Number of slides: 19
Fault Tree-based Software Safety Analysis of Function Block Diagrams June 12, 2007 Kwang Yong Koh Dept. of Nuclear and Quantum Engineering KAIST
Table of Contents Introduction Related Work Failure Modes of FBDs Template-Based FT Generation from FBDs Case Study (DNBR_Lo_Trip) Summary and Conclusion References
Introduction Software safety has become a critical issue in the nuclear power plant domain because traditional analog systems are being replaced by Programmable Logic Controller (PLC) based software [1]. As PLCs are often used to implement safety-critical embedded software, rigorous safety demonstration of PLC code is necessary. Function block diagram (FBD) is a standard application programming language for PLCs [2]. Software HAZOP and Software Fault Tree Analysis (SFTA) [3] on the FBD design are usually performed before executable code is automatically generated. Manual application of FTA to FBDs is not only labor-intensive and time-consuming but also potentially error-prone, because the quality of the analysis depends heavily on the capability of the analyst.
Introduction (Cont’d) In an effort to perform safety analysis of FBD programs efficiently and correctly, we define fault tree templates for each FBD function block and propose a semiautomatic FTA process. We applied the proposed method to software safety analysis of partial FBD programs of a fully digitalized reactor protection system (RPS), called IDiPS, which is currently being developed under the KNICS project [4].
Related Work Function Block Diagram (FBD) FBD is widely used because of its graphical notation and its usefulness in applications with a high degree of data flow among control components. FBD defines system behavior in terms of the flow of signals among function blocks. A collection of function blocks is wired together in the manner of a circuit diagram. Fig. 1 shows the ten function block groups of the IEC standard and representative examples of each group.
Related Work (Cont’d) Fig. 1. Function block groups and representative examples
Related Work (Cont’d) Software Fault Tree Analysis (SFTA) In system engineering research, Apostolakis et al. [5] proposed a modeling and analysis method for software-controlled embedded systems using the Dynamic Flowgraph Methodology (DFM). Developed to specify and analyze industrial processes, this method was applied to the Titan II Space Launch Vehicle Digital Flight Control System [6] and later extended to support dependability analysis [7] and hazard analysis [8]. Research on software fault tree analysis, unfortunately, is not as mature as its hardware counterpart. [9–11] extracted software fault tree template definitions for various Ada programming language constructs. The templates, equivalent to the failure semantics of the Ada statements, offer the analyst suggestions on how various statements might cause or contribute to a failure. This provides a semiautomatic approach that relieves the extra effort required in manual fault tree generation.
Related Work (Cont’d) Sullivan [12] proposed a fault tree construction method from an architecture description language called Reliability Imbedded Design Language (RIDL) and developed an analysis tool called Galileo [13]. RIDL is a specification language that can specify redundant modules and components. However, this research also did not reflect internal behavior at the module and component level. Oh et al. [14] proposed an approach to fault tree analysis which combines fault-oriented and cause/effect-oriented viewpoints, and suggested templates which combine the two views. It is, however, somewhat impractical and inefficient in real safety analysis work.
Failure Modes of FBDs FBDs have inputs which are passed through various function blocks, and outputs which result from the combination of the block operations. Therefore, to completely analyze FBDs and improve software safety, one must investigate all safety factors and identify the possible failure modes in FBDs related to those safety factors. In [14], Oh et al. defined and categorized the possible failure modes in FBDs which can arise from a combination of function blocks or from a single function block. Though they are relatively well defined based on the characteristics of each function block, they are still somewhat inefficient or impractical. We therefore modified and redefined them based on the software failure mode taxonomy work in [15].
Failure Modes of FBDs (Cont’d) Fig. 2 Failure modes for various FBD blocks
Template-Based FT Generation from FBDs SFTA with Various Fault Tree Templates for FBDs Oh [14] proposed an approach to fault tree analysis which combines fault-oriented and cause/effect-oriented viewpoints, and suggested templates which combine the two views. It is, however, impractical and inefficient in real safety analysis work in terms of the following two aspects: 1) the sizes of the templates for most function blocks are unnecessarily large because dispensable nodes are added to the templates for the corresponding function blocks, which makes safety analysis harder for the analyst, and 2) conventional cut-set analysis is not applicable to the approach proposed in [14], because that approach uses the combined, or more precisely the mixed, viewpoints, while cut-set analysis is based only on the failure modes of events (i.e., the fault-oriented viewpoint).
Template-Based FT Generation from FBDs (Cont’d) In this study, the templates for the FBs are refined to be more fault-oriented so that they can be implemented easily in the SFTA. The types of function blocks used for the FBD modules are divided into 5 classes: Logic Operation FB (AND/OR), Comparison FB (GE/GT/LE/LT/EQ), Selection FB (SEL), Algebraic Operation FB (ADD/SUB/MUL/DIV/ABS), and Timer FB (TON). Besides the templates for the function blocks, a fault tree template for the final output port and templates for the input variables at the leaf nodes are also devised.
Template-Based FT Generation from FBDs (Cont’d) Fig. 3 Fault tree template for the AND function block
Template-Based FT Generation from FBDs (Cont’d) Fig. 4 Fault tree template for the TON function block
Template-Based FT Generation from FBDs (Cont’d) Fault Tree Generation Procedure The top event template is put at the top of the fault tree with the undesired event as the top event, and the templates of the blocks directly connected to the output block are attached. Each branch is expanded until there are no dependent FBD routines or function blocks left. When all templates are attached, terminal node templates are added to the remaining cause nodes, which are the leaf nodes of the generated tree. When expanding the fault tree, the analyst may choose to simplify it by eliminating irrelevant branches.
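The generation procedure above, followed by the cut-set analysis that fault-oriented templates make possible, as an added example that is not code from the paper or the KNICS project. The FBD wiring, the AND/GE templates and the event names (wrong_true, wrong_false, too_high, too_low, block_failure) are assumptions constructed for illustration; the real templates are those in Fig. 3 and Fig. 4.

```python
from itertools import product

# Constructed FBD for illustration (NOT the real IDiPS DNBR_Lo_Trip wiring):
# output signal -> (function block type, ordered input signals).
FBD = {
    "TEMP_TRIP": ("GE", ["_4_BP_T_IN", "_4_BP_T_TRIP_VAL"]),
    "TRIP_LOGIC": ("AND", ["TEMP_TRIP", "TEMP_TRIP_LOGIC"]),
}

def template(block, inputs, event):
    """Assumed fault-oriented template: causes on the block inputs for an
    undesired output event ('wrong_true' = TRUE when it should be FALSE,
    'wrong_false' = the reverse). Block-internal failure is added by the caller."""
    if block == "AND":
        # any input carrying the same wrong value can propagate to the output
        return [(i, event) for i in inputs]
    if block == "GE":  # out = a >= b
        a, b = inputs
        if event == "wrong_true":
            return [(a, "too_high"), (b, "too_low")]
        return [(a, "too_low"), (b, "too_high")]
    raise ValueError(f"no template for {block}")

def build_tree(signal, event):
    """Node = (label, gate, children). Each branch is expanded until no
    function block is left; input variables become terminal (basic) nodes."""
    if signal not in FBD:
        return (f"{signal}:{event}", "BASIC", [])
    block, inputs = FBD[signal]
    children = [build_tree(s, e) for s, e in template(block, inputs, event)]
    children.append((f"{signal}:{block}_block_failure", "BASIC", []))
    return (f"{signal}:{event}", "OR", children)

def cut_sets(node):
    """Minimal cut sets (MOCUS-style): OR unions the children's sets,
    AND combines one set from each child."""
    label, gate, children = node
    if gate == "BASIC":
        return [frozenset([label])]
    if gate == "OR":
        sets = [cs for c in children for cs in cut_sets(c)]
    else:
        sets = [frozenset().union(*combo)
                for combo in product(*(cut_sets(c) for c in children))]
    sets = list(dict.fromkeys(sets))                           # drop duplicates
    return [s for s in sets if not any(o < s for o in sets)]  # keep minimal

if __name__ == "__main__":
    tree = build_tree("TRIP_LOGIC", "wrong_false")   # top event: trip missed
    for cs in cut_sets(tree):
        print(sorted(cs))
```

Every cut set of the constructed tree is a single basic event, which is the kind of result the analyst reads off to find where a sensor drift or a single block failure alone defeats the trip.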
Case Study (DNBR_Lo_Trip) [FBD figure; signals shown: _4_BP_T_IN, TEMP_TRIP, _4_BP_T_TRIP_VAL, TRIP_LOGIC, TEMP_TRIP_LOGIC, _4_TRIP_LOGIC]
Case Study (Cont’d) [generated fault tree figure for the same signals: _4_BP_T_IN, TEMP_TRIP, _4_BP_T_TRIP_VAL, TRIP_LOGIC, TEMP_TRIP_LOGIC, _4_TRIP_LOGIC]
Summary and Conclusion As FBDs are often used to implement safety-critical software, such techniques are needed to achieve the desired quality assurance and to satisfy regulatory requirements. In this work, we propose a fault tree analysis technique for function block diagrams. We also define fault tree templates for each FBD function block and propose a semiautomatic FTA process to perform safety analysis of FBD programs efficiently and correctly. Our technique was applied to the representative trip logic of IDiPS, which is currently being developed in Korea, and this shows that it is applicable to real-world systems. Nuclear engineers found the proposed template-based fault tree analysis approach useful in identifying faults leading to the undesired trip result in the RPS. A future research plan is to make the templates more context-sensitive to the FBD specification so that the generated fault tree becomes more compact.
References
[1] U. NRC, Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues, National Academy Press, 1997.
[2] IEC, IEC Standard 61131-3: PLC programming languages, 1993.
[3] N. G. Leveson, Safeware: System Safety and Computers, Addison-Wesley, 1995.
[4] J. H. Park, D. Y. Lee, C. H. Kim, “Development of KNICS RPS Prototype,” Proceedings of ISOFIC 2005, Session 6, pp. 160–161, Tongyeong, Korea, Nov. 1–4, 2005.
[5] Garrett C, Guarro S, Apostolakis G., “The dynamic flowgraph methodology for assessing the dependability of embedded software systems,” IEEE Transactions on Systems, Man and Cybernetics, Vol. 25, No. 5, pp. 824–840, 1995.
[6] Yau M, Guarro S, Apostolakis G., “Demonstration of the dynamic flowgraph methodology using the Titan II space launch vehicle digital flight control system,” RESS, Vol. 49, No. 3, pp. 335–353, 1995.
[7] Yau M, Apostolakis G, Guarro S., “The use of prime implicants in dependability analysis of software controlled systems,” RESS, Vol. 62, No. 1, pp. 23–32, 1998.
[8] Garrett C, Apostolakis G., “Automated hazard analysis of digital control systems,” RESS, Vol. 77, No. 1, pp. 1–17, 2002.
[9] Cha S, Leveson N, Shimeall T., “Safety verification in Murphy using fault tree analysis,” Proceedings of the 10th International Conference on Software Engineering, pp. 377–386, Singapore, April 1988.
[10] Leveson N, Cha S, Shimeall T., “Safety verification of Ada programs using software fault trees,” IEEE Software, Vol. 8, No. 4, pp. 48–59, 1991.
[11] Min SY, Jang YK, Cha S, Kwon YR, Bae DH., “Safety verification of Ada 95 programs using software fault trees,” Proceedings of Computer Safety, Reliability and Security: 18th International Conference, SAFECOMP’99, pp. 226–238, Toulouse, France, September 1999.
[12] Vemuri K, Dugan J, Sullivan K., “Automatic synthesis of fault trees for computer-based systems,” IEEE Transactions on Reliability, Vol. 48, No. 4, pp. 394–402, 1999.
[13] Sullivan K, Dugan J, Coppit D., “The Galileo fault tree analysis tool,” Proceedings of the 29th Annual International Symposium on Fault-Tolerant Computing, pp. 232–235, June 1999.
[14] Oh Y, Yoo J, Cha S, Son H., “Software Safety Analysis of Function Block Diagrams,” RESS, Vol. 88, pp. 215–228, 2005.
[15] Li B, Li M, Ghose S, Smidts C., “Integrating Software into PRA,” Proceedings of the 14th International Symposium on Software Reliability Engineering, ISSRE 2003, pp. 17–20, 2003.