A CASE tool for the design of safety-critical software

The paper uses a CASE tool called StateTime to design the shutdown system of a nuclear reactor. The shutdown system is based on three identical microprocessors running in parallel with each other that monitor power and pressure for critical behaviour. The final decision on whether to shut down the reactor is implemented on a majority rules basis. The CASE tool uses a combination of visual (implementation) and logical (abstract) specification languages to represent each module. Modules can be refined or decomposed. Thus large systems can be decomposed into smaller parts, and each part can be refined and individually checked for correctness. Both refinement and modular validity can be checked automatically for finite state modules. The reactor example is used to indicate deficiencies of the current tool, and to recommend future strategies for constructing industrial strength tools for designing modular real-time reactive systems