Model checking methodology for supporting safety critical software development and verification

Instrumentation and control (I&C) systems play a vital role in the operation of safety critical processes. Programmable digital logic controllers enable sophisticated control tasks which sets high requirements for system verification. The principal methods for validation have traditionally been testing and simulation. They may have an important role in overall validation of a system but are not suitable for comprehensive validation because they are able to handle only a very limited number of different behaviours of the system state space, they take too long time to carry out or they can be performed too late in the development life cycle. New methods for validation have to be explored. This paper discusses the role of formal methods in software development in the area of nuclear engineering. It puts forward model checking, which is a computer-aided formal method for verifying correct functioning of a system design model, as a promising approach to system verification. Model checking methodology for system verification is explained and compared to the other traditional methods. The model checking process is described and the pros and cons of the method are discussed. Also practical experiences of utilizing model checking in safety evaluation of I&C system designs are elaborated. Model checking enables to reliably verify the presence of a desired or the absence of an undesired behaviour in an I&C logic system design. The possibility of complete verification with model checking makes it different from simulation based testing where only selected schemes can be simulated leaving the coverage of the verification low.