research-article

Software certification experience in the canadian nuclear industry: lessons for the future

Published: 09 October 2011

Abstract

The computer-controlled shutdown systems for the Nuclear Power Generating Station at Darlington, Canada, have been subject to licensing scrutiny on a number of occasions. After the first licence was approved in 1990, the licensee, Ontario Hydro, was given a number of years by the regulator to redesign the shutdown systems so that they would be more maintainable. This paper briefly describes the original certification process, the lessons learned, and the subsequent development and certification of the redesigned shutdown systems, covering the development process, the licensee's internal certification processes, and the regulator's certification process. Although twenty years have elapsed since this work started, and there are new analysis techniques and tools that could be applied today, the original process itself has withstood the test of time extraordinarily well. This paper describes the principles that explain why it was so successful, and how more modern approaches can be developed from this experience.




      Published In

      EMSOFT '11: Proceedings of the ninth ACM international conference on Embedded software
      October 2011
      366 pages
      ISBN:9781450307147
      DOI:10.1145/2038642
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. nuclear
      2. safety-critical software
      3. software certification

      Qualifiers

      • Research-article

      Conference

      ESWeek '11
      ESWeek '11: Seventh Embedded Systems Week
      October 9 - 14, 2011
      Taipei, Taiwan

      Acceptance Rates

      Overall Acceptance Rate 60 of 203 submissions, 30%

      Cited By

      • (2025)Completeness and Consistency of Tabular Requirements: An SMT-Based Verification ApproachIEEE Transactions on Software Engineering10.1109/TSE.2025.353082051:2(595-620)Online publication date: Feb-2025
      • (2022)A Case Study in the Automated Translation of BSV Hardware to PVS Formal Logic with Subsequent VerificationTheoretical Aspects of Software Engineering10.1007/978-3-031-10363-6_5(65-72)Online publication date: 2022
      • (2021)Applications of Discrete Event SystemsEncyclopedia of Systems and Control10.1007/978-3-030-44184-5_59(67-76)Online publication date: 4-Aug-2021
      • (2017)Correct safety critical hardware descriptions via static analysis and theorem provingProceedings of the 5th International FME Workshop on Formal Methods in Software Engineering10.5555/3101290.3101306(58-64)Online publication date: 20-May-2017
      • (2017)Correct Safety Critical Hardware Descriptions via Static Analysis and Theorem Proving2017 IEEE/ACM 5th International FME Workshop on Formal Methods in Software Engineering (FormaliSE)10.1109/FormaliSE.2017.11(58-64)Online publication date: May-2017
      • (2017)Use of Tabular Expressions for Refinement AutomationModel and Data Engineering10.1007/978-3-319-66854-3_13(167-182)Online publication date: 6-Sep-2017
      • (2015)Stateflow to Tabular ExpressionsProceedings of the 6th International Symposium on Information and Communication Technology10.1145/2833258.2833285(312-319)Online publication date: 3-Dec-2015
      • (2014)Applications of Discrete Event SystemsEncyclopedia of Systems and Control10.1007/978-1-4471-5102-9_59-1(1-10)Online publication date: 8-Feb-2014
      • (2013)Software Test of Wireless Vibration Nodes of Nuclear Power PlantsApplied Mechanics and Materials10.4028/www.scientific.net/AMM.336-338.313336-338(313-318)Online publication date: Jul-2013
