Model-Checking Detailed Fault-Tolerant Nuclear Power Plant Safety Functions

Igor Buzhinsky, Antti Pakonen

Research output: Contribution to journal › Article › Scientific › peer-review

Abstract

Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant computational cost. Previous attempts have led to state space explosion and prohibitively long processing times. In this paper, we present an approach to model and formally verify protection functions allocated to one or several I&C systems, accounting for hardware component failures and delays in communication within and between the systems. Formal verification is done with model checking, whose feasibility on such complex systems is achieved by utilizing the symmetry of I&C systems: the components of the overall model that do not influence the checked requirements are eliminated, and the failing components are fixed. Generation of such abstracted models, as well as subsequent verification of their requirements and symmetry with the NuSMV symbolic model checker, is handled by a software tool. In addition, we explore how to specify formal requirements for systems of the considered class. Based on a case study built around a semi-fictitious nuclear power plant protection system that achieves reliability by means of redundancy, we demonstrate how failure tolerance of even detailed system designs can be formally verified.
Original language: English
Pages (from-to): 162139-162156
Number of pages: 18
Journal: IEEE Access
Volume: 7
DOIs: 10.1109/ACCESS.2019.2951938
Publication status: Published - 18 Nov 2019
MoE publication type: A1 Journal article-refereed

Keywords

  • Formal verification
  • model checking
  • nuclear I&C systems
  • fault tolerance

Cite this

@article{34016511ba0348649a5c74ad32ce102e,
title = "Model-Checking Detailed Fault-Tolerant Nuclear Power Plant Safety Functions",
abstract = "Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant computational cost. Previous attempts have led to state space explosion and prohibitively long processing times. In this paper, we present an approach to model and formally verify protection functions allocated to one or several I&C systems, accounting for hardware component failures and delays in communication within and between the systems. Formal verification is done with model checking, whose feasibility on such complex systems is achieved by utilizing the symmetry of I&C systems: the components of the overall model that do not influence the checked requirements are eliminated, and the failing components are fixed. Generation of such abstracted models, as well as subsequent verification of their requirements and symmetry with the NuSMV symbolic model checker, is handled by a software tool. In addition, we explore how to specify formal requirements for systems of the considered class. Based on a case study built around a semi-fictitious nuclear power plant protection system that achieves reliability by means of redundancy, we demonstrate how failure tolerance of even detailed system designs can be formally verified.",
keywords = "Formal verification, model checking, nuclear I&C systems, fault tolerance",
author = "Igor Buzhinsky and Antti Pakonen",
year = "2019",
month = "11",
day = "18",
doi = "10.1109/ACCESS.2019.2951938",
language = "English",
volume = "7",
pages = "162139--162156",
journal = "IEEE Access",
issn = "2169-3536",
publisher = "IEEE Institute of Electrical and Electronic Engineers",

}

Model-Checking Detailed Fault-Tolerant Nuclear Power Plant Safety Functions. / Buzhinsky, Igor; Pakonen, Antti.

In: IEEE Access, Vol. 7, 18.11.2019, p. 162139-162156.

Research output: Contribution to journal › Article › Scientific › peer-review

TY - JOUR

T1 - Model-Checking Detailed Fault-Tolerant Nuclear Power Plant Safety Functions

AU - Buzhinsky, Igor

AU - Pakonen, Antti

PY - 2019/11/18

Y1 - 2019/11/18

N2 - Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant computational cost. Previous attempts have led to state space explosion and prohibitively long processing times. In this paper, we present an approach to model and formally verify protection functions allocated to one or several I&C systems, accounting for hardware component failures and delays in communication within and between the systems. Formal verification is done with model checking, whose feasibility on such complex systems is achieved by utilizing the symmetry of I&C systems: the components of the overall model that do not influence the checked requirements are eliminated, and the failing components are fixed. Generation of such abstracted models, as well as subsequent verification of their requirements and symmetry with the NuSMV symbolic model checker, is handled by a software tool. In addition, we explore how to specify formal requirements for systems of the considered class. Based on a case study built around a semi-fictitious nuclear power plant protection system that achieves reliability by means of redundancy, we demonstrate how failure tolerance of even detailed system designs can be formally verified.

AB - Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant computational cost. Previous attempts have led to state space explosion and prohibitively long processing times. In this paper, we present an approach to model and formally verify protection functions allocated to one or several I&C systems, accounting for hardware component failures and delays in communication within and between the systems. Formal verification is done with model checking, whose feasibility on such complex systems is achieved by utilizing the symmetry of I&C systems: the components of the overall model that do not influence the checked requirements are eliminated, and the failing components are fixed. Generation of such abstracted models, as well as subsequent verification of their requirements and symmetry with the NuSMV symbolic model checker, is handled by a software tool. In addition, we explore how to specify formal requirements for systems of the considered class. Based on a case study built around a semi-fictitious nuclear power plant protection system that achieves reliability by means of redundancy, we demonstrate how failure tolerance of even detailed system designs can be formally verified.

KW - Formal verification

KW - model checking

KW - nuclear I&C systems

KW - fault tolerance

U2 - 10.1109/ACCESS.2019.2951938

DO - 10.1109/ACCESS.2019.2951938

M3 - Article

VL - 7

SP - 162139

EP - 162156

JO - IEEE Access

JF - IEEE Access

SN - 2169-3536

ER -