Creating a Validated Implementation of the Steam Boiler

SPIN is a tool for the simulation and veriication of protocols. PROMELA, its source language, is a formal description technique like SDL and Estelle that is based on communicating state machines. The tool and the language are in the public domain and therefore widely used. The "Steam-Boiler Control Speciication Problem" consists of an informal speciication of a steam boiler system in a nuclear power plant. In this paper we show that PROMELA is suitable for the description of a technical system like the steam boiler. We describe the methods which we used to translate the informal problem description into a PROMELA speciication. Further, we present our extensions to the SPIN system, which allow an automatic generation of compiled implementations from PROMELA sourcecodes. We summarise the extensions to PROMELA that we found necessary for the creation of the implementation. The "Steam Boiler Control Speciication Problem" 1] was given to the participants of the Dagstuhl meeting "Methods for Semantics and Speciication" which was organised by Egon BB orger (Pisa) and Hans Langmaack (Kiel) in June 1995. The problem speciication was published by Jean-Raymond Abrial and describes a control program which serves to control the water level in a steam boiler by communicating with a set of physical devices. It is based on a real specii-cation by the Institute for Risk Research" and the Institut de Protection et de Suret e Nucl eaire" and therefore very informal and strongly aimed at a particular implementation. The speciication does not describe implementation details, such as message formats or exact physical behaviour of the components. One of the main goals when trying to translate the informal speciication into a formal one should be to nd out which details are not described exactly enough. The task of the control program is to maintain the water level in the boiler between the two limits N1 and N2. The level must not pass under/over the limits M1/M2 for more than ve seconds, otherwise the boiler can be damaged. Since everyone can imagine what this would mean to a nuclear power plant, it is obvious why it makes sense to validate the control program with a formal description technique.