ML20057D006
| Field | Value |
|---|---|
| Issue date | 09/22/1993 |
| From | Brill R NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| To | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | NUDOCS 9309300233 |
| Download | ML20057D006 (16) |
September 22, 1993

NOTE FOR: Document Control Desk, P 137
FROM: Robert Brill (NL/N 316), Human Factors Branch, Office of Research
SUBJECT: DOCUMENT FOR PUBLIC DOCUMENT ROOM

Please place the attached document, "NRC Research Activities", in the Public Document Room. This paper was presented at the Digital Systems Reliability and Nuclear Safety Workshop on September 13, 1993 by Leo Beltracchi.
Presented at the Digital Systems Reliability and Nuclear Safety Workshop, September 13, 1993

DRAFT

NRC RESEARCH ACTIVITIES
Leo Beltracchi
U.S. Nuclear Regulatory Commission
Washington, DC 20555

1.0 ABSTRACT
This paper identifies and describes safety issues related to the design, development, and qualification of reliable digital computer systems for nuclear power plants.
It also describes the U.S. Nuclear Regulatory Commission's research program on these issues.
The paper discusses an evaluation of the initial standards for hard-wired based safety systems. The lessons learned in developing these standards provide guidance in the design and use of digital technology in nuclear power plants. Also, this evaluation discusses how the content of the standards should lead to a framework of design criteria and the related acceptance criteria that can be used for computer-based safety systems. The opinions and viewpoints expressed herein are the author's personal ones and they do not necessarily reflect the criteria, requirements, and guidelines of the U.S. Nuclear Regulatory Commission (NRC).
2.0 INTRODUCTION
Analog, hard-wired technology is the dominant technology for nuclear power plant instrumentation and control systems and safety systems within the United States. The design, development, and qualification of safety systems is governed by General Design Criteria (10 CFR 50, Appendix A), published by the NRC, and by industry developed standards (See Section 6.1, Standards). The General Design Criteria present top level requirements and are generally independent of implementation technology. However, the standards amplify these top level requirements and contain requirements and guidelines reflective of safety issues associated with the use of hard-wired technology.
Digital technology will replace ageing hard-wired technology in nuclear power plant safety systems; standards should be revised to reflect safety issues associated with the use of digital technology. This paper describes several of the safety issues associated with the design and development of computer-based, safety systems.
There are many unique design and safety issues for digital systems. For example, digital systems operate in a discrete fashion whereas analog systems operate in a time-continuous fashion when executing a function. Thus, software execution time in computing a safety function is an important design performance issue for digital systems. Also, computer programs are more difficult to test than analog hard-wired systems. For example, tracing a sensor signal through a computer program is usually more difficult than signal tracing through hard-wired systems. Furthermore, the loss of a safety function by common cause failure due to environmental factors must also be considered.
Because of the difficulty in establishing reliable stored logic, digital systems are usually more complex than analog systems. Much of this difficulty stems from the lack of a systems engineering approach in the design of digital systems.
Leveson and Turner's (1993) analysis of the Therac-25 accidents concluded:
"Accidents are seldom simple - they usually involve a complex web of interacting events with multiple contributing technical, human, and organizational factors."
"The problem of accidents in complex systems must be approached from a system engineering point of view and all possible contributing factors considered and handled."
The safety concern is that an inadequate design process can lead to errors in the final product, which may lead to the loss of a safety function.
A computer-based, safety system consists of hardware and software to implement the desired safety functions. There are also human interfaces from which humans monitor operation and perform maintenance on the system.
Several of these elements are discussed next in the context of a need for a framework of design criteria for computer-based, safety systems.
3.0 DISCUSSION
3.1 Standards
A standard encodes a body of knowledge and accepted practices.
The development of industry standards for the design of nuclear power plant safety systems first began about the time the NRC published General Design Criteria (10 CFR 50, Appendix A). Section III, "Protection and Reactivity Control Systems," Appendix A, 10 CFR 50 identifies ten criteria for the design of protection safety systems. These criteria identify the basic performance requirements and design principles for a protection system and are generally independent of the implementation technology.
In order to expand on the General Design Criteria and identify specific design requirements, the nuclear industry developed standards, such as IEEE Standard 279-1971 and IEEE Standard 308-1971 (R1980).
See Section 6.1, Standards, for the title of each of these standards and subsequent standards defined in this paper.
IEEE 279 defines specific requirements for the design of protection systems, while IEEE 308 defines specific design requirements for Class 1E electrical systems.
A reliable source of electrical power is necessary to operate the protection system.
In reviewing these standards, it is important to understand the definitions used for terms in these documents.
IEEE Standard 308-1980 identifies a safety system as follows:
"Those systems (the reactor trip system and an engineered safety feature, or both, including all their auxiliary supporting features) which provide a safety function."
While this appears to be a reasonable definition, it is incomplete. A human system is also necessary as part of the safety system.
Operators and maintainers are key elements of the human system necessary to manually initiate a safety action, monitor, adjust, and maintain a safety system. The data in Table A-2.5, Reactor Scram Signals, (NUREG 1272, 1992) indicates operators are significant initiators of manual reactor scrams.
No safety system is able to operate for the life of the plant without the support of a human system. A better definition of a safety system is then:
Those systems (the reactor trip system and an engineered safety feature, or both including all their auxiliary supporting systems and a human system) which provide a safety function.
The author reviewed IEEE Standard 279-1971, IEEE Standard 308-1971, and ANSI N18.8-1973. ANSI N18.8 identifies requirements for the preparation of a design basis for systems that perform protective functions; however, it was never published as a standard.
Furthermore, it appears to be an overview type of standard for the design of a plant.
In fact, ANSI N18.8 was developed after (in 1973) the aforementioned standards.
Concerning design basis, ANSI N18.8 states that:
... safety systems and their auxiliary systems shall be adequate to assure that events caused by a station transient, a failure, an act of nature, or accidental act do not produce effects that will prevent the degree of control over the containment or movement of radioactive material that is deemed acceptable for the event."
Clearly, the safety system must be tolerant of hazards to ensure the successful operation of the safety function.
While ANSI N18.8 was never published as a standard, its contents were integrated into earlier versions of ANSI/ANS 51.1-1988 and ANSI/ANS 52.1-1988.
Consideration of design basis accidents is necessary prior to the design of a reactor trip system.
Analysis of the design basis accidents is necessary to establish the performance requirements of the reactor trip system to maintain safety functions.
Thus, ANSI N18.8-1973 logically should have preceded IEEE Standard 279-1971.
This is a lesson learned from the review of previous standards; that is, standards should include a top-down prescription. Another lesson learned is the need to specify the role of the human system as part of the safety system in the design process.
ANSI/ANS 50.1-Draft 6 is a draft standard that will eventually replace both ANSI/ANS 51.1-1988 and ANSI/ANS 52.1-1988.
The new elements in the draft standard reflect an increment in the knowledge base when compared to ANSI N18.8. ANSI/ANS 50.1-Draft 6 sets design requirements for safety grade and non-safety grade equipment.
In addressing the overall safety design criteria, the document discusses six elements:
- 1) a general approach,
- 2) deterministic analysis,
- 3) probabilistic risk analysis,
- 4) industry codes and standards,
- 5) safety analyses, and
- 6) design criteria for specific plant systems.
These elements form the start of a framework for design criteria. However, the framework does not address the use of digital computers and it barely addresses the human system.
The six elements in ANSI/ANS 50.1-Draft 6 define a two step approach to design. The first five elements define potential safety issues and a design basis for the plant.
The sixth element, design criteria for specific plant systems, defines unique requirements for plant systems such as the reactor protection system and these requirements define the second step in the design process. The requirements are stated in the form of a standard.
IEEE Standard 603-1980, which replaces IEEE Standard 279-1971, identifies requirements necessary to design a reactor protection system.
A short discussion of some of the safety issues associated with the design of computer-based, safety systems in the context of ANSI/ANS 50.1-Draft 6 type of standard elements follows next. These issues include: a possible need to identify diverse means of achieving a safety function, time response requirements of the safety system, and fault tolerance requirements.
A highly likely source of a common software error is a poor design process (Neumann, 1992). The most challenging part of the design process is to specify a complete set of requirements for a system. The problem becomes, what is the acceptance criterion for a complete set? A possible acceptance criterion is the operating history of the developed and installed system.
However, this represents trial and error, which is unacceptable for nuclear safety.
The most likely acceptance criterion for the completeness of a set of requirements is engineering judgment.
Leveson (1993) advocates the use of hazard analysis as part of the system design process in the use of digital computers for high integrity applications. System hazard analyses should be conducted at the start of the design process. The goal of hazard analysis is to identify the weak points in the system design and then to specify fault tolerant response(s) for implementation in the computer system.
The hazards analysis serves an important role to identify threats to and potential failures of the safety system. Also, a hazard analysis may be a preliminary step to a probabilistic risk analysis (PRA).
Furthermore, hazard analyses and PRA have a common goal in detecting and responding to potential operational faults.
One form of risk that is difficult to assess is the adequacy of the system design process. How does a designer measure the completeness of the set of design requirements to meet the stated goals of the safety system? The omission of a key design requirement for a safety system may result in the loss of a safety function.
In an on-going NRC sponsored study (personal communication with Mr. Carl Johnson, NRC) on common cause failure event cause, it was found that 54 percent of these failures of plant hardware components were due to design or installation faults. Another 30 percent of the causes were due to test and maintenance faults.
In an unrelated study, Fujii (1993) reports that for small systems, 53 percent of the software errors were caused by an improper understanding of the interaction between the system and the software design. Furthermore, for large systems, the number jumps to 63 percent. These figures resulted from the analysis and examination of software errors in complex command and control, avionics, and critical medical control systems. Although these errors were identified from diverse, non-nuclear applications, the results of this study are very similar to the result from the on-going NRC sponsored study discussed earlier. An important lesson from these studies is the need for a systematic, rigorous effort in establishing design requirements to minimize errors in the final product.
In summary, fault tolerance requirements for a computer-based, safety system should be developed from hazard analyses and PRA studies. Also, to minimize the risk of design error, a systematic, rigorous effort is necessary in establishing and verifying design requirements.
The use of digital technology in safety systems provides an opportunity to compute safety functions directly from monitored plant parameters. For example, one critical safety function is to maintain a cool reactor core. A cooled core maintains the geometry of the core and of the passageways for the insertion of control rods. Insertion of the control rods is necessary to shut down the reactor upon threat to a critical safety function.
A measure of core cooling is the Departure from Nucleate Boiling Ratio (DNBR). An algorithm for DNBR would include coolant temperature, pressure, coolant flow, and reactor power as input data. A trip set point is also necessary.
A functionally diverse measure of core cooling would be hot leg subcooling. The subcooling of the hot leg coolant is determined from coolant temperature, pressure, and saturation temperature, which is a function of pressure. A subcooling trip set point and response time must also be specified through scenario analysis to establish the limiting design basis event. The use of a functionally diverse means of achieving a safety function should reduce the risk of a common cause design error; however, quantifying the risk reduction may be difficult.
A framework of design criteria for a computer-based, safety system should contain a time response performance requirement. A time response requirement is necessary because a computer requires a finite amount of time to process stored safety logic but the system must react in sufficient time to maintain the safety function. The analysis of limiting design basis events develops important performance data for each safety function in the design of computer-based, safety systems. The limiting design basis events help to determine the time response requirements of a safety system. The time response of the safety system must then be divided and allocated to sensor response time, computer response time to calculate the safety algorithm, and the response time of the actuator. The specification of computer response time is an important parameter for the performance of the processor. The processor must complete the execution of the program within the allotted time.
In summary, deterministic analyses are necessary to identify and document each safety function, diverse means of achieving a safety function, time response of the safety system, and the sensor data necessary to implement each function.
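The functionally diverse trip functions and the time response allocation described above, as an added illustration that is not part of the paper or any plant's protection software: the DNBR correlation, set points, timing figures and the one-out-of-two trip logic are constructed assumptions; only the subcooling relation (saturation temperature of the pressure minus hot leg temperature) follows the text.

```python
"""Added illustration (not NRC or plant code): two functionally diverse
core-cooling trip functions and a time-response budget, as the paper sketches."""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Rounded steam-table saturation temperatures (deg C) at pressure (MPa);
# approximate values used only for illustration.
_SAT_TABLE: List[Tuple[float, float]] = [
    (5.0, 263.9), (7.0, 285.8), (10.0, 311.0), (12.0, 324.7),
    (14.0, 336.7), (15.5, 344.8), (17.0, 352.3),
]


def t_sat(pressure_mpa: float) -> float:
    """Saturation temperature as a function of pressure (linear interpolation,
    clamped at the ends of the table)."""
    pressures = [p for p, _ in _SAT_TABLE]
    if pressure_mpa <= pressures[0]:
        return _SAT_TABLE[0][1]
    if pressure_mpa >= pressures[-1]:
        return _SAT_TABLE[-1][1]
    i = bisect_right(pressures, pressure_mpa)
    (p0, t0), (p1, t1) = _SAT_TABLE[i - 1], _SAT_TABLE[i]
    return t0 + (t1 - t0) * (pressure_mpa - p0) / (p1 - p0)


@dataclass(frozen=True)
class PlantSample:
    """One scan of the monitored parameters the paper lists as inputs."""
    hot_leg_temp_c: float
    pressure_mpa: float
    flow_fraction: float    # fraction of rated coolant flow
    power_fraction: float   # fraction of rated reactor power


def hot_leg_subcooling(s: PlantSample) -> float:
    """Subcooling margin: T_sat(P) minus hot leg temperature (deg C)."""
    return t_sat(s.pressure_mpa) - s.hot_leg_temp_c


def dnbr_stand_in(s: PlantSample) -> float:
    """Hypothetical stand-in for a plant-specific DNBR correlation, which the
    paper does not give. It takes the paper's four inputs and, like DNBR,
    rises with flow and subcooling and falls with power."""
    margin = max(hot_leg_subcooling(s), 0.0)
    return 1.0 + 0.1 * margin * s.flow_fraction / max(s.power_fraction, 0.05)


@dataclass(frozen=True)
class TripFunction:
    name: str
    evaluate: Callable[[PlantSample], float]
    set_point: float        # trip when the computed value falls below this
    worst_case_ms: float    # bounded execution time of the algorithm


@dataclass(frozen=True)
class ResponseBudget:
    """Time response allocation derived from the limiting design basis event."""
    limit_ms: float
    sensor_ms: float
    actuator_ms: float

    def compute_allowance_ms(self) -> float:
        """Time left for the processor after the sensor and actuator shares."""
        return self.limit_ms - self.sensor_ms - self.actuator_ms


def timing_violations(budget: ResponseBudget, funcs: List[TripFunction]) -> List[str]:
    """Names of trip functions whose worst-case time exceeds the allowance."""
    allowance = budget.compute_allowance_ms()
    return [f.name for f in funcs if f.worst_case_ms > allowance]


def evaluate_trips(s: PlantSample, funcs: List[TripFunction]) -> Dict[str, Tuple[float, bool]]:
    """Compute every diverse function on the same sample: name -> (value, tripped)."""
    results: Dict[str, Tuple[float, bool]] = {}
    for f in funcs:
        value = f.evaluate(s)
        results[f.name] = (value, value < f.set_point)
    return results


def trip_demanded(results: Dict[str, Tuple[float, bool]]) -> bool:
    """Assumed logic: any one diverse function demanding a trip is sufficient."""
    return any(tripped for _, tripped in results.values())


# Constructed set points and timing figures (illustrative, not plant data).
TRIP_FUNCTIONS = [
    TripFunction("DNBR", dnbr_stand_in, set_point=1.3, worst_case_ms=120.0),
    TripFunction("hot leg subcooling", hot_leg_subcooling, set_point=10.0, worst_case_ms=40.0),
]
BUDGET = ResponseBudget(limit_ms=1000.0, sensor_ms=300.0, actuator_ms=400.0)

# Constructed samples: normal full-power operation and a hot leg heat-up.
NORMAL = PlantSample(hot_leg_temp_c=325.0, pressure_mpa=15.5, flow_fraction=1.0, power_fraction=1.0)
HEAT_UP = PlantSample(hot_leg_temp_c=340.0, pressure_mpa=15.5, flow_fraction=0.9, power_fraction=1.0)

if __name__ == "__main__":
    print("timing violations:", timing_violations(BUDGET, TRIP_FUNCTIONS))
    for label, sample in (("normal", NORMAL), ("heat-up", HEAT_UP)):
        r = evaluate_trips(sample, TRIP_FUNCTIONS)
        print(label, r, "trip" if trip_demanded(r) else "no trip")
```

On the heat-up sample the subcooling function trips while the stand-in DNBR does not, which is the point of keeping a functionally diverse second measure of the same safety function.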
ANS-50.1-Draft 6 identifies basic design requirements for a nuclear power plant; it does not identify design requirements for plant systems. However, it does identify other standards that contain requirements for the design of plant systems. For plant safety systems, it identifies IEEE Standard 603-1980 and IEEE Standard 308-1980 as standards containing system specific requirements. These standards do not contain requirements for computer-based safety systems.
One standard that addresses application criteria for computer-based safety systems is ANSI/IEEE-ANS-7-4.3.2-1982.
This standard was developed to augment IEEE Standard 603-1980 because of the uniqueness of software in computer systems.
The standard contains requirements for software development, hardware-software integration, computer system validation, and verification.
An effort is underway to revise and update this standard for the use of digital computers in safety systems (P-7-4.3.2, Draft 8).
P-7-4.3.2, Draft 8, identifies criteria in specifying requirements for computers used as part of a safety system. Moreover, it specifies computer specific requirements to meet the criteria of IEEE Standard 603-1991.
IEEE Standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, provides system level hardware criteria for safety systems.
P-7-4.3.2, Draft 8 endorses the use of IEEE software standards.
One purpose of these software standards is to control the development process and thereby minimize the potential for error in the application software.
In developing software for a safety application, a designer should select and use standards to cover all elements of the development process such as requirements analysis, design, and test.
Furthermore, project type standards for quality assurance, verification and validation, and configuration control are also identified and should be used to minimize the potential for error in the final product.
ANSI/ANS 58.8 (Draft, Revision of 1984 Standard) establishes time response design criteria for safety-related operator actions. The criteria are used to determine the minimum response time intervals for safety-related operator actions, such as manually initiated reactor trip.
The draft standard also contains general guidance for instrumentation and controls necessary to support safety-related operator actions.
However, this draft standard is not directly linked to safety system design standards, e.g. IEEE Standard 603-1980 and ANSI/ANS 50.1, Draft 6.
The human system is not included in the plant system in ANS 50.1-Draft 6.
One reason for not identifying this system may be because the human system is one of the most flexible systems in the plant. However, the human system is an important support system necessary for the successful operation of the plant's safety system.
Much of the information necessary to generate emergency operation procedures comes from the design analyses for safety systems.
Safety-related operator actions for interacting with safety systems must be specified during the design process as part of the effort in establishing requirements for safety systems. ANSI/ANS 58.8 (Draft, Revision of 1984 Standard) is a first step in this direction, but it must be integrated with the appropriate design standards for safety systems.
In summary, Figure 1 shows the relationship among the major standards for the design of safety systems. ANSI N18.8 (1973, no longer valid), ANSI/ANS 51.1-1988, ANSI/ANS 52.1-1988, and ANSI/ANS 50.1, Draft 6 define requirements for the design basis of safety systems.
IEEE Standard 308-1972 (R1980) defines requirements for Class 1E electrical systems necessary to operate safety systems. ANSI/ANS 58.8 (Draft, November, 1992) establishes time response design criteria for safety related operator actions. However, this standard is not integrated with and cross referenced to the other standards identified in Figure 1.
Finally, IEEE Standard 603-1980 identifies requirements necessary to design a reactor protection system. ANSI/IEEE-ANS-7-4.3.2-1982 and its revision, P-7-4.3.2, Draft 8 are the only standards that identify design requirements for the use of digital computers in safety systems.
However, these standards do not identify all of the requirements necessary for the design of a computer-based, safety system.
Based on NUREG/CR-5930 and the review of ANSI/ANS 50.1-Draft 6, it appears that standards for the design of safety systems need to include computer unique design requirements.
Because many standards and disciplines are involved, it is important to establish a framework of design criteria to ensure a reasonable degree of completeness in the specifications.
3.2 Outline Of A Framework Of Design Criteria
The outline of a framework of design criteria for a computer-based, safety system in Figure 2 is based on the review of standards and lessons learned.
This outline is a functional version of the standards presented in Figure 1, with some additional detail. The goal of the example system identified in Figure 2, the reactor trip system, is to operate the NPP safely.
The design basis must identify all functions performed by the safety system.
These functions must then be allocated to the individual systems within the safety system.
Furthermore, deterministic analyses would be performed to identify the limiting design basis events.
Plant design basis events would also be identified, analyzed, and documented.
The plant events analyzed could include system and component failures as well as challenges from environmental hazards. Also, emphasis could be placed on identifying vulnerabilities and environmental limitations to develop acceptance criteria for qualifying the hardware of digital systems. The susceptibility of digital systems to electromagnetic interference (EMI) and radio-frequency interference (RFI) is a major concern.
Furthermore, the operational history of safety systems and the challenges to safety systems could also be considered (NUREG 1272, 1992).
In summary, a plant hazard analysis and then a probabilistic risk analysis identify threats to safe operation.
Fault tolerance and response requirements to hazards could be determined and specified as part of the design basis.
Figure 3 presents a conceptual model of a system design and development life cycle based on the discussions in this paper. Once system requirements and functions have been established, they must then be allocated to hardware, software, and humans. After completion of this step, the next efforts for software development could be detailed design, coding, unit tests, and unit integration followed by software test and validation.
Similar efforts could also be done for hardware development and for the human system.
Environmental qualification of the hardware could be an important step in the development process. The design requirements for the human interface will impact the software design and the hardware design, and this relationship is not illustrated in Figure 3.
The integration of the hardware, software, and human interfaces could be necessary to construct the system. Once assembled, the system could be then subjected to test and validation in response to pre-established system requirements.
Not shown in Figure 3 are the verification activities for the various steps in the design and development life cycle. Effective verification activities early in the design and development life cycle minimize the resources that would be needed to detect and correct problems later in the life cycle.
Furthermore, the lessons learned from the verification and validation activities provide important information for updating the standards and guidelines used in the design and development process.
In summary, the design and development process for digital systems consists of many activities and the use of many standards.
To minimize the potential for errors in these activities, consideration could be given to the development of an overview standard.
4.0 RESEARCH PROGRAMS
4.1 Hardware Programs
Most operating plants in the U.S. contain instrumentation and control (I&C) systems that were designed over 25 years ago. As these systems age, maintenance and support costs increase due to obsolescence, lack of original equipment support, and increased testing requirements. On the other hand, major advances in the electronic industries have produced products that were never envisioned during the original design process of nuclear power plants.
In order to benefit from these evolving technologies, the NRC initiated two research programs to perform confirmatory research, and develop a technical basis for acceptance criteria for hardware qualification of digital I&C systems which will be used in existing nuclear power plants and in the proposed new plants.
First, under the auspices of the NRC, the Oak Ridge National Laboratory (ORNL) is conducting a study with a view to identify functional and environmental issues arising from the application of new technologies to the instrumentation comprising the next generation of nuclear power plants. The purpose of this program is to develop an understanding of the technical issues involved in evaluating long-term properties of advanced digital instrumentation and control systems.
Emphasis has been placed on identifying vulnerabilities and environmental limitations that could be imposed on microprocessor-based systems in nuclear environments.
Second, ORNL is developing a technical basis for evaluating the susceptibility of digital systems to electromagnetic interference (EMI) and radio frequency interference (RFI).
IEEE Standard 1050-1989 was found for the most part to do an adequate job of specifying electromagnetic compatibility design and installation practices that are applicable to nuclear power plant environments. Relevant military standards are MIL-STD-461C and MIL-STD-462.
These standards were found to be reasonable starting points from which to begin an evaluation of relevant test criteria and methods for nuclear power plant applications.
The results from this study are currently under internal review.
In summary, the objectives of these programs are:
- To develop regulatory guidance on susceptibility to EMI and RFI,
- To develop regulatory guidance on the qualification of digital I&C hardware.
4.2 Software Programs
A clear need exists for standards and a technical basis for acceptance criteria for the use of digital computers in safety systems. There is not yet, however, a clear consensus on the safety issues and the technical basis for their resolution in the area of digital technology.
Generally, a technical basis exists when:
- 1. The topic has been clearly coupled to safe operations.
- 2. The scope of the topic is clearly defined.
- 3. A substantive body of knowledge exists and the preponderance of the evidence supports a technical conclusion.
- 4. A repeatable method to correlate relevant characteristics with performance exists.
- 5. A threshold for acceptance can be established.
Establishing a technical basis for the use of computer-based systems could be a significant, time consuming and expensive effort.
One means by which part of the technical bases are being developed is by the NRC's participation in the Organization for Economic Cooperation and Development (OECD) Halden Reactor Project. The OECD Halden Reactor Project is one of Europe's largest experimental laboratories conducting research on fuels, materials, man-machine interfaces, and advanced instrumentation and control systems. One area of interest to the staff is the Halden Project's research on the use of formal methods and theorem provers for the design of computer-based safety systems. Another area of interest is the research on the effectiveness of various software test techniques (Dahll, Barnes, and Bishop, 1990).
The NRC is also conducting other research to establish the technical basis for guidelines and acceptance criteria on the use of digital computers in nuclear power plant safety systems. The objectives of some of these programs are as follows.
- To identify and document the positive and negative attributes resulting from the use of standards and computer aided software engineering (CASE) tools when used in the design, development, evaluation, and certification of high integrity software for nuclear power plant safety systems,
- To evaluate the feasibility of (Phase A) and develop and test (Phase B) a prototype CASE tool for assessing the degree of functional diversity within software safety systems,
- To independently evaluate, test, and improve guidelines for use in the audit of computer-based, safety systems,
- To develop system classification guidelines and qualitative reliability measures,
- To develop and document guidelines for verifying and validating expert systems,
- To review and assess software languages for use in nuclear power plant safety systems,
- To assess how digital technology changes human actions and error rates, systems unavailability, and core damage frequency; and to improve methods for analyzing this human performance in PRAs.
These programs are starting to produce useful products. A survey and assessment of conventional software verification and validation methods has been published (NUREG/CR-6018). Also, an assessment of standards and guidelines for high integrity software has been published (NUREG/CR-5930).
The results from these studies are helping to identify a need to clarify the "safety system" versus "software" issues and to establish a framework of design criteria for computer based, safety systems. The NRC is now in the process of formulating additional research with the objective of identifying and documenting a framework of design criteria. The first step in this direction is the integration of research products to develop the technical basis for regulatory positions on software.
This effort will survey the existing research programs within the NRC and other industries and integrate the relevant products into a matrix of requirements versus technical basis.
The end product will be to develop and document the technical basis for regulatory use. A second step is necessary to refine the technical basis for computer-based, safety systems.
5.0 CONCLUSION
The design and use of digital computers to perform safety functions within nuclear power plants must be guided by guidelines, standards, and acceptance criteria. While the existing set of standards provides useful information, it does not provide all of the requirements necessary for the use of digital computers. While some effort exists to revise standards, such as the effort on P-7-4.3.2, Draft 8, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, additional effort could be needed to revise existing standards to incorporate the use of digital computers. To ensure a comprehensive approach to the development of standards and regulatory guidelines, a need exists for a framework of design criteria.
The framework could include a requirement for a systematic approach to define, classify, and allocate functions to hardware, software, and humans.
Finally, a technical basis could also be necessary for the computer unique requirements and guidelines to support the framework and to provide acceptance criteria.
6.0 REFERENCES
6.1 Standards
American Nuclear Standards Institute, ANSI N18.8, October, 1973, Criteria for Preparation of Design Basis for Systems that Perform Protective Functions in Nuclear Power Generating Stations (Trial use and comment).
American Nuclear Standards Institute/American Nuclear Society, ANSI/ANS 51.1-1988, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants.
American Nuclear Standards Institute/American Nuclear Society, ANSI/ANS 52.1-1988, Nuclear Safety Criteria for the Design of Boiling Water Reactor Plants.
American Nuclear Standards Institute/American Nuclear Society, ANSI/ANS 50.1, Draft #6, Nuclear Safety Design Criteria for Light Water Reactors, January 1993.
American Nuclear Standards Institute/American Nuclear Society, ANSI/ANS 58.8-1984, Time Response Design Criteria for Safety-Related Operator Actions.
American Nuclear Standards Institute/American Nuclear Society, ANSI/ANS 58.8, Draft, Time Response Design Criteria for Safety-Related Operator Actions, November, 1992.
American Nuclear Standards Institute/Institute of Electrical and Electronic Engineers-American Nuclear Society, ANSI/IEEE-ANS-7-4.3.2-1982, Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations.
Institute of Electrical and Electronics Engineers, IEEE Standard 279-1971, IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations.
Institute of Electrical and Electronics Engineers, IEEE Standard 308-1972, IEEE Standard: Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations (IEEE Standard 308-1980, a later version).
Institute of Electrical and Electronics Engineers, IEEE Standard 603-1980, Criteria for Safety Systems for Nuclear Power Generating Stations.
Institute of Electrical and Electronics Engineers, IEEE Standard 1050-1989, Guide for Instrumentation and Control Equipment Grounding in Generating Stations.
American Nuclear Standards Institute/Institute of Electrical and Electronics Engineers, P-7-4.3.2, Draft 8, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, 1993.
MIL-STD-461C, Electromagnetic Emission and Susceptibility Requirements for the Control of Electromagnetic Interference.
MIL-STD-462, Measurement of Electromagnetic Interference Characteristics.
6.2 Articles and Books
Dahll, G., Barnes, M., and Bishop, P., "Software Diversity - A Way To Enhance Safety?" Second European Conference on Software Quality Assurance, Oslo, Norway, May 30 - June 1, 1990.
Fujii, R., "Software Engineering for Instrumentation and Control Systems," Nuclear Plant Instrumentation, Control, and Man-Machine Technologies, Oak Ridge, TN, April 19-21, 1993.
Leveson, N.G. and Turner, C.S., "An Investigation of the Therac-25 Accidents," COMPUTER, pp. 18-41, July 1993.
Personal Communication with Mr. Carl Johnson, NRC.
Neumann, P.G., "Illustrative Risks to the Public in the Use of Computer Systems and Related Technology," ACM SIGSOFT Software Engineering Notes, Vol. 17, No. 1, pp. 23-32, January 1992.
U.S. Nuclear Regulatory Commission, "Survey and Assessment of Conventional Software Verification and Validation Methods," NUREG/CR-6018, April 1993.
U.S. Nuclear Regulatory Commission, Licensing of Production and Utilization Facilities, Title 10, Code of Federal Regulations, Part 50, Appendix A: General Design Criteria for Nuclear Power Plants and Appendix B: Quality Assurance for Nuclear Power Plants. (Published Yearly)
U.S. Nuclear Regulatory Commission, "Analysis and Evaluation of Operational Data, 1991 Annual Report," NUREG-1272, Vol. 6, No. 1 and No. 2, July 1992.
U.S. Nuclear Regulatory Commission, "High Integrity Software Standards and Guidelines," NUREG/CR-5930, September 1992.
[Figure 1. U.S. Standards for the Design of Safety Systems. The figure is a chart of the standards listed in Section 6.1: ANSI N18.8 (1973); ANSI/ANS-51.1 (R1988); ANSI/ANS-52.1 (R1988); ANSI/ANS 50.1 Draft #6; IEEE Std 308-1972 (R1980); IEEE Std 279-1971; ANS-58.8-1984; IEEE Std 603-1980; ANSI/ANS-58.8 (Draft), November 1992; ANSI/IEEE-ANS-7-4.3.2-1982; P-7-4.3.2 Draft 8.]
[Figure 2. Outline of a Framework of Design Criteria. The figure is a block diagram titled "Outline of a Framework of Design Criteria for a Computer-Based Safety System Development Process". Its blocks are: Goal (operate NPP safely); Design Basis Data Base (identify and document all functions, e.g. reactor trip; deterministic analyses; safety system safety functions; limiting design basis events; response times; single failure criterion; hazard analyses; probabilistic analyses); Guidelines & Standards (software design standards and guidelines; quality assurance standard; verification and validation standard; configuration management standard); and three Function Allocation & Requirements blocks for Support Systems (e.g. Class 1E power system: AC power, DC power, vital instruments and control power, distribution, load groups), Reactor Protection System (hardware: digital systems and analog systems; software; human interfaces) and Human System (operators, maintainers, trainers, engineering support, administrators, human interfaces).]
[Figure 3. Conceptual Model, System Design and Development Life Cycle. The figure is a flow diagram: System Analyses (goals, function analyses, deterministic safety analyses, system hazard analyses, environmental analyses, probabilistic risk analyses) lead to System Requirements and Function Allocation, which branch into three parallel tracks that converge in System Integration, Test & Validation. Hardware track: hardware requirements, design and animation, specifications, fabricate, assembly, qualification tests, environmental tests. Software track: software requirements, design and animation, specification, detailed design, code, unit tests, integrate units, test & validation. Human track: human function allocation, task analysis by discipline, interface requirements, interface design, develop interface, test interface, develop training program, test training program.]
Note: Model as displayed omits any assurance activities.