OptoNet - a case study in using rigorous analysis techniques to justify a revised product assurance strategy

When upgrading software in mission-critical or safety-related industrial control systems, it is imperative to ensure that system integrity properties are preserved. Comprehensive system testing is one way to gain this assurance. This has limitations, however, in that the hardware may be too expensive to assemble a large test rig, or where a product upgrade is to be deployed in diversely configured systems. This paper describes a method that uses rigorous system analysis to justify the replacement of system testing with both static analysis of the system configuration and dynamic testing of the upgraded system components. The paper reports on industrial experience in applying this method to the OptoNet product, which is an embedded software product used in industrial control systems. System analysis techniques are used to develop a detailed understanding of how OptoNet components (RTUs) interact to realise OptoNet system behaviour. Based on this detailed understanding, recommendations for a revised assurance strategy are made. The lessons learnt in the trial application of this method to the OptoNet product are discussed, and possible extensions to the method are proposed.