**The SymPLe Project** 

#### Achieving Verifiable and High Integrity Embedded Digital Devices Through Complexity Awareness and Constrained Design

12th International Workshop on Application of

Field Programmable Gate Arrays in Nuclear Power Plants

October 14-16, 2019

Dr. Carl Elks, Rick Hite, Jason Moore (Mathworks) Athira Jayakumar, Smitha Gautham, Chris Deloglos, Andrew Nack (Paragon)and Dr. Ashraf Tantawy

> Virginia Commonwealth University Department of ECE Richmond, Virginia, USA

Matt Gibson Lead PI, Electric Power Research Institute, Charlotte, NC.

Sponsored by DOE Office of Nuclear Energy, Advanced Sensors and Instrumentation under the NEET-2 Program





#### **The Team**

POC information: <u>crelks@VCU.edu</u>, mgibson@epri.com ,

- Matt Gibson, Program PI, EPRI mgibson@epri.com
- Dr. Carl Elks, Co-PI, Assistant Professor of ECE, Virginia Commonwealth University – crelks@vcu.edu
- Dr. Ashraf Tantawy, Associate Research Professor, Virginia Commonwealth University
- Jason Moore, Consulting Services Mathworks
- Andrew Nack, Commercial Grade Dedication, Paragon Inc.
- VCU Students
  - Rick Hite, PhD Candidate Lead Architect
  - Smitha Gautham, PhD Candidate HW V&V and Formal Methods
  - Chris Deloglos, PhD Candidate Architect

- Athira Jayakumar MS Student Model Based V&V and Testing
- Future collaborators
  - Dr. Patrick Schaumont, Va Tech HW cyber security
  - Dave Landol OneSpin VLSI formal Verification











#### **SymPLe Project: Overview**

- The talk today is about two things: (1) A rapid overview of the SymPLe architecture concept, (2) and the formal model based design assurance activities with respect to IEC 61508.
- Phase 1 sponsored by EPRI and DOE Office of Nuclear Energy, Advanced Sensors and Instrumentation under the NEET-2 Program from 2015 to 2019.
  - The program objectives were to research effective methods to significantly reduce and mitigate Software Common Cause Faults (CCF) in digital I&C.
- Our approach to addressing SCCF was unusual we avoided software !
- SymPLe is as much a <u>way of thinking</u> about designing critical systems as it is as about the SymPle architecture itself.
- The way you design tells a lot about what you design.



#### Critical Systems Thinking "paraphrased from J. Rushby, Composing Safe Systems"

- We build systems from components and platforms, but what makes something a system is that its architected properties and behaviors are distinct from those of its components.
  - We have become good at this, most of the time.

- For critical systems, we need nearly <u>all of the time behavior.</u>
- As SW IP, SW languages, HW components become complex then we may inherit unwanted or undesirable component interactions, and not know it.
- How do we compose complex systems and not inherit undesired emergent properties and interactions? This is a open and very active research question.
- SymPLe architecture project are steps in this direction.



#### **COMPLEXITY AWARENESS FOR VERIFIABLE SYSTEMS**

- It is out of these insights that we cultivated the notions of "Complexity Awareness", "Constrained Behavior" and "Roots of Trust" to support verifiable and cost effective I&C devices and systems.
- Fact: Most nuclear I&C safety functions are not computationally demanding.
- In the context of nuclear power we often do not need derivatives of "software intensive" systems and by extension, not carrying the complexity associated with these devices and systems.
- We assert, reducing complexity and enhancing reasoning about a system provides a tenable foundation for justifying the trust in the system.



#### **COMPLEXITY AWARE CONCEPT**

- A <u>complexity aware design</u> avoids (or can't) encroach into the unknown state space (the light yellow space).
- Desirable to stay on valid and correct state space paths (green and dark yellow).
- By limiting complexity (by design), paths into the unknown state space are limited to the point we can reason about the design and its implemented behavior.

College of Engineering

 This can only occur through architectural solutions Domain of behavior state space diagram

Design flaw or omission flaw

Normal Execution - *Path exercised* continuously in normal situations

valid, but exception execution - *Path exercised in occasional but tested situations* 

Unforeseen and unknown execution, not tested resulting in erroneous behavior



#### **SymPle Architecture Concept**



FPGA or System on A Chip

- SymPLe is a HW solution. It allows programmability and computation at low orthogonality.
- **Engineer Accessible**: By adopting overlay architecture, we hope to make SymPLe accessible like a CPU based architecture but without its complexity function blocks are the execution functions.
- SymPLe is a architectural viewpoint that seeks to maximize reasoning, transparency and evidence while avoiding unnecessary complexity





### **Basic Design Tenants of SymPLe**

- <u>Model based formal Design and Verification</u> Maximize the transparency and evidence about design assurance, development, and implementation.
- *Verifiability* SymPLe is limited in what it can do it trades computational power for verifiability.
- <u>Composability</u> The behavior of "composed" element is a composition of the behaviors of its constituent elements, with welldefined, unambiguous rules of composition.
  - -Interfaces of elements are unambiguously specified, including behavior.
  - -Interactions across elements occur only through their specified interfaces
  - Assume guarantee reasoning
- <u>Orthogonal</u> The system is modularized using principles of separation of concerns, considering orthogonality<sup>1</sup> of functions and data.
  - Think of Lego blocks can only interact in a few restricted ways.
  - Only required interactions are allowed. The architecture precludes unwanted interactions and unwanted, unknown hidden coupling or dependencies.
  - Each element (e.g., a FB unit) is internally well-architected and relatively simple.
- *Determinism* The system is architected (satisfying conditions above) to be predictable and synchronous in it's execution behavior.

### These Tenants along with a formal model based design and verification methodology allows CCFs to be identified before deployment, and enhances the ability to reason about system during qualification.

1 = a relatively small set of primitive constructs can be combined in a relatively small number of ways to build the control and data structures of program behavior





#### SymPLe: Complexity Awareness Design + FPGA Overlay Architectures + Model Based Engineering

- Overlay architectures are computational systems that are designed on top of a traditional FPGA fabric.
- Overlays are not "fixed" designs or reverse engineered old designs:
  - They employ a computational model
  - They represent a user domain
  - They encode requirements from the users domain.
- Overlay architectures allow a domain community to decide what is "important" them.
- For the nuclear I&C community we know what is important

College of Engineering

 Verifiability, Safety, Security and evidence for trust.



An overlay – A user or need aspect oriented device or machine



#### High Level Architecture Model of SymPLe





#### **Illustration of SymPLe FB Execution**



#### **Complete SymPLe System**

College of Engineering

12



ELECTRIC POWER RESEARCH INSTITUTE EPRI

#### **SymPLe Function Blocks**

# Most safety critical I&C applications in NPP are not computationally challenging. Don't need complex operations.



- Inspired by IEC 61131-3 and IEC 61499-1
- Deterministic, synchronous behavior.
- Separation of control and dataflow with clear and defined interconnections

College of Engineering

Formal semantics

| Elementary | FBs |
|------------|-----|
|            |     |

| Instruction            | Description          |
|------------------------|----------------------|
| AND, OR, NOT, XOR,     | Logical Operators    |
| NAND, NOR              | Logical Operators    |
| BAND, BOR, BNOT, BXOR, | Bitwise Logical      |
| BNAND, BNOR, BSL, BSR  | Operators            |
| MAX, MIN, MUX          | Selection Operators  |
| GT, GE, EQ, LT, LE, NE | Comparison Operators |
| ADD, SUB, MUL, DIV     | Arithmetic Operators |
| MOVE                   | System Operators     |
| QMNtoINT, INTtoQMN,    |                      |
| BOOLtoSAFEBOOL,        | Type Conversion      |
| SAFEBOOLtoBOOL         |                      |

#### **Built-up FBs**

| Instruction  | Description              |  |  |
|--------------|--------------------------|--|--|
| PID          | Control Operator         |  |  |
| TON, TOF     | Timer Operator           |  |  |
| FXTOI, ITOFX | Data Conversion Operator |  |  |
| AVOTE        | Analog Voting            |  |  |
| BVOTE        | Digital Voting           |  |  |
| MEM          | Memory Operator          |  |  |
| LOG          | Logging Operator         |  |  |

## All V 2.0 Function blocks have undergone formal verification and extensive testing.







#### Model Based Design Assurance and Verification for SymPLe IEC 61508 Process

Athira Jayakumar<sup>2</sup>, Smitha Gautham<sup>1</sup>, Jason Moore<sup>3</sup> Virginia Commonwealth University Department of ECE Richmond VA <sup>3</sup>Mathworks Consulting Group VCU PhD candidate<sup>1</sup>, VCU MS candidate<sup>2</sup>



#### **Model Based Design Verification Workflow**





#### **The Major Tool Flows**

College of Engineering

MATLAB SIMULINK



#### OneSpin just acquired – Future workflow



#### IEC 61508 Guidance

- 61508 Section 3 Annex Table
- There are many of these tables
- These tables provide guidance on appropriate practices, techniques needed for compliance.
- The 61508 standard provides <u>no</u> guidance with respect to "how" or "methodology".
- Huge gap between standard and (methods and tools).
- Selecting IEC 61508 qualified tools is important.

#### Table A.9 – Software Verification

|                                                                                               | Technique/Measur<br>e                                                                                               | SIL<br>1  | SIL<br>2 | SIL<br>3 | SIL<br>4 | Applicable Model-Based<br>Design Tools and Processes                      | Comments                                                                                                                                                              |                                                                                                                                                           |
|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|-----------|----------|----------|----------|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1.                                                                                            | Formal proof                                                                                                        | -         | R        | R        | HR       | Simulink – Model Verification<br>block library                            | Model Verification blocks can be<br>used to formalize software safety<br>requirements and other model<br>properties.                                                  |                                                                                                                                                           |
|                                                                                               |                                                                                                                     |           |          |          |          | Simulink Design Verifier –<br>Property proving, design error<br>detection | Property proving can be used to<br>verify model properties. Design<br>error detection can analyze a<br>model to detect design errors that<br>might occur at run time. |                                                                                                                                                           |
|                                                                                               |                                                                                                                     |           |          |          |          | Polyspace Code Prover – Code<br>verification                              | Polyspace Code Prover can<br>analyze C code to identify<br>software errors that might occur<br>during run time.                                                       |                                                                                                                                                           |
| 2.                                                                                            | Animation of<br>specification and<br>design                                                                         | R         | R        | R        | R        | Simulink<br>Stateflow                                                     | Simulink and Stateflow can be<br>used to animate design and/or<br>specification models                                                                                |                                                                                                                                                           |
| 3.                                                                                            | Static analysis                                                                                                     | R         | HR       | HR       | R        | Model Advisor- 61508 Checks                                               |                                                                                                                                                                       |                                                                                                                                                           |
| 4.                                                                                            | Dynamic analysis and testing                                                                                        | R         | HR       | HR       | HR       | Simulink Test                                                             |                                                                                                                                                                       |                                                                                                                                                           |
| 5.                                                                                            | Forward traceability<br>between the software<br>design specification<br>and the software<br>verification (including | R         | R        | HR       | HR       | R HR                                                                      | Simulink Requirements                                                                                                                                                 | Simulink Requirements can be<br>used to link design models to<br>textual descriptions in Microsoft<br>Word, Microsoft Excel, ASCII text,<br>and PDF files |
|                                                                                               | data verification) plan                                                                                             |           |          |          |          | Simulink Test                                                             | Test Manager feature of Simulink<br>Test can be used to establish<br>bidirectional links between test<br>cases and external documents<br>with textual requirements.   |                                                                                                                                                           |
| 6. Backward traceability between the software verification (including data verification) plan |                                                                                                                     | R         | R        | HR       | HR       | Simulink Requirements                                                     | Simulink Requirements can be<br>used to link design models to<br>textual descriptions in Microsoft<br>Word, Microsoft Excel, ASCII text,<br>and PDF files             |                                                                                                                                                           |
|                                                                                               | and the software<br>design specification                                                                            |           |          |          |          | Simulink Test                                                             | Test Manager feature of Simulink<br>Test can be used to establish<br>bidirectional links between test<br>cases and external documents<br>with textual requirements.   |                                                                                                                                                           |
| 7.                                                                                            | Offline numerical analysis                                                                                          | R         | HR       | HR       | HR       | MATLAB                                                                    | MATLAB can support offline<br>numerical analysis                                                                                                                      |                                                                                                                                                           |
| Software module testing and integration                                                       |                                                                                                                     | Table A.5 |          |          |          |                                                                           |                                                                                                                                                                       |                                                                                                                                                           |
| Programmable electronics integration testing                                                  |                                                                                                                     | Table A.6 |          |          |          |                                                                           |                                                                                                                                                                       |                                                                                                                                                           |
| Software system testing (validation)                                                          |                                                                                                                     |           | e A.7    |          |          |                                                                           |                                                                                                                                                                       |                                                                                                                                                           |



### SymPLe Design Assurance V & V Workflow

- The Design Assurance workflow we developed and adopted was by far the most challenging part of the project
- IEC 61508 International functional safety standard for Electronic/Programmable Electronic Safety related systems.
- SymPLe Goal is SIL Level 4
- Need for a Systematic Verification Process with Evidence Reports

College of Engineering

**Evidence and Artifacts Perspective** 





#### **Design Assurance Process Perspective of V&V Workflow**

- Most V-Models portray a linear flow from requirements to design (waterfall).
- Note, the V- model aspects of our workflow are not linear. We have feedback loops.
- Requirements/specifications are refined by gaining more understanding of the desired (and undesired) system behaviors.
- This is the way it works in real life.





#### A few examples from V&V process

- Due to time limits, we can't go through every aspect of the model based V&V workflow today.
- We select a few, and jump to the main findings.
- The intention of the stateflow implementation as seen in figure is to keep the task\_error true when there is a non-recoverable error.





#### **Example1 – State Chart configuration issue**

- A wrong state chart setting "Initialize Outputs Every Time Chart Wakes Up" resulted in incorrect output behavior even though the stateflow implementation is perfectly alright.
- State chart setting caused the output to be initialized to zero each time the state chart woke up which was on each clock cycle.
- Model Based testing was effective enough to find even the hardest configuration related errors.
- 78% design faults were caught at Model Based Testing.
- Note:

22

The Bug was found well before HDL code generation !!





#### **Structural Coverage**

- Structural Model Coverage How much of the model has been exercised by testcases?
  - To determine design errors like dead Logic branches or over-specified design
  - To determine if sufficient test vectors have been created
  - To determine if existing requirements are sufficient.
- Used Modified Condition/Decision Coverage (MC/DC) coverage criteria.



- An example of an over-specified design causing less coverage.
- After removing the redundant condition in the transition, MC/DC coverage is no more applicable for the model due to absence of multiple condition decision statements or state transitions.
- Depicts simplicity of design.



#### Summary

| Model Hierarchy/Complexity              |    | Test 1   |           |           |
|-----------------------------------------|----|----------|-----------|-----------|
|                                         |    | Decision | Condition | Execution |
| 1. local_sequencer                      | 61 | 99%      | 100%      | 97%       |
| 2 Compare To Constant                   |    | NA       | 100%      | 100%      |
| 3 Extract Bits                          |    | NA       | NA        | 100%      |
| 4 <u>Extract Bits1</u>                  |    | NA       | NA        | 100%      |
| 5 Extract Bits2                         |    | NA       | NA        | 100%      |
| 6 Increment Stored Integer              |    | NA       | NA        | 100%      |
| 7 MATLAB Function                       | 3  | 100%     | NA        | NA        |
| 8 <u>StateFlow</u>                      | 50 | 100%     | NA        | NA        |
| 9 <u>SF: StateFlow</u>                  | 49 | 100%     | NA        | NA        |
| 10                                      | 3  | 100%     | NA        | NA        |
| 11                                      | 1  | 100%     | NA        | NA        |
| 12 <u>SF: FB_EXECUTE</u>                | 2  | 100%     | NA        | NA        |
| 13 <u>SF: FB_SELECT</u>                 | 4  | 100%     | NA        | NA        |
| 14 <u>SF: FETCH</u>                     | 10 | 100%     | NA        | NA        |
| 15                                      | 10 | 100%     | NA        | NA        |
| 16 <u>current_addr</u>                  | 1  | NA       | NA        | 100%      |
| 17 Unit Delay Enabled Resettable        | 1  | NA       | NA        | 100%      |
| 18 <u>function_num</u>                  | 1  | NA       | NA        | 100%      |
| 19 <u>Unit Delay Enabled Resettable</u> | 1  | NA       | NA        | 100%      |
| 20 <u>inst_counter</u>                  | 4  | 88%      | NA        | 93%       |
| 21 <u>Add_wrap</u>                      | 1  | 50%      | NA        | 75%       |
| 22 <u>start_inst_ptr</u>                | 1  | NA       | NA        | 100%      |
| 23 Unit Delay Enabled Resettable        | 1  | NA       | NA        | 100%      |
|                                         |    |          |           |           |



#### **Functional Coverage**

- Bi-directional traceability links between Testcases and Requirements
- Ensures 100% Requirements coverage



| ilts by name or tags, e.g. tags: test        | 9      | - SUMMARY                               |                                                  |
|----------------------------------------------|--------|-----------------------------------------|--------------------------------------------------|
|                                              | STATUS |                                         |                                                  |
| TestCase#8 Write State 2nd Output            | 0 *    | Name                                    | TestCase#17 End of Sequence                      |
| TestCase#9 FB Done state                     | 0      | Outcome<br>Start Time                   | 03/18/2019 21:14:43                              |
| TestCase#10 Error in FB Select State         | 0      | End Time                                | 03/18/2019 21:14:56                              |
| TestCase#11 Error in Fetch State             | 0      | Туре                                    | Baseline Test                                    |
| TestCase#12 Recoverable Error                | 0      | Test File Location                      | C:\Users\jayakumarav\Document                    |
| TestCase#13 FB Select to FETCH State         | 0      | Test Case Definition                    |                                                  |
|                                              |        | Rerun Test Case                         |                                                  |
| TestCase#14 Non Recoverable Error            | 0      | Tags                                    |                                                  |
| TestCase#15 Non Recoverable Error to INIT    | 0      | <ul> <li>Simulation Metadata</li> </ul> |                                                  |
| TestCase#16 Error in Write State             | 0      | ▼TEST REQUIREMENTS                      |                                                  |
| TestCase#17 End of Sequence                  | 0      |                                         |                                                  |
| TestCase#18 Task Done to INIT                | 0      | End of File Determination (lo           | cal_sequencer_req#7]                             |
| TestCase#19 Error in LATCH_ADDR substate i   | 0      | Transitions (local_sequencer            | <u>req#26)</u>                                   |
| TestCase#20 Error in MEM_WAIT substate in F  | 0      | Controller Super States (local          | sequencer_req#12]                                |
| TestCase#21 Error in CTRL_HI SubState in Fe  | 0      | Task Done Service Provided (            | local_sequencer_req#30)                          |
| TestCase#22 Error in CTRL_LO substate in Fe  | 0      | • ERRORS                                |                                                  |
| TestCase#23 Error in INCREMENT_INST Subs     | 0      |                                         |                                                  |
| TestCase#24 Error in INST_WAIT Substate in I | 0      | •LOGS                                   |                                                  |
| TestCase#25 Error in CTRL_HI Substate in FB  | 0      | No baseline criteria evaluation         | n performed as no baseline data is available fo  |
| TestCase#26 Error in CTRL_LO Substate in FE  | 0      |                                         | '<br>ncer Hamess3/Bus Selector' is not connected |
| TestCase#27 Error in LATCH_ADDR Substate     | 0      |                                         |                                                  |
| TestCase#28 Error in CTRL_HI Substate in Wr  | 0      | The following warning occurre           | ed while simulating the Model block with block   |
|                                              |        | Wrap on overflow detected. T            | his originated from 'local_sequencer/Data Typ    |
|                                              | •      | Wrap on overflow detected at            | time 108 in 'local sequencer/Data Type Conv      |

VUU College of Engineering

24

© 2018 Electric Power Research Institute, Inc. All rights reserved.



# Formal Methods: Simulink Design Verifier – Main Components

**Uses formal verification – Model Checking** 

**Design Error Detection** 

• Uncover hard to find dead logic and design flaws

| A Simulink Design Verifier Resu | A Simulink Design Verifier Results                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2-2- <b>2</b>                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Back to summary - Close         | Back to summary - Close results                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| antipattern1a/Sum               | antipattern1a/Abs                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Overflow VALID                  | Overfow ERROR - View test case                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 1                               | 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Derived Ranges:                 | Derived Ranges:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Outport [-128127]               | Outport 1/[-128127]                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| and an and a                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| - Ins                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 61                              | * *                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
|                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 10-11 - 1                       |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 2_int8_                         | threshold double Operator                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| 1/2                             | Constant                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|                                 | A CONTRACT OF A |
|                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Reidy                           | 134% T=0.00 ForedStepDecrete                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |

- Test Generation
- Automate test case generation for coverage completion or functional tests





### **Example of Property for a Higher Level Requirement**



Fig: Example of a property at a higher level

- Safety Property for a high level Requirement: done and busy -> only one of the signal is high at a given time
- Bidirectional Traceability IEC 61508 requirement

| index        | ID       | Summary                                   | Verified Implemented |                                         | Index: 9                                                                |
|--------------|----------|-------------------------------------------|----------------------|-----------------------------------------|-------------------------------------------------------------------------|
| local_sequen | icer_reg |                                           |                      |                                         | Custom ID: #32                                                          |
| 1            | #1       | Trigger Service Received                  |                      | 8                                       | Summary: Instruction Pointer Service Provided                           |
| ÷ 🗐 2        | #2       | Instruction Service Received              |                      |                                         | Description Rationale                                                   |
| i 🔟 3        | #3       | Function Block Status Service Received    |                      | 12                                      | Arial 8                                                                 |
| 4            | #8       | Function Number Register                  |                      |                                         |                                                                         |
| 5            | #9       | Start Instruction Pointer Register        |                      | 4                                       | The local sequencer shall provide a pointer to the current instruction. |
| 6            | #10      | Instruction Counter                       |                      | 19-1-1-1-1-1-1-1-1-1-1-1-1-1-1-1-1-1-1- |                                                                         |
| - 1 7        | #11      | Current Address Register                  |                      | 19                                      |                                                                         |
| i 🗟 8        | #12      | Controller Super States                   |                      |                                         |                                                                         |
| 9            | #32      | Instruction Pointer Service Provided      |                      |                                         |                                                                         |
| 10           | #33      | Function Block Selection Service Provided |                      |                                         |                                                                         |
| 11           | #34      | Conversion of Data Input                  |                      |                                         |                                                                         |
| 12           | #29      | Error Signal Service Provided             |                      |                                         | Keywords:                                                               |
| 13           | #30      | Task Done Service Provided                |                      |                                         | Revision information:                                                   |
| 14           | #31      | Task Memory Control Service Provided      |                      |                                         |                                                                         |
| 15           | #36      | Execution of Function Blocks              |                      |                                         | ▼ Links                                                                 |
| 16           | #37      | Model of Computation                      |                      |                                         | □ ↓ Implemented by:                                                     |
| 17           | #38      | No Task Lane Impedance                    |                      |                                         | □ inst_ptr                                                              |
| 18           | #39      | Execution Outcomes                        |                      |                                         | E de Related to:                                                        |
| 19           | #40      | Concurrency of Tasks and Function Blo     |                      |                                         |                                                                         |
| 20           | #41      | Side Effects                              |                      |                                         | #36 Execution of Function Blocks<br>#37 Model of Computation            |
| 21           | #42      | Function Block Diagnostics                |                      |                                         | E 4 Verified by:                                                        |
| 22           | #43      | Resiliency                                |                      |                                         | Proof Objective1 1                                                      |
| i 🥝 23       | #44      | Justifications                            |                      |                                         |                                                                         |

- E 🗧 Implemented by:
  - inst\_ptr
- E 🗧 Related to:
  - #36 Execution of Function Blocks
  - #37 Model of Computation
- Verified by:
  - Proof Objective1
    - Fig: Properties are Hyper- linked to requirements



#### **Example of Property for a Low Level Requirement**

 "If the state is FB\_SELECT, FETCH or FB\_EXECUTE and an error is detected, the task\_error should be high for 2 clock cycles if error is non-recoverable (recoverable=0)"







#### Counterexample

- Example of synergism between testing and formal verification.
- Inconsistent values in task\_error
- This condition had also failed during testing





#### Task error changes



#### Synergism between testing and formal verification

- A key insight on more effective use of formal verification:
- Do functional testing first to inform formal methods: more subtle complex errors
- This insight was confirmed or validated by discussions with the formal methods engineering group at NASA.



#### **End-to-end Traceability**

- SymPLe is verified at every incremental level including the Simulink model, generated HDL code, and hardware implementation
- MBD offers traceability at each of these incremental levels thereby offering a chain of evidence to support verification.



#### Bidirectional Traceability between Requirements, test cases, properties, Model and HDL code



#### Findings and Results of the Model Based V&V

- 24 design faults found during V&V.
- Fig shows the V&V stage where the faults were first identified. The faults were classified into low, medium and high impact faults based on severity.
- 78% of the faults were first identified during model based testing
- High severity faults found during formal verification
- Synergy between testing and formal verification

College of Engineering

- helped find subtle and hard to detect bugs in corner case scenarios that could be overlooked during testing.
- Added strong confirmatory evidence that formal methods paired with testing is effective in detecting difficult SCCFs.
- Traceability between requirements, model, code and proofs provide a effective verification environment and support IEC 61508 compliance.
- Constrained and complexity aware principles and design requirements of SymPLe significantly improved the V&V efforts and time spent on verification.



### Faults found in SymPLe architecture by V&V process



#### Phase II of SymPLe

- Phase II will focus on synergistically integrating security and safety into SymPLe.
- We did not address security in Phase I.
- Phase II starting fall and winter of 2019.
- Specifically,
  - Constrained architectures (like SymPLe) provide a technical and pragmatic foundation for establishing very small attack surface devices.
  - Developing and implementing primitive security building blocks from PUFs (Physically Unclonable Functions) for SymPLe will provide a foundation for secure services against sophisticated life cycle attacks.
    - Equipment hijack/tampering
    - design/IP theft
    - data corruption/theft
    - Fingerprinting computations
  - Raising the TRL for SymPLe.
- For phase II we have teamed with Dr. Patrick Schaumont of ECE department at VA tech, Mathworks and with OneSpin solutions (USA).
- Phase II sponsored by Idaho National Labs and EPRI.



#### Where to find our work

- Report Publications
- ERPI report free to public
  - https://www.epri.com/#/pages/product/000000003002015754/?lang=en-US
- US Department of Energy ASI (soon to be released) or email me..
  - Matt Gibson and Carl Elks, Main Achieving Verifiable and High Integrity Instrumentation and Control Systems through Complexity Awareness and Constrained Design, Final Technical Report, M2CA-15-CA-EPRI-0703-0221, NEET-2 Project No. 15-8044 2019.
- Journal and Conference Publications:
- Near Submission: IEEE Transactions on SW Engineering, Model Based Design and Assurance of a I&C Architecture for Safety Critical Nuclear Power Applications.
- In preparation: SymPLe: High Integrity Instrumentation and Control Systems through Complexity Awareness and Constrained Design, IEEE Transactions on Nuclear Science.
- In preparation: Lessons Learned from a Model Based Verification and Validation effort for IEC 61508, Dependable Systems and Networks Conference 2020.
- ANS NPIC In progress.
- Welcome to visit our Lab at VCU and see SymPLe in action.













#### **Function Block Error Detection**

- Monitors SymPLe execution errors and Logic execution errors
- \*FB Controller manages execution recovery for transient errors
- SymPLe Execution Errors
  - Function Block Execution Timeout\*
  - Input Register Read Overflow
  - Output Register Write Overflow
  - Data Type Error\*
- Logic Execution Errors
  - Duplex Divergence Error (single-event upset)\*
  - Arithmetic Overflow
  - Arithmetic Underflow
  - Arithmetic Divide-By-0

College of Engineering

Logic execution errors are unique to each functionality

| Error Type                   | Variable Name     | Value | Binary Value |
|------------------------------|-------------------|-------|--------------|
| Duplex Divergence Error      | stateErrorBit     | 1     | 0b1          |
| Function Block Execution     | timeoutBit        | 2     | 0b10         |
| Timeout                      |                   |       |              |
| Arithmetic Overflow          | overflowBit       | 4     | 0b100        |
| Arithmetic Underflow         | underflowBit      | 8     | 0b1000       |
| Arithmetic Division by 0     | divideByZeroBit   | 16    | 0b10000      |
| Input Register Read Overflow | inputOverflowBit  | 32    | 0b100000     |
| Output Register Write        | outputOverflowBit | 64    | 0b1000000    |
| Overflow                     |                   |       |              |
| Data Type Error              | typeBit           | 256   | 0b10000000   |



### SymPLe Data Types

- All SymPLe data transmitted as two int32 words
- SymPLe utilizes type-masking for standard data communication protocol
- Simulink type inheritance allows for easy type modification and future work



| SymPLe Types | Description              | Min                                  | Max                                  |
|--------------|--------------------------|--------------------------------------|--------------------------------------|
| Boolean      | 1-bit logical            | 0                                    | 1                                    |
| Safebool     | 32-bit logical           | 010101010101010101010101010101010101 | 101010101010101010101010101010101010 |
| Integer      | int32                    | -2147483648                          | 2147483647                           |
| Qmn          | Fixed point (32.24 prec) | -2147483648                          | 2147483648                           |

