Darlington is a four-reactor nuclear plant east of Toronto. It is operated by Ontario Hydro. Each reactor has two independent shutdown systems: SDS1 drops neutron-absorbing rods into the core, while SDS2 injects liquid poison into the moderator. Both are safety-critical and require high levels of confidence. In 1982, Ontario Hydro, with the concurrence of the Atomic Energy Control Board of Canada (AECB), decided to fully implement the shutdown systems' decision-making logic on computers. This was to be the first Canadian instance of such a system, so there were questions about what procedures to follow, both in developing and in licensing the system. To help achieve certification for the plant's shutdown systems, formal methods were applied to convince the AECB that the code was of acceptable quality and in accordance with its specifications. Formal methods, applied only when serious concerns about the adequacy of the software and documentation arose, took the form of a formal model-based inspection.