NuDE 2.0 (Nuclear Development Environment 2.0) is a formal-method-based software development, verification and safety analysis environment for safety-critical digital I&Cs implemented with programmable logic controller (PLC) and field-programmable gate array (FPGA). It simultaneously develops PLC/FPGA software implementations from one requirement/design specification and also helps most of the development, verification, and safety analysis to be performed mechanically and in sequence. The NuDE 2.0 now consists of 25 CASE tools and also includes an in-depth solution for indirect commercial off-the-shelf (COTS) software dedication of new FPGA-based digital I&Cs. We expect that the NuDE 2.0 will be widely used as a means of diversifying software design/implementation and model-based software development methodology.
I. INTRODUCTION
The programmable logic controller (PLC) [1] is an industrial computer widely used to implement safety-critical systems in digital I&Cs of nuclear power plants (NPPs). The increasing complexity of newly developed systems and maintenance costs now warrant a more powerful and cost-effective implementation platform such as the field-programmable gate array (FPGA). The nuclear industry is now eagerly researching FPGA-based digital I&Cs [2] [3] [4] [5] to replace PLC-based systems.
However, the platform change from PLC to FPGA is not straightforward. It gives rise to a paradigm shift from CPU-based software development to gate-based hardware development. PLC software engineers should give up all experience, knowledge, and practices accumulated over decades, and start new FPGA-based hardware development from scratch. The platform change may potentially result safety-related problems. It is an urgent priority to transition safely and seamlessly to the new approach [6] .
The NuDE 2.0 (Nuclear Development Environment
Eui-Sub Kim et al.
2.0), the latest version of NuDE [7] [8] [9] [10] , is a formal method-based software development, verification, and safety analysis environment for safety-critical digital I&Cs implemented with PLC and FPGA. It starts from a formal requirement specification written in NuSCR [11] , and finally synthesizes C codes for PLC or Verilog/ VHDL codes for FPGA, through a series of model transformations. It also supports various levels of formal verification and safety analysis to check the correctness and safety of transformed models. Verifications such as simulation, model checking, and equivalence checking are supported at each development phase, along with the provision of safety analysis such as STAMP/STPA and FTA. The 25 CASE (computer-aided software engineering) tools now mechanically and seamlessly support all model creations, transformations, verification and safety analysis. While the NuDE (The name NuDE began to be used by [8] in 2012) was originally intended for the software development of PLC platforms, the NuDE 2.0 has been completely extended for FPGA platforms. The NuDE 2.0 makes it possible to develop software systems of PLC/ FPGA platforms simultaneously from the same requirements or design specifications. We expect that the NuDE 2.0 can reduce the semantic gap between software and hardware-based developments (i.e., PLC vs. FPGA), while keeping all accumulated experience and knowledge for decades. It can also be used as a means of gaining a variety of software designs/implementations and a modelbased software development methodology.
This paper explains the motivation and rationale of all techniques and supporting tools of the NuDE 2.0, and also shares an upgrade plan for the NuDE 3.0. This paper summarizes all the different case studies that we performed with several extracted reactor protection systems (RPS) examples [2, [12] [13] [14] .
The organization of this paper is as follows: Section II provides overviews of the fundamental standards and guidelines for the software system development in NPPs. It also summarizes typical software development processes for PLC and FPGA-based platforms. Section III introduces the NuDE 2.0 and its supporting tools in detail. The future extension plan is also shared. Section IV briefly looks at all case studies that we have performed, and Section V compares the NuDE 2.0 with its competitors such as commercial model-based development (MBD) tools. Section VI concludes the paper.
II. THE SOFTWARE SYSTEM DEVELOPMENT IN NPPS
The software systems such as digital I&Cs in NPPs have been implemented with two platforms, PLC and FPGA. They should be developed, verified and assessed by standards and guidelines about a safety life-cycle and safety assessment, as summarized in Section II-A. The CPU-based software development process for PLC and the gate-based hardware development process for FPGA are compared in the following subsections.
A. Standards and Guidelines
Safety-critical software to implement digital I&Cs should be developed and assessed by the safety criteria of IEC and IEEE. The two organizations show different perspectives on the way to try to guarantee safety. The IEC guidelines are based on functional safety of IEC 61508 and try to establish a safety life-cycle in parallel with a typical software development life-cycle (SDLC, a hierarchy of regulatory guides [NUREG] and industrial codes/ standards [IEEE] are applied). The plan of the standards is to realize and verify/validate safety requirements, which are developed and refined through safety/hazard/ risk analysis [15] at the early phases of the safety/development life-cycle. The safety life-cycle checks iteratively whether safety requirements are implemented appropriately and sufficiently. The list below indicates IEC and IEEE standards.
• IEC 61508: Functional safety of electrical/electronic/ programmable electronic (E/E/PE) safety-related systems [16] • IEC 61513: Nuclear power plants -Instrumentation and control for systems important to safety -General requirements for systems [17] • IEC 60880: Nuclear power plants -I&C systems important to safety -Software aspects for computerbased systems performing category A functions [ The IEEE standards, on the other hand, require direct safety analysis at each phase of the SDLC. They suggest that all hazards (new and as well as survived) should be identified at each development phase and the hazardous conditions should be validated through various selected V&V (verification and validation) activities. Manimaran et al. [22] carried out independent V&V at each development phase, according to the IEEE standards, for a prototype fast breeder reactor.
Lee et al. [23] performed a detailed comparative analysis of the IEC and IEEE standards. Based on the experience of developing a new commercial digital I&C in Korea, the authors established a complementary relationship between the processes of development and safety analysis [24] , which the NuDE 2.0 can cope with efficiently. Gabbar [25] also tried a similar approach by using process object-oriented modeling (POOM) methodology.
B. The PLC Software Development
The PLC-based digital I&Cs have a typical software development process as shown in Fig. 1 . Most safety-critical systems in NPPs such as RPS and ESF-CCS (engineered safety features-components control system) have been developed with the platform. Software requirements specification (SRS) is first written in natural languages, and then the design specification is manually modeled with PLC programming languages [1] such as FBD or LD. Commercial PLC vendors provide PLC SW engineering tools (e.g., 'TriStation 1131' of Invensys for 'TriStation 1131' PLC, 'SIMATIC-Manager' of Siemens for 'SIMANTIC Controller' PLC, 'pSET' of PONU-Tech for 'POSAFE-Q' PLC [26, 27] and 'SPACE' of AREVA for 'TELEPERM XS' PLC), which mechanically translate FBD/LD programs into subsequent ANSI-C programs and executable codes for specific target PLCs. Unfortunately the commercial PLC SW engineering tools are not compatible with other tools.
Most PLC SW engineering tools also translate a highlevel language such as C in order to perform verification activities such as the control flow graph (CFG)-based structural test [28] and simulation. The executable codes are too primitive to do the system/integration/unit test. Conventional software testing tools for C programs such as LDRA [29] and the one embedded in SCADE [30] can perform various testing on the C programs, while checking CFG-based structural coverages like all statements and MC/DC to assess the quality of the test cases used in [31, 32] .
The problem with the approach is that the translated C program lacks enough control flows to check the CFGbased structural coverages. FBD/LD are data-flow based programming languages for PLC, and the FBD/LD programs include almost no control flows, except for a few functional blocks containing internal timers like TOF and TON. Jee et al. [33] developed 3 new data-flow based structural coverages for FBD programs and proposed a direct test of the FBD programs [34, 35] .
The typical PLC software development process includes two translation/compilation steps. The translation step makes C programs with FBD programs and the compilation step makes executable codes for PLCs with C programs, which are depicted as triangles in Fig. 1 . For the compilation of C programs to executable codes for PLCs, most commercial PLC SW engineering tools use commercial off-the-shelf (COTS) compilers such as 'TMS320C55x' of Texas Instruments. The compilers were well verified and certified enough to be used without additional verification. However, the nuclear industry has not acknowledged empirically that a vendor-provided automatic compiler able to translate FBD to C is a correct and safe tool. To gain acceptance, it should be subjected to rigorous tests to demonstrate its functional safety and accuracy. There is no compiler verification technique [36, 37] for FBDs, to the best of our knowledge, and it is one of the critical obstacles for all new (so-called) FBD-to-C translators such as [27] to overcome.
C. The FPGA Software Development
An FPGA-based system has a specific feature that is classified into software as part of the development lifecycle using HDL (hardware description language), while the final chip is classified into hardware after the program is downloaded. It should be developed to meet both IEC-60880 [18] in terms of software and IEC-60987 [38] in terms of hardware criteria. Fig. 2 depicts the V-shaped life-cycle of FPGA development defined by IEC-62566 [39] , consisting of software and hardware aspects. The software aspect also has a typical development life-cycle defined by NUREG/CR-7006 [40] , as presented in the left-hand side of Fig. 2 .
The FPGA software development (this paper uses the FPGA Software to indicate the software aspect of FPGA) is fully automated by FPGA logic synthesis tools and commercial Electronic Design Automation (EDA) tools of FPGA vendors. After programming a register-transfer level (RTL) design with HDLs, the design is mechanically transformed into a gate-level design (i.e., netlist) by synthesis software (e.g., Synopsys Synplify Pro, Precision RTL and Encounter RTL Compiler). The FPGA EDAs such as Xilinx ISE Design Suit, Altera Quartus 2, and Microsemi Libero SoC perform P&R (place & route) Eui-Sub Kim et al.
to physically place and map all netlist elements, and prepare a downloadable file through configuration. Since FPGA EDA tools make the synthesis process fully-automatic, software designers largely focus on HDL designs to correctly implement FPGA requirements.
At each step of the FPGA software development lifecycle, designers perform simulation-based verification in order to confirm that each artifact satisfies its required specification. All simulation-based verifications at each step are prepared/performed individually and repetitively by experienced engineers, and are considered to be one of key factors for efficient FPGA development.
The V&V process also includes equivalence checking [41, 42] and the simulation techniques. The equivalence checking can prove that two given designs have the same functionality, i.e., "whether they show the same behavior for all possible input sequences." For example, it can prove that an RTL design and the gate-level design synthesized from the RTL design always show the same behaviors. Most synthesis software are black-boxes of unknown quality (the FPGA industry have acknowledged them empirically as correct and safe processes and tools) and have been developed in-house by EDA company. The equivalence checking can help us ensure correct synthesis or optimization.
III. THE NUDE 2.0
The NuDE 2.0 starts from a formal requirement specification and subsequently transforms/synthesizes more concrete models across the whole SDLC, as an MBD [43] methodology for the nuclear domain. It simultaneously and seamlessly supports PLC and FPGA platforms, encompasses various formal verification and safety analysis, and the MBD-based code generation. Fig. 3 describes the whole process, techniques and CASE tools in the NuDE 2.0. The NuDE 2.0 consists of all 25 CASE tools, except for the ones marked with an asterisk (*). The following subsections explain each SDLC phase of the supporting tools.
A. The Requirements Analysis Phase
The NuDE 2.0 starts from a NuSCR specification [11] modeled in 'NuSRS 2.0' as depicted in Fig. 4 . NuSCR is a data-flow based formal requirement specification language, specialized for the safety-critical systems in NPPs such as RPS and ESF-CCS. It provides 4 different notations-FOD (Function Overview Diagram), SDT (Structured Decision Table) , FSM (Finite State Machine) and TTS (Timed Transition System)-to improve modeling convenience in comparison with SCR [44] . SCR provides just one notation-the decision table for all cases. NuSRS 2.0, the NuSCR modeling tool, also provides a static analyzer, Quick Checker [45] , to check the syntactic completeness and consistency of NuSCR specifications. All tools underlined in Figs. 4-7 are the ones we developed.
The NuSCRtoSMV [46] translator embedded in NuSRS 2.0 generates a behaviorally-equivalent SMV input program from a NuSCR specification. After inserting CTL properties [47] , which the model should satisfy, we can execute the Cadence SMV model checker [48] seamlessly and perform the model checking. The SMV model http://jcse.kiise.org checking upon NuSCR specifications found several omitted but important assumptions [49, 50] in preliminary versions of KNICS APR-1400 RPS BP [12, 13] .
The NuDE 2.0 supports two safety analysis techniques/tools in the requirements analysis phase. NuFTA [51] generates software fault trees [52] mechanically for an important output node in the NuSCR specification as shown in Fig. 4 . It generates a software fault tree backwardly from the output to all inputs, and finds all combinations (i.e., conditions) of input variables, which will result in important situations such as "the shutdown signal is fired."
The NuDE 2.0 also provides the state-of-the-art safety analysis technique STAMP/STPA [53] , which tries to analyze system safety from the viewpoint of system theory. It claims that "Accidents occur when the system gets into a hazardous state, which in turn occurs because of inadequate control in the form of enforcement of the safety constraints on the system behavior." NuSTPA [54] helps safety engineers do the STAMP/STPA analysis on the NuSCR requirements specification. The full-scale application accompanies the extension of NuSCR and 'NuSRS 2.0', since the target of STAMP/STPA is not a SW component but a whole system consisting of many SW/HW components (e.g., RPS or NPP). The modeling target of NuSCR is now a small but critical SW component such as RPS BP.
A number of iterative modeling, verification and safety analysis produce a NuSCR specification, which fulfill the higher requirements (e.g., Functional Requirements Specification [FRS]) sufficiently and correctly. NuSCRtoFBD [55] then translates the NuSCR formal requirements specification into a behaviorally-equivalent FBD program. The FBD program plays the role of design specification for the traditional PLC-based system development. NuNavigator also shows the current phase in SDLC and helps the change into other CASE tools and SDLC phases, as shown in the upper left part of Fig. 4 .
B. The Design Phase
The design phase starts from an FBD program translated from a NuSCR requirements specification by NuSCRtoFBD. FBD Editor [56] reads and displays the FBD program as depicted in Fig. 5 . The FBD Editor is an independent tool from PLC vendors' SW engineering tools so that it is possible to edit FBD programs complying with the PLCopen TC6 XML scheme [57] . Commercial tools are not compatible with other editing tools for FBD programs. We can use any FBD program as a starting point, through translating it into the standard format as [58] did, if no formal specification is prepared. Programming an FBD in 'FBD Editor' from scratch is of course possible.
FBD Checker [59] checks the structure of FBD programs in accordance with several international rules and guidelines [1, 60, 61] , and advises which parts may have errors or potential problems in the structure. Commercial PLC SW engineering tools perform the structural analysis well, but the exact correlation to upper rules and guidelines is not clear nor opened. FBD Checker includes a set of specific rules on the FBD structure and makes it possible to argue/acknowledge direct correlations from FBDs to rules. The example shown in the upper left part of Fig. 5 advises that the function block MOVE_BOOL_1 violates the rule, "1.3.1 Implicit type conversion should not be used." It also informs that the violated rule 1.3.1 corresponds to the higher guideline "1.2.6 Use of data typing" in NUREG/CR-6463 [61] .
FBD Simulator [62] simulates any FBD program of the PLCopen TC6 standard format. It executes (i.e., simulate) the FBD program randomly or according to predefined scenarios which FBD Scenario Generator generates. Generally, PLC SW engineering tools use, store and receive each specific FBD program style or format, so that the FBD programs in different PLC engineering tools are not compatible with each other. Whereas FBD Editor and FBD Simulator follow the industrial standard, PLCopen TC6 format, the tools provide a PLC vendor-independent FBD development environment.
FBD Scenario Generator [62] generates a number of guided scenarios mechanically from an FBD program. It requests for auxiliary information on the FBD program in order to make the generated scenario meaningful ones. Initial values and a rate of change of all input variables, trip/pretrip set-points, the overall percentage of trip situations, and the number of PLC execution cycles for each scenario are requested (Now it has been customized into the features of RPS). Our previous work [63] shows how we could use the scenario generator efficiently.
The FBDtoVerilog 1.0 translator [64, 65] makes user perform formal verification using the VIS verification system [66] and the SMV model checker. As the design phase often includes hardware-dependent modifications on FBD programs, formal verifications such as model checking and equivalence checking are additional requirements.
The NuDE 2.0 also provides VIS Analyzer [67] to assist the VIS verification. Since the VIS provides no graphical interface and even requires a series of commands to do the verification, the VIS Analyzer provides GUI to analyze the verification results efficiently and also automate many kinds of the VIS verification such as model checking, equivalence checking and simulation. The screen-dump in the lower right of Fig. 5 shows two flow-charts reorganized from a text-based verification result (i.e., counter-example).
FBD FTA [68] is a tool of mechanical fault tree generation and analysis for FBD programs. It generates a software fault tree for an important output function block in the same way with NuFTA, as shown in the upper right of Fig. 5 . We are now refining it to get improvement of the generation-time. Fault tree templates [69] for FBDs can also be used to do the analysis, but safety experts have to perform manual methods [70] without automatic generation.
After a number of FBD programming iterations, verification and safety analysis, the FBD program in the FBD Editor can be transformed into two different implementation codes for PLC and FPGA, simultaneously. FBDtoC [71] translates the FBD into a behaviorally-equivalent C program for PLC, while FBDtoVerilog 2.0/2.1 [72, 73] transforms it into a Verilog program for FPGA. FBDtoVHDL [74] transforms the FBD into a VHDL program, too. Additionally, the NuDE 2.0 provides an automatic linking program, Libero Linker [75] , for the FPGA EDA of Actel. It reads the Verilog/VHDL program, creates a Libero project, and executes Actel Libero SoC.
C. The PLC Implementation Phase
The C programs transformed by FBDtoC [71] are then compiled into executable codes for a specific target PLC. Most commercial PLC SW engineering tools use COTS compilers, which were well verified and certified enough to be used without additional verification. However, the vendor-provided automatic translators from FBD to C, such as pSET [27] and FBDtoC, should be demonstrated to be functionally safe and accurate through rigorous tests.
FBDtoC [71] defined all FBD elements formally and proposed 1:1 translation algorithms from all FBD elements to corresponding C elements. It generates a hierarchy of ANSI-C programs, consisting of basic functions, components and a system. We acknowledge their behavioral equivalence through looking into their 1:1 correspondence between all elements. The behavioral equivalence can even be formally verified, if necessary, using the HW-CBMC model checker [76] through the verification process we proposed [77] .
C Simulator and C Scenario Generator [62, 78] test (i.e., simulate/execute) the intermediate C programs. C Scenario Generator generates a number of guided simulation scenarios for C programs, trying to reflect the physical conditions for the RPS trip logics. It is similar to the FBD Scenario Generator. C Simulator executes the ANSI-C programs. These tools support the efficient system testing of PLC software.
C Simulator and C/FBD Scenario Generator are also used to demonstrate the safety and correctness of the vendor-specific (so-called) FBD-to-C translators. C/FBD Scenario Generator generates scenarios for FBD and C programs, while C Simulator and FBD Simulator executes the ANSI-C and FBD programs, respectively. FBD-C Comparator reads the sets of FBD/C programs and scenarios, executes the both sets, compares simulation results, and finally decides their behavioral equivalence, as summarized in Fig. 6 .
In summary, most commercial PLC SW engineering tools read FBD programs and generate C programs and executable codes for PLCs without human intervention. We must use the commercial tools when developing FBD programs, even if the target PLC is not decided yet. On the other hand, FBDtoC can transform all FBD programs written in the PLCopen TC6 format into a set of behaviorally-equivalent ANSI-C programs. With the help of C Simulator and Scenario Generator, we can perform system tests upon the C programs. While FBDtoC provides a straightforward translation from all FBD elements into all Eui-Sub Kim et al. 
D. The FPGA Implementation Phase
The Verilog program translated by FBDtoVerilog 2.0/ 2.1 [72, 73] and the VHDL program by FBDtoVHDL 1.0 [74] are the starting point of the fully-automated FPGA synthesis procedure provided by commercial EDA tools, as shown in Fig. 7 . The NuDE 2.0 can also start from the Verilog/VHDL programs programmed by software engineers from scratch. Although any commercial EDA tools can read the Verilog and VHDL programs, Synplify Pro is a specific case tool in NuDE 2.0. The CVEC and IST-FPGA only aim to verify the tool.
Nuclear regulation authorities, however, require more considerate/rigorous demonstration of the correctness and even safety of the mechanical synthesis processes of FPGA synthesis tools, even if the FPGA industry has acknowledged them empirically as correct and safe processes and tools. We, therefore, have to get the indirect COTS SW dedication [79] upon the commercial FPGA synthesis tools. While the synthesis process can be formally verified with the compiler verification techniques [36, 37] , it is hard to apply them to the works of 3rd-party developers. It must be the most critical obstacle for FPGAs to be used as a new platform of digital I&Cs. We have tried to overcome it through a safety-and-correctness demonstration technique we proposed in [80] . The proposed solution is to do the indirect demonstration [81] . For a specific program (e.g., a Verilog program), if a synthesis tool produces a program (e.g., Netlist) that shows the same behavior for all possible cases, then we can claim that the synthesis tool works correctly at least for the program. There are several commercial formal verification tools which can be used for our purpose such as FormalPro, Encounter Conformal EC, and Formality. They are, however, too case-sensitive to use naïvely, as depending upon the combination of synthesis, EDA and verification tools, as summarized in [82] . For example, we cannot use FormalPro for Actel Libero IDE with Synopsys Synplify Pro synthesizer, which is the combination of the project we worked with. The FormalPro, however, requires additional information such as register/variable matching or libraries from synthesis tools. We cannot use the tools without supporting vendors. We needed to develop a new customized solution for this combination, since the vendors cannot expect to get a lot of profit from the extension.
CVEC [82] is a VIS-based equivalence checker, customized for the combination above. It formally checks the behavioral equivalence between a Verilog program and a Netlist (i.e., EDIF) subsequently synthesized by Synopsys Synplify Pro in the Actel Libero IDE environment. If the formal verification with CVEC succeeds, we can claim that the logic synthesis from Verilog into Netlist worked correctly at least for the Verilog program used. FPGA software designers often use the simulationbased verification techniques [83] [84] [85] in order to check if high-level designs are correctly synthesized into lowlevel ones. At each step (i.e., RTL, gate-level and layout), designers perform three similar activities. They first develop test scenarios, simulate each target in a test bench, and finally evaluate the simulation results against specified requirements. The problem is that they should perform the verification activity at each step individually and repetitively, and it takes considerable time and cost.
IST-FPGA [63] provides an integrated software testing framework for FPGA software developments. It allows us to perform the three activities only once and in one step. For all design artifacts at every step, it generates common and meaningful test scenarios mechanically, simulates all designs simultaneously, and finally evaluates the simulation results against expected ones all together. If any one of designs shows different (i.e., incorrect) behaviors from the expected ones, IST-FPGA analyzes and compares the incorrect case in detail.
In summary, commercial FPGA EDA tools provide fully-automatic FPGA SW synthesis. Nuclear regulation authorities, however, require more considerate/rigorous demonstration of the correctness of the automatic synthesis. CVEC provides formal equivalence checking between an RTL program and a Netlist in order to demonstrate the correctness of the Synopsys Synplify Pro synthesizer in the 'Actel Libero IDE' EDA. IST-FPGA also provides an integrated software simulation (testing) framework, which can generate and execute simulation cases simultaneously for all phases of FPGA SDLC.
E. The Challenges and Future Extension Plans for NuDE 3.0
The challenges in the NuDE 2.0 is to improve the quality with regard to a traceability of the processes and to assure safety of final program. The NuDE 2.0 helps the user to smoothly use all of individual tools such as editing and translation tools. The translators in NuDE 2.0 are whole automatic system so that users do not need to consider the internal behavior. However, the whole automatic assistance may reduce a tracing ability, which is an important factor in software development life-cycle. We need to develop a new environment in order to trace the important clues during software development life-cycle.
With regard to safety, the NuDE 2.0 only uses fault tree analysis (FTA) method, which may be lacking diversity. We also have to supplement other methods such as STAMP/STPA and Safety case to get a variety of insights.
We are now planning to extend the NuDE 2.0 to incorporate several advanced facilities. Fig. 8 shows the overall plan of the NuDE 3.0. The NuDE 3.0 will include an extended version of NuSCR formal requirements specification, which can handle not only a single SW but also a whole system consisting of many SW and HW. It will also include new structural testing coverages for RTL/ gate levels, and a mechanical coverage checker for Verilog/VHDL/Netlist programs will be developed. An automatic generation of simulation test cases according to defined structural coverages will be supported, too. Forward and backward traceability analysis on the whole elements of the NuDE will be the most important contribution of the NuDE 3.0. 
IV. CASE STUDY
We have performed various case studies to demonstrate the effectiveness and applicability of the NuDE 2.0. Fig. 9 summarizes all partial/full scale case studies for 25 techniques/tools of the NuDE 2.0. We have used 4 example systems.
[Example System I] starts from a NuSCR formal requirements specification [12] for a preliminary version of KNICS APR-1400 RPS BP. It consists of 8 representative shutdown logics for the RPS BP. The formal specification is translated to a behaviorally-equivalent FBD program by NuSCRtoFBD, and also translated to a C program for PLC implementation by FBDtoC and a Verilog program for FPGA implementation by FBDtoVerilog 2.0. More than 20 case studies [6, 7, 49, 55, 69, 71] were performed with the Example System I.
[Example System II] starts from an FBD program [14] for the second phase of KNICS APR-1400 RPS BP [13] . It was excerpted from an almost (but, not officially final version) commercial NPP in operation and it is much more complicated and detailed than the Example System I. It consists of 18 shutdown logics of FBD programs, and FBDtoVerilog 2.0/2.1 transform them into Verilog programs. Many case studies [64, 77, 80, 82] focusing on safety/correctness demonstration of commercial FPGA synthesis tools used the Example System II.
[Example System III & IV] start from Verilog and VHDL programs, respectively, for an experimental programmable logic device (PLD)-based RPS BP [2] in Korea. They consist of 18 shutdown logics as commercial RPS BPs, but are experimental systems with fundamental functionalities. Recent case studies in CVEC [82] and IST-FPGA [63] used the Example System III and IV.
It is worthwhile to note that the NuDE 2.0 has been developed, refined and improved for more than 10 years. Now it consists of 25 tools which can seamlessly communicate/link with each other. A number of case studies with the 4 example systems have been tried to demon- 
V. RELATED WORK
This section briefly surveys and compares widely-used commercial MBD tools with the NuDE 2.0. Each one has unique characteristic specific to target systems and objectives, as summarized in Table 1 . Applicability to NPP applications as well as support of code generation, safety analysis and formal verification are analyzed. SCADE Suite [86] is gradually used to design critical software such as trains, cars, airplanes and power plants. It supports system modeling, simulation, formal verification and C/Ada code generation. Simulink [87] is a widely-used modeling and simulation environment, based on block diagrams for multi-domain dynamic systems. It provides various solvers for modeling and simulating dynamic (i.e., continuous) systems, and also offers tight integration with the MATLAB environment [88] .
SCADE Suite [86] is gradually used to design critical software such as trains, cars, airplanes and power plants. It supports system modeling, simulation, formal verification and C/Ada code generation. Simulink [87] is a widely-used modeling and simulation environment, based on block diagrams for multi-domain dynamic systems. It provides various solvers for modeling and simulating dynamic (i.e., continuous) systems, and also offers tight integration with the MATLAB environment [88] .
Rhapsody [89] is a UML-based visual modeling environment for real-time systems. It uses graphical UML models to generate application programs of C, C++, Java and Ada. Rose RealTime [90] is similar to Rhapsody. Rose RealTime does not support verification activities, but Rhapsody provides analysis to check deadlock, mutual exclusion and invariants. Rhapsody also provides a tool for modeling FTA and deriving safety-based requirements. ASCET [91] has been developed to meet embedded automotive requirements. It uses block diagrams and state machines to design and generate C code. It can import UML models and models of other suppliers such as Simulink.
In summary, we note that most MBD tools do not support safety/hazard analysis such as FTA and STAMP/ STPA. FBD is only supported by the NuDE, while Simulink support an old and simple PLC programming language, ST (structured text). Most MBDs were used to develop PLC-based NPP applications [31, [92] [93] [94] [95] only, but the NuDE can be used to develop both, PLC and FPGA-based NPP applications. Formal verification such as equivalence checking and model checking can only be supported by the NuDE.
VI. CONCLUSION AND FUTURE WORK
The NuDE 2.0 is a formal methods-based software development, verification and safety analysis environment for safety-critical digital I&Cs implemented with PLC and FPGA. It now consists of 25 tools which can communicate/link with each other. It makes possible to develop PLC/FPGA-based systems simultaneously from one requirement/design specification, and also helps most of the development, verification and safety analysis to be performed mechanically and seamlessly. A number of case studies with the 4 example systems have tried to Fig. 9 Eui-Sub Kim et al.
show the correctness, effectiveness and applicability of the NuDE 2.0. We are now working on the next version of the NuDE to efficiently support safety analysis, structural testing and traceability. We expect that the NuDE 2.0 will be widely used as a means of gaining diversity of software design/implementation as well as a model-based software development methodology. We also expect that it will be used to reduce the semantic gap between the PLC-based and FPGA-based developments.
ACKNOWLEDGMENTS
This research was supported by the Ministry of Science, ICT & Future Planning. It was also supported by a grant from the Korea Atomic Energy Research Institute, under the development of the core software technologies of the integrated development environment for FPGAbased controllers.
