Software Reliability in Nuclear Systems
Arsen Papisyan, Anthony Gwyn
Introduction
• Therac-25 – delivery of high radiation doses to patients
• Slammer worm – disabled the safety parameter display system at a nuclear power plant
• Edwin I. Hatch nuclear power plant – computer reset the control system
• Stuxnet – worm in Iranian nuclear power plants
Introduction Cont’d
• Not always feasible to ensure complete software verification
• Not possible to test for every possibility
• Software testing only indicates the presence of faults, not their absence
• Goal: estimate software reliability in critical systems
• Approach: combine the results of software verification and mutation testing
Critical Systems
• Smaller and focused
• Rugged and have fault-tolerant features
• Designed with defense in mind
• Expected to have lower failure rates
• Meant to fail in fail-safe mode
• Do not rely on human judgment or interaction to initiate safety action
• Written in stable programming languages
Software in Nuclear Reactors
• Safety critical: systems important to safety, i.e. safe shutdown and heat removal from the core
• Safety related: systems required for the normal functioning of the safety systems
• Non-nuclear safety: no nuclear safety function
• Safety systems in power plants are categorized in levels from 1 to 4 by probability of failure
  – Level 1: 10^-2 – 10^-1
  – Level 4: 10^-5 – 10^-4
The Need for a New Approach
• Reliability depends on structure and runtime information
  – Simulation or execution of the software provides the runtime characteristics
• Traditional models assume availability of accurate and adequate software failure data
  – Difficult to collect
• Newly built plants have no failure history
  – Reliability estimation methods do not apply
Proposed Approach - Assumption
• 5 modules
• Pure software failures
• Single threaded without an operating system, or a safe and certified operating system with assumed reliability 1
Assumptions Cont’d
• ROM to prevent malware modification
• Output depends only on the current inputs
Prerequisites for approach
• Precise and Verified Test Cases
Prerequisites for approach cont’d
• Mutation testing: fault injection technique
  – First-order mutants are single faults
• K = number of mutants killed by test cases
• G = number of generated mutants
• E = number of equivalent mutants
• Test adequacy computation
Reliability estimation approach 1
• Randomly induced faults
• 3 possible outcomes
• Reliability =
• Simple, but results could be biased
  – If mutation testing is not effective enough, the large number of verified test cases may lead to a higher reliability estimate
Reliability estimation approach 2
• Pseudo code – allows integration of the operational profile into the reliability estimate
  – Ensures that unverified test cases fail during mutation testing, eliminating the bias due to a large number of verified test cases
Results
• Helps in choosing the combination of x and y values required to achieve the target reliability
• x0, y0 – Software requires rigorous verification
• x0, y1 – Very high reusability, more software verification is +
• x1, y0 – Nearly all generated paths verified, do not share much code
• x1, y1 – Ideal scenario
Conclusion
• Need common ways to demonstrate the safety of computer-based systems in nuclear plants
• Results suggest that test adequacy is a major factor in determining software reliability
  – Systems must have high test coverage and a high mutation score
The End