Certification of Software in Safety-Critical I&C Systems of Nuclear Power Plants
Related papers
Qualification of safety-critical systems in TVO nuclear power plants
Software Process: Improvement and Practice, 2007
Teollisuuden Voima Oy (TVO) operates two nuclear power plant units in Finland and has started to build a third one. The current nuclear power units have to continuously maintain and update existing instrumentation and control systems (I&C). Each new device will have to be classified and qualified according to its safety requirements. Using modern technology means in practice that more and more components have programmable features. The reliability of such components has proved to be difficult to demonstrate because of the nature of flaws in the software. Standards and rules given by authorities set the acceptance criteria for the components used in the safety systems of nuclear power plants. As a result of this trend, there is a clear need for an integrated and effective method to qualify software-intensive I&C systems in nuclear power plant units. The integration has three major areas: (i) definition and harmonization of requirements for software-intensive systems at different safety classes, (ii) integration of several approaches such as Software Process Improvement and Capability dEtermination (SPICE) and Failure Mode, Effects and Criticality Analysis method (FMECA) to improve confidence in qualification and (iii) integration of the system acquisition and qualification processes to improve the total effectiveness of the acquisition, delivery and deployment processes. The integrated qualification method is called the TVO SoftWare Evaluation Procedure (SWEP). It consists of a detailed qualification process and related methods for safety category B and C (IEC 61226) and Finnish safety class 3 qualifications. TVO will use the TVO SWEP method to evaluate suppliers and the conformance of their products/systems against requirements. It has been used in several cases, and it seems to save a lot of qualification resources compared to traditional methods.
Software certification experience in the canadian nuclear industry
Proceedings of the ninth ACM international conference on Embedded software - EMSOFT '11, 2011
The computer-controlled shutdown systems for the Nuclear Power Generating Station at Darlington, Canada, have been subject to licensing scrutiny on a number of occasions. After the first licence was approved in 1990, the licensee, Ontario Hydro, was given a number of years by the regulator to redesign the shutdown systems so that they would be more maintainable. This paper briefly describes the original certification process, lessons learned, and the subsequent development and certification of the shutdown systems. The development, internal certification processes and the regulator's certification process are briefly described. Although twenty years have elapsed since this work started, and there are new analysis techniques and tools that could be applied today, the original process itself has withstood the test of time extraordinarily well. This paper describes principles that explain why it was so successful, and how we can develop more modern approaches from this experience.
ORNL/TM-2000/236, 2001
This document (1) summarizes the most significant findings of the "Qualification of Advanced Instrumentation and Control (I&C) Systems" program initiated by the Nuclear Regulatory Commission (NRC); (2) documents a comparative analysis of U.S. and European qualification standards; and (3) provides recommendations for enhancing regulatory guidance for environmental qualification of microprocessor-based safety-related systems. Safety-related I&C system upgrades of present-day nuclear power plants, as well as I&C systems of Advanced Light-Water Reactors (ALWRs), are expected to make increasing use of microprocessor-based technology. The Nuclear Regulatory Commission (NRC) recognized that the use of such technology may pose environmental qualification challenges different from current, analog-based I&C systems. Hence, it initiated the "Qualification of Advanced Instrumentation and Control Systems" program. The objectives of this confirmatory research project are to (1) identify any unique environmental-stress-related failure modes posed by digital technologies and their potential impact on the safety systems and (2) develop the technical basis for regulatory guidance using these findings. Previous findings from this study have been documented in several technical reports. This final report in the series documents a comparative analysis of two environmental qualification standards, Institute of Electrical and Electronics Engineers (IEEE) Std 323-1983 and International Electrotechnical Commission (IEC) 60780 (1998), and provides recommendations for environmental qualification of microprocessor-based systems based on this analysis as well as on the findings documented in the previous reports. The two standards were chosen for this analysis because IEEE 323 is the standard used in the U.S. for the qualification of safety-related equipment in nuclear power plants, and IEC 60780 is its European counterpart. In addition, the IEC document was published in 1998, and should reflect any new qualification concerns, from the European perspective, with regard to the use of microprocessor-based safety systems in power plants.
An Experience in Design and Validation of Software for a Reactor Protection System
Safety of Computer Control Systems, 1980
The paper describes the full life cycle process of design, development and validation which has been followed for the production of software for an experimental computerized reactor protection system at the Casaccia Center. The aim of the paper is to emphasize, phase by phase, the criteria which have been followed, the verification procedures adopted and the errors discovered. Additionally, the system testing activity is described.
Safety Analysis of Safety-Critical Software for Nuclear Digital Protection System
Lecture Notes in Computer Science, 2007
A strategy and related activities of a software safety analysis (SSA) are presented for the software of a digital reactor protection system where software modules in the design description are represented by function blocks (FBs). The SSA, as a part of the verification and validation activities, was activated at each phase of the software lifecycle. For the SSA of the FB modules, the software HAZOP was performed and then the SFTA (Software Fault Tree Analysis) was applied. The two methods are redundant and complementary because the software HAZOP is a forward, broad-thinking analysis method and the SFTA is a backward, step-by-step local analysis method. The software HAZOP, using qualitative properties for a deviation, evaluated all the software modules and identified various hazards. The SFTA, with well-defined FB fault tree templates, was applied to some critical modules selected from the software HAZOP analysis, and it identified some hazards that had not been identified in the prior processes of document evaluation and formal verification.
Handbook of software quality assurance techniques applicable to the nuclear industry
1987
Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive. Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence. The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances. Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission. Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries. Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited. Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the
Software qualification includes such activities as software Verification and Validation (V&V), software safety analysis, software configuration management and software quality assurance for the safety-critical applications in a Nuclear Power Plant (NPP). This paper presents the software qualification of a safety-grade Programmable Logic Controller (PLC) which is applied to a Reactor Protection System prototype. The software V&V is characterized by defining the inputs, tasks, and outputs for all the software life cycle phases defined in the software V&V plan, and V&V techniques such as a checklist-based review and the Fagan Inspection, a traceability analysis, a formal verification, and a software test are applied to improve the software quality. The software safety analysis process, which employs the HAZard OPerability (HAZOP) methodology, has been developed and applied to improve the software safety. All the software documents and source codes are managed as software configuration items throughout the software life cycle under the control of a software quality assurance plan and procedure. Automated software tools and a third-party review also support the activities for the software qualification. Our experience shows that the software qualification is very efficient for systematically qualifying the safety-critical software of a PLC to be embedded in the safety-critical systems of an NPP, and it can be easily extended to other safety-critical applications such as railways, military, medicine, etc.
HARMONICS: EU FP7 Project on the Reliability and Safety Assessment of Modern Nuclear I&C Software
2014
The reliability of computer-based systems implementing safety functions is a critical issue for the modernization and construction of nuclear power plants, in particular because software usually cannot be proven to be entirely free of defects. The differences in regulation and safety justification principles between countries restrict efficient co-operation and hinder the emergence of widely accepted best practices. This paper gives an introduction to the EU FP7 project HARMONICS (Harmonised Assessment of Reliability of Modern Nuclear I&C Software, 2011-2014), whose overall objective is to ensure that the nuclear industry has well-founded and up-to-date methods and data for assessing the software of computer-based safety systems.