Model-Checking I&C Logics — Practical Examples

A spurious actuation of an instrumentation and control (I&C) system function is an illustrative example of a "negative"' requirement being violated. Verifying such requirements with testing is very hard. Model checking is a formal verification method, aimed at mathematical proof that a (system) model fulfills stated formal properties. Due to the exhaustive coverage, design issues are found in I&C systems already subjected to, e.g., testing. The formal properties can also address the absence of unwanted functionality—spurious signals, contradictory commands, frozen outputs, etc.In this paper, we discuss the use of model checking the Finnish nuclear industry, where the method has been applied in different plant life-cycle phases. In the Olkiluoto 3 newbuild and Loviisa 1&2 renewal projects, the focus was on detailed logic design. In the Hanhikivi 1 newbuild and Olkiluoto 1&2 I&C renewal projects, we instead verified functional diagrams, developed early in the projects as input for the later detailed design stages.Through two practical examples of design issues identified in these projects, we demonstrate how easy it is to disprove "negative" requirements having to do with contradictory signals. We also demonstrate how to filter out irrelevant counterexamples, to find out other types of problematic scenarios, even if the first one returned by the model checker can otherwise be ruled out