ML22140A304

From kanterella
Person / Time
Issue date: 03/08/2022
From: Office of Nuclear Reactor Regulation
To: Office of Nuclear Reactor Regulation
References
Download: ML22140A304 (8)


Text

Hazard analysis for Nuclear Automation
Defeating Digital Demons, Technical Session #T7
Questions for the panel discussion

Question 1: For a safety-critical function, such as reactor protection:

Can a hazard analysis based on state-of-the-art methods show that a proposed system design developed without the use of design diversity has a level of safety assurance comparable to a system developed under the current practice using design diversity?

Scope of the panel discussion: Digital upgrades of reactor protection systems for operating reactors.

Loss of concern: Non-performance of the safety function when demanded.

Hazard: Condition with potential to cause the loss of concern.

Causes of concern:

  • Systemic causes (rather than random hardware failures), e.g.:
    • Unwanted interactions causing misbehaviors.
    • Invalid or implicit assumptions.

Methods of hazard analysis: Any relevant applicable combination.

Design diversity: Meaning for this panel discussion

[Figure: Item A1 performs Function A and Item A2 performs Function A; both receive InputsA and produce OutputsA1 and OutputsA2 respectively.]

A1, A2 are diverse, if:

  • The same common cause does not degrade the performance of A1, A2, e.g.:
    • Latent design defect.
    • Unwanted interaction, e.g.:
      • Unexpected signal (e.g.: message; data) pathways.
      • Unexpected propagation through interconnections.
    • Shared resources, e.g.:
      • Memory.
      • Computing resources.
      • Communication resources.
  • A1 does not degrade the performance of A2.
  • A2 does not degrade the performance of A1.

Hazard Analysis: Scope for this panel discussion

[Figure: system development life-cycle phases (Plans, Concept, Requirements, Architecture, Detailed design, Implementation, Testing), with a hazard analysis activity attached to each phase (HAp, HAc, HAr, HAdd, HAi) and a verification and validation (V&V) activity attached to each phase (Vp, Vc, Vr, Va, Vdd, Vi, Vt); the safety analysis requirements come from the NPP Safety Analysis.]

Question 2: Does sufficient scientific evidence exist to support the assertion that the quality of hazard analysis (needed to avoid design diversity) can be evaluated independently with consistency?

(e.g.: independent verification & validation (IV&V) methods exist)

Question 3: Does sufficient scientific evidence exist to support the assertion that the conditions needed to achieve the requisite quality of hazard analysis are understood well enough and are measurable adequately?

Sub-question: What conditions affect quality of hazard analysis critically?

  • Competence elements?
  • Cultural aspects?
  • What else?