qualification of pvs for systematic design verification
play

Qualification of PVS for Systematic Design Verification of a Nuclear - PowerPoint PPT Presentation

Aug 28, 2023 •385 likes •902 views

Qualification of PVS for Systematic Design Verification of a Nuclear Shutdown System Mark Lawford & Many Others McMaster Centre for Software Certification (McSCert) McMaster University Hamilton, ON, Canada Dagstuhl Seminar 15182

  1. Qualification of PVS for Systematic Design Verification of a Nuclear Shutdown System Mark Lawford & Many Others McMaster Centre for Software Certification (McSCert) McMaster University Hamilton, ON, Canada Dagstuhl Seminar 15182 “Qualification of Formal Methods Tools” April 26-29, 2014 Dagstuhl, Germany Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 1 / 40

  2. Outline Outline Prelude 1 Background: How did we get to qualification of PVS? 2 The process & associated implicit “assurance case” 3 Qualification of PVS for Darlington SDS Redesign Current work on Tools and Conclusions 4 Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 2 / 40

  3. Prelude It was In 1997, the year before IEC-61508-3 Ed 1.0 came out. Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 3 / 40

  4. Prelude It was In 1997, the year before IEC-61508-3 Ed 1.0 came out. I turned down an NSERC Postdoctoral award to go work on an industrial problem related to my thesis work - verification of real-time controls software. For the next two years I wound up learning about theorem provers and had to qualify and use PVS for the Systematic Design Verification of the Nuclear Generating Station that was on the way to my parent’s place. If it was 2010 or 2011, I could have used IEC-61508-3 (ed 2.0) and IEC 61508-4 (ed 2.0) and life would have been much easier. Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 3 / 40

  5. Prelude It was In 1997, the year before IEC-61508-3 Ed 1.0 came out. I turned down an NSERC Postdoctoral award to go work on an industrial problem related to my thesis work - verification of real-time controls software. For the next two years I wound up learning about theorem provers and had to qualify and use PVS for the Systematic Design Verification of the Nuclear Generating Station that was on the way to my parent’s place. If it was 2010 or 2011, I could have used IEC-61508-3 (ed 2.0) and IEC 61508-4 (ed 2.0) and life would have been much easier. My memory of events may be fuzzy. Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 3 / 40

  6. Background: How did we get to qualification of PVS? In the late 1980s industry kicked the first two soft- ware based SDS com- puter controlled safety systems in Canadia Nu- clear industry over the wall to the regulator and said “approve it!” Each system had ap- prox. 84 monitored variables 27 controlled variables Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 4 / 40

  7. Background: How did we get to qualification of PVS? In the late 1980s industry kicked the first two soft- ware based SDS com- puter controlled safety systems in Canadia Nu- clear industry over the wall to the regulator and said “approve it!” Each system had ap- prox. 84 monitored variables 27 controlled variables Regulator response: Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 4 / 40

  8. Background: How did we get to qualification of PVS? In the late 1980s industry kicked the first two soft- ware based SDS com- puter controlled safety systems in Canadia Nu- clear industry over the wall to the regulator and said “approve it!” Each system had ap- prox. 84 monitored variables 27 controlled variables Regulator response: Software? Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 4 / 40

  9. Background: How did we get to qualification of PVS? In the late 1980s industry kicked the first two soft- ware based SDS com- puter controlled safety systems in Canadia Nu- clear industry over the wall to the regulator and said “approve it!” Each system had ap- prox. 84 monitored variables 27 controlled variables Regulator response: Software? WTF? Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 4 / 40

  10. Background: How did we get to qualification of PVS? Regulator Reaction to the Originial Darlington SDS Regulator brought in David Parnas as a consultant. He concluded: The software was developed (and documented), but the requirements documents were not detailed enough. Despite this deficiency, a surprisingly rigorous and comprehensive testing regime had already been developed. Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 5 / 40

  11. Background: How did we get to qualification of PVS? Regulator Reaction to the Originial Darlington SDS Regulator brought in David Parnas as a consultant. He concluded: The software was developed (and documented), but the requirements documents were not detailed enough. Despite this deficiency, a surprisingly rigorous and comprehensive testing regime had already been developed. Dave’s recommendation: develop tabular requirements specification/design for each existing 1 code module from requirements documents and domain experts create tables from the code for each program function by 2 eliminating intermediate variables independent verification team then tries to (manually) prove tables 3 are equivalent Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 5 / 40

  12. Background: How did we get to qualification of PVS? Outcome of the First Darlington Licensing How OPG met regulator expectations Tables were created from both requirements & code in excel spreadsheets Independent team tried to show their were equivalent by manually transforming and composing tables to create new tables in excel spreadsheets. Extensive review of the transformations was used to eliminate single point of failure in process. Regulator was satisfied that system would operate safely but was not maintainable System was licensed for fixed number of years on condition that the software would be redesigned to be maintainable Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 6 / 40

  13. Background: How did we get to qualification of PVS? Outcome of the First Darlington Licensing How OPG met regulator expectations Tables were created from both requirements & code in excel spreadsheets Independent team tried to show their were equivalent by manually transforming and composing tables to create new tables in excel spreadsheets. Extensive review of the transformations was used to eliminate single point of failure in process. Regulator was satisfied that system would operate safely but was not maintainable System was licensed for fixed number of years on condition that the software would be redesigned to be maintainable OPG realized they needed a rigorous approach in order to cost effectively develop safety critical software. Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 6 / 40

  14. Background: How did we get to qualification of PVS? What Original Darlington Experience Taught Us Dialog with the regulator is essential: To make the process affordable and deterministic for industry To make it possible for the regulator to “assessing” a system with a reasonable amount of effort. Verification in one step from code to (low-level) requirements was often too large and complex. reverse engineering tabular specifications for requirements and the code was very expensive and labour intensive Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 7 / 40

  15. Background: How did we get to qualification of PVS? What Original Darlington Experience Taught Us Dialog with the regulator is essential: To make the process affordable and deterministic for industry To make it possible for the regulator to “assessing” a system with a reasonable amount of effort. Verification in one step from code to (low-level) requirements was often too large and complex. reverse engineering tabular specifications for requirements and the code was very expensive and labour intensive Automation and tool support is essential! Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 7 / 40

  16. Background: How did we get to qualification of PVS? What Original Darlington Experience Taught Us Dialog with the regulator is essential: To make the process affordable and deterministic for industry To make it possible for the regulator to “assessing” a system with a reasonable amount of effort. Verification in one step from code to (low-level) requirements was often too large and complex. reverse engineering tabular specifications for requirements and the code was very expensive and labour intensive Automation and tool support is essential! ⇒ Tool qualification on the redesign! Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 7 / 40

  17. The process & associated implicit “assurance case” The Darlington SDS Redesign Project OPG worked with the regulator to get agreement on: what would be an acceptable development process what evidence would be sufficient for licensing For the SDS Redesign Project formal techniques were integrated in the forward development process. Forward development process produced evidence for certification/evaluation Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 8 / 40

  18. The process & associated implicit “assurance case” Using Information Hiding 60 modules 280 access programs 40,000 lines of code (including comments) 33,000 FORTRAN 7,000 assembler 84 monitored variables 27 controlled variables Lawford et al. (McSCert) Dagstuhl 15182 2015/04/28 9 / 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

VLSI Design Verification and Test Simulation CMPE 646 Design Verification Simulation used for 1) design verification : verify the correctness of the design and 2) test verification. Design verification: Specification Critical or

426 views • 15 slides
Design Verification with e The language e Contains all the constructs necessary

Design Verification with e The language e Contains all the constructs necessary

Design Verification with e The language e Contains all the constructs necessary for a complete verification tool Allows objects in the verification environment to be extended Needs to express constraints Coverage

946 views • 80 slides
Report - BY CA M A H E N D R A SA N G H V I 2 Few samples of observation which one can

Report - BY CA M A H E N D R A SA N G H V I 2 Few samples of observation which one can

Clauses of Tax Audit Report - BY CA M A H E N D R A SA N G H V I 2 Few samples of observation which one can consider to clarify in Form 3CB are: Sr Qualification Type Observation/Qualification No. 1. Records produced for verification of

1.15k views • 89 slides
CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test,

CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test,

CMPE 646: VLSI Design Verification and Test Course: CMPE 646: VLSI Design Verification and Test, Fall 2006. 3 credits. Course Instructor: Dr. Jim Plusquellic, Professor of Computer Science & Electrical Engineering Office: ECS 212,

760 views • 3 slides
SYSTEMATIC METHODS FOR SOLVENT DESIGN: TOWARDS BETTER REACTIVE PROCESSES Eirini Siougkrou

SYSTEMATIC METHODS FOR SOLVENT DESIGN: TOWARDS BETTER REACTIVE PROCESSES Eirini Siougkrou

SYSTEMATIC METHODS FOR SOLVENT DESIGN: TOWARDS BETTER REACTIVE PROCESSES Eirini Siougkrou National Technical University of Athens KT Consortium annual meeting, DTU 8 June 2017 Outline Systematic methods for solvent design A

539 views • 42 slides
Design, development and qualification of advanced fuels for an industrial ADS prototype F.

Design, development and qualification of advanced fuels for an industrial ADS prototype F.

Design, development and qualification of advanced fuels for an industrial ADS prototype F. Delage, A. Fernandez-Carretero, C. Matzerath-Boccaccini, X.-N. Chen, E. DAgata, F. Klaassen, W. Maschek, J.P. Ottaviani, A. Rineiski, V. Sobolev, J.P.

343 views • 11 slides
Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design Verification Design Standards Design Verification Verification Methods Approaches State Machines Program Tracing Program Correctness

499 views • 3 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (April 13, 2000 6:35 pm) I E S R

UMBC A B M A L T F O U M B C I M Y O R T 1 (April 13, 2000 6:35 pm) I E S R

Advanced VLSI Design VLSI Simulation CMPE 414/CMSC 691x Overview Design Automation is essential in dealing with the complexity of IC design and verification. There are a wide range of tools available: Analysis and verification tools to

388 views • 16 slides
Lurking and Learning: Progression through the Design and Innovation Qualification Nicole Lotz,

Lurking and Learning: Progression through the Design and Innovation Qualification Nicole Lotz,

Lurking and Learning: Progression through the Design and Innovation Qualification Nicole Lotz, Derek Jones, and Georgy Holden Background eSTEeM funded project coming to a close in Summer Progression in OpenDesignStudio Social learning

143 views • 12 slides
Australian Learning & Qualification Program Agenda 1. New Leadership Qualification 2.

Australian Learning & Qualification Program Agenda 1. New Leadership Qualification 2.

Australian Learning & Qualification Program Agenda 1. New Leadership Qualification 2. Implementation and next steps Leadership Qualification (LQ) ALQP replaces AALP New name is Australian Learning & Qualification Program

773 views • 54 slides
A Comparison of Analysis Techniques for Systematic Instructional Design BY RICHARD RD THRI

A Comparison of Analysis Techniques for Systematic Instructional Design BY RICHARD RD THRI

A Comparison of Analysis Techniques for Systematic Instructional Design BY RICHARD RD THRI RIPP, M M.A. FEBRUARY 15, 2017 PRESENTED IN EME 7634: ADVANCED INSTRUCTIONAL DESIGN AT UNIVERSITY OF CENTRAL FLORIDA ASSI SIGNMENT NT 3: A ANAL

706 views • 13 slides
PROGRAM VERIFICATION SCHEMATIC DESIGN DESIGN DEVELOPMENT CONSTRUCTION DOCUMENTS CONSTRUCTION

PROGRAM VERIFICATION SCHEMATIC DESIGN DESIGN DEVELOPMENT CONSTRUCTION DOCUMENTS CONSTRUCTION

9-22-16: 10-6-16 BUILDING PRELIMINARY REVIEW BOARD OF COMMISSION DOCUMENTS COMPLETE REGENTS MEETING. AUTHORITY TO 9-22-16: CONSTRUCT DESIGN REPORT COMPLETE PROGRAM VERIFICATION SCHEMATIC DESIGN DESIGN DEVELOPMENT CONSTRUCTION

334 views • 6 slides
Flight Readiness Review Presentation Vanderbilt Aerospace Design Lab Vanderbilt Aerospace Design

Flight Readiness Review Presentation Vanderbilt Aerospace Design Lab Vanderbilt Aerospace Design

Flight Readiness Review Presentation Vanderbilt Aerospace Design Lab Vanderbilt Aerospace Design Lab: FRR 3/6/2017 Meeting Agenda Mission Overview Vehicle Design & Verification Payload Design & Verification Launch Results Ground

980 views • 66 slides
Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification

Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification

Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification Trustworthy Systems Laboratory Verification and Validation for Safety in Robots, Bristol Robotics Laboratory Verification and Validation for Safety

1.29k views • 72 slides
Whole Systems Energy Transparency Kerstin Eder Design Automation and Verification,

Whole Systems Energy Transparency Kerstin Eder Design Automation and Verification,

Whole Systems Energy Transparency Kerstin Eder Design Automation and Verification, Microelectronics Verification and Validation for Safety in Robots, Bristol Robotics Laboratory Department of COMPUTER SCIENCE Whole More power Systems to

1.25k views • 96 slides
Computer-Supported Program Verification with PVS Wolfgang Schreiner

Computer-Supported Program Verification with PVS Wolfgang Schreiner

Computer-Supported Program Verification with PVS Wolfgang Schreiner Wolfgang.Schreiner@risc.uni-linz.ac.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.uni-linz.ac.at Wolfgang

606 views • 41 slides
Lost in Translation: The PVS Prover Landscape N. Shankar shankar@csl.sri.com URL:

Lost in Translation: The PVS Prover Landscape N. Shankar shankar@csl.sri.com URL:

Lost in Translation: The PVS Prover Landscape N. Shankar shankar@csl.sri.com URL: http://www.csl.sri.com/shankar/ Computer Science Laboratory SRI International Menlo Park, CA 1 Overview The goal of this

433 views • 17 slides
Recent PVS Language Developments Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/

Recent PVS Language Developments Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/

Recent PVS Language Developments Sam Owre owre@csl.sri.com URL: http://www.csl.sri.com/~owre/ Computer Science Laboratory SRI International Menlo Park, CA August 21, 2006 Sam Owre AFM06 tutorial: 1 Recent PVS

518 views • 28 slides
Meta-heuristic optimization Nenad Mladenovi c , Mathematical Institute, Serbian Academy of

Meta-heuristic optimization Nenad Mladenovi c , Mathematical Institute, Serbian Academy of

Meta-heuristic optimization Nenad Mladenovi c , Mathematical Institute, Serbian Academy of Sciences and Arts, Belgrade, Serbia Department of Mathematics, Brunel University London UK. Optimization problems (continuous-discrete,

459 views • 25 slides
The Correctness of a Code Generator for a Functional Language Nathana el Courant September 8,

The Correctness of a Code Generator for a Functional Language Nathana el Courant September 8,

The Correctness of a Code Generator for a Functional Language Nathana el Courant September 8, 2017 Nathana el Courant Verified code generation September 8, 2017 1 / 21 Context PVS: interactive proof assistant Specification language

383 views • 27 slides
caputRecorder R1-4 Tim Mooney May, 2015 This work is supported by the U.S. Department of Energy,

caputRecorder R1-4 Tim Mooney May, 2015 This work is supported by the U.S. Department of Energy,

caputRecorder R1-4 Tim Mooney May, 2015 This work is supported by the U.S. Department of Energy, Basic Energy Sciences, Office of Science, under contract DE-AC02-06CH11357. Argonne National Laboratory A U.S. Department of Energy Office of

439 views • 9 slides
MilliQan - A Search for Milli-Charged Particles Jim Brooke Thanks to C. Hill (OSU) and M. Citron

MilliQan - A Search for Milli-Charged Particles Jim Brooke Thanks to C. Hill (OSU) and M. Citron

MilliQan - A Search for Milli-Charged Particles Jim Brooke Thanks to C. Hill (OSU) and M. Citron (UCSB) ock for letting me borrow slides ! horizontal plane is Clearance to gallery boundaries is ~30 Millikans Oil Drop Experiment Produce

1.2k views • 50 slides
Automatically Finding Theory Morphisms for Knowledge Management uller 1 Florian Rabe 1,2 Michael

Automatically Finding Theory Morphisms for Knowledge Management uller 1 Florian Rabe 1,2 Michael

1 Automatically Finding Theory Morphisms for Knowledge Management uller 1 Florian Rabe 1,2 Michael Kohlhase 1 Dennis M Computer Science, FAU Erlangen-N urnberg LRI, Universit e Paris Sud August 13, 2018 Introduction 2 Introduction

188 views • 14 slides

More recommend