FBDVerifier: Interactive and Visual Analysis of Counterexample in Formal Verification of Function Block Diagram

Copyright© 2010, Australian Computer Society Inc. General permission to republish, but not for profit, all or part of this material is granted, provided that the JRPIT copyright notice is given and that reference is made to the publication, to its date of issue, and to the fact that reprinting privileges were granted by permission of the Australian Computer Society Inc. Model checking is often applied to verify safety-critical software implemented in programmable logic controller (PLC) language such as a function block diagram (FBD). Counterexamples generated by a model checker are often too lengthy and complex to analyze. This paper describes the FBDVerifier which allows domain experts to perform automated model checking and intuitive visual analysis of counterexamples without having to know technical details on temporal logic or the model checker. Once the FBD program is automatically translated into a semantically equivalent Verilog model and model checking is performed using SMV, users can enter various expressions to investigate why verification of certain properties failed. When applied to FBD programs implementing a shutdown system for a nuclear power plant, domain engineers were able to perform effective FBD verification and detect logical errors in the FBD design. 1. INTRODUCTION Formal methods, especially model checking, are widely accepted as a useful technique when verifying behaviour of safety-critical embedded software. Such a trend is also true in the nuclear industry where Programmable Logic Controller (PLC) based software is increasingly replacing traditional analog systems (NRC, 1997). As an example, Korea Nuclear Instrumentation & Control System R&D Center (KNICS) has developed a reactor protection system (RPS) in Function Block Diagram (FBD) which is one of the widely used PLC programming languages defined in the IEC standard. Model checking has been applied to FBD design as a part of its safety assurance program. When performing model checking, despite the advantage that the process is fully automated, one encounters the following challenges: (1) state explosion, and (2) counterexample analysis often requires tracking values of several hundred variables over several hundred or thousand steps (See Figure 6 for an example). Although efficient counterexample analysis has not received as much research attention as the state explosion problem, it is one of the most significant and practical obstacles that domain engineers face on real-world projects. In addition, temporal logic theory and notation often causes engineers to avoid using model checking techniques altogether. For example, our target system, KNICS RPS, has a natural …