ML23194A187: Difference between revisions
StriderTol (talk | contribs) (StriderTol Bot insert) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| Line 15: | Line 15: | ||
=Text= | =Text= | ||
{{#Wiki_filter:}} | {{#Wiki_filter:Addressing Hazards from Common Causes in Engineering Digital I&C Systems: | ||
State of the Art July 20, 2023 Presenter: Sushil Birla Office of Nuclear Regulatory Research Division of Engineering 1 | |||
Outline | |||
: 1. Motivation for assessing the state-of-the-art | |||
: 2. Approach: Prevent common causes of hazards | |||
: 3. Evidence generation | |||
: 4. Integrating the evidence evaluating system safety | |||
: 5. Judgment 2 | |||
Terminology & Scope To assimilate knowledge from outside the NPP industry and avoid ambiguity | |||
* Sources of definitions are broader than NPP-specific standards. | |||
* Context in focus: Operating power reactor protection systems. | |||
* Focus: Hazards from (systemic) common causes: | |||
Rooted in engineering deficiencies That may degrade the redundancy and defense-in-depth characteristics Hazard: potential for harm through the degradation of a safety function allocated to the object under analysis Examples of sources: ISO/IEC/IEEE 24765; ISO/IEC Systems & Software SQuaRE series; ISO/IEC 15026 3 | |||
Meaning of state-of-the-art in this presentation State-of-the-art Capability demonstrated in leading-edge implementations; not yet scaled up State-of-the-practice Best-in-class; best practices, e.g., | |||
as seen in industry consensus standards Current practice As seen in many organizations 4 | |||
Motivation Engineering time Run time Preventative Reactive Monitor Prevent Prevent Diverse Verify Detect hazard propagation redundancy Intervene Potential to decrease intrinsic cost Cost increases 5 | |||
Reference Framework for Assurance Verification Validation (V&V) | |||
Vp Vc Vr Va Vdd Vi Vt Requirements from NPP Safety Analysis System Development Detailed Plans Concept Requirements Architecture Implementation Testing design HAp HAc HAr HAr HAdd HAi HAi Safety Engineering Reference model from IEEE Std 1012 6 | |||
Reducing the uncertainty space Deficiencies in: | |||
Hazard identification* | |||
Requirements specification Architectural specification Conditions to reduce associated uncertainties Detailed design specification Implementation (coding) | |||
Verification + | |||
Conditions on methods and tools | |||
* = all phases | |||
+ | |||
Logical integration of all the evidence | |||
+ | |||
Reducing inconsistencies in judgment 7 | |||
Refinement principle Abstraction Requirements Declarative (what) | |||
R E | |||
F Architecture I | |||
N E | |||
M E | |||
N Detailed design T | |||
Concretion Imperative (how) | |||
Implementation | |||
Leverage domain engineering Development Phase Constraints to enable refinement Requirements Domain-specific controlled natural language refinement Semantically compatible Architecture Domain-specific architecture modeling language refinement Semantically compatible Detailed design Domain-specific design specification language refinement Semantically compatible Implementation Domain-specific coding/programming language Create precertified reusable assets | |||
* Domain modeling | |||
* Domain engineering (see IEEE Std 1517:2010; ISO/IEC 26550; NUREG/CR-6263) | |||
Reasoning Model to support performance-based evaluation (based on the Toulmin model1) | |||
Theoretical or causal model Basis for Inference rule Used in Premise / Evidence Reasoning Assertion Qualifiers Factors influencing validity (Strength; of evidence link Condition) | |||
Challenges; rebuttals; inconsistencies 1Toulmin, S., The Uses of Argument, Cambridge, UK: Cambridge University Press, 1958 10 | |||
Judgment Decide The safety claim is satisfied unconditionally (i.e., the residual uncertainty has an insignificant effect on the safety claim). | |||
* No one can find any uncontrolled hazard with the potential to degrade the performance of the safety function | |||
* No one can find any unmitigated "defeater" The safety claim is not satisfied with the given evidence. | |||
The residual uncertainty is so great that the safety claim cannot be supported. | |||
The defeaters are identified and associated with the respective sub-claims. | |||
The safety claim does not hold. | |||
* Fallacies in logic. | |||
* Deficiencies in evidence. | |||
The state-of-the-art can support consistent judgment based on objective, scientific evidence and logical reasoning 11 | |||
Acronyms | |||
* Dev - Development | |||
* Engrg - Engineering | |||
* HAp - Hazard analysis of plans | |||
* HAr - Hazard analysis of requirements | |||
* HAa - Hazard analysis of architecture | |||
* HAdd - Hazard analysis of detailed design | |||
* HAi - Hazard analysis of implementation | |||
* HAt - Hazard analysis of testing (including test specifications and oracles) | |||
* IEC - International Electrotechnical Commission | |||
* IEEE - Institute of Electrical and Electronics Engineers | |||
* ISO - International Standards Organization | |||
* NPP - Nuclear Power Plant | |||
* NRC - U.S. Nuclear Regulatory Commission | |||
* R&D - Research and Development | |||
* Reqmts - Requirements | |||
* RIL - Research Information Letter | |||
* RPS - Reactor Protection System | |||
* SQuaRE - Systems and Software Quality Requirements and Evaluation | |||
* V&V - Verification and Validation | |||
* Vp - V&V of plans | |||
* Vr - V&V of requirements | |||
* Va - V&V of architecture | |||
* Vdd - V&V of detailed design | |||
* Vi - V&V of implementation | |||
* Vt - V&V of testing (including test specifications and oracles) 12}} | |||
Revision as of 09:00, 17 July 2023
| ML23194A187 | |
| Person / Time | |
|---|---|
| Issue date: | 07/20/2023 |
| From: | Sushil Birla NRC/RES/DE |
| To: | |
| Sushil Birla 301-415-2311 | |
| References | |
| Download: ML23194A187 (12) | |
Text
Addressing Hazards from Common Causes in Engineering Digital I&C Systems:
State of the Art July 20, 2023 Presenter: Sushil Birla Office of Nuclear Regulatory Research Division of Engineering 1
Outline
- 1. Motivation for assessing the state-of-the-art
- 2. Approach: Prevent common causes of hazards
- 3. Evidence generation
- 4. Integrating the evidence evaluating system safety
- 5. Judgment 2
Terminology & Scope To assimilate knowledge from outside the NPP industry and avoid ambiguity
- Sources of definitions are broader than NPP-specific standards.
- Context in focus: Operating power reactor protection systems.
- Focus: Hazards from (systemic) common causes:
Rooted in engineering deficiencies That may degrade the redundancy and defense-in-depth characteristics Hazard: potential for harm through the degradation of a safety function allocated to the object under analysis Examples of sources: ISO/IEC/IEEE 24765; ISO/IEC Systems & Software SQuaRE series; ISO/IEC 15026 3
Meaning of state-of-the-art in this presentation State-of-the-art Capability demonstrated in leading-edge implementations; not yet scaled up State-of-the-practice Best-in-class; best practices, e.g.,
as seen in industry consensus standards Current practice As seen in many organizations 4
Motivation Engineering time Run time Preventative Reactive Monitor Prevent Prevent Diverse Verify Detect hazard propagation redundancy Intervene Potential to decrease intrinsic cost Cost increases 5
Reference Framework for Assurance Verification Validation (V&V)
Vp Vc Vr Va Vdd Vi Vt Requirements from NPP Safety Analysis System Development Detailed Plans Concept Requirements Architecture Implementation Testing design HAp HAc HAr HAr HAdd HAi HAi Safety Engineering Reference model from IEEE Std 1012 6
Reducing the uncertainty space Deficiencies in:
Hazard identification*
Requirements specification Architectural specification Conditions to reduce associated uncertainties Detailed design specification Implementation (coding)
Verification +
Conditions on methods and tools
- = all phases
+
Logical integration of all the evidence
+
Reducing inconsistencies in judgment 7
Refinement principle Abstraction Requirements Declarative (what)
R E
F Architecture I
N E
M E
N Detailed design T
Concretion Imperative (how)
Implementation
Leverage domain engineering Development Phase Constraints to enable refinement Requirements Domain-specific controlled natural language refinement Semantically compatible Architecture Domain-specific architecture modeling language refinement Semantically compatible Detailed design Domain-specific design specification language refinement Semantically compatible Implementation Domain-specific coding/programming language Create precertified reusable assets
- Domain modeling
- Domain engineering (see IEEE Std 1517:2010; ISO/IEC 26550; NUREG/CR-6263)
Reasoning Model to support performance-based evaluation (based on the Toulmin model1)
Theoretical or causal model Basis for Inference rule Used in Premise / Evidence Reasoning Assertion Qualifiers Factors influencing validity (Strength; of evidence link Condition)
Challenges; rebuttals; inconsistencies 1Toulmin, S., The Uses of Argument, Cambridge, UK: Cambridge University Press, 1958 10
Judgment Decide The safety claim is satisfied unconditionally (i.e., the residual uncertainty has an insignificant effect on the safety claim).
- No one can find any uncontrolled hazard with the potential to degrade the performance of the safety function
- No one can find any unmitigated "defeater" The safety claim is not satisfied with the given evidence.
The residual uncertainty is so great that the safety claim cannot be supported.
The defeaters are identified and associated with the respective sub-claims.
The safety claim does not hold.
- Fallacies in logic.
- Deficiencies in evidence.
The state-of-the-art can support consistent judgment based on objective, scientific evidence and logical reasoning 11
- Dev - Development
- Engrg - Engineering
- HAp - Hazard analysis of plans
- HAr - Hazard analysis of requirements
- HAa - Hazard analysis of architecture
- HAdd - Hazard analysis of detailed design
- HAi - Hazard analysis of implementation
- HAt - Hazard analysis of testing (including test specifications and oracles)
- IEC - International Electrotechnical Commission
- IEEE - Institute of Electrical and Electronics Engineers
- ISO - International Standards Organization
- NPP - Nuclear Power Plant
- NRC - U.S. Nuclear Regulatory Commission
- R&D - Research and Development
- Reqmts - Requirements
- RIL - Research Information Letter
- SQuaRE - Systems and Software Quality Requirements and Evaluation
- V&V - Verification and Validation
- Vp - V&V of plans
- Vr - V&V of requirements
- Va - V&V of architecture
- Vdd - V&V of detailed design
- Vi - V&V of implementation
- Vt - V&V of testing (including test specifications and oracles) 12