



Title Verification of FPGA application design

by model checking

Author(s) Pakonen, Antti

Citation 9th International Workshop on the

Application of Field Programmable Gate Arrays in Nuclear Power Plants, 3 - 6

October 2016, Lyon, France

Date 2016

Rights This article may be downloaded for

personal use only.

VTT

http://www.vtt.fi P.O. box 1000 FI-02044 VTT Finland By using VTT Digital Open Access Repository you are bound by the following Terms & Conditions.

I have read and I understand the following statement:

This document is protected by copyright and other intellectual property rights, and duplication or sale of all or part of any of this document is not permitted, except duplication for research use or educational purposes in electronic or print form. You must obtain permission for any other use. Electronic or print copies may not be offered for sale.





# Verification of FPGA application design by model checking

9th Workshop on the application of FPGAs in NPPs Antti Pakonen

**VTT Technical Research Centre of Finland Ltd** 



# Scope: Verification of application design



**Program / Logic** 

Function Block Diagram FPGA schematic VHDL





#### **Code / Netlist**

C, Java... Assembly FPGA netlist







# **Embedded System**

PLC, FPGA, PC, µC...



# **Model checking**





# A short history

Theory developed in early 1980s

1990s: hardware verification

2000s: software verification





# Model checking of control logic design

- Model checking does not apply to the evaluation of sophisticated control loops...
- ...but it is very efficient in the context of safety critical systems!
- Faults can be found in systems that have already undergone traditional V&V.
- Faults often involve scenarios that are difficult to come up with.













## VTT customer projects



#### Olkiluoto 3 (under construction)

- Evaluation of NPP I&C system designs 2008-2011
- Evaluation of Olkiluoto 3 Protection System 2015
- Evaluation of Olkiluoto 3 PACS 2015

#### **©**Fortum

#### Loviisa 1 & 2 I&C modernization

- Verification of nuclear automation 2009
- Verification of nuclear I&C in the LARA project 2012-2014
- Verification of nuclear I&C in the ELSA project 2016

#### **FENNOVOIMA**

#### Hanhikivi 1 (decision-in-principle)

Model checking of functional, architecture-level I&C 2016





# **Challenges: Modelling**





```
_ D X
Simantics_example.smv * SciTE
File Edit Search View Tools Options Language Buffers Help
 1 Simantics_example.smv 3
  - MODULE LCT(IN1, IN1_FAULT, LIM, LIM_FAULT, HYST, HYST_FAULT)
               last_value : boolean;
          DEFINE
               OUT :=
               case
                    IN1_FAULT | LIM_FAULT | HYST_FAULT : last_value;
                     (IN1 < LIM): TRUE;
                     (IN1 > (LIM + HYST)): FALSE;
                    TRUE: last_value;
               esac;
               OUT_FAULT := IN1_FAULT | LIM_FAULT | HYST_FAULT;
          ASSIGN
               init(last_value) := FALSE;
               next(last_value) := OUT;
   - MODULE HCT(IN1, IN1_FAULT, LIM, LIM_FAULT, HYST, HYST_FAULT)
          VAR
               last_value : boolean;
          DEFINE
               OUT :=
               case
                    IN1_FAULT | LIM_FAULT | HYST_FAULT : last_value;
                    (IN1 > LIM): TRUE;
                     (IN1 < (LIM - HYST)): FALSE;
                     TRUE: last_value;
               esac;
               OUT_FAULT := IN1_FAULT | LIM_FAULT | HYST_FAULT;
               init(last_value) := FALSE;
               martilant valuel .- OUT.
```



# **Challenges: Counterexample visualization**







# **Challenges: Requirement formalization**







```
(G!Alarm) | (!Alarm U (Alarm & F
Shutdown -> (!Shutdown U ( ( Temperature
< 55 ) & !Shutdown & X ( !Shutdown U
Feedback_pump = OFF ) ) ) )
```

```
G ( ( Shutdown & ! ( ( T4_Level_M < 230 ) )
) -> ( G ( V15_Open ) | ! V15_Open
U ( T4_Level_M < 230 ) ) ) )
```



# MODCHK – graphical tools for I&C verification

- Vendor-specific, proprietary function block libraries [2]
- Structural, composite models
- Verification with NuSMV 2.6.0
- Counterexample animation



<sup>[1]</sup> https://www.simulationstore.com/node/52

<sup>[2]</sup> A. Pakonen, T. Mätäsniemi, J. Lahtinen, T. Karhela, A Toolset for Model Checking of PLC Software, 18th IEEE International Conference on Emerging Technologies and Factory Automation, ETFA2013, 10-13 September 2013, Cagliari, Italy, Proceedings. IEEE (2013)



# **MODCHK: Counterexample visualization**

2D animation, with numerical monitors for analogue signals







# **VHDL** model checking

- VHDL model checking tools have been proposed.
- "Tweaking" (simplification / abstraction) is still needed in the case of, e.g., timed delays.
  - Megahertz scale clock cycle vs. second-scale delays -> large integer variables & state space explosion [2]
- Theoretical problems for VHDL finite-state verification:
  - Increasingly delayed signal assignment nested in an infinite loop [1]
  - Non-halting recursive function with local variables [1]

<sup>[1]</sup> Déharbe, D., Shankar, S., Clarke, E.M.: Model Checking VHDL with CV. Proceedings of the Second International Conference on Formal Methods in Computer-Aided Design. FMCAD '98. 508-514. Springer-Verlag, London, UK, 1998 [2] Lahtinen, J., Ranta, J., Lötjönen L.: CORSICA 2013 work report: Test set generation, FPGA model checking, and fault injection. VTT Research Report VTT-R-00212-14, 2014.



## VHDL model checking – the "hard" way















# VHDL model checking with MODCHK

- Encapsulation of VHDL code
- Joint verification of µp and FPGA systems







# Application logic model checking: µp vs. FPGA

| μ <b>p</b> model checking                                                                                                   | FPGA model checking                                                                                                                                                                                                |
|-----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>FB</b> : Automatic model generation not possible, if the basic blocks are proprietary. Abstraction is also often needed. | FB: Automatic model generation not possible, if the basic blocks are proprietary. Abstraction is also often needed.  VHDL: Automatic model generation not entirely feasible, e.g., timed delays have to be scaled. |
| <b>FB</b> : Graphical tools can be used for modelling & block-level counterexample animation.                               | FB / VHDL: Graphical tools can be used for modelling & block-level counterexample animation.                                                                                                                       |



## **VTT** customer projects



#### Olkiluoto 3 (under construction)

- Evaluation of NPP I&C system designs 2008-2011
- Evaluation of Olkiluoto 3 Protection System 2015
- Evaluation of Olkiluoto 3 PACS 2015

#### **©**Fortum

#### Loviisa 1 & 2 I&C modernization

- Verification of nuclear automation 2009
- Verification of nuclear I&C in the LARA project 2012-2014
- Verification of nuclear I&C in the ELSA project 2016

#### **FENNOVOIMA**

#### Hanhikivi 1 (decision-in-principle)

Model checking of functional, architecture-level I&C 2016





#### **OL3 I&C Architecture**





# Priority and Actuator Control System (PACS) functions

- Between actuators and main I&C systems
- Controls:
  - Valves (control, isolation, solenoid)
  - Motors for various components (e.g. pumps, fans)
- Performs functions:
  - Prioritization of actuation requests
  - Drive actuation
  - Drive monitoring
  - Component protection (terminate command to valve if a travel limit and/or torque limit switch responds)



## **PACS** components

- To introduce diversity, OL3 PACS uses two different modules:
  - AV42
  - SPLM1-PC11









#### **AV42**

- Areva NP AV42 Priority Actuation and Control (PAC) Module
- Two major components:
  - Programmable logic device (PLD)
     consisting of interconnected logic gate arrays
  - ASIC PROFIBUS controller for non-safetyrelated functions
- Detailed design specification, using the ALTERA tool for PLD programming with predefined function blocks
- Programming tool: ALTERA MAX+plus II





#### **AV42 PLD functions**

- Safety-related functions implemented in the PLD:
  - Acquisition and prioritization of safety-related commands
  - Acquisition and processing of the checkback signals from the actuators
  - Command output and command termination
  - Output of signals to lamps on I&C panels
  - Test logic incl. lamp test
- Application I/O number: 60
- Internal memories, delays





#### SPLM1-PC11

- Logic functions for priority and monitoring are distributed among two PLD devices.
- a dedicated instance of the SPLM1 programmable logic module of the TELEPERM XS (TXS) equipment platform

Detailed design specification using VHDL





#### **SPLM1-PC11** functions

- Safety-related functions implemented in the PLDs:
  - Acquisition and prioritization of safety-related commands
  - Acquisition and processing of the checkback signals from the actuators
  - Command output and command termination
  - Output of signals to lamps on I&C panels
  - Test logic incl. lamp test
- Application I/O number: ~40
- VHDL code: ~2500 lines
- Internal memories, delays





# **Verifying AV42**

- Model built graphically, using MODCHK
- Model state space: ~ 10<sup>14</sup> reachable states
- Analysis times: less than a second some minutes (depending on property)







# **Verifying PC11**

- Model built manually based on VHDL code
- Model state space: ~ 10<sup>20</sup> reachable states
- Analysis times: seconds







# **Verifying the functionality of PS + AV42 + PC11**

Confidential figure redacted.





#### **Verification results for the PLDs**

- No issues relevant to safety were detected in the PLD application logics.
- Minor issues (no practical relevance) related to checkback delays – discrepancy between processing details and simplified presentation in the manuals









# Application logic: Microprocessor vs. FPGA

| Microprocessor                                                                                        | FPGA                                                                                                  |
|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|
| The application logic is designed using function blocks, or some other suitable programming language. | The application logic is designed using function blocks, or some other suitable programming language. |
| It is very easy to design an application logic that is very complex.                                  | It is very easy to design an application logic that is very complex.                                  |
| Most real-world applications are complex enough to prevent 100% functional testing.                   | Most real-world applications are complex enough to prevent 100% functional testing.                   |
| While requiring some effort, model checking is a relatively cheap method given the benefits.          | While requiring <i>some</i> effort, model checking is a relatively cheap method given the benefits.   |



30

#### **Conclusions**

- Model checking of FPGA designs is feasible in practice.
- Expertise is required, but work effort is calculated in days, not weeks.
- The analysis itself is fast and exhaustive, even when verifying systems that are consist of both microprocessor and FPGA application logic.
- http://www.vttresearch.com/modelchecking

