An Integrated Software Testing Framework for FPGA-Based Controllers in Nuclear Power Plants  by Kim, Jaeyeob et al.
eDirect
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1Available online at SciencNuclear Engineering and Technology
journal homepage: www.elsevier .com/locate /netOriginal ArticleAn Integrated Software Testing Framework for
FPGA-Based Controllers in Nuclear Power Plants*Jaeyeob Kim a, Eui-Sub Kim a, Junbeom Yoo a,*, Young Jun Lee b, and
Jong-Gyun Choi b
a Division of Computer Science and Engineering, Konkuk University, 1 Hwayang-dong, Gwangjin-gu, Seoul,
143-701, Republic of Korea
b MMIS Lab., Korea Atomic Energy Research Institute, 989-111 Deadeok-daero, Yuseong-gu, Daejeon, 305-353,
Republic of Koreaa r t i c l e i n f o
Article history:
Received 1 September 2015
Received in revised form
28 November 2015
Accepted 3 December 2015
Available online 21 January 2016
Keywords:
Co-simulation
FPGA
Simulation
Testing
Verification* A preliminary version of this paper was p
Korea, in 2014 [1].
* Corresponding author.
E-mail address: jbyoo@konkuk.ac.kr (J. Yo
http://dx.doi.org/10.1016/j.net.2015.12.008
1738-5733/Copyright © 2016, Published by El
the CC BY-NC-ND license (http://creativecoma b s t r a c t
Field-programmable gate arrays (FPGAs) have received much attention from the nuclear
industry as an alternative platform to programmable logic controllers for digital instru-
mentation and control. The software aspect of FPGA development consists of several steps
of synthesis and refinement, and also requires verification activities, such as simulations
that are performed individually at each step. This study proposed an integrated software-
testing framework for simulating all artifacts of the FPGA software development simul-
taneously and evaluating whether all artifacts work correctly using common oracle pro-
grams. This method also generates a massive number of meaningful simulation scenarios
that reflect reactor shutdown logics. The experiment, which was performed on two FPGA
software implementations, showed that it can dramatically save both time and costs.
Copyright © 2016, Published by Elsevier Korea LLC on behalf of Korean Nuclear Society. This
is an open access article under the CC BY-NC-ND license (http://creativecommons.org/
licenses/by-nc-nd/4.0/).1. Introduction
Programmable logic controllers (PLCs) [2] are widely used to
implement safety-critical systems for digital instrumentation
and control (I&C) of Nuclear power plants (NPPs). The
increasing complexity of newly developed systems and
maintenance costs are now demanding more powerful and
cost-effective implementation, such as field-programmable
gate arrays (FPGAs) [3]. The nuclear industry is now eagerly
researchingFPGA-baseddigital I&Cs [4e6] to replacePLC-basedresented at the Transacti
o).
sevier Korea LLC on beha
mons.org/licenses/by-ncsystems. In turn, international standards [7e9] require more
rigorous demonstrations of the safety of these new systems.
The FPGA software, which this paper concerns, was first
modeledwith hardware description languages (HDLs), such as
Verilog and VHSIC HDL (VHDL), by software designers
manually, and then subsequently synthesized into gate-level
designs and physical layouts by software synthesis tools
provided by FPGA vendors (e.g., ISE Design Suite (Xilinx, San
Jose, CA, USA) [10], Quartus Prime (Altera, San Jose, CA, USA)
[11], and Libero SoC (Microsemi, Aliso Viejo, CA, USA) [12]).ons of the Korean Nuclear Society Autumn Meeting, Pyeongchang,
lf of Korean Nuclear Society. This is an open access article under
-nd/4.0/).
Fig. 1 e The V-shaped life cycle and a typical FPGA development process. FPGA, field-programmable gate arrays; RTL,
register-transfer level.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1 471FPGA tools make the synthesis process fully automatic, and
software designers largely focus on HDL designs to implement
FPGA requirements correctly.
FPGA software designers also use verification techniques,
such as “simulation” [13e15], in order to check if high-level
designs are correctly synthesized into low-level ones. At
each step [i.e., register-transfer level (RTL), gate-level, and
layout], designers perform three common activities. They first
develop test scenarios, then simulate each target in a test
bench, and finally evaluate (i.e., observe) the simulation re-
sults against specified requirements. The problem on which
this study focused is that the verification activity should be
performed at each step individually and repetitively.
Furthermore, the individual preparation for each verification
step, such as developing test scenarios and test benches, takes
considerable time and money.
This paper proposed an integrated software testing frame-
work for FPGA software developments (IST-FPGA). It allows us
to perform the three activities of the simulation-based verifi-
cationonly once and inone step. For all designartifacts at every
step, it generates common and meaningful test scenarios me-
chanically, simulates all designs simultaneously, and finally
evaluates the simulation results against expected ones alto-
gether. If any one of the designs show different (i.e., incorrect)
behavior from the expected one (i.e., a comparison oracle pro-
gram), IST-FPGA analyzes and compares the incorrect case in
detail. IST-FPGA is also supported by CASE tools, such as Ver-
ilog/VHDL Scenario Generator and Co-simulator.
In order to demonstrate the effectiveness of IST-FPGA, we
performed an experiment with two FPGA-based I&C systems
that are under development by the Korea Atomic Energy
Research Institute (Daejeon, Korea). This experiment success-
fully demonstrated how IST-FPGA can reduce the time and costfor the simulation-based verification of FPGA software. The
remainder of the paper is organized as follows: Section 2 pro-
vides background information on FPGA verification and simu-
lation techniques. Various standards and guidelines for
developing and verifying FPGA-based digital I&Cs are briefly
surveyed. Section 3 proposes the integrated software testing
framework for FPGA as well as assisting tools we developed.
Experiment results are presented in Section 4, and Section 5
surveys related research. Section 6 concludes the paper and
provides remarks on future research extension and direction.2. Background
2.1. FPGA development and software verification
The system development life cycle of FPGA-based I&Cs should
follow IEC-61513 [9]. An FPGA-based system has a specific
feature that the portion of the development life cycle that uses
HDL be classified as software, then once it is downloaded to a
chip, it is classified as hardware. FPGA, therefore, should be
developed to meet both IEC-60880 [8] in terms of software and
IEC-60987 [16] in terms of hardware. Fig. 1 depicts the V-sha-
ped life cycle of FPGA development explained in IEC-62566
[17], consisting of software and hardware aspects. The soft-
ware aspect also has a typical development life cycle [18]
presented on the left-hand side of the figure.
At each step of the FPGA software development life cycle,
designers perform a simulation-based verification in order to
confirm that each artifact satisfies its required specification.
The first simulation on RTL designs, called behavioral simu-
lation, aims to confirm that all requirements are implemented
Fig. 2 e The simulation-based verification technique. (A) Typical simulation-based verification and (B) typical co-simulation.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1472into the RTL design correctly. As most designers develop RTL
designs manually, this takes a significant amount of time for
the behavioral simulation. After logic synthesis from RTL to
gate-level design, designers perform a logic simulation in
order to confirm that functionalities were preserved during
synthesis. After place and route, they can validate the layout
via a post-layout simulation to check that the layout meets all
timing requirements. All simulation-based verifications at
each step are performed individually and repetitively by
experienced engineers, and are also considered to be one of
key factors for efficient FPGA development.2.2. Simulation-based verification
“Simulation-based verification” is a traditional method [15]
that can be applied at any design level, be it RTL, gate-level,
or layout. Fig. 2A depicts a typical flow of the simulation-
based verification. Static error, potential error, and coding
style guideline violations are checked through the linter pro-
gram [19] beforehand. We then need to prepare a test plan
determining what scenarios are used in the simulation. Sim-
ulations are performed using a test bench, andwe also need to
measure code coverages [20] in order to evaluate the quality of
the simulations performed. If the coverage value measured
does not reach an expected value, the portion of the dotted
line in Fig. 2A needs to be performed repeatedly. Debugging
can be performed on the basis of the analyzed information.
This entire verification process is repeated until the simula-
tion result has no debugging issues.
“Co-simulation” is a verification method that is extended
from that described above. The basic idea of co-simulation is
that if two designs generate the same outputs with the same
inputs, both designs will perform the same operations [21].
Fig. 2B depicts a typical co-simulation process. The two designsare simulated in a suitable way and then all simulation results
are compared. Two designs at any level can be used, e.g., two
Verilog programs [22], a Verilog and C program [23], or a Verilog
and FPGA hardware implementation [24]. Questa ADMS
(Mentor Graphics, Wilsonville, OR, USA) [25] extends the
Questa verification platform to provide a unified simulation
environment that can co-simulate various designs at any level.
If significant outputs in all simulation results are the same in
every case, it can be considered that the two designs perform
the same actions, at least for the simulation scenarios.2.3. Standards and guidelines for FPGA design
verification
The development and verification of FPGA-based safety-level
controllers in nuclear power plants is an active research topic
around the globe. For now, the standard discussing our concern
is IEC 62566 [17]: “Nuclear Power Plants - Instrumentation and
control important to safety - Development of HDL programmed
integrated circuits for systems performing category A func-
tions.” Various organizations and research groups are now
working todefinemoredetailedguidelinesandstandards [26,27].
System safety assessment and the design life cycle are
addressed in several regulations, such as DO-254 [28], IEEE 1012
[29], and IEC 61508 [30], and they can be used for FPGA-based
systems as a general guide. More specific verification and
validation processes, configuration management, and the
development life cycle used in safety systems in nuclear power
plants are addressed in IEEE 7-4.3.2 [31], IEEE 603 [32], IEC 62566
[17], and IEC 60880 [8]. Several Electric Power Research Institute
(EPRI; Palo Alto, CA, USA) guidelines (TR-1019181/109390/
1022983 [33e35]) try to guide the use of FPGA in NPP I&C sys-
tems, while NUREG/CR-7006 [18] provides a review guideline
that can support acceptance or licensing processes.
Fig. 3 e An integrated software testing framework for FPGA (IST-FPGA). EDIF, electronic design interchange format; FBD,
function block diagram; FPGA, field-programmable gate arrays; IDE, integrated development environment;IST, integrated
software testing; RTL, register-transfer level; VHDL, VHISC hardware description languages.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1 4733. IST-FPGA
3.1. Overview
IST-FPGA is an integrated software testing framework for
FPGA-based digital I&Cs in NPPs. As illustrated in Fig. 3, it
suggests three steps of co-simulation-based software verifi-
cation, namely: Step 1 - Preparation, preparing a common
oracle program with scenarios; Step 2 - Co-simulation, co-
simulating all designs simultaneously; and Step 3 - Evalua-
tion: evaluating simulation results all together.
3.1.1. Step 1dPreparation
IST-FPGA first prepares one common oracle program (i.e., a
correct answer) and confirms its correct functioning against
required specifications. It co-simulates all designs simulta-
neously in order to check their behavioral equivalence instead
of performing simulations and evaluating the results individ-
ually at each level. Therefore, it requires designers to evaluate
simulation results only once. IST-FPGA supports three kinds of
common oracles, such as a function block diagram (FBD) [2]
and Verilog and VHDL programs. If we use Verilog or VHDL
programs, IST-FPGA mechanically generates a number of
meaningful scenarios through the Verilog Scenario Generator
and the VHDL Scenario Generator. It also generates a test
bench that can execute the scenarios upon Verilog/VHLD-
Netlist-Layout programs seamlessly with ModelSim (MentorGraphics, Wilsonville, OR, USA) [36]. We then simulate the
Verilog/VHDL program with the scenarios through ModelSim
in order to verify that it works correctly. This is a manual
verification performed by experienced engineers and often
constitutes a large part of the entire FPGA software verification
process. After confirming correct functioning, we use it as a
common oracle program with which to co-simulate.
3.1.2. Step 2dCo-simulation
IST-FPGA then co-simulates all designs (i.e., Verilog/VHDL,
Netlist, and Layout) with the test scenarios simultaneously
with support of the Co-simulator. As a Verilog/VHDL program
is used as a correct answer (a common test oracle), all other
designs should show the same behaviors as the Verilog/VHDL
program. IST-FPGA uses ModelSim to simulate each design,
and the test benches generated by Verilog/VHDL Scenario
Generator are used to execute the simulator with a large
number of scenarios systematically and seamlessly.
3.1.3. Step 3dEvaluation
IST-FPGA finally evaluates all co-simulation results and
judges whether all designs work correctly or not. If all designs
show the same behaviors, i.e., the same outputs against all
test scenarios, it concludes that all designs work correctly. If
any design shows different behavior from the common oracle
program, it shows the case in detail to analyze when the
design works differently.
Fig. 4 e The simulation using Verilog Scenario Generator and ModelSim. (A) Verilog Scenario Generator. (B) Scenario (test
bench) generated. (C) The Verilog simulation with ModelSim.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1474It is worth noting that we can use an FBD program at the
level of design specification as a common oracle program,
as proposed by the NuDE framework [3]. An FBD program is
more intuitive to understand and analyze as compared
with RTL languages, and we also have many systems
designed with FBD working correctly. The NuDE frame-
work, therefore, proposes to use FBD programs as design
specifications and to generate RTL programs mechanically
from the FBD programs. We can generate a number of
meaningful test scenarios (i.e., as Scenario Generator,
which this paper proposes) from the FBD program with
support of FBD Scenario Generator, and also generate two
test benches that can execute the scenarios on FBD pro-
grams and Verilog/Netlist/Layout programs, respectively.
We then simulate them with FBD Simulator [37] to confirmthat they work correctly and can co-simulate them
simultaneously.
3.2. Supporting tools for IST-FPGA
Verilog/VHDL Scenario Generator generates a number of
meaningful scenarios mechanically from Verilog/VHDL pro-
grams and prepares test benches to seamlessly simulate the
programswith generated scenarios throughModelSim. Fig. 4A
shows the Verilog Scenario Generator, generating 1,000 sce-
narios of 100 cycles from a Verilog program implementing
Fixed Set-point Falling Trip Logic in the reactor protection
system (RPS). The tool first reads a Verilog (or VHDL) program
and requests more information about the program from de-
signers, such as initial values and rates of change for all input
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1 475variables, a trip set-point, and the percentage of trip situations
in all generated scenarios (this has now been customized into
the features of the RPS). The number of execution cycles for
each scenario and the total number of scenarios to generate
are also required. Fig. 4B shows an example of the scenario
(i.e., test bench) generated by Verilog Scenario Generator that
a simulator ModelSim can simulate seamlessly, as shown in
Fig. 4C.
We can confirm the correctness of the Verilog program
against the generated scenarios by inspecting the simulation
results carefully. For example, the fixed set-point falling trip
logic simulated in Fig. 4C has an important input (PV_OUT)
that starts from 15,000 and changes at the maximum rate of
50. If the trip condition PV_OUT  TSP is satisfied for 20 cycles
(TSP_CNT), then the shutdown signal will be initiated (i.e.,
TRIP¼ 1), as shown in the simulator. The simulation in Fig. 4C
shows the situation when the pre-trip was first activated,
followed by the trip. The current input value of PV_OUT is
12,838, while PTSP is 14,220¼ 13,920þ 300 (hysteresis) and TSP
is 13,200¼ 12,900þ 300.Wemodified the real value of trip/pre-
trip set-points to aid understanding. The pre-trip (PTRIP) is a
warning signal before the actual alarm, TRIP, and also shows
the same behavior as the trip signal, but works earlier in
advance of the trip signal. After confirming its correct
behavior through careful reviews of simulation results by
experts, the program (i.e., a Verilog program in this example)
will be used as a correct answer (i.e., a comparison oracle
program) for all other design artifacts.
It is worth noting that the scenarios generated by Verilog/
VHDL Scenario Generator try to reflect the physical conditions
for the RPS trip logic. Fig. 4A shows that we set information on
all input variables, as well as auxiliary information, such as
falling trip and trip set-point (12,900). It also set the tool to
generate scenarios, in which ~40% would generate the trip
signal. Fig. 5 shows the trajectories of 1,000 scenarios gener-
ated, i.e., 1,000 trajectories of the input variable PV OUT during
100 cycles.
The Co-simulator plays the role of an integrated controller
in IST-FPGA, and allows designers to perform the three steps
of IST-FPGA seamlessly andmechanically. Step 1 - Preparation
for a common oracle program with massive and meaningful
scenarios is the same as the Verilog/VHDL Scenario Generator,
except that it can also generate and execute scenarios for FBD
programs. Three designs, such as Verilog, VHDL, and FBD
programs, can be used as candidates for the comparison
oracle program at the first step, as shown in Fig. 6A.
Step 2 - Co-simulation of all designs simultaneously re-
quires all input designs, such as FBD, Verilog, VHDL, netlist
(EDIF), and post-layout, as well as required libraries, as pre-
sented in Fig. 6B. It then performs the co-simulation of all
input designs with the simulation scenarios generated in the
previous step by executing ModelSim or FBD Simulator in the
background.
Co-simulator also supports Step 3 - Evaluation of simula-
tion results altogether. If it detects any inequivalent case
against the oracle program in co-simulation, it explains all
simulation traces graphically (i.e., produces a counterexample
ofmodel-checking techniques [38] to aid the analysis, such as,
“Where and when does the inequivalent occur?”). For
example, the graph in Fig. 6C shows that the netlist showsdifferent/incorrect behavior in the 59th cycle. The graphical
counter example helps designers analyze the incorrect
behavior of a specific design and localize errors in the design
(this example used a seeded error in netlist design).
FBD Scenario Generator and FBD (Massive) Simulator are
specialized tools for FBD programs. The NuDE framework
[3,39] proposes the use of FBD programs as design specifica-
tions for RTL designs, and the FBD Scenario Generator gen-
erates a number of meaningful scenarios, while the FBD
(Massive) Simulator simulates them independently from the
software engineering tools of PLC vendors [38]. We notice that
the trace of the FBD program shown in Fig. 7 is easier to un-
derstand as compared to the wave of ModelSim in Fig. 4C,
while they all show the same behavior.4. Experimental results
We performed an experiment with two examples of software
implementations (i.e., Verilog and VHDL programs) that are
under development as new FPGA-based digital I&Cs in Korea.
We demonstrated how IST-FPGA can reduce the time and cost
of the simulation-based verification of FPGA software. Fig. 8
provides an overview of the entire process and the experi-
mental targets. The Verilog program of Case I was developed
to confirm the functionalities (trip logics) of the new FPGA-
based RPS [5], and consisted of 18 independent shutdown
logics/modules with no hardware-dependent implementation
details. The VHDL program of Case II, however, was the pro-
gram used to synthesize, configure, and download into the
FPGAs of the diverse protection system. It includes four
shutdown logics as well as FPGA HW details such as I/Os.
For both the Verilog/VHDL programs, we performed the
FPGA software development using Libero SoC and Synplify Pro
(Synopsys, Mountain View, CA, ISA) [40]. As shown in Fig. 8,
IST-FPGA performed the simulation-based verification with
support of Co-simulator. We estimated the time taken for the
IST-FPGA based verification and also compared it with the
calculated/estimated times of traditional approaches per-
formed individually and independently, as shown on the left-
hand side of Fig. 8. The equation for calculating the estimated
time taken for each verification approach is as follows:
EISTFPGA ¼
XN
i¼1
EISTFPGAðiÞ; (1)
where:
EISTFPGAðiÞ ¼ EStep 1ðiÞ þ TStep 2þStep 3ðiÞ
EStep 1ðiÞ ¼ TScenario GenerationðiÞ þ EMOðiÞ
EMOðiÞ ¼ eMOðiÞ  NS
TStep 2þStep 3ðiÞ ¼ TCo-SimulationðiÞ
where: N ¼ the number of logics/modules
(1  i  N ¼ 18); EðiÞ ¼ estimated time; NS ¼ the number of
scenario (NS ¼ 1,000); and e ¼ meaning that we measured it
with average time to estimate.
Fig. 5 e Trajectories of the 1,000 scenarios generated for a fixed set-point falling trip logic. PTSP, pretrip setpoint; TSP, trip
setpoint.
Fig. 6 e Co-simulation for IST-FPGA. (A) Step 1: Preparation. (B) Step 2: Co-simulation. (C) Step 3: Evaluation. FPGA, field-
programmable gate arrays; IST, integrated software testing.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1476
Fig. 7 e FBD simulator. FBD, function block diagram.
Fig. 8 e Experimental overview. FPGA, field-programmable gate arrays; IST, integrated software testing; P&R, place and
route; PLD, programmable logic device; RPS, reactor protection system; RTL, register-transfer level; VHDL, VHISC hardware
description languages.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1 477
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1478In IST-FPGA, Step 1 consists of scenario generation and
making the oracle (MO). Verilog/VHDL Scenario Generator or
Step 1 of the Co-simulator can perform the scenario genera-
tion, and we can measure the exact executing time. However,
MO is performed manually and depends upon the complexity
of the test scenario generation and the experience of the ex-
perts. Therefore, we estimated eMOðiÞ as the average time of
10 samples. Steps 2 and 3 are supported by the Co-simulator,
and the executing time can be measured accurately.
ETA ¼
XN
i¼1
ETAðiÞ; (2)
where:
ETAðiÞ ¼ ESDðiÞ þ TSimulationðiÞ þ EEvaluationðiÞ
ESDðiÞzTScenario GenerationðiÞ
TSimulationðiÞ ¼ TBSðiÞ þ TLSðiÞ þ TPSðiÞ
EEvaluationðiÞzEMOðiÞ  3:Table 1 e Summarized information for each module and meas
input; po, primary output; reg, register.The time for the traditional approach (TA) can be estimated
as shown above. Scenario development (SD) time is regarded
in the same way as with the IST-FPGA, since Verilog/VHDL
Scenario Generator can do it mechanically. The simulation
time, including behavioral simulation (BS), logic simulation
(LS), and post-layout simulation (PS) for three steps are
measured by ModelSim. The evaluation time for three simu-
lation results can reasonably be regarded as the three times of
EMOðiÞ in IST-FPGA.4.1. Case IdThe Verilog program
The Verilog program consists of 18 logics/modules, as sum-
marized in Table 1. For example, the Hi_CNY_PRS_FSR logic
(module) has 34 inputs and two outputs while using 36 reg
variables to store information for later steps. Asmostmodules
were developed to confirm the functionality of shutdown
logics, they have two outputs: trip and pre-trip. Implementa-
tion details, such as operational bypass and heartbeat, are not
implemented in the Verilog program, while they are in the
VHDL program.ured time in Case I. SD, scenario development; pi, primary
Table 2 e Summarized information for eachmodule andmeasured time in Case II. SD, scenario development; DPS, diverse
protection system; pi, primary input; po, primary output; reg, register.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1 479We performed two simulation-based verifications, the IST-
FPGA and the TA, and measured the time taken for each ac-
cording to the formulae above. We generated 1,000 scenarios
of 100 cycles, and the values of eMOðiÞ were estimated by ex-
perts as an average of 10 real evaluation times of simulation
results. For example, eMOð1Þ for the Hi_CNY_PRS_FSR module
was estimated as 0.33 minutes, and EMOð1Þwill be 0.33 * 1,000.
Since EMOðiÞ takes a larger portion of total verification time
(up to 90%), the number of times the action has to be executed
plays an important role in reducing the total verification time.
While the IST-FPGA performs the activity only one time at
Step 1 (Preparation), TAs have to do it for each evaluation step
and will take threefold longer than IST-FPGA. In summary,
IST-FPGA could perform the simulation-based test 2.73-times
faster than TAs, even when executing and evaluating the
same set of test scenarios.
4.2. Case IIdThe VHDL program
The VHDL program includes four shutdown logics, as well as
implementation details, such as interfaces for FPGA hard-
ware, as summarized in Table 2. For example, the DPS_BP 1
module uses 50 inputs (bits), 104 outputs (bits), and 2,815 reg
variables (bits). Implementation details, such as operational
bypass and heartbeat, were set appropriately beforehand.
We performed two simulation-based verifications and
measured (estimated) the time using the samemethods as in
Case I. We used VHDL Scenario Generator instead of Verilog
Scenario Generator. The results of Case II were similar to
those of Case I, but it took much more time, as the VHDL
program consists of more complex and larger scales of
logics. In summary, IST-FPGA could perform the simulation-
based test 2.87-times faster than TAs under the same
conditions.
4.3. Experiment analysis
The experiment claimed that IST-FPGA is approximately
threefold faster than traditional simulation-bases testing
approach. However, the time and cost of the TA greatly
depend on the experience and ability of developers and test
engineers. As we assume that the two approaches use the
same simulation scenarios mechanically generated by Co-
simulator, the time taken to develop test scenarios for TAs
may be underestimated. It must take a considerable amount
of time for developers to develop such test scenarios. How-
ever, they use a massive number of simulation scenarios (e.g.,1,000), and the time taken to evaluate simulation results may
be overestimated, even if not multiplied by three. Such
massive numbers of test scenarios cannot be developed nor
used in practice.
The heart of the question is how to guarantee the quality of
simulation scenarios generated by Co-simulator or Verilog/
VHDL Scenario Generator mechanically. If the scenarios are
meaningful ones reflecting the RPS trip logics, the experiment
will go close to common agreement. We now try to reflect the
fixed set-point trip logic to generate simulation scenarios as
shown in Figs. 4 and 5. Other trip logics, such as manual reset
and variable set-point, should be dealt with, and we are
working on these.
Structural testing techniques [41], as well as functional
testing, should be considered to improve the quality of simu-
lation scenarios. We need to check the code coverage [20] of
simulation scenarios generated against RTL programs to
determine whether they meet the code coverage requirements
for safety-critical I&C systems, which unfortunately are not yet
defined. DO-254 [28] in avionics requires 100% statement and
branch coverages for complex hardware systems that use
FPGAs, complex programmable logic devices, and application-
specific integrated circuits. It is also required that Verilog/VHDL
Scenario Generator generates test scenarios that can meet
specific predefined code coverages, and vice versa. We are now
planning an approach to this problem.5. Related work
There are several methods performing design verification in
the FPGA software development process. Simulation-based
verification is a widely used way to confirm the correctness
of designs. The co-simulation [42] technique can also be used
to execute two designs in parallel. Yang et al [43] proposed RTL
scan flow that is similar to our framework. It uses simulation
scenarios to perform co-simulation with an RTL-level design
and a mapped design in an FPGA environment (iPOVE) [44]. It
is more closely related to hardware/software co-simulation.
Zheng et al [14] proposed an FPGA software verification
method using test bench and assertion analysis. It simulates
an RTL program and a gate-level design with generated sce-
narios, including assertions. The simulation with assertions
checks specific design features and can be used to show the
authenticity and efficiency of FPGA. Neither support auto-
mated scenario generation.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1480There are also several methods used to generate simula-
tion scenarios from HDL designs [45e47]. Vemuri et al [45]
presented a method for generation of input sequences from
VHDL programs. It generates input sequences to execute
desired control-flow paths through enumeration, constraint
generation, and constraint-solving techniques. Gharebaghi
et al [46] presented two generation algorithms that work on
the VHDL process, representing combinational logic and
sequential logic. The goal of both algorithms is to test all
portions of the process body by traversing all the feasible
paths in order to achieve high coverages. Hari et al [47] pro-
posed a methodology for automatic extraction of word-level
model constraints from Verilog. The scenarios are also
expressed as constraints, which can be solved using an
integer solver to arrive at the necessary functional test.6. Conclusions and future work
This paper proposed an integrated software testing frame-
work (IST-FPGA) for FPGA-based digital controllers in NPPs. It
simulates all designs in each level of FPGA software develop-
ment simultaneously and evaluates whether all designs work
correctly against common oracle programs. It also generates a
massive number of input scenarios with the guide of domain
experts in order to produce meaningful scenarios reflecting
reactor shutdown logics. It is also supported by assistant tools,
such as Verilog/VHDL Scenario Generator and Co-simulator.
We performed experiments with two FPGA software imple-
mentations of RPS and showed that the proposed framework
can save time and costs associated with verifying FPGA
software.
We are now trying to improve the quality of simulation
scenarios, which are automatically generated by our tools, in
twoways. From the aspect of functional testing, more delicate
scenario generation reflecting all reactor shutdown logics are
required. From the aspect of structural testing, code coverages
for RTL programs should be measured and also be used to
generate simulation scenarios, and vice versa. We are also
planning to analyze the correspondence between the code
coverages in RTL and Netlists at the gate-level in order to
clarify the impact of high-quality FPGA software designs on
FPGA hardware implementations.Conflicts of interest
All authors have no conflicts of interest to declare.
Acknowledgments
This research was supported, in part, by a grant from the
Korean Ministry of Science, ICT, and future planning under
the I&C Safety Conformance Assessment Platform. It was also
supported, in part, by a grant from the Korea Atomic Energy
Research Institute under the development of the core soft-
ware technologies of the integrated development environ-
ment for FPGA-based controllers.r e f e r e n c e s
[1] J. Kim, E.S. Kim, J. Yoo, A translator verification technique for
FPGA software development in nuclear power plants,
Transactions of the Korean Nuclear Society Autumn
Meeting, Pyeongchang, Korea, 2014, pp. 1986e1988.
[2] International Electrotechnical Commission (IEC),
International standard for programmable controllers:
Programming languages 61131-Part 3, IEC, 1993.
[3] J. Yoo, J.H. Lee, J.S. Lee, A research on seamless platform
change of reactor protection system from PLC to FPGA, Nucl.
Eng. Technol. 45 (2013) 477e488.
[4] J.G. Choi, Survey of the CPLD/FPGA technology for
application to NPP digital I&C system, Technical Report,
Korea Atomic Energy Research Institute, 2009.
[5] J. Choi, D. Lee, Development of RPS trip logic based on PLD
technology, Nucl. Eng. Technol. 44 (2012) 697e708.
[6] J. Ranta, The current state of FPGA technology in the nuclear
domain, Technical Report, VTT Technical Research Centre of
Finland, Espoo (Finland), 2012.
[7] NS-G-1.2, Safety assessment and verification for nuclear
power plants: safety guide, IAEA, Vienna, 2004.
[8] International Electrotechnical Commission (IEC), Nuclear
power plantseInstrumentation and control systems
important to safetyeSoftware aspects for computer-
based systems performing category A functions, IEC
60880, 2006.
[9] International Electrotechnical Commission (IEC), Nuclear
power plantseInstrumentation and control important to
safetyeHardware design requirements for computer-based
systems, IEC 61513, 2011.
[10] Xilinx [Internet]. San Jose, CA, USA, 2013 [cited 2016 Feb 17].
Xilinx ISE Design Suite. Available from: http://www.xilinx.
com/products/design-tools/ise-design-suite.html.
[11] Altera [Internet]. San Jose, CA, USA, 2015 [cited 2016 Feb 17].
Quartus Prime. Available from: https://www.altera.com/
products/design-software/overview.html.
[12] Microsemi [Internet]. Aliso Viejo, CA, USA, 2015 [cited 2016
Feb 17]. Libero SoC. Available from: http://www.microsemi.
com/products/fpga-soc/design-resources/design-software/
libero-soc.
[13] D. Kim, M. Ciesielski, S. Yang, A new distributed event-
driven gate-level HDL simulation by accurate prediction,
Design, Automation & Test in Europe Conference &
Exhibition (DATE), IEEE, Grenoble, France, 2011, pp. 1e4.
[14] D. Zheng, W. Yichen, Z. Xueyi, The methods of FPGA
software verification, 2011 IEEE International Conference on
Computer Science and Automation Engineering (CSAE),
Shanghai, China, Volume 3, IEEE, 2011, pp. 86e89.
[15] R.E. Bryant, A methodology for hardware verification based
on logic simulation, JACM 38 (1991) 299e328.
[16] International Electrotechnical Commission (IEC), Nuclear
power plantseInstrumentation and control important to
safetyeHardware design requirements for computer-based
systems, IEC 60987, 2013.
[17] International Electrotechnical Commission (IEC), Nuclear
power plantseInstrumentation and control important to
safetyeDevelopment of HDL-programmed integrated
circuits for systems performing category A functions, IEC
62566, 2012.
[18] M. Bobrek, D. Bouldin, D.E. Holcomb, S.M. Killough,
S.F. Smith, C. Ward, R.T. Wood, Review guidelines for field-
programmable gate arrays in nuclear power plant safety
systems, NUREG/CR-7006, U.S. NRC, 2010.
[19] R. Lissel, J. Gerlach, Introducing new verification methods
into a company's design flow: an industrial user's point of
view, Proceedings of the Conference on Design, Automation,
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 8 ( 2 0 1 6 ) 4 7 0e4 8 1 481and Testing in Europe, EDA Consortium, Nice, France, 2007,
pp. 689e694.
[20] J.Y. Jou, C. Liu, Coverage analysis techniques for HDL design
validation, Proceedings of the 6th Asia Pacific Chip Design
Languages, Fukuoka, Japan, 1999, pp. 48e55.
[21] S. Sjoholm, L. Lindh, The need for co-simulation in ASIC-
verification, EUROMICRO 97. New Frontiers of Information
Technology, Proceedings of the 23rd EUROMICRO
Conference, IEEE, Budapest, Hungary, 1997, pp. 331e335.
[22] MathWorks [Internet]. Natick, MA, USA, 2015 [cited 2016 Feb
17]. HDL Verifier. Available from: http://kr.mathworks.com/
products/hdl-verifier/features.html.
[23] C. Valderrama, F. Nac¸abal, P. Paulin, A. Jerraya, Automatic
VHDL-C interface generation for distributed co-simulation:
application to large design examples, Des. Autom. Embed.
Syst. 3 (1998) 199e217.
[24] B. Oraw, V. Choudhary, R. Ayyanar, A co-simulation
approach to model-based design for complex power
electronics and digital control systems, Proceedings of
the 2007 Summer Computer Simulation Conference,
Society for Computer Simulation International, San Diego,
CA, USA, 2007, pp. 157e164.
[25] Mentor Graphics [Internet] Wilsonville, OR, USA, 2016 [cited
2016 Feb 17]. Questa ADMS. Available from: https://www.
mentor.com/products/fv/advance_ms/.
[26] SCC [Internet]. 2015, [cited 2016 Feb 17]. Software
Certification Consortium. Available from: http://cps-vo.org/
group/scc.
[27] J.K. Lee, Y.M. Kim, Design and verification of FPGA-based
applications in nuclear power plants, J. Energy Power Eng. 7
(2013) 537e544.
[28] Radio Technical Commission for Aeronautics (RTCA), Design
assurance guidance for airborne electronic hardware, DO-
254, 2000.
[29] Institute of Electrical and Electronics Engineers (IEEE), IEEE
standard for software verification and validation, IEEE 1012,
2005.
[30] International Electrotechnical Commission (IEC), Functional
safety of electrical, electronic and programmable electronic
(E/E/PE) safety-related systems, IEC 61508, 2000.
[31] Institute of Electrical and Electronics Engineers (IEEE), IEEE
standard criteria for digital computers in safety systems of
nuclear power generating stations, IEEE 7-4.3.2, 2003.
[32] Institute of Electrical and Electronics Engineers (IEEE), IEEE
standard criteria for safety systems of nuclear power
generating stations, IEEE 603, 2003.
[33] TR-1019181, Guidelines on the use of field-programmable
gate arrays in nuclear power plant I&C systems, Electric
Power Research Institute, 2009.
[34] TR-109390, Design description of a prototype
implementation of three reactor protection system channelusing field-programmable gate arrays, Electric Power
Research Institute, 1998.
[35] TR-1022983, Recommended approaches and design criteria
for application of field-programmable gate arrays in nuclear
power plant instrumentation and control systems, Electric
Power Research Institute, 2009.
[36] Mentor Graphics [Internet]. Wilsonville, OR, USA, 2015 [cited
2016 Feb 17]. ModelSim. Available from: http://www.mentor.
com/products/fpga/simulation/modelsim.
[37] E.S. Kim, D.A. Lee, J. Yoo, The scenario generator for verifying
the correctness of FBDtoVerilog translator Volume 1, Korea
Information Processing Society (KCC 2014), Busan, Korea,
2014, pp. 599e602 [in Korean].
[38] E.M. Clarke, O. Grumberg, D. Peled, Model checking, MIT
press, Cambridge, 1999.
[39] J. Yoo, E.S. Kim, D.A. Lee, J.G. Choi, An integrated software
development framework for PLC- & FPGA-based digital I&Cs,
International Symposium on Future I&C for Nuclear Power
Plants/International Symposium on Symbiotic Nuclear
Power System (ISOFIC/ISSNP), Jeju, Korea, 2014.
[40] Synopsys [Internet]. Mountain View, CA, USA, 2015 [cited
2016 Feb 17]. Synplify Pro. Available from: http://www.
synopsys.com/Tools/Implementation/FPGAImplementation/
FPGASynthesis/Pages/SynplifyPro.aspx.
[41] M. Pezze, M. Young, Software testing and analysis: process,
principles, and techniques, John Wiley & Sons, New York,
2008.
[42] S. Sicklinger, V. Belsky, B. Engelmann, H. Elmqvist,
H. Olsson, R. Wiichner, K.U. Bletzinger, Interface Jacobian-
based co-simulation, Int. J. Numer. Meth. Eng. 98 (2014)
418e444.
[43] S. Yang, H. Shim, W. Yang, C.M. Kyung, A new RTL debugging
methodology in FPGA-based verification platform,
Proceedings of 2004 IEEE Asia-Pacific Conference on
Advanced System Integrated Circuits 2004, Fukuoka, Japan,
IEEE, 2004, pp. 180e183.
[44] Dynalith Systems, iPROVE: a block design and Verification
platform, White Paper, 2003.
[45] R. Vemuri, R. Kalyanaraman, Generation of design
verification tests from behavioral VHDL programs using path
enumeration and constraint programming, IEEE T. VLSI Syst.
3 (1995) 201e214.
[46] A.M. Gharebaghi, Z. Navabi, High-level test generation from
VHDL behavioral descriptions, Proceedings of the VHDL
International Users Forum Fall Workshop (VIUF'00), Orlando,
FL, USA, 2000, pp. 123e126.
[47] S.K.S. Hari, V.V.R. Konda, V. Kamakoti, V.M. Vedula,
K.S. Maneperambil, Automatic constraint-based test
generation for behavioral HDL models, IEEE T. VLSI Syst. 16
(2008) 408e421.
