www.kaeri.re.kr



### Automated Exhaustive Test Case Generation for FBD Software

KNS 2021 Fall Meeting, Oct. 2021 Sang Hun Lee<sup>1</sup>, Sung Min Shin<sup>1</sup>, Hyun Gook Kang<sup>2</sup>, Jong Gyun Choi<sup>1</sup> <sup>1</sup>Korea Atomic Energy Research Institute <sup>2</sup>Rensselaer Polytechnic Institute



### Contents

### Introduction

Research Background & Objectives

### Method

- Translation of FBD to SMT formula
- Exhaustive test case generation using SMT Solver

### Application

RPS Trip Logic Software Testing

### Conclusion

# Software is important for NPP Safety



Digital system failure events reported in LERs

| Category          | Number of Event |
|-------------------|-----------------|
| Software error    | 30 (39.97%)     |
| HMI error         | 25 (31.65%)     |
| EM interference   | 15 (18.99%)     |
| Random HW failure | 9 (11.39%)      |
| Total             | 79              |
|                   |                 |

### RPS unavailability for various software failure probability



PLC used in NPP safety I&C systems

# **Quantitative SW Reliability Assessment**

- Software Reliability Growth Model
- Bayesian Belief Network Model
- Metric-based Method
- Context-based Software Reliability Method
- Test-based Method

Etc...



SRGM application to NPP SW





Test Environment for ATR LOCS SW

### **Research Objectives**

- Integrated Testing Framework for NPP Safety Software
  - Simulation-based Test-bed for PLC Software Testing
  - SMT-based Exhaustive Test Case Generation for PLC Software



Block Diagram of NPP Software Exhaustive Testing Framework

# **Definition of Exhaustive Test Case**

- Software failure: fail to generate safety signal when demand comes.
  - Demand: a plant condition that requires actuation of safety systems
- Exhaustive test case
   : all possible sets of the SW input/internal variables that generates SW safety output (e.g. trip signal).



### **Theory of Test Case Generation**

- Generating Test Cases → Satisfiability Problem
  - Satisfiability : A formula is satisfiable if there is a model that makes formula true.
- Examples of Satisfiability Problems
  - Boolean Satisfiability Problem (SAT) : Propositional formula
  - Satisfiability Modulo theory (SMT) : First order logic formula

$$f_{1} = x_{1} \land x_{2} \qquad f_{2} = x_{1} \land \neg x_{1}$$

$$f_{3} = (\neg x_{1} \lor x_{2}) \land (\neg x_{1} \lor x_{3}) \land (x_{2} \lor x_{3}) \land (\neg x_{2} \lor \neg x_{3})$$

$$f_{4} = (x_{1} + 5 = x_{2}) \land (x_{2} \le x_{3}) \land (x_{3} \le 8)$$

- Is the formula  $(f_1, f_2, f_3, f_4)$  satisfiable?
- If the formula is satisfiable, do we have  $x_i$ 's that make formula true?

# **Theory of Test Case Generation**

### Formulation of Test Case Generation Problem

• **Objective** : Derive all possible software input/internal variables  $(x_i)$  such that the software output  $(f(x_i))$  becomes true.



 $\underset{x_i \in S}{arg f(x_i)} = true$ 

An example FBD program for calculating TRIP\_LOGIC

- **Formula (***f***)** : Software output
- <u>Literals (x<sub>i</sub>)</u>: Software input / internal variables
- Space (S) : Domain of all possible software input / internal variables that may encounter during software operation

### **Exhaustive Test Case Generation Framework**

- 1) Translating the SW program to semantically-equivalent SMT formula
- 2) Generating exhaustive test cases by finding the models for the literals of SMT formula by satisfiability check given software output.



#### NPP safety software in FBD language



Exhaustive test case generation algorithm

#### 907 908 # rung 0 # 909 910 AND2\_DWORD0\_in\_IN1 = \_\_MD1\_208\_in 911 912 AND2\_DWORD0\_in\_IN2 = BitVecVal(int("FFFF0000", 16), 32) 913 914 AND2\_DWORD0\_in\_EN = True 915 AND2\_DWORD0\_out\_ENO, AND2\_DWORD0\_out\_OUT = AND2\_DWORD0\_out\_ENO, AND2\_DWORD0\_out\_OUT = AND2\_DWORD0\_in\_IN1, AND2\_DWORD0\_in\_IN2, AND2\_DWORD0\_out\_ENO, AND2\_DWORD0\_out\_OUT)

### Translated SMT formula of RPS software

|              | 1  | 6 TRIP LOGIC | False | _6_TSP | 17780 | 6_PV_OUT | 17780 |
|--------------|----|--------------|-------|--------|-------|----------|-------|
|              | 2  | 6 TRIP LOGIC | False | 6 TSP  | 17781 | 6 PV OUT | 17781 |
|              | 3  | 6 TRIP LOGIC | False | 6 TSP  | 17782 | 6 PV OUT | 17782 |
|              | 4  | 6 TRIP LOGIC | False | 6 TSP  | 17783 | 6 PV OUT | 17783 |
|              | 5  | 6 TRIP LOGIC | False | 6 TSP  | 17784 | 6 PV OUT | 17784 |
|              | 6  | 6 TRIP LOGIC | False | 6 TSP  | 17785 | 6 PV OUT | 17785 |
|              | 7  | 6 TRIP LOGIC | False | 6 TSP  | 17786 | 6 PV OUT | 17786 |
|              | 8  | 6 TRIP LOGIC | False | 6 TSP  | 17787 | 6 PV OUT | 17787 |
|              | 9  | 6 TRIP LOGIC | False | 6 TSP  | 17788 | 6 PV OUT | 17788 |
| $\backslash$ | 10 | 6 TRIP LOGIC | False | 6 TSP  | 17789 | 6 PV OUT | 17789 |
| $\rangle$    | 11 | 6 TRIP LOGIC | False | 6 TSP  | 17790 | 6 PV OUT | 17790 |
| /            | 12 | 6 TRIP LOGIC | False | 6 TSP  | 17789 | 6 PV OUT | 17782 |
|              | 13 | 6 TRIP LOGIC | False | 6 TSP  | 17789 | 6 PV OUT | 17785 |
|              | 14 | 6 TRIP LOGIC | False | 6 TSP  | 17788 | 6 PV OUT | 17785 |
|              | 15 | 6 TRIP LOGIC | False | 6 TSP  | 17787 | 6 PV OUT | 17785 |
|              | 16 | 6 TRIP LOGIC | False | 6 TSP  | 17787 | 6 PV OUT | 17786 |
|              | 17 | 6 TRIP LOGIC | False | 6 TSP  | 17785 | 6 PV OUT | 17784 |
|              | 18 | 6 TRIP LOGIC | False | 6 TSP  | 17783 | 6 PV OUT | 17780 |
|              | 19 | 6 TRTP LOGIC | False | 6 TSP  | 17783 | 6 PV OUT | 17781 |

#### Exhaustive test case for software output

# NPP safety software - FBD program

- Function Block : Basic unit having input/internal/output variables
- <u>Component FBD</u> : Group of FBs interconnected according to execution order
- System FBD : Group of component FBDs (a whole software)



An example of FBD program

# **Translation of FBD programs**

 FBD exhaustive test case generator (FETCG) : automatically translates the source code to SMT formula based on the developed translation rules.

| D Exhaustive Test Ca                      | se Generator X                                                                                                                                                                                              | Source code of PLC program                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| BD-to-SMT Trans                           | Logs for translated FBDs                                                                                                                                                                                    | 1 2 3 4 5 6                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Translate<br>Component FBD                | TRIP_DECISION.lds translated to TRIP_DECISION.py<br>_34_TRIP_DECISION.lds translated to _34_TRIP_DECISION.py v                                                                                              | 6 AMD2_DWORD BNOK EN SHEN<br>7 XM01.206 IN1 BP_b_SHE_Diag45 E3 III node 1 7 S start -> 1 7, -> 1 8, -> 4 8;                                                                                                                                                                                                                                                                                                                                                                                            |
| Translate System<br>FBD                   | BPI_Trip_LogicB.lds translated to BPI_Trip_LogicB.py       ^         BPm_BP_Test_ResultIds translated to BPm_BP_Test_Result.py       `         BPn_Data_Output.lds translated to BPn_Data_Output.py       ` | 8         16#FFFF0000-like         2         node         2_6         function         AND2_DWORD         OUT         ->         5_6.IN           9         4         node         5_6         function         SRN         OUT         ->         8         6.IN1;           9         4         node         8_6         function         MOVE         WORD         OUT         ->         10.7;           5         node         17         1d         %MD1.208         ->         2         6.IN1; |
| BDET execution<br>Generate Test<br>Module | BPout_6_TRIP_R == True Add Constraint                                                                                                                                                                       | <pre>6node _1_8ld 16#FFFF0000 -&gt;_2_6.IN2;<br/>7node _4_8ld 16 -&gt;_5_6.N;<br/>8node _10_7st %MW3.1 -&gt;_10_7_E;<br/>9node _10_7_Eend;<br/>10</pre>                                                                                                                                                                                                                                                                                                                                                |
| o                                         | ID Constraint                                                                                                                                                                                               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Generate Model<br>for FBD output          | 1 BPout_6_TRIP_R == True                                                                                                                                                                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|                                           | H                                                                                                                                                                                                           | BP b Self Diac.pv 🖾                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                                           |                                                                                                                                                                                                             | 4 from z3 import *                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|                                           | Name Type Value Description                                                                                                                                                                                 | 5 from pset_func import *                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Execute FBDET                             | BPinMX1_1792 input False ChA BP1 PLC Diagnostic                                                                                                                                                             | 7 Heff BP b Self Diag (BP b Self Diag in):                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|                                           | BPinMX1_1984 input False ChA BP1 ICN 1 Module Di                                                                                                                                                            | 9064 ## function operation ##                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|                                           | BP_in_MW4_1495 input 26007 ATIP Heartbeat Value                                                                                                                                                             | 907<br>908 # rung 0 #                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                                           |                                                                                                                                                                                                             | 909                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| [수요일, 12 6월 2019                          | 14:07] Initialized                                                                                                                                                                                          | 910 AND2_DWORD0_in_IN1 = _MD1_208in<br>911                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|                                           | 14:07 Start translating Component FBDs<br>14:07 Completed translating Component FBDs                                                                                                                        | 912 AND2 DWORDO in IN2 = BitVecVal(int("FFFF0000", 16), 32)                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| [수요일, 12 6월 2019                          | 14:07 Start translating System FBDs                                                                                                                                                                         | 913                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                                           | 14:07] Completed translating System FBDs<br>14:07] Constraint ID#1added to formula                                                                                                                          | 914 AND2_DWORD0_in_EN = True<br>915 AND2_DWORD0_out_ENO, AND2_DWORD0_out_OUT = AND2_DWORD(                                                                                                                                                                                                                                                                                                                                                                                                             |
| [수요일, 12 6월 2019                          | 14.07] Generated main.py<br>14.07] Executing main.py                                                                                                                                                        | 915 AND2_DWORD0_out_ENO, AND2_DWORD0_out_OUT = AND2_DWORD0(<br>AND2_DWORD0_in_EN, AND2_DWORD0_in_IN1, AND2_DWORD0_in_IN2,<br>AND2_DWORD0_out_ENO, AND2_DWORD0_out_OUT)                                                                                                                                                                                                                                                                                                                                 |
|                                           |                                                                                                                                                                                                             | 916 SHRN1_in_IN = AND2_DWORD0_out_OUT                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                                           |                                                                                                                                                                                                             | 917<br>918 SHRN1 in N = BitVecVal(16, 32)                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

Screenshot of exhaustive test case generator

#### Translated SMT formula for the example program

### **Single Test Case Generation**



Process of single test case generation for PLC program

### **Exhaustive Test Case Generation Algorithm**



Process of test case generation for FBD program

## **Exhaustive Test Case Generation Algorithm**

- The algorithm is implemented to FBD exhaustive test case generator.
- It automatically generates exhaustive test cases for PLC program given the defined software output.

| 🛃 FBD Exhaustive Test Case Generator 🛛 🕹                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Source code of program                                                                                                                                                                                                                                                                                                                           |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| FBD-to-SMT Translator                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                                                                                                                                                                                  |
| Translate<br>Component FBD         RESET_VSP.Ids translated to RESET_VSP.py         ^                                                                                                                                                                                                                                                                                                                                                                                                    | I         2         3         4         5         6           5         ARP Diacksus         BN         AND 2.0400         BNOX         EN         SHPN                                                                                                                                                                                          |
| BPLTrip_LogicB lds translated to BPLTrip_LogicB py         A           FBD         BPm_BP_Test_ResultIds translated to BPm_BP_Test_Result py         BPn_Data_OutputIds translated to BPn_Data_Outputpy         V                                                                                                                                                                                                                                                                        | 7     3801.238     INI     Impe_b.setDeads II       8     1     node     17.S     start -> 17> 18> 48;       8     16#777000-     12     node     2-6       9     4     node     5-6       4     node     6     function SHRN OUT -> 8.6.IN1;       9     4     node     6.6       10     10     NOVE WORD     0UT -> 10.7;                      |
| FBDET execution       (1) Define desired software output         Generate Test       BPout_6_TRIP_R == True         Module       Add         Constraint                                                                                                                                                                                                                                                                                                                                  | 6node _1_8ld 16♯FFF0000 -> 2_6.IN2;<br>7node _4_8ld 16 -> 5_6.N;<br>8node _10_7st %MW3_1 -> 10_7_E;<br>9node _10_7_Eend;                                                                                                                                                                                                                         |
| Generate Model<br>for FBD output         ID         Constraint           1         BPout_6_TRIP_R == True                                                                                                                                                                                                                                                                                                                                                                                | TestSet_pp_17790 txt ⊠                                                                                                                                                                                                                                                                                                                           |
| (2) Define range/value of software variables                                                                                                                                                                                                                                                                                                                                                                                                                                             | 6 * first row: address                                                                                                                                                                                                                                                                                                                           |
| Execute FBDET         Name         Type         Value         Description           BPinMX1_1792         input         False         ChA BP1 PLC Diagnostic           BPinMX1_1984         input         False         ChA BP1 NC N 1 Module Di           BPinMW4_1495         input         False         ChA BP1 NC N 1 Module Di                                                                                                                                                      | 7 * rest row: value<br>8 00db1700 00db17c0 00d985d7 00c0826e 00c080bd 00c080b7<br>00c0810d 00db46b0 00c080b8 00d985fc 00c080cc 00c080cd<br>00c080c5 00c080c6 00c07f93 00c07f94 00db3049 00db304a<br>00db304b 00c08275 00db4663 00c08276 00c07fad 00c08009<br>00c08105 00c08115 00c07ffb 00c089e8 00c089e9 00c089e6<br>00c089e7 00c07f8c 00c07ff8 |
| [+25]:1262:2019:14:07] Initialized         [+42]:1262:2019:14:07] Start translating Component FBDs         [+42]:1262:2019:14:07] Completed translating Component FBDs         [+42]:1262:2019:14:07] Completed translating System FBDs         [+42]:1262:2019:14:07] Constraint [DF1:added to formula         [+42]:1262:2019:14:07] Constraint [DF1:added to formula         [+42]:1262:2019:14:07] Constraint [DF1:added to formula         [+42]:1262:2019:14:07] Executing main.py | $\begin{array}{cccccccccccccccccccccccccccccccccccc$                                                                                                                                                                                                                                                                                             |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0 0 0 0 0 0 1 0 17788 17790 0 0 0 0 0 0 0 √<br>Normal text file length : 8.457 lines : 100 Ln : 8 Col : 117 Sel : 0   0 Windows (CR LF) UTF-8 IN                                                                                                                                                                                                 |

Screenshot of exhaustive test case generator

Generated test case file for Rx. trip signal output

### **Demonstration of Test Case Generator**

|      |                                           |           |                   |        |       | D pSET v1.0 - [RES | ET_FALLING.ld]    |          |                            |                                                                |               |                                                                   |                                                                    |                                                    |        |                                                            |     |              |                |              | ×   |
|------|-------------------------------------------|-----------|-------------------|--------|-------|--------------------|-------------------|----------|----------------------------|----------------------------------------------------------------|---------------|-------------------------------------------------------------------|--------------------------------------------------------------------|----------------------------------------------------|--------|------------------------------------------------------------|-----|--------------|----------------|--------------|-----|
| 🖳 FE | D Exhaustive Test Cas                     | e Generat | tor (FETCG)       |        |       |                    |                   | × fbd    | 원소(L)                      | 컴파일(C                                                          | ) 하드웨이        | 여 설정(R) .                                                         | 고니터링(M) +                                                          | 옵션(0)                                              | 창(W) 5 | 드움말(H)                                                     |     |              |                | -            | ē × |
|      | BD-to-SMT Trans                           | lator     |                   |        |       |                    | ^<br>~            | = A<br>/ |                            | 1. 1. 1.                                                       | ε +νtε +νtε + |                                                                   | T₂ IS IS<br>(S)E (P)E (P)E (P)<br>(D) A* A¥                        | 0'e                                                |        |                                                            |     |              |                |              |     |
| F    | Translate System<br>FBD<br>BDET execution |           |                   |        |       |                    | <                 |          | HV<br>PV<br>TS<br>PT<br>PT | YS<br>V_OUT<br>SP2PTSP<br>TRIP_LOGIC<br>TSP<br>RIP_LOGIC<br>SP |               | GIOIEI EN<br>WORD<br>REAL<br>WORD<br>BOOL<br>REAL<br>BOOL<br>REAL | 입 배열크기<br>0<br>0<br>0<br>0<br>0<br>0<br>0<br>0<br>0<br>0<br>0<br>0 | 조0 이미 이미 이미 이미 이미 이미 이미<br>패作 강효 강효 강효 강효 강효 강효 강효 |        | 조기값<br>16#0<br>0.0<br>16#0<br>FALSE<br>0.0<br>FALSE<br>0.0 | 설명이 |              |                |              |     |
|      | Generate Test<br>Module                   |           | ID                |        | Co    | nstraint           | Add<br>Constraint |          |                            | 1                                                              | 1<br>(1-1)    | : 트립                                                              | 2<br>결정 (HYS적                                                      | 용) .<br>LE_RE                                      | 3 .    | 4                                                          | . 5 | . 6          | 7              | 8.           | ^   |
|      |                                           | •         |                   |        |       |                    |                   |          |                            | 3.4                                                            |               | PY_OUT<br>TSP                                                     |                                                                    |                                                    | UUT .  | TRIP_LOGIC                                                 |     | TRUE-        | MOVE<br>EN     | BOOL<br>ENOX | TRI |
|      | Load Variable<br>Information              | •         | Name              | Туре   | Value | Description        | Address           |          |                            | 5                                                              |               |                                                                   |                                                                    |                                                    |        |                                                            |     |              | ADD2_<br>EN    | REAL<br>ENOX |     |
|      | Execute FBDET                             |           |                   |        |       |                    |                   |          |                            | 6<br>7                                                         |               |                                                                   |                                                                    |                                                    |        | WORD_T<br>EN                                               |     | юх тяр-<br>л | - IN1<br>- IN2 | - TUO        | TSF |
|      | [Wednesday, 16 0                          | )ctober 2 | 2019 12:09] Initi | alized |       |                    | ^                 |          |                            |                                                                | (1-2)         | :정상                                                               | 운전 상태유7                                                            |                                                    |        |                                                            |     |              |                |              |     |
|      |                                           |           |                   |        |       |                    | 2                 | Ì        | - [                        | 9.                                                             |               |                                                                   | -                                                                  |                                                    |        |                                                            |     |              |                |              | >`` |
|      |                                           |           |                   |        |       | (8, 1)             |                   |          |                            |                                                                |               |                                                                   |                                                                    |                                                    |        |                                                            |     |              |                | NUM          | >   |

# **Application: RPS Trip Logic Software**

- IDiPS-RPS was developed in Korea to satisfy the design requirements of APR-1400 which has full-digital I&C systems.
- BP software has 15 trip logic modules which generate Rx. trip signal when the process parameter deviates from permissible operating condition.



Architecture of one channel IDiPS-RPS and prototype

Source code and compiled machine code of BP trip logic software

# **Application: RPS Trip Logic Software**

- Target Trip Logic: Pressurizer-pressure low trip logic
- Target Test Scope: Trip-initiation condition (SW output: '\_6\_TRIP\_R = true')

(b) Component FBDs

Target Scenario: All possible accidents



#### (a) Function Blocks



(c) System FBD

Generated files from BP trip logic SW source code

Information on the translated FBDs

| Category                        | Quantity   |
|---------------------------------|------------|
| Function Blocks (FBs)           | 242        |
| Component FBDs                  | 122        |
| System FBD                      | 1          |
| System input/internal variables | 32 (/ 612) |
| System output variable          | 1          |
| Temporary variables used*       | 2,661      |

List of software input/internal variables that contributes to trip signal generation

| Variables         | Description                                     |
|-------------------|-------------------------------------------------|
| _6_TSP_R          | PZR-pressure-low<br>trip setpoint               |
| _6_PV_OUT_AI      | PZR-pressure-low<br>process parameter           |
| AI_2_MDL_ERR      | PLC analog input<br>module error signal         |
| _6_RST_REQ_MCR_DI | Operator trip setpoint reset request (from MCR) |
| E                 | l                                               |

17

# **Application: RPS Trip Logic Software**

- A total of 4,206,164,480 test cases were generated for the target BP trip logic and tested in the developed test-bed.
- As a result, all test cases generated the trip output after BP software is executed. (~ 6.205 msec/case)



A part of test result for BP target trip logic

BP software execution in test-bed

### Conclusion





SCIENCE AND TECHNOLOGY





# **THANK YOU**

