Creating A Validated Implementation Of The Steam Boiler Control

SPIN is a tool for the simulation and veri cation of protocols. PROMELA, its source language, is a formal description technique like SDL and Estelle that is based on communicating state machines. The tool and the language are in the public domain and therefore widely used. The "SteamBoiler Control Speci cation Problem" consists of an informal speci cation of a steam boiler system in a nuclear power plant. In this paper we show that PROMELA is suitable for the description of a technical system like the steam boiler. We describe the methods which we used to translate the informal problem description into a PROMELA speci cation. Further, we present our extensions to the SPIN system, which allow an automatic generation of compiled implementations from PROMELA sourcecodes. We summarise the extensions to PROMELA that we found necessary for the creation of the implementation. 1. The Steam Boiler Control Specification Problem The "Steam Boiler Control Speci cation Problem" [1] was given to the participants of the Dagstuhl meeting "Methods for Semantics and Speci cation" which was organised by Egon Borger (Pisa) and Hans Langmaack (Kiel) in June 1995. The problem speci cation was published by Jean-Raymond Abrial and describes a control program which serves to control the water level in a steam boiler by communicating with a set of physical devices. It is based on a real speci cation by the Institute for Risk Research" and the Institut de Protection et de Suret e Nucl eaire" and therefore very informal and strongly aimed at a particular implementation. The speci cation does not describe implementation details, such as message formats or exact physical behaviour of the components. One of the main goals when trying to translate the informal speci cation into a formal one should be to nd out which details are not described exactly enough. The task of the control program is to maintain the water level in the boiler between the two limits N1 and N2. The level must not pass under/over the limits M1/M2 for more than ve seconds, otherwise the boiler can be damaged. Since everyone can imagine what this would mean to a nuclear power plant, it is obvious why it makes sense to validate the control program with a formal description technique.