Model checking has been successfully used for detailed formal verification of instrumentation and control (I&C) systems, as long as the focus has been on the application logic alone. In safety-critical applications, fault tolerance is also an important aspect, but introducing I&C hardware failure modes to the formal models comes at a significant computational cost. Previous attempts have led to state space explosion and prohibitively long processing times. In this paper, we present a method for adding hardware component failures and communication delays into I&C application logic models for the NuSMV symbolic model checker. Based on a case study built around a semi-fictitious, four-redundant nuclear power plant protection system, we demonstrate how even detailed system designs can be verified if the focus is kept on single failure tolerance.
| Series | IEEE International Conference on Industrial Technology |
| Conference | 2019 IEEE International Conference on Industrial Technology, ICIT 2019 |
| Period | 13/02/19 → 15/02/19 |
- Fault tolerance
- Formal verification
- Model checking