ML23264A021

From kanterella
Addressing Hazards from Common Causes in Engineering DI&C Systems Without Diverse Designs - State-of-the-Art
ML23264A021
Person / Time
Issue date: 09/28/2023
From: Sushil Birla
NRC/RES/DE
To:
Sushil Birla 301-415-2311
References
Download: ML23264A021 (17)


Text

Addressing hazards from common causes in engineering DI&C systems without diverse designs: State-of-the-Art

Enlarged Halden HTO Programme Review Group (EHPRG) meeting, September 25-28, 2023
Presenter: Sushil Birla, Office of Nuclear Regulatory Research, Division of Engineering
The views expressed herein are those of the author and do not represent an official position of the U.S. NRC.

Understanding the Cost of Correcting Defects
Source: McConnell, Steve. Software Quality at Top Speed. August 1996. http://www.stevemcconnell.com/articles/art04.htm
Figure credit: Introduction to Assured Software Engineering, © 2018 Carnegie Mellon University. [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

Economics!
[Figure: measures arranged by Engineering time vs. Run time and Preventative vs. Reactive, labelled Prevent, Verify, Diverse redundancy, Monitor, Detect, Prevent hazard propagation, and Intervene; annotations "Potential to decrease intrinsic cost" and "Cost increases".]

Fault tolerance in Design
[Figure: quality of design (vertical axis) plotted against Prevention and Mitigation, contrasting the current state with the desired state.]
Changes needed to prevent CCF:
  • Objective evaluation criteria
  • Paradigm
  • State of practice
  • Competence
  • Culture

Evolve assurance capability incrementally
[Figure: capability (vertical axis) against time; a staircase rising from the current state S through states S+1, S+2, S+3, ... to goal states G-2, G-1 and G.]

Evolve assurance capability: NPP case
[Figure: the same capability-over-time staircase for an NPP, from the current state S through S+1 ... S+6 to goal state G; milestones named on the steps are Concept, Requirements, Software architecture, Detailed design, System architecture, Implementation, Application acceptance, Design certification, and ITAAC at G.]

One vision of the assurance process
[Figure: an accrediting/certifying authority certifies pre-certified procedures, pre-certified facilities and pre-certified people, and accredits a 3rd-party evaluator; country-specialized evaluation criteria are derived from international common core standards to form the evaluation basis; the object of evaluation is submitted, evaluated by the accredited 3rd party, and certified, with a rework cycle and a learning cycle feeding back.]

Envisioned pre-certification activities
[Figure: each object of pre-certification is evaluated and certified by an accredited certifying authority, with a rework cycle and a learning cycle.]
Objects of pre-certification:
  • Processes
  • Procedures
  • Methods & techniques
  • People
  • Tools
  • Facilities
  • Other reusable assets, e.g. libraries

Creating the appropriate standards: one vision
[Figure: an R&D organization develops the technical basis; a standards body, with input from government and other voices, turns it into a standard and a guideline.]
Technical basis for:
  • Processes
  • Procedures
  • Methods & techniques
  • People
  • Tools
  • Facilities
  • Other reusable assets, e.g. libraries

Research to reduce the uncertainty space
Deficiencies in the following, and the conditions needed to reduce the associated uncertainties:
  • Hazard identification (all phases)
  • Requirements specification
  • Architectural specification
  • Detailed design specification
  • Implementation (coding)
  • Verification
plus:
  • Conditions on methods and tools
  • Logical integration of all the evidence
  • Reducing inconsistencies in judgment

Defect-prevention through refinement
[Figure: a refinement chain from abstraction to concretion: Requirements (declarative: what) → Architecture → Detailed design → Implementation (imperative: how).]

Leverage domain engineering

  Development phase | Constraint to enable refinement
  Requirements      | Domain-specific controlled natural language
  Architecture      | Domain-specific architecture modeling language
  Detailed design   | Domain-specific design specification language
  Implementation    | Domain-specific coding/programming language

Each refinement step from one phase to the next must be semantically compatible.

Create pre-certified reusable assets:
  • Domain modeling
  • Domain engineering (see NUREG/CR-6263; IEEE Std 1517:2010; ISO/IEC 26550)
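How the "semantically compatible refinement" constraint of the two slides above can be checked mechanically, as an added example that is not from the NRC slides: the requirement is written declaratively as a predicate over the input history (the "what"), the implementation is a finite state machine (the "how"), and because both are expressed over the same input and output alphabet, refinement can be checked exhaustively over every bounded input sequence. The trip-logic scenario, its alphabet, and the names `requirement`, `TripFsm`, `DefectiveTripFsm` and `check_refinement` are constructed for illustration only.

```python
"""Added example (not from the NRC slides): mechanically checking that an
imperative implementation refines a declarative requirement.

Constructed scenario: a trip function samples a sensor reading that has
already been classified against a setpoint. The scenario, its alphabet
and all names below are illustrative assumptions, not an NRC method."""
from itertools import product

# Shared semantic domain: the requirement and the implementation are both
# expressed over this input alphabet and this output alphabet.
INPUTS = ("below", "above", "invalid")
TRIP, NO_TRIP = "trip", "no_trip"


def requirement(history):
    """Declarative requirement (the 'what'): a predicate over the input
    history that names the required output after the latest sample.
    TRIP if the latest sample is 'invalid' (fail-safe) or if the last two
    samples were both 'above' setpoint; otherwise NO_TRIP."""
    if history[-1] == "invalid":
        return TRIP
    if len(history) >= 2 and history[-2:] == ["above", "above"]:
        return TRIP
    return NO_TRIP


class TripFsm:
    """Imperative implementation (the 'how'): a two-state machine."""

    def __init__(self):
        self.armed = False  # True once an 'above' sample has been seen

    def step(self, sample):
        if sample == "invalid":
            self.armed = False
            return TRIP
        if sample == "above":
            if self.armed:
                return TRIP
            self.armed = True
            return NO_TRIP
        self.armed = False  # a 'below' sample clears the armed state
        return NO_TRIP


class DefectiveTripFsm(TripFsm):
    """Same machine with a defect: a 'below' sample does not clear the
    armed state, so 'above, below, above' trips when it must not."""

    def step(self, sample):
        if sample == "below":
            return NO_TRIP
        return super().step(sample)


def check_refinement(fsm_factory, max_len):
    """Exhaustively compare the implementation with the requirement on every
    input sequence of length 1..max_len (shortest first, so the first
    mismatch found is a minimal counterexample).

    Returns None if the implementation refines the requirement on that
    bounded space, else (history, expected, actual) for the first mismatch."""
    for n in range(1, max_len + 1):
        for seq in product(INPUTS, repeat=n):
            fsm = fsm_factory()
            history = []
            for sample in seq:
                history.append(sample)
                actual = fsm.step(sample)
            expected = requirement(history)
            if actual != expected:
                return tuple(history), expected, actual
    return None


if __name__ == "__main__":
    print("TripFsm:", check_refinement(TripFsm, 6))
    print("DefectiveTripFsm:", check_refinement(DefectiveTripFsm, 6))
```

The bounded exhaustive check is sound only up to `max_len`; for the correct machine the invariant "armed is true exactly when the previous sample was 'above'" is what makes the refinement hold for all lengths, and that is the kind of property a proof (or a model checker over the domain-specific design language) would discharge rather than enumeration.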

Reasoning model to support performance-based evaluation (based on the Toulmin model [1])
[Figure: a premise (evidence) supports an assertion (proposition) through a reasoning step whose inference rule has a theoretical or causal model as its basis; qualifiers state the strength and condition of the proposition; influences on validity are doubts/defeaters and rebuttals.]
[1] Toulmin, S., The Uses of Argument, Cambridge, UK: Cambridge University Press, 1958
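One way to make the reasoning model above evaluable by machine, as an added example that is not from the NRC slides: an argument tree whose assertions rest on evidence or sub-assertions through a named inference rule, carry a qualifier (strength and side condition), and are blocked by any unresolved doubt/defeater. The tree structure, the verdict rules, and the sample argument (including its use of HAr, STPA and IV&V from this deck's vocabulary) are the editor's constructions, not an NRC method.

```python
"""Added example (not from the NRC slides): a small evaluator for the
Toulmin-style reasoning model of the slide above. The tree structure and
the verdict rules are the editor's assumptions, not an NRC method:

  - an Assertion (the proposition) is supported by premises, which are
    either Evidence items or sub-Assertions, through a named inference
    rule whose basis is a theoretical or causal model;
  - a Qualifier gives the strength the rule confers ('conclusive' or
    'presumptive') and whether its side condition holds;
  - Defeaters record doubts: an 'undercut' attacks the inference, a
    'rebut' attacks the proposition; either blocks the assertion until
    it is resolved.
"""
from dataclasses import dataclass, field


@dataclass
class Evidence:
    name: str
    holds: bool  # the evidence item exists and was validated


@dataclass
class Qualifier:
    strength: str  # 'conclusive' or 'presumptive'
    condition_holds: bool = True  # side condition under which the rule applies


@dataclass
class Defeater:
    description: str
    kind: str  # 'undercut' (attacks the inference) or 'rebut' (attacks the proposition)
    resolved: bool = False


@dataclass
class Assertion:
    proposition: str
    rule: str  # inference rule used in the reasoning step
    basis: str  # theoretical or causal model the rule rests on
    premises: list
    qualifier: Qualifier
    defeaters: list = field(default_factory=list)


def evaluate(node):
    """Evaluate an argument tree bottom-up.

    Returns (stands, strength, reasons): `stands` is True when the node is
    established; `strength` is the weakest qualifier on any path beneath
    it, since a conclusive rule resting on a presumptive premise yields
    only a presumptive conclusion; `reasons` lists whatever blocks it."""
    if isinstance(node, Evidence):
        reasons = [] if node.holds else [f"evidence missing: {node.name}"]
        return node.holds, "conclusive", reasons
    reasons = []
    strength = node.qualifier.strength
    for premise in node.premises:
        _, premise_strength, why = evaluate(premise)
        reasons.extend(why)  # a premise that fails always reports a reason
        if premise_strength == "presumptive":
            strength = "presumptive"
    if not node.qualifier.condition_holds:
        reasons.append(f"condition of rule '{node.rule}' not met")
    for d in node.defeaters:
        if not d.resolved:
            reasons.append(f"unresolved {d.kind}: {d.description}")
    return not reasons, strength, reasons


def example_argument(completeness_doubt_resolved):
    """Constructed sample (illustrative, not from the slides). Whether the
    'did hazard analysis identify all causes?' doubt is resolved is the
    parameter, so the same tree can be shown blocked and then standing."""
    har_complete = Assertion(
        proposition="HAr identified all causes that could degrade the safety function",
        rule="STPA applied to the requirements and independently reviewed",
        basis="STPA causal model of unsafe control actions",
        premises=[Evidence("HAr report", True), Evidence("IV&V review of HAr", True)],
        qualifier=Qualifier("presumptive"),
        defeaters=[Defeater("Completeness of identified causes not demonstrated",
                            "rebut", resolved=completeness_doubt_resolved)],
    )
    return Assertion(
        proposition="No identified common cause propagates to the implemented trip function",
        rule="Every identified cause traces to a design constraint verified at each refinement step",
        basis="Refinement preserves the semantics of the requirement",
        premises=[har_complete, Evidence("Traceability: requirements to code", True)],
        qualifier=Qualifier("conclusive"),
    )


if __name__ == "__main__":
    for resolved in (False, True):
        stands, strength, reasons = evaluate(example_argument(resolved))
        print(f"doubt resolved={resolved}: stands={stands}, strength={strength}, {reasons}")
```

The point the evaluator makes explicit is the one the limitations slide raises: an unresolved doubt about hazard-analysis completeness blocks every assertion above it, and even once resolved the top-level claim inherits the presumptive strength of the hazard-analysis premise rather than the conclusive strength of its own rule.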

Some known technical limitations
  • Validating results of hazard analysis
    - Did it really identify all causes that could degrade the safety function?
  • Validating assumptions about the environment of the safety system, e.g.:
    - Conditions of operation and maintenance
    - Configuration control change impact analysis
  • Qualifying a suite of tools from different sources
    - Libraries
    - Underlying languages
  • Infrastructure for independent V&V

Why holistic? Effects of missing elements of change
All elements present (Vision, Resources, Capable workforce, Capable processes, Organizational culture, Incentives, Sanctions/reinforcements, Action plan): Change
  • Missing Vision: Confusion
  • Missing Resources: Anxiety & frustration
  • Missing Capable workforce: Slow or little progress
  • Missing Capable processes: Reinventing the wheel
  • Missing Organizational culture: Barriers to change
  • Missing Incentives: Sporadic change
  • Missing Sanctions/reinforcements: Misaligned behaviors
  • Missing Action plan: False starts
Adapted by Dr. Palma Buttles-Valdez, SEI, from Delorise Ambrose, 1987.

Acronyms & Abbreviations
AADL    Architecture Analysis and Design Language
CCF     Common cause failure
Dev     Development
DI&C    Digital Instrumentation and Control
Engrg   Engineering
EPRI    Electric Power Research Institute
esp.    Especially
FSM     Finite state machine
HAp     Hazard analysis of plans
HAr     Hazard analysis of requirements
HAa     Hazard analysis of architecture
HAdd    Hazard analysis of detailed design
HAi     Hazard analysis of implementation
HAt     Hazard analysis of testing (including test specifications and oracles)
IAEA    International Atomic Energy Agency
I&C     Instrumentation and Control
IEC     International Electrotechnical Commission
IEEE    Institute of Electrical and Electronics Engineers
ISO     International Organization for Standardization
IV&V    Independent Verification and Validation
NPP     Nuclear Power Plant
NRC     U.S. Nuclear Regulatory Commission
OWL     Web Ontology Language
R&D     Research and Development
Reqmts  Requirements
RIL     Research Information Letter
RPS     Reactor Protection System
RWI     Review, Walkthrough, and Inspection
SCR     Software Cost Reduction (set of techniques for designing software systems)
spec    specification
SQuaRE  Systems and Software Quality Requirements and Evaluation
Std     Standard
STPA    System-Theoretic Process Analysis (method of hazard analysis)
V&V     Verification and Validation
Vp      V&V of plans
Vr      V&V of requirements
Va      V&V of architecture
Vdd     V&V of detailed design
Vi      V&V of implementation
Vt      V&V of testing (including test specifications and oracles)