Abstract:The verication of embedded, safety-critical industrial systems is important, since a failure ofthese systems may have catastrophic consequences. Formal methods guarantee not only thecorrectness, but also the completeness of the analysis. However, even moderately complexindustrialsystemshavestatespacessolargethatformeranalysistechniquescouldnothandle.In this paper we model and analyse a small, but important part of a safety-critical industrialsystem: a safety function initiating an emergency procedure in a nuclear power plant. Wemodel safety function using a proprietary coloured Petri net formalism, and perform the analy-sis by symbolic model checking based on the saturation algorithm. The analysis results werecomputed by the model checking tool developed at our department . Although this particularsafety function has been analysed in earlier research [11], this is the rst time the full behaviourof this system could be examined without any restrictions.Keywords:safety systems, formal methods, coloured Petri net, model checking, saturation1 INTRODUCTIONEmbedded controllers are now a standard and prevalent part of industrial systems. They pro-vide rich functionality and easy programmability. Still, these advantages also create a problem:the verication and validation (V&V) of these devices and their programs is becoming increas-ingly difcult. Testing is the traditional approach to V&V in industrial control systems. However,their behaviour is typically complex enough to make it impossible to achieve a complete testcoverage for an even moderately complex controller. Hence, formal modelling and analysis isgaining wider acceptance in the industry, especially in the safety-critical application areas.A frequently mentioned weakness of formal methods is that they often bite off more than theycan chew, meaning that the formal models of real systems are susceptible to state explosion .While this is a valid argument, the aim of our paper is to demonstrate that recent developmentin the eld of model checking, advanced state space exploration algorithms and storage datastructures make us possible to solve problems that older methods could not handle. Our ap-plication example is a small, but important safety-critical industrial system: the safety functioninitiating an emergency procedure in a nuclear power plant.The contributions of this paper are twofold: theoretical and practical. On the theoretical side,we have adapted and extended the so-called saturation algorithm [3] to be able to represent
[1]
Gianfranco Ciardo,et al.
Saturation-Based Symbolic Reachability Analysis Using Conjunctive and Disjunctive Partitioning
,
2005,
CHARME.
[2]
Andrew S. Miner,et al.
Saturation for a General Class of Models
,
2004,
IEEE Transactions on Software Engineering.
[3]
Lars Michael Kristensen,et al.
Coloured Petri Nets - Modelling and Validation of Concurrent Systems
,
2009
.
[4]
Katalin M. Hangos,et al.
Verification of a primary-to-secondary leaking safety procedure in a nuclear power plant using coloured Petri nets
,
2009,
Reliab. Eng. Syst. Saf..
[5]
Tamás Bartha,et al.
Formal Verification of Safety Functions by Reinterpretation of Functional Block Based Specifications
,
2008,
FMICS.
[6]
Gianfranco Ciardo,et al.
Saturation Unbound
,
2003,
TACAS.
[7]
Edmund M. Clarke,et al.
Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons
,
1982,
Sci. Comput. Program..
[8]
Edmund M. Clarke,et al.
Model Checking
,
1999,
Handbook of Automated Reasoning.
[9]
Randal E. Bryant,et al.
Graph-Based Algorithms for Boolean Function Manipulation
,
1986,
IEEE Transactions on Computers.
[10]
Dániel Darvas,et al.
Bounded saturation-based CTL model checking
,
2013
.
[11]
Jose Maria Izquierdo-Rocha,et al.
Application of the integrated safety assessment methodology to the emergency procedures of a SGTR of a PWR
,
1994
.
[12]
Edmund M. Clarke,et al.
Symbolic Model Checking with Partitioned Transistion Relations
,
1991,
VLSI.