Stepwise Development and Veri cation of a Boiler System Speci cation

The rigorous development and veri cation of a boiler system speci cation is presented. Part I shows how the boiler system controller can be developed in a series of elaboration steps in which variables that directly re ect plant conditions are replaced by variables representing sensed, communicated values. Part II shows how the safety of the system can be assessed by rst verifying safety relative to some failure assumptions and then estimating the likelihood that the assumptions hold. 1 General Introduction In attempting to demonstrate the safety of the Generic Boiler System, two main problems are faced. First, there are a wide range of possible failures that can occur. For example, the physical devices themselves can fail, sensors can fail, and sensed values can be delayed or lost in transmission. Taking careful account of all possible failures is di cult. A second problem, common to all safety-critical systems, is that absolute safety cannot be shown. One can only hope to demonstrate partial or probable safety. However, estimates of the probability of safety are hard to calculate, and it is hard to know whether one can place much con dence in them. The approach demonstrated here addresses both of these issues. We present a stepwise approach to the development of the boiler monitoring and control system. Initially, we present an idealised controller that observes plant variables directly. Successive steps make weaker assumptions, until nally we arrive at a speci cation in which only sensor values received from the data communications system are observed. At each step, safety of the boiler system is maintained. In this way, failures are treated systematically. The second part of our approach is a separation of the deterministic and probabilistic parts of the safety analysis. Safety is proved of the boiler system absolutely, under certain assumptions that are believed to nearly always hold. Next, the likelihood of these assumptions actually holding is estimated to give an overall probability of safety. Our report has two parts. In Part I, the technique of step-wise elaboration of the boiler controller is demonstrated. In Part II, veri cation of safety and failure properties is shown for a boiler system model developed at a late step of elaboration. We do not present code of the boiler controller, only a speci cation. However, this speci cation is realistic in the sense that device failure and shutdown conditions are determined by values received from the data communication system. Part 1 Step-Wise Derivation of a Boiler System Speci cation Peter Bishop, Adelard, UK