Abstract — Challenges and solutions related to international standards for the verification and validation (V&V) of Programmable Logic Controllers (PLC) and PLC-based Instrumentation and Control systems (PICS) are discussed. A particular case, safety critical PICS developed using FPGA (FPICS), is analyzed. Fault insertion testing (FIT) is one of the V&V techniques; FIT is applied to meet the IEC 61508 standard requirements, to be certified and to confirm the safety integrity level (SIL3). The concept of the ability of SW and HW (as components of FPICS) to FIT (FIT-ability), some theoretical issues and procedures, and specific features of FPICS SIL-certification techniques are discussed. The suggested FIT techniques and tools are described based on the experience of SIL-certifying some modules of the FPGA-based platform RadICS for NPP FPICS. A particular feature of the technique is the joint application of FIT to hardware (FPGA design) and software (VHDL code), taking the FIT-ability issue into account.

Keywords— I&C systems; fault insertion testing (FIT); hardware FIT; software FIT; FIT procedures; FIT tools

I. INTRODUCTION

At present, programmable logic controllers (PLCs) are widely used as the core of automated control systems for technological processes and production. PLCs are applied more and more intensively in safety critical domains, first of all in the instrumentation and control systems (I&C) of nuclear power plants (NPP), i.e. PLC-based safety critical I&C systems (PICS). An example of such PLCs is systems being developed on the basis of FPGA technology (FPGA PLC-based safety critical I&C systems, FPICS). This is caused by a few advantages of FPICS in comparison with SW-based ones implemented using microprocessors and microcontrollers with a universal and fixed architecture. In particular, application of FPGA technology ensures higher reliability, safety and security, and better flexibility and maintainability.

However, FPGA design, PLC and FPICS for safety critical applications such as NPPs have specific risks which should be tolerated during verification and validation (V&V). There are strong requirements on the V&V process and on the applied PLC and PLC-based techniques [3-5]. Fault insertion testing (FIT) is one of the V&V techniques. FIT is applied to meet the IEC 61508 standard requirements, to be certified and to confirm the safety integrity level.

By means of hardware (HW) and software (SW) fault insertion a few tasks can be solved: (a) improving test coverage, diagnostic coverage for HW and SW components and configurations, and general metrics of test quality; (b) confirmation of the effectiveness of fault-tolerance procedures and means and of the actual level of FPICS safety.

To improve FIT considering the complexity of safety important projects and their typical restrictions, we suggested the concept of FIT-ability for hardware design in our previous works, in particular [1,2].

The objective of the paper is to generalize the concept of ability to FIT for SW and HW components and to discuss the experience of SIL-certifying some modules of the RadICS platform for NPP FPICS.

II. MAIN CONCEPTS OF SW & HW FIT-ABILITY

A. FIT-ability of I&C

Prototype-based FIT-ability is the ability to insert faults with respect to the actual physical scheme (HW FIT-ability) or code (SW FIT-ability). Metrics for FIT assessment are the number and complexity (time and cost) of fault insertion and reinsertion operations.

For the SIL-oriented process of FPICS certification, the concept of SW&HW FIT-ability may be specified as the ability to fulfil fault insertion (injection) testing according to FMEA or FMEDA results on different levels of the system hierarchy: system SW implemented in HDL code (chip) - FMEDA; application SW, i.e. configuration files generated by the Integrated Development Environment - FMEA; module, cabinet, system - FMEDA.

As stated above, FPICS has four levels for HW and SW FIT (see Figure 1: FIT, FMEA/FMEDA).
203
Authorized licensed use limited to: University Kassel. Downloaded on October 09,2023 at 23:10:59 UTC from IEEE Xplore. Restrictions apply.
2. Building of the IFCS table taking into account the restrictions set FITR (Table II).

TABLE II. TABLE OF IFCS

Subset types of HW faults, fHWi | Attributes of fault insertion
                                | Points, Ipfi | Means, Imfi
fHW1                            | Ipf1         | Imf1
…                               | …            | …
                                | IpfF         | ImfF

3. For the selected points (Ipfi) and fault means (Imfi), HW FIT techniques should be determined taking into account the restrictions set FITR.

B. SW FIT procedure

To develop the SW FIT procedure according to the analysis of system FIT and FMEA, the following operations need to be fulfilled.

1. Separation of the plurality of failure types into subsets (Table III).

TABLE III. TABLE OF FF_SWCS

SW Faults, fswi | SW Components
                | SW Com1 | ….. | SW ComM
fsw1            | +       |     | +
…               |         |     | +
fswF            | +       |     |

TABLE V. TABLE OF IF_SWCS

failure, fswi | Attributes of SW fault insertion
              | Points, Ipfi | Means, Imfi
fsw1          | Ipf1         | Imf1
…             | …            | …
fswz          | IpfF         | ImfF

4. For the selected points (Ipfi) and fault means (Imfi), SW FIT techniques (SW FITT) and SW FIT tools should be determined; the tools should be developed during SW FIT test design.

IV. INDUSTRIAL CASE

A. FPICS example

An example of FPICS is the FPGA-based platform RadICS developed by Research and Production Corporation Radiy. The procedures described are part of the process of its SIL 3 certification. The platform is presented in Figure 2 [7].
Choosing of the IFCSmin depends on the insertion costs for the pairs (pfi, mij). Let us assume that the insertion cost for all points is equal, and that the insertion cost of "stuck off" (mi1) is higher than that of "out&GND" (mi2). In this case the best variant is the following:

[Table of the best variant: rows of fault fhwi and means mij with a 0/1 indicator over insertion points p1–p10; only three rows survive the extraction: m32 has 1 at p5; fhw5, m51 has 1 at p10; m52 has 1 at p8.]

Figure 3. Implementation of fault fhw1 "LM. DOU HL switch stuck on"

The electrical circuit for the implementation of the fault (fhw5) "LM. DIU Shorted field contact" is illustrated in Figure 4.

[Figure residue from Figures 3, 4 and 7 (circuit drawings and FIT control panel): switch labels S6–S13, potentiometers P1–P6, DOU LR, LAN, fault means "switch", "stuck on", "out&GND", "Shorted field contact".]

C. HW FIT-tool

To fulfil HW FIT, a special HW tool VTP (Validation Test Panel) was developed. The tool allows inserting one or more faults simultaneously, setting the fault type and indicating the required data, and checking uncontrolled insertion risks. VTP is a part of the IVV system integrating National Instruments modules and the software tool LabView. Several generations of HW FIT tools have been developed (see Figures 5÷7).

Figure 7. FIT control panel
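The cost-based choice of IFCSmin from the irIFCS variants described in this section, written out as an added example; this is not code from the paper or from the RadICS project. The candidate (point, means) pairs per fault subset, the per-point cost of 1 unit, the means costs (3 units for m_i1, 1 unit for m_i2, reproducing only the ordering the text assumes) and the treatment of FITR as a set of insertion points that may not be used are all constructed assumptions. The first and last candidates are arranged so that the first and last enumerated variants coincide with irIFCS1 and irIFCS108 as listed on the page, and the candidate counts 3·3·3·2·2 give the page's 108 variants.

```python
from itertools import product

# Constructed candidate (point, means) pairs for HW fault subsets fhw1..fhw5.
# Five subsets with 3, 3, 3, 2 and 2 candidates give 108 irIFCS variants.
CANDIDATES = {
    "fhw1": [("p2", "m11"), ("p4", "m11"), ("p1", "m12")],
    "fhw2": [("p3", "m21"), ("p9", "m21"), ("p6", "m22")],
    "fhw3": [("p1", "m31"), ("p7", "m31"), ("p5", "m32")],
    "fhw4": [("p5", "m41"), ("p7", "m42")],
    "fhw5": [("p10", "m51"), ("p8", "m52")],
}
POINTS = [f"p{i}" for i in range(1, 11)]   # insertion points p1..p10


def point_cost(point):
    """Assumption from the text: every insertion point costs the same (1 unit)."""
    return 1


def means_cost(means):
    """Assumption: m_i1 ("stuck" type) costs 3 units, m_i2 ("out&GND") costs 1 unit."""
    return 3 if means.endswith("1") else 1


def enumerate_irifcs(candidates):
    """All irIFCS variants: exactly one (point, means) pair per fault subset."""
    faults = list(candidates)
    return [dict(zip(faults, combo))
            for combo in product(*(candidates[f] for f in faults))]


def variant_cost(variant):
    """Total insertion cost of one variant: sum of point and means costs."""
    return sum(point_cost(p) + means_cost(m) for p, m in variant.values())


def respects_fitr(variant, restricted_points):
    """Constructed FITR model: a variant is admissible if it uses no restricted point."""
    return all(p not in restricted_points for p, _ in variant.values())


def select_ifcs_min(candidates, restricted_points=frozenset()):
    """IFCSmin: the cheapest admissible variant, or None if FITR rules out every variant."""
    allowed = [v for v in enumerate_irifcs(candidates)
               if respects_fitr(v, restricted_points)]
    if not allowed:
        return None
    return min(allowed, key=variant_cost)   # first minimum in enumeration order


def indicator_row(pair, points=POINTS):
    """0/1 row over p1..p10 in the layout of the best-variant table on the page."""
    return [1 if point == pair[0] else 0 for point in points]


if __name__ == "__main__":
    variants = enumerate_irifcs(CANDIDATES)
    print(len(variants), "irIFCS variants")
    best = select_ifcs_min(CANDIDATES)
    print("IFCSmin (no restrictions):", best, "cost", variant_cost(best))
    best_r = select_ifcs_min(CANDIDATES, {"p5"})
    print("IFCSmin with p5 restricted:", best_r, "cost", variant_cost(best_r))
    for fault, pair in best.items():
        print(fault, pair[1], *indicator_row(pair))
```

With the constructed costs the unrestricted minimum picks the m_i2 means for every subset, and restricting a point forces the affected subset onto a dearer pair, which is the effect of FITR that step 2 of the HW procedure refers to.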
In general we have 108 variants of the irIFCSs:

irIFCS = {irIFCS1 = {(p2, m11), (p3, m21), (p1, m31), (p5, m41), (p10, m51)}, …, irIFCS108 = {(p1, m12), (p6, m22), (p5, m32), (p7, m42), (p8, m52)}}.

D. An Example of SW FIT procedure

Let us consider an example of the SW FIT procedure implementation for one of the RPCT-generated SW parameters, the command code. Examples of the types of failure identified by FMEA analysis are the following:
- fsw1 - Command code is WRONG but VALID (code fragment is highlighted in red):
  - Command Code ≠ Command Code that was specified in the UAL project;
  - Command Code is within the legal range (Figure 8);
- fsw2 - Command code is WRONG and INVALID (code fragment is highlighted in red):
  - Command Code ≠ Command Code specified in the UAL project;
  - Command Code is out of the legal range (Figure 9);
- fsw3 – Tuning Station (TS) sends a WRONG but VALID value to the LM, different from the one entered by the user (Figure 10).

Therefore, the location of defects (p) is determined by the SW FIT-ability of the RPCT output file being examined, and the value (m) is: the command code number for fsw1 and fsw2; the tuning value for fsw3 and fsw4.

[Figure 10: diagram with blocks LM#1, FIS, ATS.]

Figure 10. SW FIT – "Tuning Station (TS) sends a WRONG but VALID value to the LM"

E. SW FIT tool

To insert various types of failure into the SW components, special SW FIT tools were developed. These tools are used to test the design and mitigation measures which shall prevent the impact of those RPCT application project aspects which can potentially be the source of FPICS faults. The SW FIT tools allow performing the following:

- inserting fault(s) into RPCT output files and recalculating the Cyclic Redundancy Check (CRC) used to protect the data;
- inserting wrong data into the network data frames transmitted between the logic module and the. To insert wrong data, a network penetration attack – "Man-in-the-Middle" – is implemented by the tool [6] (Figure 11);

Figure 11. Network penetration attack – "Man-in-the-Middle"

- inserting fault(s) into the Electronic Design (ED) of the FSC Logic Module. Faults are inserted into the LM ED with a dedicated ED block, the so-called "saboteur". The saboteur block was developed, verified and added into the LM ED during SW FIT test design.

CONCLUSIONS

REFERENCES

[1] Kharchenko, V., Odarushchenko, O., Sklyar, V., Ivasyuk, A., 2013, "Fault Insertion Testing: FIT-Ability, Optimal Procedure and Tool for FPGA Based Systems SIL Certification", Proceedings of East-West Design & Test Symposium (EWDTS'2013), September 27-30, 2013, Rostov-on-Don, Russia, pp. 188-192.
[2] Kharchenko, V., Odarushchenko, O., Sklyar, V., Ivasyuk, A., 2014, "Fault Insertion Testing of FPGA-Based NPP I&C Systems: SIL Certification Issues", Proceedings of the 2014 22nd International Conference on Nuclear Engineering ICONE 22, July 7-11, 2014, Prague, Czech Republic, Paper No. ICONE22-31163, 5 pages.
[3] Cotroneo, D., 2013, "Innovative Technologies for Dependable OTS-Based Critical Systems: Challenges and Achievements of the CRITICAL STEP Project", Springer, Milan, p. 215.
[4] Hsueh, M., Tsai, T., Iyer, R., 1997, "Fault Injection Techniques and Tools", IEEE Computer, Vol. 30(4), pp. 75-82.
[5] Leveugle, R., 2000, "Fault Injection in VHDL Descriptions and Emulations", Proceedings of DFT'2000 Conference, October, pp. 414-419.
[6] Rehim, R., 2016, "Effective Python Penetration Testing", Packt Publishing, Birmingham, 156 p.
[7] RadICS Platform description, http://www.radiy.com/ru/produktsiya-dlya-aes/produktsiya/plaforma-radics.html.
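An added worked example for the command-code failure types fsw1–fsw3 of section IV.D and the first capability of the SW FIT tool in section IV.E (inserting a fault into an RPCT output file and recalculating its CRC). It is not code from the paper or from the RadICS platform. The record layout (magic, 16-bit command code, 16-bit tuning value, CRC-32 trailer), the legal command-code range 1–255, the project values and the names of the receiver-side checks are all constructed assumptions; the real RPCT file format is not described on the page.

```python
import struct
import zlib

# Constructed record layout (assumption): magic(2) | command_code(2) | tuning_value(2) | crc32(4)
MAGIC = b"RC"
HEADER = struct.Struct("<2sHH")
LEGAL_RANGE = range(1, 0x100)          # constructed legal command-code range
PROJECT = {"command_code": 0x2A, "tuning_value": 500}   # constructed UAL project values


def build_record(command_code, tuning_value):
    """Produce a record protected by a CRC-32 trailer, as the RPCT output is assumed to be."""
    payload = HEADER.pack(MAGIC, command_code, tuning_value)
    return payload + struct.pack("<I", zlib.crc32(payload))


def parse_record(record):
    """Split a record into fields and verify its CRC trailer."""
    payload, (crc,) = record[:-4], struct.unpack("<I", record[-4:])
    magic, code, tuning = HEADER.unpack(payload)
    return {"magic": magic, "command_code": code, "tuning_value": tuning,
            "crc_ok": zlib.crc32(payload) == crc}


def inject_fault(record, fault, project):
    """SW FIT tool step: alter one field according to the fault type, then re-sign with CRC."""
    fields = parse_record(record)
    code, tuning = fields["command_code"], fields["tuning_value"]
    if fault == "fsw1":    # wrong but valid: a different code that is still in the legal range
        code = next(c for c in LEGAL_RANGE if c != project["command_code"])
    elif fault == "fsw2":  # wrong and invalid: a code outside the legal range
        code = 0xFFFF
    elif fault == "fsw3":  # TS sends a wrong but valid tuning value, not the one the user entered
        tuning = (project["tuning_value"] + 1) & 0xFFFF
    else:
        raise ValueError(f"unknown fault type {fault!r}")
    return build_record(code, tuning)   # CRC recalculated, so the integrity check alone passes


def flip_bit(record, byte_index, bit):
    """Plain corruption without CRC recalculation, for contrast with the FIT tool."""
    data = bytearray(record)
    data[byte_index] ^= 1 << bit
    return bytes(data)


def receiver_checks(record, project):
    """Mitigation checks the consuming logic could apply; True means the check fires."""
    f = parse_record(record)
    return {
        "crc_mismatch": not f["crc_ok"],
        "code_out_of_range": f["command_code"] not in LEGAL_RANGE,
        "code_differs_from_project": f["command_code"] != project["command_code"],
        "tuning_differs_from_user": f["tuning_value"] != project["tuning_value"],
    }


def detected_by(record, project):
    """Sorted names of the checks that detect the inserted fault (empty if none)."""
    return sorted(k for k, hit in receiver_checks(record, project).items() if hit)


def fit_report(project):
    """Run every SW fault type against the mitigations and report which checks catch it."""
    good = build_record(project["command_code"], project["tuning_value"])
    report = {"none": detected_by(good, project)}
    for fault in ("fsw1", "fsw2", "fsw3"):
        report[fault] = detected_by(inject_fault(good, fault, project), project)
    report["bit_flip"] = detected_by(flip_bit(good, 2, 0), project)
    return report


if __name__ == "__main__":
    for fault, checks in fit_report(PROJECT).items():
        print(f"{fault:9s} detected by: {checks or 'nothing'}")
```

The report makes the point of the fsw1/fsw2 split explicit: because the tool recalculates the CRC, neither fault is caught by the integrity check; fsw2 is caught by the range check, while fsw1 is only caught by comparing the code against the value specified in the project, so a design whose only mitigation is CRC plus range validation leaves fsw1 undetected.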