Author :
Craigen, Dan ; Gerhart, Ora Canada Susan ; Ralston, Ricis Ted
Abstract :
Darlington is a four-reactor nuclear plant east of Toronto. It is operated by Ontario Hydro. Each reactor has two independent shutdown systems: SDS1 drops neutron-absorbing rods into the core, while SDS2 injects liquid poison into the moderator. Both are safety-critical and require high levels of confidence. In 1982, Ontario Hydro, with the concurrence of the Atomic Energy Control Board of Canada (AECB), had decided to fully implement the shutdown systems' decision-making logic on computers. This was to be the first Canadian instance of such a system, so there were questions about what procedures to follow, both in developing and licensing the system. To help achieve certification for the plant's shutdown systems, formal methods were applied to convince the AECB that the code was of acceptable quality and in accordance with specifications. Formal methods, applied only when serious concerns about the adequacy of the software and documentation arose, took the form of a formal model-based inspection.
Keywords :
fission reactor core control and monitoring; fission reactor safety; formal specification; nuclear engineering computing; safety; software reliability; Atomic Energy Control Board of Canada; Canada; Darlington nuclear generating station; Ontario Hydro; case study; certification; code quality; decision-making logic; documentation; formal methods; formal model-based inspection; licensing; liquid poison injection; neutron-absorbing rods; nuclear plant; safety-critical systems; software driven shutdown systems; specifications; Certification; Control systems; Decision making; Documentation; Inductors; Inspection; Licenses; Logic; Nuclear power generation; Toxicology;