Practical solutions for the model-checking of fault-tolerant instrumentation and control system logics

Software in industrial instrumentation and control (I&C) systems is subject to high reliability requirements. If human errors made in I&C software engineering cause control failures during operation, the outcome, depending on the application, could be a huge financial loss, a severe hazard to health or the environment, or even loss of life.

Modern digital I&C systems are complex and so full of intricate dependencies that traditional met of proving their safety and reliability fall short. Model checking is a formal, computerassisted verification method, that can be used to logically prove that a model of the system is correct. The method has been proven to find hidden errors in designs already subjected to rigorous testing. VTT has used the method in Finnish nuclear and rail traffic industry projects and found over a hundred design issues. Still, the broader application of model checking has been hampered by thelack of user-friendly, domain-specific tools.

This thesis examines ways of (1) making the work process of I&C logic model checking more userfriendly, accessible, and cost-effective, and (2) broadening the scope in which I&C design can be analysed. First, it presents a tool-supported approach for modelling and analysing fault-tolerant I&C logics used in, e.g., nuclear facilities. Second, it examines ways of accounting for the failure modes of the underlying I&C hardware, when verifying that the logics are fault-tolerant. Third, it shows how infinite-state modelling and compositional verification can be applied to logics where the more common approach of symbolic, discrete-state model checking falls short.

The practical applicability of the contribution has been proven by evaluating the developed methods against data and models collected from real industrial projects and employing the methods in practice. The new techniques explored in the thesis, now already in used in VTT’s projects, have already uncovered design issues in logics that were previously thought too complex to check.