Model checking of I&C software in the Loviisa NPP automation renewal project

Antti Pakonen, Janne Valkonen, Sami Matinaho, Markus Hartikainen

    Research output: Chapter in Book/Report/Conference proceeding; Conference article in proceedings; Scientific

    Abstract

    Model checking is a formal method for verifying hardware and software designs. A software tool called a model checker is used to exhaustively verify that a system model fulfils stated properties. Because the check is exhaustive, design errors can be found in systems that have already undergone V&V based on more traditional methods such as testing and simulation. In this paper, we discuss the application of model checking in the verification of instrumentation and control (I&C) application software. As a practical example, we look at the third-party verification service VTT has provided for Fortum in the Loviisa nuclear power plant automation renewal project. We also introduce the tools developed by VTT and Fortum for the model checking of I&C software based on function block diagrams. The experience of VTT (and others) has shown that the method is very powerful in the evaluation of function-block-based control software, particularly in safety-critical applications. Indeed, in Finland, model checking is already a well-established part of nuclear industry practice, as VTT has been evaluating the I&C systems of the Olkiluoto 3 plant for STUK, as well as supporting Fortum in the licensing of renewed systems for Loviisa. Fortum has also cooperated with VTT on the development of model checking tools. A graphical toolset based on the open source modelling and simulation platform Simantics has already been put to use in VTT projects. A long-term objective is the commercialisation of the tools as part of the Apros product family, as well as integration into different engineering and modelling tools.
    Original language: English
    Title of host publication: Automaatio XXI Proceedings
    Publication status: Published - 2015
    MoE publication type: B3 Non-refereed article in conference proceedings
    Event: Automaatio XXI - Helsinki, Finland
    Duration: 17 Mar 2015 to 18 Mar 2015

    Publication series

    Series: Suomen Automaatioseuran julkaisusarja
    Volume: 44

    Seminar

    Seminar: Automaatio XXI
    Country: Finland
    City: Helsinki
    Period: 17/03/15 to 18/03/15

    Fingerprint

    Model checking
    Automation
    Nuclear industry
    Formal methods
    Software design
    Application programs
    Nuclear power plants
    Hardware
    Testing

    Keywords

    • model checking
    • verification and validation
    • digital I&C
    • nuclear power

    Cite this

    Pakonen, A., Valkonen, J., Matinaho, S., & Hartikainen, M. (2015). Model checking of I&C software in the Loviisa NPP automation renewal project. In Automaatio XXI Proceedings. Suomen Automaatioseuran julkaisusarja, Vol. 44.
    @inproceedings{cd5a95238354496a8582501475938547,
    title = "Model checking of I&C software in the Loviisa NPP automation renewal project",
    abstract = "Model checking is a formal method for verifying hardware and software designs. A software tool called a model checker is used to exhaustively verify that a system model fulfils stated properties. The exhaustiveness means that design errors can be found in systems that have already undergone V&V based on more traditional methods like testing and simulation. In this paper, we discuss the application of model checking in the verification of instrumentation and control (I&C) application software. As a practical example, we look at the third party verification service VTT has provided for Fortum in the Loviisa nuclear power plant automation renewal project. We also introduce the tools developed by VTT and Fortum for the model checking of I&C software based on function block diagrams. The experience of VTT (and others) has shown that the method is very powerful in the evaluation of function block based control software, particularly in safety-critical applications. Indeed, in Finland, model checking is already a well-established part of nuclear industry practices, as VTT has been evaluating the I&C systems of the Olkiluoto 3 plant for STUK, as well as supporting Fortum in the licensing of renewed systems for Loviisa. Fortum has also cooperated with VTT on the development of model checking tools. A graphical toolset based on the open source modelling and simulation platform Simantics has already been put to use in VTT projects. A long term objective is the commercialisation of the tools as part of the Apros product family, as well as integration into different engineering and modelling tools.",
    keywords = "model checking, verification and validation, digital I&C, nuclear power",
    author = "Antti Pakonen and Janne Valkonen and Sami Matinaho and Markus Hartikainen",
    note = "CA2: BA2141 Project code: 102392 AU2: Pakonen, Antti AU2: Valkonen, Janne",
    year = "2015",
    language = "English",
    isbn = "13 978-952-5183-46-7",
    series = "Suomen Automaatioseuran julkaisusarja",
    booktitle = "Automaatio XXI Proceedings",

    }
