A case study is presented in which the Vienna development method (VDM), a formal specification and development methodology, was used during the analysis phase of the assessment of a prototype nuclear reactor protection system. The VDM specification was also translated into the logic language Prolog to animate the specification and to provide a diverse implementation for use in back-to-back testing. It is claimed that this technique provides a visible and effective method of analysis which is superior to the informal alternatives.