Formal Verification of Safety I&C System Designs: Two Nuclear Power Plant Related Applications

Instrumentation and control (I&C) systems play a crucial role in the operation of nuclear power plants (NPP) and other safety critical processes. An important change is the replacement of the old analogue I&C systems with new digitalised ones. The programmable digital logic controllers enable more complicated control tasks than the old analogue systems and thus the validation of the control logic designs against safety requirements has become more important. In order to diminish the subjective component of the evaluation there is a need to develop new formal verification methods. A promising approach is a method called model checking, which enables the complete verification of requirements when a finite state machine model of the system is available. The use of model checking to verify two nuclear power plant related systems is described: an arc protection system and a reactor emergency cooling system. For the verification, it was also necessary to model the operation environment of the device and the larger system it is part of. The environment models could be kept relatively simple, but it is important that the essential behaviour of the environment is covered. The reactor emergency cooling system is in use in an operating nuclear power plant and the arc protection system model included a typical realistic operation environment. The results showed that it was possible to reliably verify the presence of desired behaviour as well as the absence of an undesired behaviour of the system. The possibility for complete verification makes model checking different from simulation-based testing where only a number of selected scenarios can be simulated and one can never be sure that all the possible behaviour is covered. The challenges for future research are to develop more dedicated methods for the verification of safety critical automation and safety critical embedded software.