Model checking of I&C software in the Loviisa NPP automation renewal project

Antti Pakonen, Janne Valkonen, Sami Matinaho, Markus Hartikainen

Research output: Conference article in proceedings (Chapter in Book/Report/Conference proceeding), Scientific

Abstract

Model checking is a formal method for verifying hardware and software designs. A software tool called a model checker is used to exhaustively verify that a system model fulfils stated properties. The exhaustiveness means that design errors can be found in systems that have already undergone V&V based on more traditional methods like testing and simulation. In this paper, we discuss the application of model checking in the verification of instrumentation and control (I&C) application software. As a practical example, we look at the third party verification service VTT has provided for Fortum in the Loviisa nuclear power plant automation renewal project. We also introduce the tools developed by VTT and Fortum for the model checking of I&C software based on function block diagrams. The experience of VTT (and others) has shown that the method is very powerful in the evaluation of function block based control software, particularly in safety-critical applications. Indeed, in Finland, model checking is already a well-established part of nuclear industry practices, as VTT has been evaluating the I&C systems of the Olkiluoto 3 plant for STUK, as well as supporting Fortum in the licensing of renewed systems for Loviisa. Fortum has also cooperated with VTT on the development of model checking tools. A graphical toolset based on the open source modelling and simulation platform Simantics has already been put to use in VTT projects. A long term objective is the commercialisation of the tools as part of the Apros product family, as well as integration into different engineering and modelling tools.
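The abstract describes the essence of the method in three sentences: a model of the control logic, a stated property, and a checker that explores every reachable state rather than a sample of test cases. The following example, added here and not taken from the paper or from the VTT/Fortum toolset, shows that idea on a constructed function block diagram: a 2-out-of-3 voter feeding an SR latch that holds a trip demand until an operator RESET. The diagram, the property and the two latch variants are assumptions made for illustration, not Loviisa application software; the checker is a plain explicit-state breadth-first search in Python rather than a production model checker.

```python
"""Minimal explicit-state model checker for a function-block-style trip logic.

Constructed illustration (not from the paper): a 2-out-of-3 voter drives an
SR latch whose output is the trip demand; the RESET input clears the latch.
Two variants of the latch are checked against the same safety property.
"""
from collections import deque
from itertools import product

# Boolean inputs of the constructed block diagram, in a fixed order.
INPUTS = ("s1", "s2", "s3", "reset")

def two_out_of_three(s1, s2, s3):
    """Voter block: true when at least two of the three sensor signals are set."""
    return (int(s1) + int(s2) + int(s3)) >= 2

def step_reset_priority(state, inp):
    """One execution cycle of a reset-dominant latch: RESET overrides SET."""
    vote = two_out_of_three(inp["s1"], inp["s2"], inp["s3"])
    if inp["reset"]:
        trip = False
    else:
        trip = state["trip"] or vote
    return {"trip": trip}

def step_set_priority(state, inp):
    """Same diagram with a set-dominant latch: a live vote always wins over RESET."""
    vote = two_out_of_three(inp["s1"], inp["s2"], inp["s3"])
    trip = vote or (state["trip"] and not inp["reset"])
    return {"trip": trip}

def property_trip_on_vote(state, inp, next_state):
    """Safety property over one transition: if the voter demands a trip in a
    cycle, the trip output must be set at the end of that cycle."""
    if two_out_of_three(inp["s1"], inp["s2"], inp["s3"]):
        return next_state["trip"]
    return True

def model_check(step, prop, initial_state):
    """Exhaustive breadth-first search over all reachable states and all input
    combinations. Returns (True, None) if the property holds on every reachable
    transition, else (False, trace) where trace is a shortest violating input
    sequence from the initial state (the counterexample)."""
    key = lambda st: tuple(sorted(st.items()))
    all_inputs = [dict(zip(INPUTS, bits))
                  for bits in product((False, True), repeat=len(INPUTS))]
    seen = {key(initial_state)}
    queue = deque([(initial_state, [])])
    while queue:
        state, path = queue.popleft()
        for inp in all_inputs:
            nxt = step(state, inp)
            if not prop(state, inp, nxt):
                return False, path + [inp]
            k = key(nxt)
            if k not in seen:
                seen.add(k)
                queue.append((nxt, path + [inp]))
    return True, None

INITIAL = {"trip": False}

if __name__ == "__main__":
    for name, step in (("reset-dominant latch", step_reset_priority),
                       ("set-dominant latch", step_set_priority)):
        ok, trace = model_check(step, property_trip_on_vote, INITIAL)
        print(name + ":", "property holds" if ok else "VIOLATED, counterexample " + repr(trace))
```

The reset-dominant variant fails with a one-cycle counterexample: RESET held in the same cycle in which two sensors exceed the limit masks the trip demand. A test campaign finds this only if someone thinks to drive RESET and a voting event together; the exhaustive search finds it because it tries every input combination from every reachable state, and it reports the shortest offending sequence rather than a pass/fail verdict. The set-dominant variant is proved correct for this property over the whole (here, two-state) state space. Real I&C models have far larger state spaces, with counters, timers and analogue thresholds, which is why dedicated model checkers with symbolic or bounded techniques are used instead of a dictionary of visited states.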
Original language: English
Title of host publication: Automaatio XXI Proceedings
Publication status: Published - 2015
MoE publication type: B3 Non-refereed article in conference proceedings
Event: Automaatio XXI - Helsinki, Finland
Duration: 17 Mar 2015 to 18 Mar 2015

Publication series

Series: Suomen Automaatioseuran julkaisusarja
Volume: 44

Seminar

Seminar: Automaatio XXI
Country: Finland
City: Helsinki
Period: 17/03/15 to 18/03/15

Keywords

  • model checking
  • verification and validation
  • digital I&C
  • nuclear power

Cite this

Pakonen, A., Valkonen, J., Matinaho, S., & Hartikainen, M. (2015). Model checking of I&C software in the Loviisa NPP automation renewal project. In Automaatio XXI Proceedings (Suomen Automaatioseuran julkaisusarja, Vol. 44). Automaatio XXI, Helsinki, Finland, 17 to 18 March 2015. ISBN 978-952-5183-46-7.