Assessment of safety-critical software in nuclear power plants
Abstract
This article outlines an approach to the design, documentation, and evaluation of computer systems. We believe that this approach allows the use of software in many safety-critical applications because it enables the systematic comparison of the program behavior with the engineering specifications of the computer system. Many of the ideas in this article have been used by the Atomic Energy Control Board of Canada (AECB) in its safety assessment of the software for the shutdown systems of the Darlington Nuclear Power Generating Station. The four main elements of this approach follow: (1) Formal Documentation of Software Requirements: Most of the details of a complex environment can be ignored by system implementers and reviewers if they are given a complete and precise statement of the behavioral requirements for the computer system. We describe five mathematical relations that specify the requirements for the software in a computerized control system. (2) Design and Documentation of the Module Structure: Complexity caused by interactions between separately written components can be reduced by applying "Information Hiding" (also known as Data Abstraction, Abstract Data Types, and Object-Oriented Programming) if the interfaces are precisely and completely documented. (3) Program Function Documentation: Software executions are lengthy sequences of state changes described by complex algorithms. The effects of these execution sequences can be precisely specified and documented with tabular representations of the program functions discussed by Mills and others. Also, large programs can be decomposed and presented as a collection of well-documented smaller programs. (4) "Tripod Approach" to Assessment: There are three basic approaches to the assessment of complex software products: (i) testing, (ii) systematic inspection, and (iii) certification of people and processes. Assessment of a complex system cannot depend on any one of these alone. The approach used on the Darlington shutdown software, which included systematic inspection as well as both planned and statistically designed random testing, is outlined. Certification of software engineers remains a difficult issue.
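The tabular program-function documentation in element (3) and the systematic comparison of program behavior against the specification can be illustrated with a small added example; it is not code from the article or from the Darlington project. The "trip decision" function, its inputs (a pressure reading and a sensor-status flag), the thresholds, and the inspection domain are all constructed assumptions; the checks performed are the two an inspector applies to such a table (every input is covered by exactly one row) plus a row-by-row comparison of an implementation against the table.

```python
from itertools import product

# Constructed tabular program function (not Darlington code): each row pairs a
# condition on the inputs (pressure p, sensor_ok flag) with the documented
# result. A well-formed table is complete and disjoint: exactly one row applies.
TRIP_TABLE = [
    (lambda p, ok: not ok,                "trip"),    # failed sensor fails safe
    (lambda p, ok: ok and p >= 150,       "trip"),
    (lambda p, ok: ok and 100 <= p < 150, "alarm"),
    (lambda p, ok: ok and p < 100,        "normal"),
]

# Deliberately flawed table: 150 is in no row (gap), 100 is in two rows (overlap).
BAD_TABLE = [
    (lambda p, ok: not ok,                "trip"),
    (lambda p, ok: ok and p > 150,        "trip"),
    (lambda p, ok: ok and 100 <= p < 150, "alarm"),
    (lambda p, ok: ok and p <= 100,       "normal"),
]

def check_table(table, domain):
    """Return (gaps, overlaps): inputs matched by no row / by more than one row."""
    gaps, overlaps = [], []
    for inputs in domain:
        hits = sum(1 for cond, _ in table if cond(*inputs))
        if hits == 0:
            gaps.append(inputs)
        elif hits > 1:
            overlaps.append(inputs)
    return gaps, overlaps

def table_lookup(table, *inputs):
    """Specified result for one input; fails loudly on a gap or an overlap."""
    results = [res for cond, res in table if cond(*inputs)]
    if len(results) != 1:
        raise ValueError(f"table ill-formed at {inputs}: {results}")
    return results[0]

def trip_decision(p, ok):
    """Candidate implementation to be inspected against TRIP_TABLE."""
    if not ok or p >= 150:
        return "trip"
    return "alarm" if p >= 100 else "normal"

def conformance_failures(impl, table, domain):
    """Inputs where the program's behavior differs from the tabular specification."""
    return [x for x in domain if impl(*x) != table_lookup(table, *x)]

# Finite inspection domain (constructed): pressures 0..300 in steps of 5, both flag values.
DOMAIN = list(product(range(0, 301, 5), (True, False)))
```

Running `check_table(BAD_TABLE, DOMAIN)` reports the gap at pressure 150 and the overlap at 100, while `conformance_failures(trip_decision, TRIP_TABLE, DOMAIN)` is empty because the implementation agrees with the well-formed table on every inspected input.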