPS\FBD_Verifier\th_X_Pretrip_Manua                                                                                                                | C:\KC2007\TeX\home\VIS\vis-2.0\examples\RPS\FBD_Verifier\th_X_Pretrip_Mech.v                                                                                                     |
| <pre>typedef enum {30, S1} th_X_Pretrip_state;<br/>typedef enum {T0, T1, T2, T3, T4, T5, T6, T7,<br/>T8, T9, T10, T11, T12, T13, T14, T15, T16,<br/>T17, T18, T19, T20} timer_state;</pre> | typedef enum {S0, S1, S2} th_X_Pretrip_state;<br>typedef enum {T0, T1, T2, T3, T4, T5, T6, T7,<br>T8, T9, T10, T11, T12, T13, T14, T15, T16,<br>T17, T18, T19, T20} timer_state; |
| <pre>`define k_Pretrip_Setpoint 30 `define k_X_Pretrip_Hys 10 //`define k_Trip_Delay 20 =</pre>                                                                                            | <pre>`define k_Pretrip_Setpoint 30 `define k_X_Pretrip_Hys 10 //`define k_Trip_Delay 20</pre>                                                                                    |
| <pre>// th_X_Pretrip module module th_X_Pretrip(clk, f_X, th_X_Pretrip);</pre>                                                                                                             | <pre>// th_X_Pretrip module module th_X_Pretrip(clk, f_X, th_X_Pretrip);</pre>                                                                                                   |
| input clk;                                                                                                                                                                                 | input clk;                                                                                                                                                                       |
| <pre>input[0:6] f_X;</pre>                                                                                                                                                                 | <pre>input[0:6] f_X;</pre>                                                                                                                                                       |
| output th_X_Pretrip;                                                                                                                                                                       | output th_X_Pretrip;                                                                                                                                                             |
| //integer wire f_X;                                                                                                                                                                        | //integer wire f_X;                                                                                                                                                              |
| //integer f_X;                                                                                                                                                                             | //integer f_X;                                                                                                                                                                   |
| wire th_X_Pretrip;                                                                                                                                                                         | wire th_X_Pretrip;                                                                                                                                                               |
| th_X_Pretrip_state reg state;                                                                                                                                                              | th_X_Pretrip_state reg state;                                                                                                                                                    |
| reg th_Prev_X_Pretrip;                                                                                                                                                                     | reg th_Prev_X_Pretrip;                                                                                                                                                           |
| timer_state reg timer;                                                                                                                                                                     | timer_state reg timer;                                                                                                                                                           |
| initial state = S1;                                                                                                                                                                        | initial state = SO;                                                                                                                                                              |
| <pre>initial th_Prev_X_Pretrip = 1;</pre>                                                                                                                                                  | <pre>initial th_Prev_X_Pretrip = 1;</pre>                                                                                                                                        |
| initial timer = TO;                                                                                                                                                                        | initial timer = TO;                                                                                                                                                              |
| <pre>assign th_X_Pretrip = (state==30 &amp;&amp; f_X &lt;=<br/>`k_Pretrip_Setpoint - `k_X_Pretrip_Hys)?1:</pre>                                                                            | <pre>wire Cond_a_1;<br/>wire Cond_b_1;<br/>wire Cond_c_1;</pre>                                                                                                                  |
| (state== 30 && f_X >                                                                                                                                                                       | <pre>assign Cond_a_1 = (f_X &gt;= `k_Pretrip_Setpoint);</pre>                                                                                                                    |
| `k_Pretrip_Setpoint - `k_X_Pretrip_Hys &&                                                                                                                                                  | assign Cond_b_1 = ((f_X >=                                                                                                                                                       |
| timer != T5)?1:                                                                                                                                                                            | <pre>`k_Pretrip_Setpoint) &amp;&amp; (timer == T5)); ((agging Cond of 1 = (f X &lt; `k_Pretrip_Setpoint);</pre>                                                                  |
| (state==31 && f_X <                                                                                                                                                                        | <pre>//assign Cond_c_l = (f_X &lt; `k_Pretrip_Setpoint</pre>                                                                                                                     |
|                                                                                                                                                                                            |                                                                                                                                                                                  |

13



### 4. Display a full trace for counterexample

| le <u>R</u> un <u>H</u> elp<br>Verilog sou | rces Result Result | Table       |             |             |            |
|--------------------------------------------|--------------------|-------------|-------------|-------------|------------|
| # state                                    | input              | File1Output | File2Output | File1 State | File2State |
| )                                          | Initial            | Initial     | Initial     | S1 1 T0     | S0 1 T0    |
|                                            | 61                 | 1           | 1           | S1 1 T1     | S1 1 T1    |
| 2                                          | 61                 | 1           | 1           | S1 1 T2     | S1 1 T2    |
| 3                                          | 61                 | 1           | 1           | S1 1 T3     | S1 1 T3    |
| 1                                          | 61                 | 1           | 1           | S1 1 T4     | S1 1 T4    |
| 5                                          | 61                 | 1           | 1           | S1 1 T5     | S1 1 T5    |
| ò                                          | 61                 | 0           | 0           | S0 0 T5     | S2 0 T5    |
| 7                                          | 52                 | 0           | 0           | S0 0 T0     | S2 0 T0    |
| 3                                          | 52                 | 1           | 0           | Null        | Null       |

# **Case Study**

- VIS equivalence checking for KNCIS RPS BP
  - We didn't meet the schedule, so a few official verification results are left only.
    - Requirements: KNICS-RPS-SRS101 Rev.00 (prototype)
    - Original FBD: KNICS-RPS-SDS101 Rev.00 (prototype)
    - Compared FBD: Synthesized automatically from the requirements spec.

Found several errors

| Trip Logic                           | Error Type | <b>Compared FBD</b><br>( <b>Num. of Errors</b> ) | Original FBD<br>(Num. of Errors) |
|--------------------------------------|------------|--------------------------------------------------|----------------------------------|
| Fixed Set-Point Rising Trip          | Syntactic  | 0                                                | 0                                |
| without Operating Bypass             | Logical    | 0                                                | 1                                |
| Manual Reset Variable Set-Point Trip | Syntactic  | 0                                                | 3                                |
| without Operating Bypass             | Logical    | 6                                                | 2                                |

# **Conclusion & Future Work**

- We proposed a software verification framework
  - Target: KNICS RPS
    - HW: PLC (Programmable Logic Controller)
    - SW: FBD (Function Block Diagram)
  - Two verification techniques together
    - SMV Model Checking (Cadence SMV + FBD Verifier)
    - VIS Equivalence Checking (VIS 2.0 + VIS Analyzer)
  - They performed the formal verification of KNICS RPS sufficiently.
- We're planning
  - A combined tool-set (FBD Verifier + VIS analyzer) with enhanced GUIs
  - Enhance through applying to other systems (e.g. ESF-CCS)

