Timed model checking of fault-tolerant nuclear I&C systems

Certain safety-critical systems, such as nuclear instrumentation and control (I&C) systems, must be ensured to be correct. One of the approaches of doing this is formal verification and, in particular, model checking, which thoroughly examines the state space of the formal model of the system. To make model checking computationally feasible, many simplifying assumptions, often referred to as abstractions, are made. One of such abstractions is the assumption of discrete time. However, when I&C systems are considered working in the real world, where communication delays and failures are possible, this assumption becomes less realistic, calling for the need for richer formalisms. In this paper, using timed automata, we extend our previous model checking approach for nuclear I&C systems to account for continuous time. We apply our approach to a reactor protection system case study and show that continuous-time verification is in general feasible, although proving the satisfaction of certain system properties still remains a computational challenge.