P.-J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), pages 315--323, Baltimore, MD, 1993.
....2. Mode table defining the Mode Class Pressure of SIS 2. 2 An SCR Case Study: the Safety Injection System (SIS) The case study of this paper is the SCR specification of a system called the Safety Injection System (SIS), a simplified version of a control system for safety injection in a nuclear plant [5], which monitors water pressure and injects coolant into the reactor core when the pressure falls below some threshold. The system operator may override safety injection by turning a Block switch to On and may reset the system after blockage by setting a Reset switch to On. To specify the ....
P.-J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), pages 315--323, Baltimore, MD, 1993.
....method, we illustrate how the model checker SMV may be used to obtain a test sequence from a system property and an SCR requirements specification. We consider a system called the Safety Injection System (SIS), a simplified version of a control system for safety injection in a nuclear plant [6], which monitors water pressure and injects coolant into the reactor core when the pressure falls below some threshold. The system operator may override safety injection by turning a Block switch to On and may reset the system after blockage by setting a Reset switch to On. To specify the ....
P.-J. Courtois and David L. Parnas. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), Baltimore, MD, 1993.
....with its environment [Fen87, Fic92]. Goals are formulated in terms of prescriptive statements (as opposed to descriptive ones) [Zav97]; they may refer to functional or non-functional properties and range from high level concerns (such as safe nuclear power plant) to lower level ones (such as safety injection overridden when block switch is on and pressure is ....
[Figure 1: Preliminary goals identified from initial description of the safety injection system [Cou93]. Recoverable goal names from the figure: EffectiveCoolantSystem, Mitigate, SafetyInjectionIffLossOfCoolant.]
....benefits of explicitly modeling and reasoning about multiple goals at various levels of abstraction in the specific context of high assurance systems. We show how our goal oriented techniques can be used to constructively elaborate and analyze the requirements for a safety injection control system [Cou93]. Although fairly small, this case study comes from a real application, raises many of the issues found in high assurance systems and is frequently used to illustrate other methods such as, e.g., the SCR method [Heit96] and its analysis techniques [Bha99, Jef98, Gar99]. Illustrations on larger, ....
P.J. Courtois and D.L. Parnas, "Documentation for Safety-Critical Software", Proc. 1CSE'1993: 15th International Conference on Software Engineering, ACM Press, 1993, 315-323.
....specification for readers-writers problem for various number of processes [3]. lightcontrol and sis are two reactive software specifications. lightcontrol is an office light control system specification written in statecharts [5]. sis is a specification of a safety injection system for a nuclear reactor [7] which uses three sensor readings and a majority vote to control water pressure level in the reactor. insertionsort is a specification from [9] for array bound checking of an implementation of insertion sort algorithm. The results of our experimental evaluation of different representations for ....
P. J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proceedings of the 15th International Conference on Software Engineering, pages 315-323, May 1993.
....However, those grammars contain modifications, including precedence rules, necessary for unambiguous parsing. The syntax of the language is best illustrated by an example. Below is the specification of a simplified version of a control system for safety injection (SIS) in a nuclear power plant [8]. The line numbers are not part of the actual specification. They are included for ease of reference. The SIS system monitors water pressure and if the pressure is too low, the system injects coolant into the reactor core. There are three monitored variables in this specification (lines ....
Courtois, P.-J. and D. L. Parnas: 1993, `Documentation for Safety Critical Software'. In: Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93). Baltimore, MD, pp. 315--323.
....Discourse Ambiguity We look at an example of the use of the scenario to identify potential ambiguities. The Engineered Safety Feature Actuation System (ESFAS) used in nuclear power plants prevents or mitigates damage to the core and coolant system when a fault, such as loss of coolant, occurs [6]. The ESFAS monitors a pressure sensor and determines whether an actuation signal called safety injection must be sent to the safety feature components that cope with pressure accidents. The human operator has to press two momentary pushbuttons to block the signal and to reset the blockage. A part ....
Courtois, P.-J. and Parnas, D.L., "Documentation for Safety Critical Software," pp. 315--323 in Proceedings of the Fifteenth International Conference on Software Engineering, Baltimore, MD (May 1993 ).
....has been removed, forwarded, transformed, or is out of the scope of the requirements model. Preparation. The preparation phase took 4 weeks. During this phase, the students read material about their RSL and produced a tiny requirements model of the ESFAS (Engineered Safety Feature Actuation System) [CP93]. Then, each team wrote a 1 to 2 page essay about the RSL. At the end of this phase, the students had an opportunity to discuss all the problems they encountered with the RSL or CASE tool with their supervisor. The outcome of this phase was the requirements model and the essay. Based on these two ....
P.-J. Courtois and D.L. Parnas. Documentation for safety critical software. In Proceedings of the 15th International Conference on Software Engineering, pages 315--323, Baltimore, Maryland, USA, May 1993. IEEE Computer Society Press.
....interpretations. We look at an example of the use of the scenario to identify potential ambiguities. The Engineered Safety Feature Actuation System (ESFAS) used in nuclear power plants prevents or mitigates damage to the core and coolant system when a fault, such as loss of coolant, occurs [6]. The ESFAS monitors a pressure sensor and determines whether an actuation signal called safety injection must be sent to the safety feature components that cope with pressure accidents. The human operator has to press two momentary pushbuttons to block the signal and to reset the blockage. A ....
Courtois, P.-J. and Parnas, D.L., "Documentation for Safety Critical Software," pp. 315--323 in Proceedings of the Fifteenth International Conference on Software Engineering, Baltimore, MD (May 1993 ).
....performance is significantly faster than the theoretical measure, making it possible to incorporate this tool in a number of optimizing compilers. To determine the effectiveness of our abstract model checker, we analyzed the implementation of the simplified version of a Safety Injection System [Courtois and Parnas, 1993]. Safety Injection is an embedded system that monitors the water pressure and injects the coolant into the reactor core when the pressure falls below a certain threshold. The specification includes 6 variables, two of which are unconstrained integers. This system has been verified by Bultan ....
Courtois, P.-J. and Parnas, D. L. (1993). "Documentation for Safety Critical Software". In Proceedings of the 15th International Conference on Software Engineering, pages 315--323.
....value. A special event, called an input event, occurs when an input variable changes value. A conditioned event occurs if an event occurs when a specified condition is true. To illustrate the SCR constructs, we consider a simplified version of the control system for safety injection described by Courtois and Parnas [1993]. The system uses three sensors to monitor water pressure and adds coolant to the reactor core when the pressure falls below some threshold. The system operator blocks safety injection by turning on a Block switch and resets the system after blockage by turning on a Reset switch. Figure 2 ....
COURTOIS, P.-J. AND PARNAS, D. L. 1993. Documentation for safety critical software. In Proceedings of the 15th International Conference on Software Engineering (ICSE'93) (Baltimore, Md.). ACM, New York, 315--323.
....Labaw, 1996, Heitmeyer, Jeffords and Labaw, 1999) 2.2. Types and Dependency Sets To illustrate the SCR constructs, we consider a simplified specification of a control system for a nuclear power plant. This safety injection system injects coolant into the reactor core under certain conditions (Courtois and Parnas, 1993). Appendix A.1 contains a prose description of the behavior of this system, three tables taken from an SCR specification of the required system behavior, and the functions that can be derived from the tables using our formal model. In the example system, the set of variable names RF contains the ....
....Finally, we thank Todd Grimm and Bruce Labaw for automating the first abstraction method and the translation of SCR specifications into Promela. Appendix A.1. Specifying a Simple Control System in SCR The system, a simplified version of a control system for safety injection (Courtois and Parnas, 1993), monitors water pressure and injects coolant into the reactor core when the pressure falls below some threshold. The system operator may override safety injection by turning a Block switch to On and may reset the system after blockage by setting a Reset switch to On. To specify the ....
Courtois, P.-J. and Parnas, D.L. 1993. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), pages 315--323, Baltimore, MD.
....our method, we illustrate how the model checker SMV may be used to obtain a test sequence from a system property and an SCR requirements specification. We consider a system called the Safety Injection System (SIS), a simplified version of a control system for safety injection in a nuclear plant [6], which monitors water pressure and injects coolant into the reactor core when the pressure falls below some threshold. The system operator may override safety injection by turning a Block switch to On and may reset the system after blockage by setting a Reset switch to On. To specify the ....
P.-J. Courtois and David L. Parnas. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), Baltimore, MD, 1993.
....performance is significantly faster than the theoretical measure, making it possible to incorporate this tool in a number of optimizing compilers. To determine the effectiveness of our abstract model checker, we analyzed the implementation of the simplified version of a Safety Injection System [11]. Safety Injection is an embedded system that monitors the water pressure and injects the coolant into the reactor core when the pressure falls below a certain threshold. The specification includes 6 variables, two of which are unconstrained integers. This system has been verified by Bultan [2] ....
P.-J. Courtois and D. L. Parnas. "Documentation for Safety Critical Software". In Proceedings of the 15th International Conference on Software Engineering, pages 315--323, May 1993.
....systems are given here. One motivation for specifying requirements formally is that some notations make review, design, implementation, and development of test cases easier and more accurate. Formal documentation of requirements has also been shown to improve the quality of the final product [Courtois and Parnas 1993]. Tabular notations, for example, are familiar to engineers and supported by many tool environments. Another motivation for specification of requirements in a formal notation is that it allows formal analysis to investigate whether certain safety properties are preserved. For example, Dutertre ....
Courtois, P.-J. and Parnas, D. L. 1993. Documentation for safety critical software. In Proc IEEE 15th Int Conf on Software Eng (1993), pp. 315--323.
....this property takes $O(n \times (n - 1))$ steps. Therefore, the total running time for our model checker to check a formula $P$ is $O(|P| \times n^2)$. 5 Case Study To determine the effectiveness of our abstract model checker, we analyzed the simplified version of a Safety Injection System [7]. Safety Injection is an embedded system that monitors the water pressure and injects the coolant into the reactor core when the pressure falls below a certain threshold. There is a manual control that the operator can use to prevent the system from injecting the coolant, which causes the system ....
P.-J. Courtois and D. L. Parnas. "Documentation for Safety Critical Software". In Proceedings of the 15th International Conference on Software Engineering, pages 315--323, May 1993.
....implementation language Erlang, cf. e.g. [Armstrong et al. 1996]. This work was supported by the Deutsche Forschungsgemeinschaft, Sonderforschungsbereich 501, Entwicklung gro....
P.-J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proc. of 15th Intl. Conf. on Software Engineering, pages 315--323, 1993.
....applied to a variety of practical systems. These include avionic systems, such as the A-7 Operational Flight Program (OFP) [13, 1], a submarine communications system [12], and safety-critical components of two nuclear power plants, the Darlington plant in Canada [22] and a second plant in Belgium [4]. Recently, a consortium of aerospace companies has developed a version of the SCR method, called CoRE, to capture and document the requirements of avionics and space applications [7, 8]. While the above applications of SCR rely on manual techniques, effective use of the method in industrial ....
....an input event, occurs when an input variable changes value. Another special event, called a conditioned event, occurs if an event occurs when a specified condition is true. To illustrate the SCR constructs, we consider a simplified version of the control system for safety injection described in [4]. The system uses three sensors to monitor water pressure and adds coolant to the reactor core when the pressure falls below some threshold. The system operator blocks safety injection by turning on a Block switch and resets the system after blockage by turning on a Reset switch. Figure 2 ....
P.-J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proc., 15th Intern. Conf. on Software Eng., Baltimore, 1993.
....approach by analyzing two example systems using our composite model checker: (1) a requirements specification for the control software of a nuclear reactor's cooling system, and (2) a transport protocol specification. The first system analyzed is an enhanced version of a known SCR specification [9, 31, 40]. The underlying model contains a good mixture of booleans, unbounded integers and enumerated types, each of which retain their exact semantic interpretation in our composite model checker. Specifically, this means that during automated analysis checks, important integer values get propagated ....
....one model checker. 4 Composite Model Checking We will demonstrate our composite model checking approach on the requirements specification of the control software of a reactor's cooling system (Figure 2). This example, called the safety injection system, was adapted from previous specifications in [9, 31, 40]. The full SCR specification is given in Section 7. The safety injection system functions as a feedback loop: its sensors monitor the coolant system's water pressure ....
[Figure 2 residue; recoverable labels: WP1, WP2, WP3, Inject, Damp, Control Software, Coolant System, TooLow, Low, High, TooHigh, Reset, Block, System Operator, Pressure Sensors, Water]
P. J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proceedings of the 15th International Conference on Software Engineering, pages 315--323, May 1993.
....technique which circumvents the weaknesses presented above. As mentioned in [4], tabular notation is particularly useful for specifying function rules to produce crisper, clearer, and more precise specifications. We integrate SCR styled requirements, a formal method for requirements representation [3,10], as a black box like description into box structures. SCR was developed for embedded real time systems and has been used in various projects. The integration results in a development process which allows the development of near zero defect software for embedded real time systems. The remainder of ....
....time functions of quantities: Next(event) / Last(event) refers to the next (last) occurrence of this event. Drtn(condition) refers to the duration the condition holds. Safety injection example. To illustrate the A7 language, we consider a control system for a safety injection of a nuclear plant [3,9]: The system uses a sensor to monitor water pressure and adds coolant to the reactor core when the pressure falls below some threshold. The system operator blocks safety injection by turning on a Block switch and resets the system after blockage by turning on a Reset switch. Figure 1 shows ....
P.-J. Courtois and D. L. Parnas. Documentation for Safety Critical Software. In Proceedings of the 15th International Conference on Software Engineering, pages 315--323. IEEE Computer Society Press, May 1993.
....in the new state. The environment may change a monitored quantity, causing an input event. In response, the system changes controlled quantities and updates terms and mode classes. To introduce the SCR constructs, we consider a simplified version of a control system for safety injection [CP93]. The system monitors water pressure and injects coolant into the reactor core when the pressure falls below some threshold. The system operator may block this process by pressing a Block switch. The system is reset by a Reset switch. To specify the requirements of the control system, we use ....
P.-J. Courtois and D. L. Parnas. "Documentation for safety critical software". In Proc. 15th Int'l Conf. on Software Engg., Baltimore, 1993.
....not rely on the requirements specification document. If errors are found, the program version is returned to the development team for correction and verification needs to be restarted. Throughout this formally engineered process, detailed and well organized documentation needs to be maintained [8]. Development and certification are carried out incrementally and the system integration is continuous. During the development of the later versions, earlier versions and their interfaces must not be changed. As a methodology, evolutionary software design is similar to IBM's Cleanroom Software ....
P.-J. Courtois, D. L. Parnas, "Documentation for Safety Critical Software," Proc. 15th International Conference on Software Engineering, Baltimore, MD, May 1993.
....monitored event, occurs when a monitored variable changes value. Another special event, called a conditioned event, occurs if an event occurs when a specified condition is true. To illustrate the SCR method, we consider a simplified version of the control system for safety injection described in [2]. The system uses three sensors to monitor water pressure and turns on a safety injection system (which adds coolant to the reactor core) when the pressure falls below some threshold. The system also displays the current value of water pressure. The system operator blocks safety injection by ....
P.-J. Courtois and David L. Parnas. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), pages 315--323, Baltimore, MD, 1993.
....to the description of Mealy or Moore automata. But on the other hand, these functions tend to be large and nested case statements which are difficult to read. It might be more convenient to describe them using graphical notations as e.g. statecharts or tabular notations as e.g. NRL, see [CP93]. We found that PAISLey is not expressive enough to state all desirable timing properties. In our opinion, it is not sufficient to constrain the evaluation time of single functions. Furthermore, it is necessary to state constraints on paths connecting several processes. As an example it might be ....
P.-J. Courtois and David Lorge Parnas. Documentation for safety critical software. In Proc. of the 15th International Conference on Software Engineering, pages 315--323, 1993.
.... has been applied successfully to a number of practical systems, including the A-7 aircraft's Operational Flight Program [15, 1], a submarine communications system [14], and safety critical components of two nuclear power plants, the Darlington plant in Canada [22] and a second plant in Belgium [5]. More recently, a version of the SCR method called CoRE [8] was used to document the requirements of Lockheed's C-130J Operational Flight Program [9]. While the above applications of the SCR method rely on manual techniques, effective use of the method in industrial settings requires powerful, ....
....an input event, occurs when an input variable changes value. Another special event, called a conditioned event, occurs if an event occurs when a specified condition is true. To illustrate the SCR constructs, we consider a simplified version of the control system for safety injection described in [5]. The system uses three sensors to monitor water pressure and adds coolant to the reactor core when the pressure falls below some threshold. The system operator blocks safety injection by turning on a Block switch and resets the system after blockage by turning on a Reset switch. Figure 2 ....
P.-J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proc., 15th Intern. Conf. on Software Eng., Baltimore, 1993.
....constraints and their orthogonal implementations will hopefully allow us to expand to additional datatypes in the future. In the sequel, we demonstrate our results using an enhanced version of a known SCR specification, which states the requirements for a reactor's water pressure system [7, 16, 18]. The underlying model contains a good mixture of Booleans, unbounded integers and enumerated types, each of which retain their exact semantic interpretation in our composite model checker. Specifically, this means that during automated analysis checks, important integer values get propagated ....
....achieved for the SCR specification. We conclude with some remarks on the results, and outline our future research directions. 2 An Example: Safety Injection System As an example, we analyze the requirements for a reactor's cooling system; this example was adapted from previous specifications in [7, 16, 18] and in fact, we take a superset of these requirements, as well as add a few of our own. The target application is called an Engineered Safety Feature Actuation System, for a PWR Nuclear Power Plant. It basically functions as a feedback loop: its sensors monitor the coolant system's water ....
P. J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proceedings of the 15th International Conference on Software Engineering, pages 315--323, May 1993.
....(at most one new system state is defined) and well defined (for each enabled input event, at least one new system state is completely defined) [14, 18]. 2.2 Types and Dependencies Sets To illustrate the SCR constructs, we consider a simplified version of a control system for safety injection [9]. Appendix A contains a prose description of the behavior of this system, three tables taken from an SCR specification of the required system behavior, and the table functions that can be derived from the tables using our formal model. In the example system, the set of variable names RF contains ....
P.-J. Courtois and David L. Parnas. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), pages 315--323, Baltimore, MD, 1993.
....of the controller as well as of the plant. Because they have to be related to the open loop behaviors of the plant, they should be expressed in terms of the plant only. These descriptions and their relationships are suggested by [Ostroff, 1989] and more explicitly by Parnas et al., see e.g. [Courtois and Parnas, 1993, van Schouwen et al. 1993]. There, the open loop behaviors of the plant are described by a relation NAT on the monitored and controlled variables, which are considered as functions over time. The requirements are captured by a relation REQ on the same variables. In [van Schouwen et al. 1993] ....
....is viewed as one component of a larger (closed) system, the controller as another one. This approach is e.g. advocated by Zave in her work on the language PAISLey, see [Zave and Yeh, 1981, Zave, 1991]. There the environment and the controller are described by processes. Although Parnas et al. [Courtois and Parnas, 1993] advocate the description of the environment by the relation NAT, little is said about concrete formalisms besides their proposal to use a tabular notation. More attention is given to descriptions of the plant in the development of hybrid systems, see e.g. [Grossmann et al. 1993] and [Antsaklis et ....
P.-J. Courtois and David Lorge Parnas. Documentation for safety critical software. In Proc. of 15th Intl. Conf. on Software Engineering, pages 315--323, 1993.
P.-J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proc. 15th Int'l Conf. on Softw. Eng. (ICSE '93), pages 315--323, Baltimore, MD, 1993.
P.J. Courtois and D.L. Parnas, "Documentation for Safety-Critical Software", Proc. ICSE'1993: 15th International Conference on Software Engineering , ACM Press, 1993, 315-323.
P.-J. Courtois and D.L. Parnas, "Documentation for safety critical software", Proc. ICSE'93 - 15 Intl. Conf. on Software Engineering, 1993, pp. 315-323.
P.J. Courtois and D.L. Parnas, "Documentation for Safety-Critical Software", Proc. ICSE'1993: 15th International Conference on Software Engineering , ACM Press, 1993, 315-323.
Courtois, P.-J. and Parnas, D.L., "Documentation for Safety Critical Software", pp. 315--323 in Proceedings of the Fifteenth International Conference on Software Engineering, Baltimore, MD (May 1993 ).
P. J. Courtois and D. L. Parnas. Documentation for safety critical software. In Proceedings of the 15th International Conference on Software Engineering, pages 315--323, May 1993.
P.-J. Courtois and D. Parnas. Documentation for Safety Critical Software. In Proc. 15th Intl. Conf. on Software Engineering, pp. 315--323, 1993.