Model-Checking Detailed Fault-Tolerant Nuclear Power Plant Safety Functions

Igor Buzhinsky, Antti Pakonen

Research output: Contribution to journalArticleScientificpeer-review

Abstract

Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant computational cost. Previous attempts have led to state space explosion and prohibitively long processing times. In this paper, we present an approach to model and formally verify protection functions allocated to one or several I&C systems, accounting for hardware component failures and delays in communication within and between the systems. Formal verification is done with model checking, whose feasibility on such complex systems is achieved by utilizing the symmetry of I&C systems: the components of the overall model that do not influence the checked requirements are eliminated, and the failing components are fixed. Generation of such abstracted models, as well as subsequent verification of their requirements and symmetry with the NuSMV symbolic model checker, is handled by a software tool. In addition, we explore how to specify formal requirements for systems of the considered class. Based on a case study built around a semi-fictitious nuclear power plant protection system that achieves reliability by means of redundancy, we demonstrate how failure tolerance of even detailed system designs can be formally verified.
Original languageEnglish
Article number8892461
Pages (from-to)162139-162156
Number of pages18
JournalIEEE Access
Volume7
DOIs
Publication statusPublished - 1 Jan 2019
MoE publication typeA1 Journal article-refereed

    Fingerprint

Keywords

  • Formal verification
  • model checking
  • nuclear I&C systems
  • fault tolerance

Cite this