Case study: Darlington nuclear generating station [software-driven shutdown systems]

Darlington is a four-reactor nuclear plant east of Toronto. It is operated by Ontario Hydro. Each reactor has two independent shutdown systems: SDS1 drops neutron-absorbing rods into the core, while SDS2 injects liquid poison into the moderator. Both are safety-critical and require high levels of confidence. In 1982, Ontario Hydro, with the concurrence of the Atomic Energy Control Board of Canada (AECB), had decided to fully implement the shutdown systems´ decision-making logic on computers. This was to be the first Canadian instance of such a system, so there were questions about what procedures to follow, both in developing and licensing the system. To help achieve certification for the plant´s shutdown systems, formal methods were applied to convince the AECB that the code was of acceptable quality and in accordance with specifications. Formal methods, applied only when serious concerns about the adequacy of the software and documentation arose, took the form of a formal model-based inspection.<>