Finally we do not model tanks because we assume them to be of infinite capacity. Notice that the models of all these components might be essential for other kinds of analyses or in different settings. 5 shows the resulting block diagram. The functional block diagram is the basis for the formal NuSMV model, because each block is translated into an NuSMV MODULE, and the behavior of each module is specified through a state machine. org. The functional block diagram and the executable specification will be used in the next chapters to present various manual and automated safety assessment techniques.

Master’s thesis, Institute of Computer Science and Information Engineering College of Engineering, National Chung Cheng University. R. (2002). Inviting Disaster—Lessons from the Edge of Technology. New York: Harper Business. , Editor (2009). NASA Study on Flight Software Complexity. html. Ebert, C. and C. Jones (2009). Embedded software: Facts, figures, and future. Computer 42(04), 42–52. A. (1999). Fault tree analysis—A history. In Proc. 17th International System Safety Conference. A. (2006). A short history of system safety.

On the left hand side we see the reactor and the primary (first) circuit. The fluid in the circuit keeps moving by means of two pumps (P1a and P1b). A pressurizer and the PORV (top left side of the figure) ensure that the pressure does not become too high. The PORV can be excluded by a valve BV1. A safety valve automatically intervenes if the pressure is too high. Coolant can also be extracted from the primary circuit using a second valve BV2. Two coolant tanks (bottom left part of the figure) can be used to inject coolant into the primary circuit and increase its pressure.

