State Token Petri Net Modeling Method for Formal Verification of Computerized Procedure including Operator’s Interruptions of Procedure Execution Flow

The Computerized Procedure System (CPS) is applied to the digital Main Control Room (MCR) of a nuclear power plant including an APR1400 (Advanced Power Reactor 1400) in Korea as an operating supporting system [1]. The CPS provides an integrated operating means, such as a procedure with plant information, and supports decision-making and plant monitoring. The CPS also guides the operator to follow a procedure execution flow, and monitors the plant status required for procedure execution. The CPS is applied not only to normal operating procedures needed for general operation, but also to emergency operating procedures needed for accident mitigation, safe shutdown, and emergency response. The CPS software quality grade is important to safety and the software is verified and validated when the CPS is developed and provided to the nuclear power plant. For the management of procedures, the CPS consists of two parts; frame software that executes procedures, and the procedures themselves (Computerized Procedures CP) that contain the elements of the procedure. A CP is loaded to the CPS and executed with predefined execution flows and logics. Usually, the CP is written by an operator with a CP editor, when the editor has been provided to the operator. Also, a CP can be revised and the new CP can be added during operation of the plant. Therefore, the CP cannot be verified and validated when the CPS software is verified and validated. The CP shall be verified and validated by the operator or other staff in the utility. The CP includes the execution flow of procedures that guide the operator, and if there is an error in these, it could affect the safety of the nuclear power plant operation. For example, when a CP has an error, the operator can make a mistake, controlling a wrong component, or skipping an important step in the procedure. The verification and validation (V&V) of previously paper-based emergency operating procedures (EOP) has been required at NUREG 0899 [2]. In this guideline, the V&V of EOP is required to establish the accuracy of information and instructions, and to determine that the procedures can be accurately and efficiently carried out. Because the current guideline is about the paper-based EOP, The Computerized Procedure System (CPS) is one of the primary operating support systems in the digital Main Control Room. The CPS displays procedure on the computer screen in the form of a flow chart, and displays plant operating information along with procedure instructions. It also supports operator decision making by providing a system decision. A procedure flow should be correct and reliable, as an error would lead to operator misjudgment and inadequate control. In this paper we present a modeling for the CPS that enables formal verification based on Petri nets. The proposed State Token Petri Nets (STPN) also support modeling of a procedure flow that has various interruptions by the operator, according to the plant condition. STPN modeling is compared with Coloured Petri net when they are applied to Emergency Operating Computerized Procedure. A converting program for Computerized Procedure (CP) to STPN has been also developed. The formal verification and validation methods of CP with STPN increase the safety of a nuclear power plant and provide digital quality assurance means that are needed when the role and function of the CPS is increasing.