
The 9th IEEE International Conference on Dependable Systems, Services and Technologies, DESSERT’2018

24-27 May, 2018, Kyiv, Ukraine

Fault Insertion Software and Hardware Testing for Safety PLC-Based System SIL Certification

Oleg Odarushchenko¹, Oleksiy Strjuk¹, Yevhen Bulba¹, Kostiantyn Leontiiev², Alexandr Ivasyuk², Vyacheslav Kharchenko³˒⁴

¹ RadICS LLC, Kropyvnytskiy, Ukraine, {odarushchenko, strjuk.radiks, evhenb}@gmail.com
² RPC Radiy, Kropyvnytskiy, Ukraine, ksleontiev@radiy.com, ivasiuk.radiks@gmail.com
³ National Aerospace University “KhAI”, Kharkiv, Ukraine, v.kharchenko@csn.khai.edu
⁴ Centre for Safety Infrastructure-Oriented Research and Analysis, Kharkiv, Ukraine, v.kharchenko@csn.khai.edu

Abstract — Challenges and solutions related to the verification and validation (V&V) of Programmable Logic Controllers (PLC) and PLC-based Instrumentation and Control systems (PICS) are discussed. A particular case of safety-critical PICS developed using FPGA (FPICS) is analyzed. Fault insertion testing (FIT) is one of the V&V techniques; FIT is applied to meet the IEC 61508 standard requirements, to obtain certification and to confirm the safety integrity level (SIL3). The concept of the ability of SW and HW (as components of FPICS) to undergo FIT (FIT-ability), some theoretical issues and procedures, and specific features of FPICS SIL-certification techniques are discussed. The suggested FIT techniques and tools are described based on the experience of SIL-certifying some modules of the FPGA-based platform RadICS for NPP FPICS. A particularity of the technique is the joint application of FIT to hardware (FPGA design) and software (VHDL code) while considering the FIT-ability issue.

Keywords — I&C systems; fault insertion testing (FIT); hardware FIT; software FIT; FIT procedures; FIT tools

I. INTRODUCTION

At present, programmable logic controllers (PLCs) are widely used as the core of automated control systems for technological processes and production. PLCs are applied more and more intensively in safety-critical domains, first of all in instrumentation and control (I&C) systems of nuclear power plants (NPP), i.e. PLC-based safety-critical I&C systems (PICS). An example of such PLCs is systems developed on the basis of FPGA technology (FPGA PLC-based safety-critical I&C systems, FPICS). This is caused by a few advantages of FPICS in comparison with SW-based ones implemented using microprocessors and microcontrollers with a universal and fixed architecture. In particular, the application of FPGA technology ensures higher reliability, safety and security, and better flexibility and maintainability.

However, FPGA design, PLC and FPICS for safety-critical applications such as NPPs have specific risks which should be tolerated during verification and validation (V&V). There are strong requirements of the international standards on the V&V process and the applied techniques [3-5].

Fault insertion testing (FIT) is one of the V&V techniques. FIT is applied to meet the IEC 61508 standard requirements, to obtain certification and to confirm the safety integrity level.

By means of hardware (HW) and software (SW) fault insertion, a few tasks can be solved: (a) improving test coverage, diagnostic coverage for HW and SW components and configurations, and general metrics of test quality; (b) confirming the effectiveness of fault-tolerance procedures and means and the actual level of FPICS safety.

To improve FIT, considering the complexity of safety-important projects and their typical restrictions, we suggested the concept of FIT-ability for hardware design in our previous works, in particular [1,2].

The objective of the paper is to generalize the concept of FIT-ability to SW and HW components and to discuss the experience of SIL-certifying some modules of the platform RadICS for NPP FPICS.

II. MAIN CONCEPTS OF SW & HW FIT-ABILITY

A. FIT-ability of I&C

Prototype-based FIT-ability is the ability to insert faults with regard to the actual physical scheme (HW FIT-ability) or code (SW FIT-ability). Metrics for FIT assessment are the number and complexity (time and cost) of fault insertion and reinsertion operations.

For the SIL-oriented process of FPICS certification, the concept of SW&HW FIT-ability may be specified as the ability to fulfil fault insertion (injection) testing according to FMEA or FMEDA results on different levels of the system hierarchy: system SW implemented in HDL code (Chip) - FMEDA; application SW, i.e. configuration files generated by the Integrated Development Environment - FMEA; (Module, Cabinet, System) - FMEDA.

As stated above, FPICS has four levels for HW and SW FIT (see Figure 1, FIT, FMEA/FMEDA).

978-1-5386-5903-8/18/$31.00 ©2018 IEEE 202


Authorized licensed use limited to: University Kassel. Downloaded on October 09,2023 at 23:10:59 UTC from IEEE Xplore. Restrictions apply.
Figure 1. The levels of FMEA/FMEDA and HW/SW FIT procedures for FPICS

B. HW FIT-ability

A scheme $S_{FIT}$ which is the object of the FIT procedure may be presented by a pair:

$S_{FIT} = \langle G = \{A, B\},\ T_{FMEA/FMEDA} \rangle$, (1)

where $G = \{A, B\}$ is the structure graph of $S_{FIT}$ consisting of a set of nodes (elements of the scheme) $A = \{a_x\}$ and a set of edges $B = \{b_y\}$; $T_{FMEA/FMEDA} = \{f_i, m_i, e_i, d_i, c_i\}$ is a set (FMEA/FMEDA table) consisting of subsets of fault types $f_i$, failure modes $m_i$, failure effects $e_i$, diagnostic attributes $d_i$ defining the possibility of detecting fault $f_i$, and fault criticality $c_i$, $i = 1,\dots,F$.

The next task is to determine a position (point of the scheme) $p_{f_i}$ and means $m_{f_i}$ of insertion for all faults $f_i$. The full FIT covered space of $f_i$ ($FFCS_{f_i}$) and of the scheme ($FFCS$) are described by a set obtained as a Cartesian product and as an aggregation of all $FFCS_{f_i}$ correspondingly:

$FFCS_{f_i} = p_{f_i} \times m_{f_i}$, (2)

$FFCS_S = \bigcup FFCS_{f_i},\ i = 1,\dots,F$. (3)

The implemented FIT covered space of the scheme ($IFCS$) is a subset of $FFCS$, $IFCS \subseteq FFCS$, and should be developed taking into account a set of restrictions $FITR = \{r_z\}$: $r_1$ – element parameters are not changed under temperature and mechanical influences; $r_2$ – fault insertion for element $a_x \in A$ (in the space of element $a_x$) does not cause failure or unacceptable parameter changes of other elements $a_q$; $r_3$ – any element $a_x \in A$ must be technologically acceptable for fault insertion.

C. SW FIT-ability

The input data for performing SW FIT are the results of FMEA. During the FMEA, an analysis is made of the sources of risks that may arise while working with the IDE and forming the FPICS configuration files. These results are types of failure.

The main tasks of the SW FIT testing phase are the following:
- checking the SW FIT ability of the diagnostic subsystem of the FPICS to detect errors in the configuration data and checking its ability to perform protective actions in accordance with the type of failure detected ($f_i$);
- checking the SW FIT ability of IDE on-line components to detect errors in the configuration data and checking their ability to perform protective actions in accordance with the type of failure detected.

For SW FPICS:

$FMEA = (SW\ Components)_{FMEA}$. (8)

The next task is the separation of the many types of defects into subsets. The number of subsets corresponds to the number of SW components tested. Then $F = \{f_i\}$ is the complete set of SW faults and $SWComp = \{SWComp_i\}$ is the set of tested SW components. Then it is possible to establish the mapping of the set of components onto the set of faults:

$f: SWComp \to F$ (9)

The next task, by analogy with HW FIT, is to determine for each pair $f_i$ – $SWComp_i$ a position (point of the component) $p_{f_i}$ and means $m_{f_i}$ of insertion. In general $p_{f_i}$ and $m_{f_i}$ are sets $p_{f_i} = \{p_{f_{ij}}\}$, $m_{f_i} = \{m_{f_{ik}}\}$, $j = 1,\dots,n_{p_{f_i}}$; $k = 1,\dots,n_{m_{f_i}}$, and the full SW FIT covered space of $f_i$ ($FF\_SWCS_{f_i}$) is

$FF\_SWCS_{f_i} = p_{f_i} \times m_{f_i}$. (10)

$FF\_SWCS$ is an aggregation of all $FF\_SWCS_{f_i}$:

$FF\_SWCS = \bigcup FF\_SWCS_{f_i},\ i = 1,\dots,F$. (11)

The implemented $FF\_SWCS$ of a component ($IF\_SWCS$) is a subset of $FF\_SWCS$, $IF\_SWCS \subseteq FF\_SWCS$. $IF\_SWCS$ should be developed taking into account the main restriction SW FITR: SW fault insertion for $SWComp$ must be technologically acceptable.

III. SW & HW FIT PROCEDURES

A. HW FIT procedure

To develop the FIT-ability procedure according to the analysis of $S_{FIT}$ and $T_{FMEDA}$, the following operations need to be performed.

1. Obtaining the sets $FFCS_{f_i}$, $FFCS_S$ and the corresponding table (Table I). The feature of this stage is the necessity of correct understanding and technological interpretation of FMEDA-based symptoms.

TABLE I. TABLE OF FFCS

HW faults, fHWi    Points, pfi    Means, mfi
fHW1               pf1            mf1
…                  …              …
fHWF               pfF            mfF

2. Building the IFCS table taking into account the restriction set FITR (Table II).

TABLE II. TABLE OF IFCS

HW faults, fHWi    Points, Ipfi    Means, Imfi
fHW1               Ipf1            Imf1
…                  …               …
fHWF               IpfF            ImfF

3. For the selected points (Ipfi) and fault means (Imfi), HW FIT techniques should be determined taking into account the restriction set FITR.

B. SW FIT procedure

To develop the SW FIT procedure according to the analysis of the system FIT and FMEA, the following operations need to be performed.

1. Separation of the plurality of failure types into subsets (Table III).

TABLE III. TABLE OF FF_SWCS

Faults, fswi    SW Com1    …    SW ComM
fsw1            +          +
…                          +
fswF                            +

2. Obtaining the sets FF_SWCSfi, FF_SWCS and the corresponding tables (Table IV). The feature of this stage is the necessity of correct understanding and technological interpretation of FMEA-based types of failure.

TABLE IV. TABLE OF FF_SWCS

Subset types of failure, fswi    Points, pfi    Means, mfi
fsw1                             pf1            mf1
…                                …              …
fswz                             pfj            mfF

3. Building the IF_SWCS table taking into account the restriction set SW FITR for each subset of SW failure types (Table V).

TABLE V. TABLE OF IF_SWCS

Subset types of failure, fswi    Points, Ipfi    Means, Imfi
fsw1                             Ipf1            Imf1
…                                …               …
fswz                             IpfF            ImfF

4. For the selected points (Ipfi) and fault means (Imfi), SW FIT techniques (SW FITT) and SW FIT tools should be determined; the tools are developed during the SW FIT test design.

IV. INDUSTRIAL CASE

A. FPICS example

An example of FPICS is the FPGA-based platform RadICS developed by Research and Production Corporation Radiy. The procedures described are part of the process of its SIL 3 certification. The platform is presented in Figure 2 [7].

Figure 2. FPGA-based platform RadICS

B. An Example of HW-FIT procedure

We will illustrate the implementation of the HW FIT procedure. For example, the FMEDA table (for the Logic Module) contains five types of fault: fhw1 (LM DOU HL switch stuck on); fhw2 (LM DOU HR switch stuck on); fhw3 (LM DOU LL switch stuck on); fhw4 (LM DOU LR switch stuck on); fhw5 (LM DIU shorted field contact). The table of IFCS for the analyzed scheme of the Discrete Output Unit of the Logic Module (Figures 3, 4) contains the types of faults and the means of their insertion. Every fault may be inserted into one of the ten points of the scheme (Ipfhwi) by two means: “stuck off” (mi1) or short circuit of the pins “out&GND” (mi2). The electrical circuit for the implementation of fault (fhw1) “LM. DOU HL switch stuck on” is illustrated in Figure 3.

The choice of IFCSmin depends on the insertion costs for the pairs (pfi, mij). Let us assume that the insertion cost for all points is equal, and that the insertion cost of “stuck off” (mi1) is higher than that of “out&GND” (mi2). In this case the best variant is the following:

IFCSmin = {(p1, m12), (p6, m22), (p5, m32), (p7, m42), (p8, m52)}
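As an added worked example (not code from the paper or from RPC Radiy), the following Python encodes the feasibility matrix of Table VI below, enumerates every irreducible IFCS (one (point, means) pair per fault) and selects IFCSmin under the cost assumption just stated; the numeric cost values are assumed, only their ordering comes from the text.

```python
# Added example: irIFCS enumeration and IFCSmin selection for Table VI.
from itertools import product

# Table VI, transcribed from the paper: for each fault fhw_i and each insertion
# means m_ij, the set of scheme points Ipfhw_k (1..10) where a "1" appears,
# i.e. where that insertion is feasible under the restriction set FITR.
TABLE_VI = {
    "fhw1": {"m11": {2},    "m12": {1}},      # LM DOU HL switch stuck on
    "fhw2": {"m21": {3, 4}, "m22": {6}},      # LM DOU HR switch stuck on
    "fhw3": {"m31": {1, 2}, "m32": {5}},      # LM DOU LL switch stuck on
    "fhw4": {"m41": {5, 9}, "m42": {7}},      # LM DOU LR switch stuck on
    "fhw5": {"m51": {10},   "m52": {8}},      # LM DIU shorted field contact
}

# Assumed relative insertion costs: the paper only states that "stuck off"
# (m_i1) costs more than "out&GND" (m_i2) and that all points cost the same.
MEANS_COST = {"1": 2.0, "2": 1.0}   # keyed by the last digit of m_ij
POINT_COST = 1.0


def ifcs_of_fault(fault):
    """IFCS_{f_i}: all feasible (point, means) pairs of one fault (eq. 2 cut down by FITR)."""
    return [(p, m) for m, points in TABLE_VI[fault].items() for p in sorted(points)]


def irreducible_variants():
    """Every irIFCS: exactly one feasible (point, means) pair per fault.

    The Cartesian product of the per-fault lists gives 2*3*3*3*2 = 108 variants,
    the number stated in the paper; the first and last ones coincide with the
    paper's irIFCS1 and irIFCS108.
    """
    per_fault = [ifcs_of_fault(f) for f in TABLE_VI]
    return [dict(zip(TABLE_VI, combo)) for combo in product(*per_fault)]


def variant_cost(variant):
    """Total insertion cost of one irIFCS under the assumed cost model."""
    return sum(POINT_COST + MEANS_COST[m[-1]] for (_p, m) in variant.values())


def ifcs_min():
    """Cheapest irIFCS (ties broken by enumeration order)."""
    return min(irreducible_variants(), key=variant_cost)


if __name__ == "__main__":
    variants = irreducible_variants()
    print(len(variants), "irIFCS variants")
    print("IFCSmin:", sorted(ifcs_min().values()))
```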


Figure 3. Implementation of fault fhw1 “LM. DOU HL switch stuck on”

The electrical circuit for the implementation of the fault (fhw5) “LM. DIU Shorted field contact” is illustrated in Figure 4.

Figure 4. Implementation of fault fhw5 “LM. DIU Shorted field contact”

The IFCS table for the described symptoms is presented below (Table VI).

TABLE VI. TRANSFORMED IFCS TABLE (the ten columns on the right are the points Ipfhw1 … Ipfhw10)

Faults, fhwi                          Means, mij        Ipfhw1 … Ipfhw10
fhw1, LM. DOU HL switch stuck on      m11, stuck off    0 1 0 0 0 0 0 0 0 0
                                      m12, out&GND      1 0 0 0 0 0 0 0 0 0
fhw2, LM. DOU HR switch stuck on      m21, stuck off    0 0 1 1 0 0 0 0 0 0
                                      m22, out&GND      0 0 0 0 0 1 0 0 0 0
fhw3, LM. DOU LL switch stuck on      m31, stuck off    1 1 0 0 0 0 0 0 0 0
                                      m32, out&GND      0 0 0 0 1 0 0 0 0 0
fhw4, LM. DOU LR switch stuck on      m41, stuck off    0 0 0 0 1 0 0 0 1 0
                                      m42, out&GND      0 0 0 0 0 0 1 0 0 0
fhw5, LM. DIU shorted field contact   m51, stuck off    0 0 0 0 0 0 0 0 0 1
                                      m52, out&GND      0 0 0 0 0 0 0 1 0 0

In general we have 108 variants of the irIFCSs:

irIFCS = {irIFCS1 = {(p2, m11), (p3, m21), (p1, m31), (p5, m41), (p10, m51)}, …, irIFCS108 = {(p1, m12), (p6, m22), (p5, m32), (p7, m42), (p8, m52)}}.

C. HW FIT tool

To perform HW FIT, a special HW tool VTP (Validation Test Panel) was developed. The tool allows one to simultaneously insert one or more faults, to set the fault type and indicate the required data, and to check uncontrolled insertion risks. VTP is a part of the IVV system integrating National Instruments modules and the software tool LabVIEW. Several generations of HW FIT tools have been developed (see Figures 5÷7).

Figure 5. FIT panel v1.0

Figure 6. FIT panel 2.0

Figure 7. FIT control panel (panel elements: RUN and FAULT indicators, micro switches S1–S35, LAN ports 1–3, potentiometers P1–P6, LM)

D. An Example of SW FIT procedure

Let us consider an example of the SW FIT procedure implementation for one of the RPCT-generated SW parameters, the command code. Examples of types of failure identified by FMEA analysis are the following:

- fsw1 – Command code is WRONG but VALID (the code fragment is highlighted in red):
  - Command Code ≠ Command Code that was specified in the UAL project;
  - Command Code is within the legal range.
  Figure 8;
- fsw2 – Command code is WRONG and INVALID (the code fragment is highlighted in red):
  - Command Code ≠ Command Code specified in the UAL project;
  - Command Code is out of the legal range.
  Figure 9;
- fsw3 – Tuning Station (TS) sends a WRONG but VALID value to the LM, different from the one entered by the user. Figure 10.

Therefore, the location of defects (p) is determined by the SW FIT-ability of the RPCT output file being examined, and the value (m) is: the command code number for fsw1 and fsw2; the tuning value for fsw3 and fsw4.

Figure 8. SW FIT (Command code is WRONG and INVALID)

Figure 9. SW FIT (Number of the Block is WRONG but VALID)

Figure 10. SW FIT – “Tuning Station (TS) sends a WRONG but VALID value to the LM” (TV seeded by FIS: 50; TV entered by user: 40; LM#1, FIS, ATS)

E. SW FIT tool

To insert various types of failure into the SW components, special SW FIT tools were developed. These tools are used to test the design and mitigation measures which shall prevent the impact of RPCT application project aspects which can potentially be the source of FPICS faults. SW FIT tools allow performing the following:
- inserting fault(s) into RPCT output files and recalculating the Cyclic Redundancy Check (CRC), which is used to protect the data;
- inserting wrong data into network data frames, which are transmitted between the logic module and the. To insert wrong data, a network penetration attack, “Man-in-the-Middle”, is implemented by the tool [6] (Figure 11);

Figure 11. Network penetration attack – “Man-in-the-Middle”

- inserting fault(s) into the Electronic Design (ED) of the FSC Logic Module. Faults are inserted into the LM ED with a dedicated ED block, the so-called “saboteur”. The saboteur block was developed, verified and added into the LM ED during SW FIT test design.

CONCLUSIONS

The importance of performing HW and SW FIT for systems developed on the basis of FPICS, and FIT-ability as a sub-attribute of verifiability, have been analyzed. FIT-ability consists of a few characteristics determining the complexity of tools for FIT support, the simplicity of fault insertion (or injection) and reinjection, etc. Procedures and tools for the implementation of HW and SW FIT which were developed during the SIL certification of prospective FPICS have been discussed on the example of RadICS modules developed by RPC Radiy. Future studies are aimed at developing recommendations for improving the modules of the FPGA-based platform RadICS, with a view to enhancing their HW and SW FIT-ability.

REFERENCES

[1] Kharchenko, V., Odarushchenko, O., Sklyar, V., Ivasyuk, A., 2013, “Fault Insertion Testing: FIT-Ability, Optimal Procedure and Tool for FPGA Based Systems SIL Certification”, Proceedings of East-West Design & Test Symposium (EWDTS’2013), September 27-30, 2013, Rostov-on-Don, Russia, pp. 188-192.
[2] Kharchenko, V., Odarushchenko, O., Sklyar, V., Ivasyuk, A., 2014, “Fault Insertion Testing of FPGA-Based NPP I&C Systems: SIL Certification Issues”, Proceedings of the 2014 22nd International Conference on Nuclear Engineering ICONE 22, July 7-11, 2014, Prague, Czech Republic, Paper No. ICONE22-31163, 5 pages.
[3] Cotroneo, D., 2013, “Innovative Technologies for Dependable OTS-Based Critical Systems: Challenges and Achievements of the CRITICAL STEP Project”, Springer, Milan, p. 215.
[4] Hsueh, M., Tsai, T., Iyer, R., 1997, “Fault Injection Techniques and Tools”, IEEE Computer, Vol. 30(4), pp. 75-82.
[5] Leveugle, R., 2000, “Fault Injection in VHDL Descriptions and Emulations”, Proceedings of DFT’2000 Conference, October, pp. 414-419.
[6] Rehim, R., 2016, “Effective Python Penetration Testing”, Packt Publishing, Birmingham, 156 p.
[7] RadICS Platform description, http://www.radiy.com/ru/produktsiya-dlya-aes/produktsiya/plaforma-radics.html.

