KR20180090073A - Method of Guarantee for Software Failure - Google Patents

Abstract

The present invention relates to a method for ensuring software that is guaranteed to be non-failing in order to verify the stability of the software. More specifically, all the variables of the software are divided into process variable groups and internal variable groups, and the test cases are derived for each case, and then the test cases of the two variables are combined to obtain the software for the non-failure .

Description

{Method of Guarantee for Software Failure}

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a software failure prevention method, and more particularly, to a test method performed to confirm software safety. That is, for the software implemented in the Nuclear Reactor Digital Nuclear Reactor Protection System, all variables are divided into process variable group and internal variable group, and test cases of each variable group are derived. To ensure that software testing is performed for all test cases, thereby ensuring no-fault or high-reliability software.

Digital measurement and control technology has many advantages such as the storage space for processing large data, flexibility of design, and is introduced into nuclear power plants, because there is no drift of measurement compared with analog measurement control technology. The difference between the digital measurement control system and the existing analog system is the software. The software has a logic structure based on the digital signal, and the characteristics of the failure are very different from the analog equipments constituted only by the existing hardware. For example, in the case of hardware, as the use time increases, the probability of failure increases. On the other hand, since the software has a failure due to an inherent defect, even if a failure occurs immediately after the release or a defect occurs, Failure to do so may result in failure during use. The failure mechanism of the software is a mechanism different from the existing machine failure, and it is very important to grasp the failure mechanism of the software in advance.

A technique for grasping a software failure mechanism has been disclosed in Japanese Patent Application Laid-Open No. 2000-267889 (simulation verification method of software, hereinafter referred to as prior art). The prior art discloses a method of verifying the simulation of the elapsed time of each hardware model by comparing it with an actual operation when a plurality of hardware models are linked and combined. However, in the prior art, additional hardware was required to verify the simulation of the software.

Japanese Patent Application Laid-Open No. 2000-267889 (simulation verification method of software)

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above problems, and it relates to a method for guaranteeing non-fault software in order to confirm the safety of software. More specifically, all the variables of the software are divided into process variable group and internal variable group, and the test case is derived for each variable group. Then, the test cases of the two variable groups are combined, Lt; RTI ID = 0.0 > software failures. ≪ / RTI >

The present invention relates to a method of ensuring the stability of software embodied in a digital reactor protection system, comprising a first step of listing a plurality of trips (100) implemented in a nuclear reactor protection system, one of a plurality of trips A third step of extracting all variables of the software used in the trip 100 selected in the second step, a fourth step of dividing the extracted variables into process variable groups and internal variable groups, A fifth step of deriving a test case of the process variable group and the internal variable group, and a sixth step of combining the process parameter group and the test case of the internal variable group.

Also, the process parameter group may be a process that occurs in accordance with a time delay occurring in converting a process variable signal into a digital signal when the process parameter reaches a predetermined trip setting value in the process of deriving a test case for the process parameter group Wherein the process parameter is characterized in that the test is performed only for an excess exceeding the trip setting value.

In addition, the test case of the internal variable group performs a gray box analysis, and a combination of the internal variables obtained through the gray box analysis is derived. The software non-failure guarantee method is obtained for all trips The test case is characterized in that the test is carried out at least once per each test case. Further, after the sixth step, a software test is performed on the combined test cases.

According to the method of guaranteeing software non-failure according to the present invention, it is possible to create a target to be subjected to the safety test of the digital system software by the methodology of deriving the total number of test cases, to identify vulnerabilities in the software, It is possible. In addition, by obtaining software that is guaranteed to be fault-free by the non-fault-proof method, it can meet the requirements for the safety-grade software to be used in power plants and the like.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic view showing a guarantee method according to an embodiment of the present invention; FIG.
2 is a graph illustrating trip settings according to an embodiment of the present invention.
FIG. 3 is a block diagram illustrating an internal variable group test case number according to an embodiment of the present invention; FIG.

Hereinafter, the technical idea of the present invention will be described more specifically with reference to the accompanying drawings. Prior to this, terms and words used in the present specification and claims should not be construed as limited to ordinary or dictionary terms, and the inventor should appropriately interpret the concepts of the terms appropriately It should be interpreted in accordance with the meaning and concept consistent with the technical idea of the present invention based on the principle that it can be defined.

Therefore, the embodiments described in this specification and the configurations shown in the drawings are merely the most preferred embodiments of the present invention and do not represent all the technical ideas of the present invention. Therefore, It should be understood that variations can be made.

Hereinafter, the technical idea of the present invention will be described more specifically with reference to the accompanying drawings. BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the technical concept of the present invention, are incorporated in and constitute a part of the specification, and are not intended to limit the scope of the present invention.

For software implemented in the digital reactor protection system, tests are performed to confirm safety. In software testing, you develop a test case and repeatedly insert it into the software to verify that the expected output is coming. A method for securing a software security according to an embodiment of the present invention relates to a method for securing the safety of software implemented in a digital reactor protection system, Lt; RTI ID = 0.0 > software. ≪ / RTI >

FIG. 1 is a schematic view showing a guarantee method according to an embodiment of the present invention.

Referring to FIG. 1, a method of ensuring software failure according to an embodiment of the present invention will be described in more detail.

That is, the method for guaranteeing software failure according to an embodiment of the present invention includes a first step of listing a plurality of trips implemented in the digital reactor protection system. The third step includes a second step of selecting one of the plurality of trips listed in the first step, and a third step of extracting all the parameters of the software used in the trip selected in the second step. That is, all the variables included in one trip are extracted in the third step.

The variables extracted in the third step may be separated into process variables and internal variables in the fourth step. The process variables and internal variables separated in the fourth step are subjected to a fifth step of deriving test cases of the respective variables.

The digital reactor protection system according to an embodiment of the present invention includes a specific trip implemented in the system. Tripping means that when an abnormality occurs in a reactor, one of the reactor safety circuits operates and the control rod is urgently inserted into the furnace to stop the fission chain reaction. The reactor protection system includes a plurality of trips.

The above process variable is a parameter for operating the main purpose of the software as an externally accepted variable. In one embodiment, when the role of the software causes a trip when the pressure of the reactor is lowered to a certain pressure or less, Pressure is the process variable group. That is, the process variable is a variable that varies depending on the state, and software implemented in a digital device used in a place where software is used, such as a nuclear power plant, that is, software according to an embodiment of the present invention, It is configured to look at the groups and monitor whether this process variable reaches the trip setpoint, and to signal when the trip setpoint is reached.

The process of deriving the test for the process variable group according to an embodiment of the present invention will be described in more detail. If the process variable group is below the trip setting value, it is not necessary to test it. The test case can be derived only when the process variable group reaches the trip setpoint exactly and then only a little. The explanation of 'little' is as follows. The process variable family begins with an analog signal as the voltage and current from the measuring instrument. As this enters the digital machine, it is converted to a digital signal by an analog to digital converter (ADC). At this time, the analog signal captured in real time is stored as a digital signal with a time delay due to a scan time (Scan Time Interval). At this time, the actual analog signal reaches the trip setting value. However, due to the scan time delay, the digital signal reads the signal at a point where the analog signal exceeds the trip setting value.

2 is a graph showing the number of process variable test cases according to an embodiment of the present invention. More specifically, FIG. 2 is a graph showing the result of predicting a process variable change in a specific accident using a computer code. Referring to Fig. 2, an embodiment of the process variable group will be described in detail. Using the previously entered computer codes, predict how the process variable group changes when an accident occurs. As shown in FIG. 2, although the analog signal reaches the trip setting value at time Tm, the digital signal actually reads the signal only at S1, S2, S3, .., S7 due to the scan time delay, Lt; / RTI > occurs at S6. Therefore, for the process variable group, the test should be performed from the trip setting value to the process variable group value at S6.

The internal variable means all variables that constitute the logic of the software. Software is composed of logic, and logic is constructed by internal variables. 3 is a block diagram illustrating an internal variable group test case number according to an embodiment of the present invention. In order to derive the test case for the internal variable group, a gray box analysis should be performed. The gray box is an intermediate concept between a black box and a white box, which means to look at the internal variables and look at the dependency of each variable.

Referring to FIG. 3, it can be seen that there are three Function Block Diagrams (FBD) in the software according to one embodiment of the present invention, and that there are several inputs and several outputs in each FBD. At this time, it can be seen that the output C1 directly affects the safety system and the output C2 does not affect the safety system. It is also the input C1, the input C2, and the input C3 that determine the output C1. Also, since the inputs C1 and C2 are determined by the outputs of the other FBDs, this is not a consideration of the test case. By determining whether or not the software is dependent on the internal variable group, a test case is extracted in consideration of the input A3, the input A4, the input A5, the input B3, and the input C3 as shown in FIG. Here, A3, A4, A5, B3, and C3 derived by internal variable dependency are called key variables.

In the fifth step, a sixth step of combining test cases extracted from process variables and internal variables is performed. The method for guaranteeing non-failure according to an embodiment of the present invention is characterized in that after the sixth step, a software test is performed on a combined test case.

The test case of the process variable may be selected from process variable values that actually trip from the predetermined trip setting value when the process variable result value is predicted according to a predetermined computer code for the selected trip.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

100: Trip

Claims (6)

A method for ensuring the stability of software implemented in a digital reactor protection system,
A first step of arranging a plurality of trips (100) implemented in a reactor protection system;
A second step of selecting one of the plurality of trips (100) listed;
A third step of extracting all variables of software used in the trip 100 selected in the second step;
A fourth step of separating the extracted variables into process variable groups and internal variable groups;
A fifth step of deriving a test case of the process variable group and the internal variable group; And
A sixth step of combining the process variable group with the test case of the internal variable group;
The method comprising the steps of:
The method according to claim 1,
When the process variable reaches the predetermined trip setting value in the process of deriving the test parameter set for the process parameter group, it is determined that the process parameter is in excess of the trip setting value of the process variable generated according to the time delay occurring in converting the process variable signal into the digital signal Wherein the step of identifying the software failure is performed.
3. The method of claim 2,
Wherein the test is performed only for an excess exceeding the trip setting.
The method of claim 1, wherein the test case of the internal variable group
Performing a gray box analysis, and deriving a combination of the internal variables obtained through the gray box analysis.
2. The method of claim 1, wherein the software fault-
Characterized in that for each test case obtained for all trips, the test is carried out at least once per each test case.
2. The method of claim 1, further comprising, after the sixth step,
And performing a software test on the combined test case.

Images