Analysis of an emergency diesel generator control system by compositional model checking: MODSAFE 2010 work report

Digital instrumentation and control (I&C) systems containing programmable logic controllers are challenging to verify. They enable complicated control functions and the state spaces (number of distinct values of inputs, outputs and internal memory) of the designs easily become too large for comprehensive manual inspection. Model checking is a formal method that can be used for verifying that systems have been correctly designed. A number of efficient model checking systems are available which provide analysis tools that are able to determine automatically whether a given state machine model satisfies the desired safety properties. The practical case analysed in this research project is called an "emergency diesel generator control system" and its purpose is to provide reserve power to critical devices and computers that must be available without interruption. This report describes 1) the development of a compositional approach for checking the models in large system designs, 2) the development of a modular model checking approach for modelling function block diagrams with the Uppaal model checker and 3) the experience of utilising the new modelling approaches in practice.