Formal Safety Assessment Methods in Olkiluoto 1&2 NPP I&C Renewal Project DIMA

Formal languages and methods provide a rigorous and systematic framework for requirement specification and design. A key benefit is the ability to logically prove the correctness of design solutions. TVO operates three nuclear power plants in Olkiluoto, Finland. Units 1 and 2 are BWR type reactors in use since 1979 and 1982. In 2020, TVO started the digital I&C lifetime management project DIMA, where selected I&C systems are renewed using mostly softwarebased
technology. In DIMA, VTT has used two different formal, computer-assisted methods to verify the design solutions. First, model checking was used to verify the functional architecture diagrams serving as design input, and then the detailed I&C logic diagrams developed by Westinghouse Electric Sweden. The analyses have revealed several issues related to spurious actuation, contradictory commands, frozen logic, and in general, incorrect response to inputs. Second, on the overall I&C architecture level, an ontology-based Defense-in-Depth (DiD) assessment method was used to perform interface analyses. The work succeeded in identifying violations of communication independence rules between DiD levels and safety classes. For each violation, TVO was then able to prove by their analyses that failure propagation could not cause unacceptable consequences at the plant level. In this paper, we introduce the formal methods used in the DIMA project, describe the scope of their application, and discuss the results.