Safety Justification and Safety Case for Safety-critical Software in Digital Reactor Protection System

International Nuclear Information System (INIS)

Kwon, Kee-Choon; Lee, Jang-Soo; Jee, Eunkyoung

2016-01-01

Nuclear safety-critical software is under strict regulatory requirements and these regulatory requirements are essential for ensuring the safety of nuclear power plants. The verification & validation (V and V) and hazard analysis of the safety-critical software are required to follow regulatory requirements through the entire software life cycle. In order to obtain a license from the regulatory body through the development and validation of safety-critical software, it is essential to meet the standards which are required by the regulatory body throughout the software development process. Generally, large amounts of documents, which demonstrate safety justification including standard compliance, V and V, hazard analysis, and vulnerability assessment activities, are submitted to the regulatory body during the licensing process. It is not easy to accurately read and evaluate the whole documentation for the development activities, implementation technology, and validation activities. The safety case methodology has been kwon a promising approach to evaluate the level and depth of the development and validation results. A safety case is a structured argument, supported by a body of evidence that provides a compelling, comprehensible, and valid case that a system is safe for a given application in a given operating environment. It is suggested to evaluate the level and depth of the results of development and validation by applying safety case methodology to achieve software safety demonstration. A lot of documents provided as evidence are connected to claim that corresponds to the topic for safety demonstration. We demonstrated a case study in which more systematic safety demonstration for the target system software is performed via safety case construction than simply listing the documents

Safety Justification and Safety Case for Safety-critical Software in Digital Reactor Protection System

Energy Technology Data Exchange (ETDEWEB)

Kwon, Kee-Choon; Lee, Jang-Soo [Korea Atomic Energy Research Institute, Daejeon (Korea, Republic of); Jee, Eunkyoung [KAIST, Daejeon (Korea, Republic of)

2016-10-15

Nuclear safety-critical software is under strict regulatory requirements and these regulatory requirements are essential for ensuring the safety of nuclear power plants. The verification & validation (V and V) and hazard analysis of the safety-critical software are required to follow regulatory requirements through the entire software life cycle. In order to obtain a license from the regulatory body through the development and validation of safety-critical software, it is essential to meet the standards which are required by the regulatory body throughout the software development process. Generally, large amounts of documents, which demonstrate safety justification including standard compliance, V and V, hazard analysis, and vulnerability assessment activities, are submitted to the regulatory body during the licensing process. It is not easy to accurately read and evaluate the whole documentation for the development activities, implementation technology, and validation activities. The safety case methodology has been kwon a promising approach to evaluate the level and depth of the development and validation results. A safety case is a structured argument, supported by a body of evidence that provides a compelling, comprehensible, and valid case that a system is safe for a given application in a given operating environment. It is suggested to evaluate the level and depth of the results of development and validation by applying safety case methodology to achieve software safety demonstration. A lot of documents provided as evidence are connected to claim that corresponds to the topic for safety demonstration. We demonstrated a case study in which more systematic safety demonstration for the target system software is performed via safety case construction than simply listing the documents.

Qualification of safety-critical software for digital reactor safety system in nuclear power plants

International Nuclear Information System (INIS)

Kwon, Kee-Choon; Park, Gee-Yong; Kim, Jang-Yeol; Lee, Jang-Soo

2013-01-01

This paper describes the software qualification activities for the safety-critical software of the digital reactor safety system in nuclear power plants. The main activities of the software qualification processes are the preparation of software planning documentations, verification and validation (V and V) of the software requirements specifications (SRS), software design specifications (SDS) and codes, and the testing of the integrated software and integrated system. Moreover, the software safety analysis and software configuration management are involved in the software qualification processes. The V and V procedure for SRS and SDS contains a technical evaluation, licensing suitability evaluation, inspection and traceability analysis, formal verification, software safety analysis, and an evaluation of the software configuration management. The V and V processes for the code are a traceability analysis, source code inspection, test case and test procedure generation. Testing is the major V and V activity of the software integration and system integration phases. The software safety analysis employs a hazard operability method and software fault tree analysis. The software configuration management in each software life cycle is performed by the use of a nuclear software configuration management tool. Through these activities, we can achieve the functionality, performance, reliability, and safety that are the major V and V objectives of the safety-critical software in nuclear power plants. (author)

Formal model-based development for safety-critical embedded software

International Nuclear Information System (INIS)

Kim, Jin Hyun; Choi, Jin Young

2005-01-01

Safety-critical embedded software for nuclear I and C system is developed under the safety and reliability regulation. Programmable logic controller(PLC) is a computer system for instrumentation and control (I and C) system of nuclear power plants. PLC consists of various I and C logics in software, including real-time operating system (RTOS). Hence, errors related with RTOS should be detected and eliminated in development processes. Practically, the verification and validation for errors in RTOS is performed in test procedure, in which a lot of tasks for testing are embedded in RTOS and are running under a test environments. But the test process can not be enough to guarantee the safety and reliability of RTOS. Therefore, in this paper, we introduce to applying formal methods with the development of software for the PLC. We particularity apply formal methods to a development of RTOS for PLC, which is a safety critical level. In this development, we use the state charts of I-Logix to specify and verification and model checking to verify the specification

Formal model-based development for safety-critical embedded software

Energy Technology Data Exchange (ETDEWEB)

Kim, Jin Hyun; Choi, Jin Young [Korea University, seoul (Korea, Republic of)

2005-11-15

Safety-critical embedded software for nuclear I and C system is developed under the safety and reliability regulation. Programmable logic controller(PLC) is a computer system for instrumentation and control (I and C) system of nuclear power plants. PLC consists of various I and C logics in software, including real-time operating system (RTOS). Hence, errors related with RTOS should be detected and eliminated in development processes. Practically, the verification and validation for errors in RTOS is performed in test procedure, in which a lot of tasks for testing are embedded in RTOS and are running under a test environments. But the test process can not be enough to guarantee the safety and reliability of RTOS. Therefore, in this paper, we introduce to applying formal methods with the development of software for the PLC. We particularity apply formal methods to a development of RTOS for PLC, which is a safety critical level. In this development, we use the state charts of I-Logix to specify and verification and model checking to verify the specification.

Developing software for safety-critical applications

International Nuclear Information System (INIS)

Chudleigh, M.

1989-01-01

The effective implementation of many safety-critical systems involves microprocessors running software which needs to be of very high integrity. This article describes some of the problems of producing such software and the place of software within the total system. A development strategy is proposed based on three principles: the goal of defect-free development, the use of mathematical formalism, and the use of an independent team for testing. (author)

KAERI software safety guideline for developing safety-critical software in digital instrumentation and control system of nuclear power plant

International Nuclear Information System (INIS)

Lee, Jang Soo; Kim, Jang Yeol; Eum, Heung Seop.

1997-07-01

Recently, the safety planning for safety-critical software systems is being recognized as the most important phase in the software life cycle, and being developed new regulatory positions and standards by the regulatory and the standardization organization. The requirements for software important to safety of nuclear reactor are described in such positions and standards. Most of them are describing mandatory requirements, what shall be done, for the safety-critical software. The developers of such a software. However, there have been a lot of controversial factors on whether the work practices satisfy the regulatory requirements, and to justify the safety of such a system developed by the work practices, between the licenser and the licensee. We believe it is caused by the reason that there is a gap between the mandatory requirements (What) and the work practices (How). We have developed a guidance to fill such gap, which can be useful for both licenser and licensee to conduct a justification of the safety in the planning phase of developing the software for nuclear reactor protection systems. (author). 67 refs., 13 tabs., 2 figs

KAERI software safety guideline for developing safety-critical software in digital instrumentation and control system of nuclear power plant

Energy Technology Data Exchange (ETDEWEB)

Lee, Jang Soo; Kim, Jang Yeol; Eum, Heung Seop

1997-07-01

Recently, the safety planning for safety-critical software systems is being recognized as the most important phase in the software life cycle, and being developed new regulatory positions and standards by the regulatory and the standardization organization. The requirements for software important to safety of nuclear reactor are described in such positions and standards. Most of them are describing mandatory requirements, what shall be done, for the safety-critical software. The developers of such a software. However, there have been a lot of controversial factors on whether the work practices satisfy the regulatory requirements, and to justify the safety of such a system developed by the work practices, between the licenser and the licensee. We believe it is caused by the reason that there is a gap between the mandatory requirements (What) and the work practices (How). We have developed a guidance to fill such gap, which can be useful for both licenser and licensee to conduct a justification of the safety in the planning phase of developing the software for nuclear reactor protection systems. (author). 67 refs., 13 tabs., 2 figs.

Use of modern software - based instrumentation in safety critical systems

International Nuclear Information System (INIS)

Emmett, J.; Smith, B.

2005-01-01

Many Nuclear Power Plants are now ageing and in need of various degrees of refurbishment. Installed instrumentation usually uses out of date 'analogue' technology and is often no longer available in the market place. New technology instrumentation is generally un-qualified for nuclear use and specifically the new 'smart' technology contains 'firmware', (effectively 'soup' (Software of Uncertain Pedigree)) which must be assessed in accordance with relevant safety standards before it may be used in a safety application. Particular standards are IEC 61508 [1] and the British Energy (BE) PES (Programmable Electronic Systems) guidelines EPD/GEN/REP/0277/97. [2] This paper outlines a new instrument evaluation system, which has been developed in conjunction with the UK Nuclear Industry. The paper concludes with a discussion about on-line monitoring of Smart instrumentation in safety critical applications. (author)

Software safety analysis techniques for developing safety critical software in the digital protection system of the LMR

Energy Technology Data Exchange (ETDEWEB)

Lee, Jang Soo; Cheon, Se Woo; Kim, Chang Hoi; Sim, Yun Sub

2001-02-01

This report has described the software safety analysis techniques and the engineering guidelines for developing safety critical software to identify the state of the art in this field and to give the software safety engineer a trail map between the code and standards layer and the design methodology and documents layer. We have surveyed the management aspects of software safety activities during the software lifecycle in order to improve the safety. After identifying the conventional safety analysis techniques for systems, we have surveyed in details the software safety analysis techniques, software FMEA(Failure Mode and Effects Analysis), software HAZOP(Hazard and Operability Analysis), and software FTA(Fault Tree Analysis). We have also surveyed the state of the art in the software reliability assessment techniques. The most important results from the reliability techniques are not the specific probability numbers generated, but the insights into the risk importance of software features. To defend against potential common-mode failures, high quality, defense-in-depth, and diversity are considered to be key elements in digital I and C system design. To minimize the possibility of CMFs and thus increase the plant reliability, we have provided D-in-D and D analysis guidelines.

Software safety analysis techniques for developing safety critical software in the digital protection system of the LMR

International Nuclear Information System (INIS)

Lee, Jang Soo; Cheon, Se Woo; Kim, Chang Hoi; Sim, Yun Sub

2001-02-01

This report has described the software safety analysis techniques and the engineering guidelines for developing safety critical software to identify the state of the art in this field and to give the software safety engineer a trail map between the code and standards layer and the design methodology and documents layer. We have surveyed the management aspects of software safety activities during the software lifecycle in order to improve the safety. After identifying the conventional safety analysis techniques for systems, we have surveyed in details the software safety analysis techniques, software FMEA(Failure Mode and Effects Analysis), software HAZOP(Hazard and Operability Analysis), and software FTA(Fault Tree Analysis). We have also surveyed the state of the art in the software reliability assessment techniques. The most important results from the reliability techniques are not the specific probability numbers generated, but the insights into the risk importance of software features. To defend against potential common-mode failures, high quality, defense-in-depth, and diversity are considered to be key elements in digital I and C system design. To minimize the possibility of CMFs and thus increase the plant reliability, we have provided D-in-D and D analysis guidelines

Software reliability for safety-critical applications

International Nuclear Information System (INIS)

Everett, B.; Musa, J.

1994-01-01

In this talk, the authors address the question open-quotes Can Software Reliability Engineering measurement and modeling techniques be applied to safety-critical applications?close quotes Quantitative techniques have long been applied in engineering hardware components of safety-critical applications. The authors have seen a growing acceptance and use of quantitative techniques in engineering software systems but a continuing reluctance in using such techniques in safety-critical applications. The general case posed against using quantitative techniques for software components runs along the following lines: safety-critical applications should be engineered such that catastrophic failures occur less frequently than one in a billion hours of operation; current software measurement/modeling techniques rely on using failure history data collected during testing; one would have to accumulate over a billion operational hours to verify failure rate objectives of about one per billion hours

A study on quantitative V and V of safety-critical software

International Nuclear Information System (INIS)

Eom, H. S.; Kang, H. G.; Chang, S. C.; Ha, J. J.; Son, H. S.

2004-03-01

Recently practical needs have required quantitative features for the software reliability for Probabilistic Safety Assessment which is one of the important methods being used in assessing the overall safety of nuclear power plant. But the conventional assessment methods of software reliability could not provide enough information for PSA of NPP, therefore current assessments of a digital system which includes safety-critical software usually exclude the software part or use arbitrary values. This paper describes a Bayesian Belief Networks based method that models the rule-based qualitative software assessment method for a practical use and can produce quantitative results for PSA. The framework was constructed by utilizing BBN that can combine the qualitative and quantitative evidence relevant to the reliability of safety-critical software and can infer a conclusion in a formal and a quantitative way. The case study was performed by applying the method for assessing the quality of software requirement specification of safety-critical software that will be embedded in reactor protection system

Software quality assurance plans for safety-critical software

International Nuclear Information System (INIS)

Liddle, P.

2006-01-01

Application software is defined as safety-critical if a fault in the software could prevent the system components from performing their nuclear-safety functions. Therefore, for nuclear-safety systems, the AREVA TELEPERM R XS (TXS) system is classified 1E, as defined in the Inst. of Electrical and Electronics Engineers (IEEE) Std 603-1998. The application software is classified as Software Integrity Level (SIL)-4, as defined in IEEE Std 7-4.3.2-2003. The AREVA NP Inc. Software Program Manual (SPM) describes the measures taken to ensure that the TELEPERM XS application software attains a level of quality commensurate with its importance to safety. The manual also describes how TELEPERM XS correctly performs the required safety functions and conforms to established technical and documentation requirements, conventions, rules, and standards. The program manual covers the requirements definition, detailed design, integration, and test phases for the TELEPERM XS application software, and supporting software created by AREVA NP Inc. The SPM is required for all safety-related TELEPERM XS system applications. The program comprises several basic plans and practices: 1. A Software Quality-Assurance Plan (SQAP) that describes the processes necessary to ensure that the software attains a level of quality commensurate with its importance to safety function. 2. A Software Safety Plan (SSP) that identifies the process to reasonably ensure that safety-critical software performs as intended during all abnormal conditions and events, and does not introduce any new hazards that could jeopardize the health and safety of the public. 3. A Software Verification and Validation (V and V) Plan that describes the method of ensuring the software is in accordance with the requirements. 4. A Software Configuration Management Plan (SCMP) that describes the method of maintaining the software in an identifiable state at all times. 5. A Software Operations and Maintenance Plan (SO and MP) that

A formal safety analysis for PLC software-based safety critical system using Z

International Nuclear Information System (INIS)

Koh, Jung Soo

1997-02-01

This paper describes a formal safety analysis technique which is demonstrated by performing empirical formal safety analysis with the case study of beamline hutch door Interlock system that is developed by using PLC (Programmable Logic Controller) systems at the Pohang Accelerator Laboratory. In order to perform formal safety analysis, we have built the Z formal specifications representation from user requirement written in ambiguous natural language and target PLC ladder logic, respectively. We have also studied the effective method to express typical PLC timer component by using specific Z formal notation which is supported by temporal history. We present a formal proof technique specifying and verifying that the hazardous states are not introduced into ladder logic in the PLC-based safety critical system. And also, we have found that some errors or mismatches in user requirement and final implemented PLC ladder logic while analyzing the process of the consistency and completeness of Z translated formal specifications. In the case of relatively small systems like Beamline hutch door interlock system, a formal safety analysis including explicit proof is highly recommended so that the safety of PLC-based critical system may be enhanced and guaranteed. It also provides a helpful benefits enough to comprehend user requirement expressed by ambiguous natural language

Software for computer based systems important to safety in nuclear power plants. Safety guide

International Nuclear Information System (INIS)

2004-01-01

Computer based systems are of increasing importance to safety in nuclear power plants as their use in both new and older plants is rapidly increasing. They are used both in safety related applications, such as some functions of the process control and monitoring systems, as well as in safety critical applications, such as reactor protection or actuation of safety features. The dependability of computer based systems important to safety is therefore of prime interest and should be ensured. With current technology, it is possible in principle to develop computer based instrumentation and control systems for systems important to safety that have the potential for improving the level of safety and reliability with sufficient dependability. However, their dependability can be predicted and demonstrated only if a systematic, fully documented and reviewable engineering process is followed. Although a number of national and international standards dealing with quality assurance for computer based systems important to safety have been or are being prepared, internationally agreed criteria for demonstrating the safety of such systems are not generally available. It is recognized that there may be other ways of providing the necessary safety demonstration than those recommended here. The basic requirements for the design of safety systems for nuclear power plants are provided in the Requirements for Design issued in the IAEA Safety Standards Series.The IAEA has issued a Technical Report to assist Member States in ensuring that computer based systems important to safety in nuclear power plants are safe and properly licensed. The report provides information on current software engineering practices and, together with relevant standards, forms a technical basis for this Safety Guide. The objective of this Safety Guide is to provide guidance on the collection of evidence and preparation of documentation to be used in the safety demonstration for the software for computer based

Software for computer based systems important to safety in nuclear power plants. Safety guide

International Nuclear Information System (INIS)

2005-01-01

Computer based systems are of increasing importance to safety in nuclear power plants as their use in both new and older plants is rapidly increasing. They are used both in safety related applications, such as some functions of the process control and monitoring systems, as well as in safety critical applications, such as reactor protection or actuation of safety features. The dependability of computer based systems important to safety is therefore of prime interest and should be ensured. With current technology, it is possible in principle to develop computer based instrumentation and control systems for systems important to safety that have the potential for improving the level of safety and reliability with sufficient dependability. However, their dependability can be predicted and demonstrated only if a systematic, fully documented and reviewable engineering process is followed. Although a number of national and international standards dealing with quality assurance for computer based systems important to safety have been or are being prepared, internationally agreed criteria for demonstrating the safety of such systems are not generally available. It is recognized that there may be other ways of providing the necessary safety demonstration than those recommended here. The basic requirements for the design of safety systems for nuclear power plants are provided in the Requirements for Design issued in the IAEA Safety Standards Series.The IAEA has issued a Technical Report to assist Member States in ensuring that computer based systems important to safety in nuclear power plants are safe and properly licensed. The report provides information on current software engineering practices and, together with relevant standards, forms a technical basis for this Safety Guide. The objective of this Safety Guide is to provide guidance on the collection of evidence and preparation of documentation to be used in the safety demonstration for the software for computer based

Software for computer based systems important to safety in nuclear power plants. Safety guide

International Nuclear Information System (INIS)

2000-01-01

Computer based systems are of increasing importance to safety in nuclear power plants as their use in both new and older plants is rapidly increasing. They are used both in safety related applications, such as some functions of the process control and monitoring systems, as well as in safety critical applications, such as reactor protection or actuation of safety features. The dependability of computer based systems important to safety is therefore of prime interest and should be ensured. With current technology, it is possible in principle to develop computer based instrumentation and control systems for systems important to safety that have the potential for improving the level of safety and reliability with sufficient dependability. However, their dependability can be predicted and demonstrated only if a systematic, fully documented and reviewable engineering process is followed. Although a number of national and international standards dealing with quality assurance for computer based systems important to safety have been or are being prepared, internationally agreed criteria for demonstrating the safety of such systems are not generally available. It is recognized that there may be other ways of providing the necessary safety demonstration than those recommended here. The basic requirements for the design of safety systems for nuclear power plants are provided in the Requirements for Design issued in the IAEA Safety Standards Series.The IAEA has issued a Technical Report to assist Member States in ensuring that computer based systems important to safety in nuclear power plants are safe and properly licensed. The report provides information on current software engineering practices and, together with relevant standards, forms a technical basis for this Safety Guide. The objective of this Safety Guide is to provide guidance on the collection of evidence and preparation of documentation to be used in the safety demonstration for the software for computer based

KAERI software verification and validation guideline for developing safety-critical software in digital I and C system of NPP

Energy Technology Data Exchange (ETDEWEB)

Kim, Jang Yeol; Lee, Jang Soo; Eom, Heung Seop

1997-07-01

This technical report is to present V and V guideline development methodology for safety-critical software in NPP safety system. Therefore it is to present V and V guideline of planning phase for the NPP safety system in addition to critical safety items, for example, independence philosophy, software safety analysis concept, commercial off the shelf (COTS) software evaluation criteria, inter-relationships between other safety assurance organizations, including the concepts of existing industrial standard, IEEE Std-1012, IEEE Std-1059. This technical report includes scope of V and V guideline, guideline framework as part of acceptance criteria, V and V activities and task entrance as part of V and V activity and exit criteria, review and audit, testing and QA records of V and V material and configuration management, software verification and validation plan production etc., and safety-critical software V and V methodology. (author). 11 refs.

KAERI software verification and validation guideline for developing safety-critical software in digital I and C system of NPP

International Nuclear Information System (INIS)

Kim, Jang Yeol; Lee, Jang Soo; Eom, Heung Seop.

1997-07-01

This technical report is to present V and V guideline development methodology for safety-critical software in NPP safety system. Therefore it is to present V and V guideline of planning phase for the NPP safety system in addition to critical safety items, for example, independence philosophy, software safety analysis concept, commercial off the shelf (COTS) software evaluation criteria, inter-relationships between other safety assurance organizations, including the concepts of existing industrial standard, IEEE Std-1012, IEEE Std-1059. This technical report includes scope of V and V guideline, guideline framework as part of acceptance criteria, V and V activities and task entrance as part of V and V activity and exit criteria, review and audit, testing and QA records of V and V material and configuration management, software verification and validation plan production etc., and safety-critical software V and V methodology. (author). 11 refs

Method of V ampersand V for safety-critical software in NPPs

International Nuclear Information System (INIS)

Kim, Jang-Yeol; Lee, Jang-Soo; Kwon, Kee-Choon

1997-01-01

Safety-critical software is software used in systems in which a failure could affect personal or equipment safety or result in large financial or social loss. Examples of systems using safety-critical software are systems such as plant protection systems in nuclear power plants (NPPs), process control systems in chemical plants, and medical instruments such as the Therac-25 medical accelerator. This paper presents verification and validation (V ampersand V) methodology for safety-critical software in NPP safety systems. In addition, it addresses issues related to NPP safety systems, such as independence parameters, software safety analysis (SSA) concepts, commercial off-the-shelf (COTS) software evaluation criteria, and interrelationships among software and system assurance organizations. It includes the concepts of existing industrial standards on software V ampersand V, Institute of Electrical and Electronics Engineers (IEEE) Standards 1012 and 1059. This safety-critical software V ampersand V methodology covers V ampersand V scope, a regulatory framework as part of its acceptance criteria, V ampersand V activities and task entrance and exit criteria, reviews and audits, testing and quality assurance records of V ampersand V material, configuration management activities related to V ampersand V, and software V ampersand V (SVV) plan (SVVP) production

Statistical reliability assessment of software-based systems

International Nuclear Information System (INIS)

Korhonen, J.; Pulkkinen, U.; Haapanen, P.

1997-01-01

Plant vendors nowadays propose software-based systems even for the most critical safety functions. The reliability estimation of safety critical software-based systems is difficult since the conventional modeling techniques do not necessarily apply to the analysis of these systems, and the quantification seems to be impossible. Due to lack of operational experience and due to the nature of software faults, the conventional reliability estimation methods can not be applied. New methods are therefore needed for the safety assessment of software-based systems. In the research project Programmable automation systems in nuclear power plants (OHA), financed together by the Finnish Centre for Radiation and Nuclear Safety (STUK), the Ministry of Trade and Industry and the Technical Research Centre of Finland (VTT), various safety assessment methods and tools for software based systems are developed and evaluated. This volume in the OHA-report series deals with the statistical reliability assessment of software based systems on the basis of dynamic test results and qualitative evidence from the system design process. Other reports to be published later on in OHA-report series will handle the diversity requirements in safety critical software-based systems, generation of test data from operational profiles and handling of programmable automation in plant PSA-studies. (orig.) (25 refs.)

Resilience Engineering in Critical Long Term Aerospace Software Systems: A New Approach to Spacecraft Software Safety

Science.gov (United States)

Dulo, D. A.

Safety critical software systems permeate spacecraft, and in a long term venture like a starship would be pervasive in every system of the spacecraft. Yet software failure today continues to plague both the systems and the organizations that develop them resulting in the loss of life, time, money, and valuable system platforms. A starship cannot afford this type of software failure in long journeys away from home. A single software failure could have catastrophic results for the spaceship and the crew onboard. This paper will offer a new approach to developing safe reliable software systems through focusing not on the traditional safety/reliability engineering paradigms but rather by focusing on a new paradigm: Resilience and Failure Obviation Engineering. The foremost objective of this approach is the obviation of failure, coupled with the ability of a software system to prevent or adapt to complex changing conditions in real time as a safety valve should failure occur to ensure safe system continuity. Through this approach, safety is ensured through foresight to anticipate failure and to adapt to risk in real time before failure occurs. In a starship, this type of software engineering is vital. Through software developed in a resilient manner, a starship would have reduced or eliminated software failure, and would have the ability to rapidly adapt should a software system become unstable or unsafe. As a result, long term software safety, reliability, and resilience would be present for a successful long term starship mission.

Licensing safety critical software

International Nuclear Information System (INIS)

Archinoff, G.H.; Brown, R.A.

1990-01-01

Licensing difficulties with the shutdown system software at the Darlington Nuclear Generating Station contributed to delays in starting up the station. Even though the station has now been given approval by the Atomic Energy Control Board (AECB) to operate, the software issue has not disappeared - Ontario Hydro has been instructed by the AECB to redesign the software. This article attempts to explain why software based shutdown systems were chosen for Darlington, why there was so much difficulty licensing them, and what the implications are for other safety related software based applications

A Technique of Software Safety Analysis in the Design Phase for PLC Based Safety-Critical Systems

International Nuclear Information System (INIS)

Koo, Seo-Ryong; Kim, Chang-Hwoi

2017-01-01

The purpose of safety analysis, which is a method of identifying portions of a system that have the potential for unacceptable hazards, is firstly to encourage design changes that will reduce or eliminate hazards and, secondly, to conduct special analyses and tests that can provide increased confidence in especially vulnerable portions of the system. For the design and implementation phase of the PLC based systems, we proposed a technique for software design specification and analysis, and this technique enables us to generate software design specifications (SDSs) in nuclear fields. For the safety analysis in the design phase, we used architecture design blocks of NuFDS to represent the architecture of the software. On the basis of the architecture design specification, we can directly generate the fault tree and then use the fault tree for qualitative analysis. Therefore, we proposed a technique of fault tree synthesis, along with a universal fault tree template for the architecture modules of nuclear software. Through our proposed fault tree synthesis in this work, users can use the architecture specification of the NuFDS approach to intuitively compose fault trees that help analyze the safety design features of software.

The Qualification Experiences for Safety-critical Software of POSAFE-Q

Energy Technology Data Exchange (ETDEWEB)

Kim, Jang Yeol; Son, Kwang Seop; Cheon, Se Woo; Lee, Jang Soo; Kwon, Kee Choon [Korea Atomic Energy Research Institute, Daejeon (Korea, Republic of)

2009-05-15

Programmable Logic Controllers (PLC) have been applied to the Reactor Protection System (RPS) and the Engineered Safety Feature (ESF)-Component Control System (CCS) as the major safety system components of nuclear power plants. This paper describes experiences on the qualification of the safety-critical software including the pCOS kernel and system tasks related to a safety-grade PLC, i.e. the works done for the Software Verification and Validation, Software Safety Analysis, Software Quality Assurance, and Software Configuration Management etc.

Validation testing of safety-critical software

International Nuclear Information System (INIS)

Kim, Hang Bae; Han, Jae Bok

1995-01-01

A software engineering process has been developed for the design of safety critical software for Wolsung 2/3/4 project to satisfy the requirements of the regulatory body. Among the process, this paper described the detail process of validation testing performed to ensure that the software with its hardware, developed by the design group, satisfies the requirements of the functional specification prepared by the independent functional group. To perform the tests, test facility and test software were developed and actual safety system computer was connected. Three kinds of test cases, i.e., functional test, performance test and self-check test, were programmed and run to verify each functional specifications. Test failures were feedback to the design group to revise the software and test results were analyzed and documented in the report to submit to the regulatory body. The test methodology and procedure were very efficient and satisfactory to perform the systematic and automatic test. The test results were also acceptable and successful to verify the software acts as specified in the program functional specification. This methodology can be applied to the validation of other safety-critical software. 2 figs., 2 tabs., 14 refs. (Author)

A formal safety analysis for PLC software-based safety critical system using Z

International Nuclear Information System (INIS)

Koh, Jung Soo; Seong, Poong Hyun

1997-01-01

This paper describes a formal safety analysis technique which is demonstrated by performing empirical formal safety analysis with the case study of beamline hutch door Interlock system that is developed by using PLC (Programmable Logic Controller) systems at the Pohang Accelerator Laboratory. In order to perform formed safety analysis, we have built the Z formal specifications representation from user requirement written in ambiguous natural language and target PLC ladder logic, respectively. We have also studied the effective method to express typical PLC timer component by using specific Z formal notation which is supported by temporal history. We present a formal proof technique specifying and verifying that the hazardous states are not introduced into ladder logic in the PLC-based safety critical system

A hybrid approach to quantify software reliability in nuclear safety systems

International Nuclear Information System (INIS)

Arun Babu, P.; Senthil Kumar, C.; Murali, N.

2012-01-01

Highlights: ► A novel method to quantify software reliability using software verification and mutation testing in nuclear safety systems. ► Contributing factors that influence software reliability estimate. ► Approach to help regulators verify the reliability of safety critical software system during software licensing process. -- Abstract: Technological advancements have led to the use of computer based systems in safety critical applications. As computer based systems are being introduced in nuclear power plants, effective and efficient methods are needed to ensure dependability and compliance to high reliability requirements of systems important to safety. Even after several years of research, quantification of software reliability remains controversial and unresolved issue. Also, existing approaches have assumptions and limitations, which are not acceptable for safety applications. This paper proposes a theoretical approach combining software verification and mutation testing to quantify the software reliability in nuclear safety systems. The theoretical results obtained suggest that the software reliability depends on three factors: the test adequacy, the amount of software verification carried out and the reusability of verified code in the software. The proposed approach may help regulators in licensing computer based safety systems in nuclear reactors.

CTMCONTROL: Addressing the MC/DC Objective for Safety-Critical Automotive Software

OpenAIRE

Mjeda , Anila; Hinchey , Mike

2013-01-01

International audience; We propose a method tailored to the requirements of safety-critical embedded automotive software, named CTMCONTROL. CTMCONTROL has a par-ticular focus on the specification-based control logic of the system under test and offers improvements in testing coverage metrics over a classic method which is routinely used in industry. The proposed method targets the Modified Condition/ Decision Coverage (MC/DC) objective for automotive safety-critical software. CTMCONTROL is va...

High level issues in reliability quantification of safety-critical software

International Nuclear Information System (INIS)

Kim, Man Cheol

2012-01-01

For the purpose of developing a consensus method for the reliability assessment of safety-critical digital instrumentation and control systems in nuclear power plants, several high level issues in reliability assessment of the safety-critical software based on Bayesian belief network modeling and statistical testing are discussed. Related to the Bayesian belief network modeling, the relation between the assessment approach and the sources of evidence, the relation between qualitative evidence and quantitative evidence, how to consider qualitative evidence, and the cause-consequence relation are discussed. Related to the statistical testing, the need of the consideration of context-specific software failure probabilities and the inability to perform a huge number of tests in the real world are discussed. The discussions in this paper are expected to provide a common basis for future discussions on the reliability assessment of safety-critical software. (author)

Formal verification and validation of the safety-critical software in a digital reactor protection system

International Nuclear Information System (INIS)

Kwon, K. C.; Park, G. Y.

2006-01-01

This paper describes the Verification and Validation (V and V) activities for the safety-critical software in a Digital Reactor Protection System (DRPS) that is being developed through the Korea nuclear instrumentation and control system project. The main activities of the DRPS V and V process are a preparation of the software planning documentation, a verification of the software according to the software life cycle, a software safety analysis and a software configuration management. The verification works for the Software Requirement Specification (SRS) of the DRPS consist of a technical evaluation, a licensing suitability evaluation, a inspection and traceability analysis, a formal verification, and preparing a test plan and procedure. Especially, the SRS is specified by the formal specification method in the development phase, and the formal SRS is verified by a formal verification method. Through these activities, we believe we can achieve the functionality, performance, reliability, and safety that are the major V and V objectives of the nuclear safety-critical software in a DRPS. (authors)

Recommendations relating to safety-critical real-time software in nuclear power plants

International Nuclear Information System (INIS)

1992-01-01

The Advisory Committee on Nuclear Safety (ACNS) has reviewed safety issues associated with the software for the digital computers in the safety shutdown systems for the Darlington NGS. From this review the ACNS has developed four recommendations for safety-critical real-time software in nuclear power plants. These recommendations cover: the completion of the present efforts to develop an overall standard and sub-tier standards for safety-critical real-time software; the preparation of schedules and lists of responsibilities for this development; the concentration of AECB efforts on ensuring the scrutability of safety-critical real-time software; and, the collection of data on reliability and causes of failure (error) of safety-critical real-time software systems and on the probability and causes of common-mode failures (errors). (9 refs.)

Software Reliability Issues Concerning Large and Safety Critical Software Systems

Science.gov (United States)

Kamel, Khaled; Brown, Barbara

1996-01-01

This research was undertaken to provide NASA with a survey of state-of-the-art techniques using in industrial and academia to provide safe, reliable, and maintainable software to drive large systems. Such systems must match the complexity and strict safety requirements of NASA's shuttle system. In particular, the Launch Processing System (LPS) is being considered for replacement. The LPS is responsible for monitoring and commanding the shuttle during test, repair, and launch phases. NASA built this system in the 1970's using mostly hardware techniques to provide for increased reliability, but it did so often using custom-built equipment, which has not been able to keep up with current technologies. This report surveys the major techniques used in industry and academia to ensure reliability in large and critical computer systems.

Module Testing Techniques for Nuclear Safety Critical Software Using LDRA Testing Tool

International Nuclear Information System (INIS)

Moon, Kwon-Ki; Kim, Do-Yeon; Chang, Hoon-Seon; Chang, Young-Woo; Yun, Jae-Hee; Park, Jee-Duck; Kim, Jae-Hack

2006-01-01

The safety critical software in the I and C systems of nuclear power plants requires high functional integrity and reliability. To achieve those requirement goals, the safety critical software should be verified and tested according to related codes and standards through verification and validation (V and V) activities. The safety critical software testing is performed at various stages during the development of the software, and is generally classified as three major activities: module testing, system integration testing, and system validation testing. Module testing involves the evaluation of module level functions of hardware and software. System integration testing investigates the characteristics of a collection of modules and aims at establishing their correct interactions. System validation testing demonstrates that the complete system satisfies its functional requirements. In order to generate reliable software and reduce high maintenance cost, it is important that software testing is carried out at module level. Module testing for the nuclear safety critical software has rarely been performed by formal and proven testing tools because of its various constraints. LDRA testing tool is a widely used and proven tool set that provides powerful source code testing and analysis facilities for the V and V of general purpose software and safety critical software. Use of the tool set is indispensable where software is required to be reliable and as error-free as possible, and its use brings in substantial time and cost savings, and efficiency

Software system safety

Science.gov (United States)

Uber, James G.

1988-01-01

Software itself is not hazardous, but since software and hardware share common interfaces there is an opportunity for software to create hazards. Further, these software systems are complex, and proven methods for the design, analysis, and measurement of software safety are not yet available. Some past software failures, future NASA software trends, software engineering methods, and tools and techniques for various software safety analyses are reviewed. Recommendations to NASA are made based on this review.

Final Technical Report on Quantifying Dependability Attributes of Software Based Safety Critical Instrumentation and Control Systems in Nuclear Power Plants

International Nuclear Information System (INIS)

Smidts, Carol; Huang, Fuqun; Li, Boyuan; Li, Xiang

2016-01-01

With the current transition from analog to digital instrumentation and control systems in nuclear power plants, the number and variety of software-based systems have significantly increased. The sophisticated nature and increasing complexity of software raises trust in these systems as a significant challenge. The trust placed in a software system is typically termed software dependability. Software dependability analysis faces uncommon challenges since software systems' characteristics differ from those of hardware systems. The lack of systematic science-based methods for quantifying the dependability attributes in software-based instrumentation as well as control systems in safety critical applications has proved itself to be a significant inhibitor to the expanded use of modern digital technology in the nuclear industry. Dependability refers to the ability of a system to deliver a service that can be trusted. Dependability is commonly considered as a general concept that encompasses different attributes, e.g., reliability, safety, security, availability and maintainability. Dependability research has progressed significantly over the last few decades. For example, various assessment models and/or design approaches have been proposed for software reliability, software availability and software maintainability. Advances have also been made to integrate multiple dependability attributes, e.g., integrating security with other dependability attributes, measuring availability and maintainability, modeling reliability and availability, quantifying reliability and security, exploring the dependencies between security and safety and developing integrated analysis models. However, there is still a lack of understanding of the dependencies between various dependability attributes as a whole and of how such dependencies are formed. To address the need for quantification and give a more objective basis to the review process -- therefore reducing regulatory uncertainty

Final Technical Report on Quantifying Dependability Attributes of Software Based Safety Critical Instrumentation and Control Systems in Nuclear Power Plants

Energy Technology Data Exchange (ETDEWEB)

Smidts, Carol [The Ohio State Univ., Columbus, OH (United States); Huang, Funqun [The Ohio State Univ., Columbus, OH (United States); Li, Boyuan [The Ohio State Univ., Columbus, OH (United States); Li, Xiang [The Ohio State Univ., Columbus, OH (United States)

2016-03-25

With the current transition from analog to digital instrumentation and control systems in nuclear power plants, the number and variety of software-based systems have significantly increased. The sophisticated nature and increasing complexity of software raises trust in these systems as a significant challenge. The trust placed in a software system is typically termed software dependability. Software dependability analysis faces uncommon challenges since software systems’ characteristics differ from those of hardware systems. The lack of systematic science-based methods for quantifying the dependability attributes in software-based instrumentation as well as control systems in safety critical applications has proved itself to be a significant inhibitor to the expanded use of modern digital technology in the nuclear industry. Dependability refers to the ability of a system to deliver a service that can be trusted. Dependability is commonly considered as a general concept that encompasses different attributes, e.g., reliability, safety, security, availability and maintainability. Dependability research has progressed significantly over the last few decades. For example, various assessment models and/or design approaches have been proposed for software reliability, software availability and software maintainability. Advances have also been made to integrate multiple dependability attributes, e.g., integrating security with other dependability attributes, measuring availability and maintainability, modeling reliability and availability, quantifying reliability and security, exploring the dependencies between security and safety and developing integrated analysis models. However, there is still a lack of understanding of the dependencies between various dependability attributes as a whole and of how such dependencies are formed. To address the need for quantification and give a more objective basis to the review process -- therefore reducing regulatory uncertainty

Software for safety critical applications

International Nuclear Information System (INIS)

Kropik, M.; Matejka, K.; Jurickova, M.; Chudy, R.

2001-01-01

The contribution gives an overview of the project of the software development for safety critical applications. This project has been carried out since 1997. The principal goal of the project was to establish a research laboratory for the development of the software with the highest requirements for quality and reliability. This laboratory was established at the department, equipped with proper hardware and software to support software development. A research team of predominantly young researchers for software development was created. The activities of the research team started with studying and proposing the software development methodology. In addition, this methodology was applied to the real software development. The verification and validation process followed the software development. The validation system for the integrated hardware and software tests was brought into being and its control software was developed. The quality of the software tools was also observed, and the SOSAT tool was used during these activities. National and international contacts were established and maintained during the project solution.(author)

Evaluation of Model Driven Development of Safety Critical Software in the Nuclear Power Plant I and C system

International Nuclear Information System (INIS)

Jung, Jae Cheon; Chang, Hoon Seon; Chang, Young Woo; Kim, Jae Hack; Sohn, Se Do

2005-01-01

The major issues of the safety critical software are formalism and V and V. Implementing these two characteristics in the safety critical software will greatly enhance the quality of software product. The structure based development requires lots of output documents from the requirements phase to the testing phase. The requirements analysis phase is open omitted. According to the Standish group report in 2001, 49% of software project is cancelled before completion or never implemented. In addition, 23% is completed and become operational, but over-budget, over the time estimation, and with fewer features and functions than initially specified. They identified ten success factors. Among them, firm basic requirements and formal methods are technically achievable factors while the remaining eight are management related. Misunderstanding of requirements due to lack of communication between the design engineer and verification engineer causes unexpected result such as functionality error of system. Safety critical software shall comply with such characteristics as; modularity, simplicity, minimizing the sub-routine, and excluding the interrupt routine. In addition, the crosslink fault and erroneous function shall be eliminated. The easiness of repairing work after the installation shall be achieved as well. In consideration of the above issues, we evaluate the model driven development (MDD) methods for nuclear I and C systems software. For qualitative analysis, the unified modeling language (UML), functional block language (FBL) and the safety critical application environment (SCADE) are tested for the above characteristics

Software Quality Assurance for Nuclear Safety Systems

International Nuclear Information System (INIS)

Sparkman, D R; Lagdon, R

2004-01-01

The US Department of Energy has undertaken an initiative to improve the quality of software used to design and operate their nuclear facilities across the United States. One aspect of this initiative is to revise or create new directives and guides associated with quality practices for the safety software in its nuclear facilities. Safety software includes the safety structures, systems, and components software and firmware, support software and design and analysis software used to ensure the safety of the facility. DOE nuclear facilities are unique when compared to commercial nuclear or other industrial activities in terms of the types and quantities of hazards that must be controlled to protect workers, public and the environment. Because of these differences, DOE must develop an approach to software quality assurance that ensures appropriate risk mitigation by developing a framework of requirements that accomplishes the following goals: (sm b ullet) Ensures the software processes developed to address nuclear safety in design, operation, construction and maintenance of its facilities are safe (sm b ullet) Considers the larger system that uses the software and its impacts (sm b ullet) Ensures that the software failures do not create unsafe conditions Software designers for nuclear systems and processes must reduce risks in software applications by incorporating processes that recognize, detect, and mitigate software failure in safety related systems. It must also ensure that fail safe modes and component testing are incorporated into software design. For nuclear facilities, the consideration of risk is not necessarily sufficient to ensure safety. Systematic evaluation, independent verification and system safety analysis must be considered for software design, implementation, and operation. The software industry primarily uses risk analysis to determine the appropriate level of rigor applied to software practices. This risk-based approach distinguishes safety-critical

Software design specification and analysis(NuFDS) approach for the safety critical software based on porgrammable logic controller(PLC)

International Nuclear Information System (INIS)

Koo, Seo Ryong; Seong, Poong Hyun; Jung, Jin Yong; Choi, Seong Soo

2004-01-01

This paper introduces the software design specification and analysis technique for the safety-critical system based on Programmable Logic Controller (PLC). During software development phases, the design phase should perform an important role to connect between requirements phase and implementation phase as a process of translating problem requirements into software structures. In this work, the Nuclear FBD-style Design Specification and analysis (NuFDS) approach was proposed. The NuFDS approach for nuclear Instrumentation and Control (I and C) software are suggested in a straight forward manner. It consists of four major specifications as follows; Database, Software Architecture, System Behavior, and PLC Hardware Configuration. Additionally, correctness, completeness, consistency, and traceability check techniques are also suggested for the formal design analysis in NuFDS approach. In addition, for the tool supporting, we are developing NuSDS tool based on the NuFDS approach which is a tool, especially for the software design specification in nuclear fields

Reliability Quantification Method for Safety Critical Software Based on a Finite Test Set

International Nuclear Information System (INIS)

Shin, Sung Min; Kim, Hee Eun; Kang, Hyun Gook; Lee, Seung Jun

2014-01-01

Software inside of digitalized system have very important role because it may cause irreversible consequence and affect the whole system as common cause failure. However, test-based reliability quantification method for some safety critical software has limitations caused by difficulties in developing input sets as a form of trajectory which is series of successive values of variables. To address these limitations, this study proposed another method which conduct the test using combination of single values of variables. To substitute the trajectory form of input using combination of variables, the possible range of each variable should be identified. For this purpose, assigned range of each variable, logical relations between variables, plant dynamics under certain situation, and characteristics of obtaining information of digital device are considered. A feasibility of the proposed method was confirmed through an application to the Reactor Protection System (RPS) software trip logic

Verification of safety critical software

International Nuclear Information System (INIS)

Son, Ki Chang; Chun, Chong Son; Lee, Byeong Joo; Lee, Soon Sung; Lee, Byung Chai

1996-01-01

To assure quality of safety critical software, software should be developed in accordance with software development procedures and rigorous software verification and validation should be performed. Software verification is the formal act of reviewing, testing of checking, and documenting whether software components comply with the specified requirements for a particular stage of the development phase[1]. New software verification methodology was developed and was applied to the Shutdown System No. 1 and 2 (SDS1,2) for Wolsung 2,3 and 4 nuclear power plants by Korea Atomic Energy Research Institute(KAERI) and Atomic Energy of Canada Limited(AECL) in order to satisfy new regulation requirements of Atomic Energy Control Boars(AECB). Software verification methodology applied to SDS1 for Wolsung 2,3 and 4 project will be described in this paper. Some errors were found by this methodology during the software development for SDS1 and were corrected by software designer. Outputs from Wolsung 2,3 and 4 project have demonstrated that the use of this methodology results in a high quality, cost-effective product. 15 refs., 6 figs. (author)

Analyzing Software Errors in Safety-Critical Embedded Systems

Science.gov (United States)

Lutz, Robyn R.

1994-01-01

This paper analyzes the root causes of safty-related software faults identified as potentially hazardous to the system are distributed somewhat differently over the set of possible error causes than non-safety-related software faults.

Possibilities and limitations of applying software reliability growth models to safety-critical software

International Nuclear Information System (INIS)

Kim, Man Cheol; Jang, Seung Cheol; Ha, Jae Joo

2007-01-01

It is generally known that software reliability growth models such as the Jelinski-Moranda model and the Goel-Okumoto's Non-Homogeneous Poisson Process (NHPP) model cannot be applied to safety-critical software due to a lack of software failure data. In this paper, by applying two of the most widely known software reliability growth models to sample software failure data, we demonstrate the possibility of using the software reliability growth models to prove the high reliability of safety-critical software. The high sensitivity of a piece of software's reliability to software failure data, as well as a lack of sufficient software failure data, is also identified as a possible limitation when applying the software reliability growth models to safety-critical software

Ontario Hydro experience in the identification and mitigation of potential failures in safety critical software systems

International Nuclear Information System (INIS)

Huget, R.G.; Viola, M.; Froebel, P.A.

1995-01-01

Ontario Hydro has had experience in designing and qualifying safety critical software used in the reactor shutdown systems of its nuclear generating stations. During software design, an analysis of system level hazards and potential hardware failure effects provide input to determining what safeguards will be needed. One form of safeguard, called software self checks, continually monitor the health of the computer on line. The design of self checks usually is a trade off between the amount of computing resources required, the software complexity, and the level of safeguarding provided. As part of the software verification activity, a software hazards analysis is performed, which identifiers any failure modes that could lead to the software causing an unsafe state, and which recommends changes to mitigate that potential. These recommendations may involve a re-structuring of the software to be more resistant to failure, or the introduction of other safeguarding measures. This paper discusses how Ontario Hydro has implemented these aspects of software design and verification into safety critical software used in reactor shutdown systems

Formal methods and their applicability in the development of safety critical software systems

International Nuclear Information System (INIS)

Sievertsen, T.

1995-01-01

The OECD Halden Reactor Project has for a number of years been involved in the development and application of a formal software specification and development method based on algebraic specification and the HRP Prover. In parallel to this activity the Project has been evaluating and comparing different methods and approaches to formal software development by their application on realistic case examples. Recent work has demonstrated that algebraic specification and the HRP Prover can be used both in the specification and design of a software system, even down to a concrete model which can be translated into the chosen implementation language. The HRP Prover is currently being used in a case study on the applicability of the methodology in the development of a power range monitoring system for a nuclear power plant. The presentation reviews some of the experiences drawn from the Project's research activities in this area, with special emphasis on questions relating to applicability and limitations, and the role of formal methods in the development of safety-critical software systems. (14 refs., 1 fig.)

Estimation of Remained defects in a Safety-Critical Software using Bayesian Belief Network of Software Development Life Cycle

International Nuclear Information System (INIS)

Lee, Seung Jun; Jung, Wondea Jung

2015-01-01

Some researchers recognized Bayesian belief network (BBN) method to be a promising method of quantifying software reliability. Brookhaven National Laboratory (BNL) comprehensively reviewed various quantitative software reliability methods to identify the most promising methods for use in probabilistic safety assessments (PSAs) of digital systems of NPPs against a set of the most desirable characteristics developed therein. BBNs are recognized as a promising way of quantifying software reliability and are useful for integrating many aspects of software engineering and quality assurance. The method explicitly incorporates important factors relevant to reliability, such as the quality of the developer, the development process, problem complexity, testing effort, and the operation environment. In this work, a BBN model was developed to estimate the number of remained defects in a safety-critical software based on the quality evaluation of software development life cycle (SDLC). Even though a number of software reliability evaluation methods exist, none of them can be applicable to the safety-critical software in an NPP because software quality in terms of PDF is required for the PSA

Architecture Level Safety Analyses for Safety-Critical Systems

Directory of Open Access Journals (Sweden)

K. S. Kushal

2017-01-01

Full Text Available The dependency of complex embedded Safety-Critical Systems across Avionics and Aerospace domains on their underlying software and hardware components has gradually increased with progression in time. Such application domain systems are developed based on a complex integrated architecture, which is modular in nature. Engineering practices assured with system safety standards to manage the failure, faulty, and unsafe operational conditions are very much necessary. System safety analyses involve the analysis of complex software architecture of the system, a major aspect in leading to fatal consequences in the behaviour of Safety-Critical Systems, and provide high reliability and dependability factors during their development. In this paper, we propose an architecture fault modeling and the safety analyses approach that will aid in identifying and eliminating the design flaws. The formal foundations of SAE Architecture Analysis & Design Language (AADL augmented with the Error Model Annex (EMV are discussed. The fault propagation, failure behaviour, and the composite behaviour of the design flaws/failures are considered for architecture safety analysis. The illustration of the proposed approach is validated by implementing the Speed Control Unit of Power-Boat Autopilot (PBA system. The Error Model Annex (EMV is guided with the pattern of consideration and inclusion of probable failure scenarios and propagation of fault conditions in the Speed Control Unit of Power-Boat Autopilot (PBA. This helps in validating the system architecture with the detection of the error event in the model and its impact in the operational environment. This also provides an insight of the certification impact that these exceptional conditions pose at various criticality levels and design assurance levels and its implications in verifying and validating the designs.

Real-time software use in nuclear materials handling criticality safety control

International Nuclear Information System (INIS)

Huang, S.; Lappa, D.; Chiao, T.; Parrish, C.; Carlson, R.; Lewis, J.; Shikany, D.; Woo, H.

1997-01-01

This paper addresses the use of real-time software to assist handlers of fissionable nuclear material. We focus specifically on the issue of workstation mass limits, and the need for handlers to be aware of, and check against, those mass limits during material transfers. Here ''mass limits'' generally refer to criticality safety mass limits; however, in some instances, workstation mass limits for some materials may be governed by considerations other than criticality, e.g., fire or release consequence limitation. As a case study, we provide a simplified reliability comparison of the use of a manual two handler system with a software-assisted two handler system. We identify the interface points between software and handlers that are relevant to criticality safety

Planning the Unplanned Experiment: Assessing the Efficacy of Standards for Safety Critical Software

Science.gov (United States)

Graydon, Patrick J.; Holloway, C. Michael

2015-01-01

We need well-founded means of determining whether software is t for use in safety-critical applications. While software in industries such as aviation has an excellent safety record, the fact that software aws have contributed to deaths illustrates the need for justi ably high con dence in software. It is often argued that software is t for safety-critical use because it conforms to a standard for software in safety-critical systems. But little is known about whether such standards `work.' Reliance upon a standard without knowing whether it works is an experiment; without collecting data to assess the standard, this experiment is unplanned. This paper reports on a workshop intended to explore how standards could practicably be assessed. Planning the Unplanned Experiment: Assessing the Ecacy of Standards for Safety Critical Software (AESSCS) was held on 13 May 2014 in conjunction with the European Dependable Computing Conference (EDCC). We summarize and elaborate on the workshop's discussion of the topic, including both the presented positions and the dialogue that ensued.

The automatic programming for safety-critical software in nuclear power plants

Energy Technology Data Exchange (ETDEWEB)

Kim, Jang Yeol; Eom, Heung Seop; Choi, You Rark

1998-06-01

We defined the Korean unique safety-critical software development methodology by modifying Dr. Harel`s statechart-based on formal methods in order to digitalized the reactor protection system. It is suggested software requirement specification guideline to specify design specification which is basis for requirement specification and automatic programming by the caused by shutdown parameter logic of the steam generator water level for Wolsung 2/3/4 unit SDS no.1 and simulated it by binding the Graphic User Interface (GUI). We generated the K and R C code automatically by utilizing the Statemate MAGNUM Sharpshooter/C code generator. Auto-generated K and R C code is machine independent code and has high productivity, quality and provability. The following are the summaries of major research and development. - Set up the Korean unique safety-critical software development methodology - Developed software requirement specification guidelines - Developed software design specification guidelines - Reactor trip modeling for steam generator waster level Wolsung 2/3/4 SDS no. 1 shutdown parameter logic - Graphic panel binding with GUI. (author). 20 refs., 12 tabs., 15 figs

The automatic programming for safety-critical software in nuclear power plants

International Nuclear Information System (INIS)

Kim, Jang Yeol; Eom, Heung Seop; Choi, You Rark

1998-06-01

We defined the Korean unique safety-critical software development methodology by modifying Dr. Harel's statechart-based on formal methods in order to digitalized the reactor protection system. It is suggested software requirement specification guideline to specify design specification which is basis for requirement specification and automatic programming by the caused by shutdown parameter logic of the steam generator water level for Wolsung 2/3/4 unit SDS no.1 and simulated it by binding the Graphic User Interface (GUI). We generated the K and R C code automatically by utilizing the Statemate MAGNUM Sharpshooter/C code generator. Auto-generated K and R C code is machine independent code and has high productivity, quality and provability. The following are the summaries of major research and development. - Set up the Korean unique safety-critical software development methodology - Developed software requirement specification guidelines - Developed software design specification guidelines - Reactor trip modeling for steam generator waster level Wolsung 2/3/4 SDS no. 1 shutdown parameter logic - Graphic panel binding with GUI. (author). 20 refs., 12 tabs., 15 figs

Input-profile-based software failure probability quantification for safety signal generation systems

International Nuclear Information System (INIS)

Kang, Hyun Gook; Lim, Ho Gon; Lee, Ho Jung; Kim, Man Cheol; Jang, Seung Cheol

2009-01-01

The approaches for software failure probability estimation are mainly based on the results of testing. Test cases represent the inputs, which are encountered in an actual use. The test inputs for the safety-critical application such as a reactor protection system (RPS) of a nuclear power plant are the inputs which cause the activation of protective action such as a reactor trip. A digital system treats inputs from instrumentation sensors as discrete digital values by using an analog-to-digital converter. Input profile must be determined in consideration of these characteristics for effective software failure probability quantification. Another important characteristic of software testing is that we do not have to repeat the test for the same input value since the software response is deterministic for each specific digital input. With these considerations, we propose an effective software testing method for quantifying the failure probability. As an example application, the input profile of the digital RPS is developed based on the typical plant data. The proposed method in this study is expected to provide a simple but realistic mean to quantify the software failure probability based on input profile and system dynamics.

Interaction between systems and software engineering in safety-critical systems

International Nuclear Information System (INIS)

Knight, J.

1994-01-01

There are three areas of concern: when is software to be considered safe; what, exactly, is the role of the software engineer; and how do systems, or sometimes applications, engineers and software engineers interact with each other. The author presents his perspective on these questions which he feels differ from those of many in the field. He argues for a clear definition of safety in the software arena, so the engineer knows what he is engineering toward. Software must be viewed as part of the entire system, since it does not function on its own, or isolation. He argues for the establishment of clear specifications in this area

Evaluation for nuclear safety-critical software reliability of DCS

International Nuclear Information System (INIS)

Liu Ying

2015-01-01

With the development of control and information technology at NPPs, software reliability is important because software failure is usually considered as one form of common cause failures in Digital I and C Systems (DCS). The reliability analysis of DCS, particularly qualitative and quantitative evaluation on the nuclear safety-critical software reliability belongs to a great challenge. To solve this problem, not only comprehensive evaluation model and stage evaluation models are built in this paper, but also prediction and sensibility analysis are given to the models. It can make besement for evaluating the reliability and safety of DCS. (author)

Quantification of Safety-Critical Software Test Uncertainty

International Nuclear Information System (INIS)

Khalaquzzaman, M.; Cho, Jaehyun; Lee, Seung Jun; Jung, Wondea

2015-01-01

The method, conservatively assumes that the failure probability of a software for the untested inputs is 1, and the failure probability turns in 0 for successful testing of all test cases. However, in reality the chance of failure exists due to the test uncertainty. Some studies have been carried out to identify the test attributes that affect the test quality. Cao discussed the testing effort, testing coverage, and testing environment. Management of the test uncertainties was discussed in. In this study, the test uncertainty has been considered to estimate the software failure probability because the software testing process is considered to be inherently uncertain. A reliability estimation of software is very important for a probabilistic safety analysis of a digital safety critical system of NPPs. This study focused on the estimation of the probability of a software failure that considers the uncertainty in software testing. In our study, BBN has been employed as an example model for software test uncertainty quantification. Although it can be argued that the direct expert elicitation of test uncertainty is much simpler than BBN estimation, however the BBN approach provides more insights and a basis for uncertainty estimation

A Method to Select Test Input Cases for Safety-critical Software

International Nuclear Information System (INIS)

Kim, Heeeun; Kang, Hyungook; Son, Hanseong

2013-01-01

This paper proposes a new testing methodology for effective and realistic quantification of RPS software failure probability. Software failure probability quantification is important factor in digital system safety assessment. In this study, the method for software test case generation is briefly described. The test cases generated by this method reflect the characteristics of safety-critical software and past inputs. Furthermore, the number of test cases can be reduced, but it is possible to perform exhaustive test. Aspect of software also can be reflected as failure data, so the final failure data can include the failure of software itself and external influences. Software reliability is generally accepted as the key factor in software quality since it quantifies software failures which can make a powerful system inoperative. In the KNITS (Korea Nuclear Instrumentation and Control Systems) project, the software for the fully digitalized reactor protection system (RPS) was developed under a strict procedure including unit testing and coverage measurement. Black box testing is one type of Verification and validation (V and V), in which given input values are entered and the resulting output values are compared against the expected output values. Programmable logic controllers (PLCs) were used in implementing critical systems and function block diagram (FBD) is a commonly used implementation language for PLC

Requirement analysis of the safety-critical software implementation for the nuclear power plant

International Nuclear Information System (INIS)

Chang, Hoon Seon; Jung, Jae Cheon; Kim, Jae Hack; Nam, Sang Ku; Kim, Hang Bae

2005-01-01

The safety critical software shall be implemented under the strict regulation and standards along with hardware qualification. In general, the safety critical software has been implemented using functional block language (FBL) and structured language like C in the real project. Software design shall comply with such characteristics as; modularity, simplicity, minimizing the use of sub-routine, and excluding the interrupt logic. To meet these prerequisites, we used the computer-aided software engineering (CASE) tool to substantiate the requirements traceability matrix that were manually developed using Word processors or Spreadsheets. And the coding standard and manual have been developed to confirm the quality of software development process, such as; readability, consistency, and maintainability in compliance with NUREG/CR-6463. System level preliminary hazard analysis (PHA) is performed by analyzing preliminary safety analysis report (PSAR) and FMEA document. The modularity concept is effectively implemented for the overall module configurations and functions using RTP software development tool. The response time imposed on the basis of the deterministic structure of the safety-critical software was measured

An effective technique for the software requirements analysis of NPP safety-critical systems, based on software inspection, requirements traceability, and formal specification

International Nuclear Information System (INIS)

Koo, Seo Ryong; Seong, Poong Hyun; Yoo, Junbeom; Cha, Sung Deok; Yoo, Yeong Jae

2005-01-01

A thorough requirements analysis is indispensable for developing and implementing safety-critical software systems such as nuclear power plant (NPP) software systems because a single error in the requirements can generate serious software faults. However, it is very difficult to completely analyze system requirements. In this paper, an effective technique for the software requirements analysis is suggested. For requirements verification and validation (V and V) tasks, our technique uses software inspection, requirement traceability, and formal specification with structural decomposition. Software inspection and requirements traceability analysis are widely considered the most effective software V and V methods. Although formal methods are also considered an effective V and V activity, they are difficult to use properly in the nuclear fields as well as in other fields because of their mathematical nature. In this work, we propose an integrated environment (IE) approach for requirements, which is an integrated approach that enables easy inspection by combining requirement traceability and effective use of a formal method. The paper also introduces computer-aided tools for supporting IE approach for requirements. Called the nuclear software inspection support and requirements traceability (NuSISRT), the tool incorporates software inspection, requirement traceability, and formal specification capabilities. We designed the NuSISRT to partially automate software inspection and analysis of requirement traceability. In addition, for the formal specification and analysis, we used the formal requirements specification and analysis tool for nuclear engineering (NuSRS)

Failure Mode and Effect Analysis of the Application Software of the Safety-critical I and C System in APR1400

Energy Technology Data Exchange (ETDEWEB)

Kim, Koheun; Kim, Yong geul; Choi, Woong seok; Sohn, Se do [KEPCO Engineering and Construction, Daejeon (Korea, Republic of)

2016-10-15

In APR1400, the computer software hazard analysis is performed by hazard and operability analysis (HAZOP) method. Meanwhile, HAZOP has its limitation and cannot be considered better than fault tree analysis (FTA) or failure mode and effect (FMEA) analysis. HAZOP assumes that the system has been carefully studied, and all possible hazards, their effects or consequences and remedies are incorporated in the system. But incorporating every possible event in the design is impossible. In this light, this paper attempts to use FMEA method for evaluating the risk for safety-critical instrumentation and control (I and C) system software for NPP which is more practically than HAZOP. It is possible because the software failures are due to systematic faults that causing simultaneous failure in multiple division when the triggering event happens. This analysis is applied to safety-critical system of Shin-Hanul units 1 and 2 NPP, i.e., APR1400. Through SFMEA, the critical software failure modes and tasks that could result in CCF are identified and also evaluated to determine the associated risk level (e.g. high or intermediate or low) based on the failure effect. Biggest benefit from this analysis comparing with HAZOP is it can reveal the possible weak points and provide the guidance to the V and V team by helping to generate the test cases.

Testing digital safety system software with a testability measure based on a software fault tree

International Nuclear Information System (INIS)

Sohn, Se Do; Hyun Seong, Poong

2006-01-01

Using predeveloped software, a digital safety system is designed that meets the quality standards of a safety system. To demonstrate the quality, the design process and operating history of the product are reviewed along with configuration management practices. The application software of the safety system is developed in accordance with the planned life cycle. Testing, which is a major phase that takes a significant time in the overall life cycle, can be optimized if the testability of the software can be evaluated. The proposed testability measure of the software is based on the entropy of the importance of basic statements and the failure probability from a software fault tree. To calculate testability, a fault tree is used in the analysis of a source code. With a quantitative measure of testability, testing can be optimized. The proposed testability can also be used to demonstrate whether the test cases based on uniform partitions, such as branch coverage criteria, result in homogeneous partitions that is known to be more effective than random testing. In this paper, the testability measure is calculated for the modules of a nuclear power plant's safety software. The module testing with branch coverage criteria required fewer test cases if the module has higher testability. The result shows that the testability measure can be used to evaluate whether partitions have homogeneous characteristics

Finite test sets development method for test execution of safety critical software

International Nuclear Information System (INIS)

Shin, Sung Min; Kim, Hee Eun; Kang, Hyun Gook; Lee, Sung Jiun

2014-01-01

The V and V method has been utilized for this safety critical software, while SRGM has difficulties because of lack of failure occurrence data on developing phase. For the safety critical software, however, failure data cannot be gathered after installation in real plant when we consider the severe consequence. Therefore, to complement the V and V method, the test-based method need to be developed. Some studies on test-based reliability quantification method for safety critical software have been conducted in nuclear field. These studies provide useful guidance on generating test sets. An important concept of the guidance is that the test sets represent 'trajectories' (a series of successive values for the input variables of a program that occur during the operation of the software over time) in the space of inputs to the software.. Actually, the inputs to the software depends on the state of plant at that time, and these inputs form a new internal state of the software by changing values of some variables. In other words, internal state of the software at specific timing depends on the history of past inputs. Here the internal state of the software which can be changed by past inputs is named as Context of Software (CoS). In a certain CoS, a software failure occurs when a fault is triggered by some inputs. To cover the failure occurrence mechanism of a software, preceding researches insist that the inputs should be a trajectory form. However, in this approach, there are two critical problems. One is the length of the trajectory input. Input trajectory should long enough to cover failure mechanism, but the enough length is not clear. What is worse, to cover some accident scenario, one set of input should represent dozen hours of successive values. The other problem is number of tests needed. To satisfy a target reliability with reasonable confidence level, very large number of test sets are required. Development of this number of test sets is a herculean

Software qualification for digital safety system in KNICS project

International Nuclear Information System (INIS)

Kwon, Kee-Choon; Lee, Dong-Young; Choi, Jong-Gyun

2012-01-01

In order to achieve technical self-reliance in the area of nuclear instrumentation and control, the Korea Nuclear Instrumentation and Control System (KNICS) project had been running for seven years from 2001. The safety-grade Programmable Logic Controller (PLC) and the digital safety system were developed by KNICS project. All the software of the PLC and digital safety system were developed and verified following the software development life cycle Verification and Validation (V and V) procedure. The main activities of the V and V process are preparation of software planning documentations, verification of the Software Requirement Specification (SRS), Software Design Specification (SDS) and codes, and a testing of the software components, the integrated software, and the integrated system. In addition, a software safety analysis and a software configuration management are included in the activities. For the software safety analysis at the SRS and SDS phases, the software Hazard Operability (HAZOP) was performed and then the software fault tree analysis was applied. The software fault tree analysis was applied to a part of software module with some critical defects identified by the software HAZOP in SDS phase. The software configuration management was performed using the in-house tool developed in the KNICS project. (author)

Safety management of software-based equipment

CERN Document Server

Boulanger, Jean-Louis

2013-01-01

A review of the principles of the safety of software-based equipment, this book begins by presenting the definition principles of safety objectives. It then moves on to show how it is possible to define a safety architecture (including redundancy, diversification, error-detection techniques) on the basis of safety objectives and how to identify objectives related to software programs. From software objectives, the authors present the different safety techniques (fault detection, redundancy and quality control). "Certifiable system" aspects are taken into account throughout the book. C

Is Model-Based Development a Favorable Approach for Complex and Safety-Critical Computer Systems on Commercial Aircraft?

Science.gov (United States)

Torres-Pomales, Wilfredo

2014-01-01

A system is safety-critical if its failure can endanger human life or cause significant damage to property or the environment. State-of-the-art computer systems on commercial aircraft are highly complex, software-intensive, functionally integrated, and network-centric systems of systems. Ensuring that such systems are safe and comply with existing safety regulations is costly and time-consuming as the level of rigor in the development process, especially the validation and verification activities, is determined by considerations of system complexity and safety criticality. A significant degree of care and deep insight into the operational principles of these systems is required to ensure adequate coverage of all design implications relevant to system safety. Model-based development methodologies, methods, tools, and techniques facilitate collaboration and enable the use of common design artifacts among groups dealing with different aspects of the development of a system. This paper examines the application of model-based development to complex and safety-critical aircraft computer systems. Benefits and detriments are identified and an overall assessment of the approach is given.

Risk-Informed Safety Assurance and Probabilistic Assessment of Mission-Critical Software-Intensive Systems

Science.gov (United States)

Guarro, Sergio B.

2010-01-01

This report validates and documents the detailed features and practical application of the framework for software intensive digital systems risk assessment and risk-informed safety assurance presented in the NASA PRA Procedures Guide for Managers and Practitioner. This framework, called herein the "Context-based Software Risk Model" (CSRM), enables the assessment of the contribution of software and software-intensive digital systems to overall system risk, in a manner which is entirely compatible and integrated with the format of a "standard" Probabilistic Risk Assessment (PRA), as currently documented and applied for NASA missions and applications. The CSRM also provides a risk-informed path and criteria for conducting organized and systematic digital system and software testing so that, within this risk-informed paradigm, the achievement of a quantitatively defined level of safety and mission success assurance may be targeted and demonstrated. The framework is based on the concept of context-dependent software risk scenarios and on the modeling of such scenarios via the use of traditional PRA techniques - i.e., event trees and fault trees - in combination with more advanced modeling devices such as the Dynamic Flowgraph Methodology (DFM) or other dynamic logic-modeling representations. The scenarios can be synthesized and quantified in a conditional logic and probabilistic formulation. The application of the CSRM method documented in this report refers to the MiniAERCam system designed and developed by the NASA Johnson Space Center.

Development of a methodology for assessing the safety of embedded software systems

Science.gov (United States)

Garrett, C. J.; Guarro, S. B.; Apostolakis, G. E.

1993-01-01

A Dynamic Flowgraph Methodology (DFM) based on an integrated approach to modeling and analyzing the behavior of software-driven embedded systems for assessing and verifying reliability and safety is discussed. DFM is based on an extension of the Logic Flowgraph Methodology to incorporate state transition models. System models which express the logic of the system in terms of causal relationships between physical variables and temporal characteristics of software modules are analyzed to determine how a certain state can be reached. This is done by developing timed fault trees which take the form of logical combinations of static trees relating the system parameters at different point in time. The resulting information concerning the hardware and software states can be used to eliminate unsafe execution paths and identify testing criteria for safety critical software functions.

Co Modeling and Co Synthesis of Safety Critical Multi threaded Embedded Software for Multi Core Embedded Platforms

Science.gov (United States)

2017-03-20

Kaiserslautern Kaiserslautern, Germany Sandeep Shukla FERMAT Lab Electrical and Computer Engineering Department Virginia Tech 900 North Glebe Road...Software Engineering , Software Producibility, Component-based software design, behavioral types, behavioral type inference, Polychronous model of...near future, many embedded applications including safety critical ones as used in avionics, automotive , mission control systems will run on

Using Machine Learning for Risky Module Estimation of Safety-Critical Software

International Nuclear Information System (INIS)

Kim, Young Mi; Jeong, Choong Heui

2009-01-01

With the rapid development of digital computer and information processing technologies, nuclear I and C (Instrument and Control) system which needs safety critical function has adopted digital technologies. Software used in safety-critical system must have high dependability. Highly dependable software needs strict software testing and V and V activities. These days, regulatory demands for nuclear power plants are more and more increasing. But, human resources and time for regulation are limited. So, early software risky module prediction is very useful for software testing and regulation activities. Early estimation can be built from a collection of internal metrics during early development phase. Internal metrics are measures of a product derived from assessment of the product itself, and external metrics are measures of a product derived from assessment of the behavior of the systems. Internal metrics can be collected more easily and early than external metrics. In addition, internal metrics can be useful for estimating fault-prone software modules using machine learning. In this paper, we introduce current research status and techniques related to estimating risky software module using machine learning techniques. Section 2 describes the overview of the estimation model using machine learning and section 3 describes processes of the estimation model. Section 4 describes several estimation models using machine leanings. Section 5 concludes the paper

A comparative study of formal methods for safety critical software in nuclear power plant

International Nuclear Information System (INIS)

Sohn, Se Do; Seong Poong Hyun

2000-01-01

The requirement of ultra high reliability of the safety critical software can not be demonstrated by testing alone. The specification based on formal method is recommended for safety system software. But there exist various kinds of formal methods, and this variety of formal method is recognized as an obstacle to the wide use of formal method. In this paper six different formal method have been applied to the same part of the functional requirements that is calculation algorithm intensive. The specification results were compared against the criteria that is derived from the characteristics that good software requirements specifications should have and regulatory body recommends to have. The application experience shows that the critical characteristics should be defined first, then appropriate method has to e selected. In our case, the Software Cost Reduction method was recommended for internal condition or calculation algorithm checking, and state chart method is recommended for the external behavioral description. (author)

NASA's Software Safety Standard

Science.gov (United States)

Ramsay, Christopher M.

2007-01-01

NASA relies more and more on software to control, monitor, and verify its safety critical systems, facilities and operations. Since the 1960's there has hardly been a spacecraft launched that does not have a computer on board that will provide command and control services. There have been recent incidents where software has played a role in high-profile mission failures and hazardous incidents. For example, the Mars Orbiter, Mars Polar Lander, the DART (Demonstration of Autonomous Rendezvous Technology), and MER (Mars Exploration Rover) Spirit anomalies were all caused or contributed to by software. The Mission Control Centers for the Shuttle, ISS, and unmanned programs are highly dependant on software for data displays, analysis, and mission planning. Despite this growing dependence on software control and monitoring, there has been little to no consistent application of software safety practices and methodology to NASA's projects with safety critical software. Meanwhile, academia and private industry have been stepping forward with procedures and standards for safety critical systems and software, for example Dr. Nancy Leveson's book Safeware: System Safety and Computers. The NASA Software Safety Standard, originally published in 1997, was widely ignored due to its complexity and poor organization. It also focused on concepts rather than definite procedural requirements organized around a software project lifecycle. Led by NASA Headquarters Office of Safety and Mission Assurance, the NASA Software Safety Standard has recently undergone a significant update. This new standard provides the procedures and guidelines for evaluating a project for safety criticality and then lays out the minimum project lifecycle requirements to assure the software is created, operated, and maintained in the safest possible manner. This update of the standard clearly delineates the minimum set of software safety requirements for a project without detailing the implementation for those

Finite test sets development method for test execution of safety critical software

International Nuclear Information System (INIS)

El-Bordany Ayman; Yun, Won Young

2014-01-01

It reads inputs, computes new states, and updates output for each scan cycle. Korea Nuclear Instrumentation and Control System (KNICS) has recently developed a fully digitalized Reactor Protection System (RPS) based on PLD. As a digital system, this RPS is equipped with a dedicated software. The Reliability of this software is crucial to NPPs safety where its malfunction may cause irreversible consequences and affect the whole system as a Common Cause Failure (CCF). To guarantee the reliability of the whole system, the reliability of this software needs to be quantified. There are three representative methods for software reliability quantification, namely the Verification and Validation (V and V) quality-based method, the Software Reliability Growth Model (SRGM), and the test-based method. An important concept of the guidance is that the test sets represent 'trajectories' (a series of successive values for the input variables of a program that occur during the operation of the software over time) in the space of inputs to the software.. Actually, the inputs to the software depends on the state of plant at that time, and these inputs form a new internal state of the software by changing values of some variables. In other words, internal state of the software at specific timing depends on the history of past inputs. Here the internal state of the software which can be changed by past inputs is named as Context of Software (CoS). In a certain CoS, a software failure occurs when a fault is triggered by some inputs. To cover the failure occurrence mechanism of a software, preceding researches insist that the inputs should be a trajectory form. However, in this approach, there are two critical problems. One is the length of the trajectory input. Input trajectory should long enough to cover failure mechanism, but the enough length is not clear. What is worse, to cover some accident scenario, one set of input should represent dozen hours of successive values

A study on the quantitative evaluation of the reliability for safety critical software using Bayesian belief nets

International Nuclear Information System (INIS)

Eom, H. S.; Jang, S. C.; Ha, J. J.

2003-01-01

Despite the efforts to avoid undesirable risks, or at least to bring them under control in the world, new risks that are highly difficult to manage continue to emerge from the use of new technologies, such as the use of digital instrumentation and control (I and C) components in nuclear power plant. Whenever new risk issues came out by now, we have endeavored to find the most effective ways to reduce risks, or to allocate limited resources to do this. One of the major challenges is the reliability analysis of safety-critical software associated with digital safety systems. Though many activities such as testing, verification and validation (V and V) techniques have been carried out in the design stage of software, however, the process of quantitatively evaluating the reliability of safety-critical software has not yet been developed because of the irrelevance of the conventional software reliability techniques to apply for the digital safety systems. This paper focuses on the applicability of Bayesian Belief Net (BBN) techniques to quantitatively estimate the reliability of safety-critical software adopted in digital safety system. In this paper, a typical BBN model was constructed using the dedication process of the Commercial-Off-The-Shelf (COTS) installed by KAERI. In conclusion, the adoption of BBN technique can facilitate the process of evaluating the safety-critical software reliability in nuclear power plant, as well as provide very useful information (e.g., 'what if' analysis) associated with software reliability in the viewpoint of practicality

Reliability analysis of software based safety functions

International Nuclear Information System (INIS)

Pulkkinen, U.

1993-05-01

The methods applicable in the reliability analysis of software based safety functions are described in the report. Although the safety functions also include other components, the main emphasis in the report is on the reliability analysis of software. The check list type qualitative reliability analysis methods, such as failure mode and effects analysis (FMEA), are described, as well as the software fault tree analysis. The safety analysis based on the Petri nets is discussed. The most essential concepts and models of quantitative software reliability analysis are described. The most common software metrics and their combined use with software reliability models are discussed. The application of software reliability models in PSA is evaluated; it is observed that the recent software reliability models do not produce the estimates needed in PSA directly. As a result from the study some recommendations and conclusions are drawn. The need of formal methods in the analysis and development of software based systems, the applicability of qualitative reliability engineering methods in connection to PSA and the need to make more precise the requirements for software based systems and their analyses in the regulatory guides should be mentioned. (orig.). (46 refs., 13 figs., 1 tab.)

The software safety analysis based on SFTA for reactor power regulating system in nuclear power plant

International Nuclear Information System (INIS)

Liu Zhaohui; Yang Xiaohua; Liao Longtao; Wu Zhiqiang

2015-01-01

The digitalized Instrumentation and Control (I and C) system of Nuclear power plants can provide many advantages. However, digital control systems induce new failure modes that differ from those of analog control systems. While the cost effectiveness and flexibility of software is widely recognized, it is very difficult to achieve and prove high levels of dependability and safety assurance for the functions performed by process control software, due to the very flexibility and potential complexity of the software itself. Software safety analysis (SSA) was one way to improve the software safety by identify the system hazards caused by software failure. This paper describes the application of a software fault tree analysis (SFTA) at the software design phase. At first, we evaluate all the software modules of the reactor power regulating system in nuclear power plant and identify various hazards. The SFTA was applied to some critical modules selected from the previous step. At last, we get some new hazards that had not been identified in the prior processes of the document evaluation which were helpful for our design. (author)

Overview of Risk Mitigation for Safety-Critical Computer-Based Systems

Science.gov (United States)

Torres-Pomales, Wilfredo

2015-01-01

This report presents a high-level overview of a general strategy to mitigate the risks from threats to safety-critical computer-based systems. In this context, a safety threat is a process or phenomenon that can cause operational safety hazards in the form of computational system failures. This report is intended to provide insight into the safety-risk mitigation problem and the characteristics of potential solutions. The limitations of the general risk mitigation strategy are discussed and some options to overcome these limitations are provided. This work is part of an ongoing effort to enable well-founded assurance of safety-related properties of complex safety-critical computer-based aircraft systems by developing an effective capability to model and reason about the safety implications of system requirements and design.

Software important to safety in nuclear power plants

International Nuclear Information System (INIS)

1994-01-01

The report provides guidance on current practices, documenting their strengths and weaknesses for dealing with the important issues of software engineering that nuclear power plant system designers, software producers and regulators are facing. The focus of the report is on safety critical applications of general purpose processors controlled by custom developed software; however, it should also have application in safety related applications and for other types of computers. In addition to system designers, software producers and regulators, the intended readership of this report includes users of software based systems, who should be aware of the relevant issues in specifying and obtaining software for systems important to safety. Refs, 1 fig., tabs

Software criticality analysis of COTS/SOUP

Energy Technology Data Exchange (ETDEWEB)

Bishop, Peter; Bloomfield, Robin; Clement, Tim; Guerra, Sofia

2003-09-01

This paper describes the Software Criticality Analysis (SCA) approach that was developed to support the justification of using commercial off-the-shelf software (COTS) in a safety-related system. The primary objective of SCA is to assess the importance to safety of the software components within the COTS and to show there is segregation between software components with different safety importance. The approach taken was a combination of Hazops based on design documents and on a detailed analysis of the actual code (100 kloc). Considerable effort was spent on validation and ensuring the conservative nature of the results. The results from reverse engineering from the code showed that results based only on architecture and design documents would have been misleading.

Software criticality analysis of COTS/SOUP

International Nuclear Information System (INIS)

Bishop, Peter; Bloomfield, Robin; Clement, Tim; Guerra, Sofia

2003-01-01

This paper describes the Software Criticality Analysis (SCA) approach that was developed to support the justification of using commercial off-the-shelf software (COTS) in a safety-related system. The primary objective of SCA is to assess the importance to safety of the software components within the COTS and to show there is segregation between software components with different safety importance. The approach taken was a combination of Hazops based on design documents and on a detailed analysis of the actual code (100 kloc). Considerable effort was spent on validation and ensuring the conservative nature of the results. The results from reverse engineering from the code showed that results based only on architecture and design documents would have been misleading

The Dynamics of Agile Practices for Safety-Critical Software Development

DEFF Research Database (Denmark)

Nielsen, Peter Axel; Tordrup Heeager, Lise

2017-01-01

This short paper reports from a case study of the agile development of safety-critical software. It utilizes a framework of dynamic relationships between agile practices with the purpose of demonstrating the utility of the framework to understand a case in its context, and it shows significant...... dynamics. The study is concluded by pointing at which further research on the framework is required to use the framework in managing the agile development of safety-critical software....

A New Method to Detect and Correct the Critical Errors and Determine the Software-Reliability in Critical Software-System

International Nuclear Information System (INIS)

Krini, Ossmane; Börcsök, Josef

2012-01-01

In order to use electronic systems comprising of software and hardware components in safety related and high safety related applications, it is necessary to meet the Marginal risk numbers required by standards and legislative provisions. Existing processes and mathematical models are used to verify the risk numbers. On the hardware side, various accepted mathematical models, processes, and methods exist to provide the required proof. To this day, however, there are no closed models or mathematical procedures known that allow for a dependable prediction of software reliability. This work presents a method that makes a prognosis on the residual critical error number in software. Conventional models lack this ability and right now, there are no methods that forecast critical errors. The new method will show that an estimate of the residual error number of critical errors in software systems is possible by using a combination of prediction models, a ratio of critical errors, and the total error number. Subsequently, the critical expected value-function at any point in time can be derived from the new solution method, provided the detection rate has been calculated using an appropriate estimation method. Also, the presented method makes it possible to make an estimate on the critical failure rate. The approach is modelled on a real process and therefore describes two essential processes - detection and correction process.

Validation of Nuclear Criticality Safety Software and 27 energy group ENDF/B-IV cross sections

International Nuclear Information System (INIS)

Lee, B.L. Jr.

1994-08-01

The validation documented in this report is based on calculations that were executed during June through August 1992, and was completed in June 1993. The statistical analyses in Appendix C and Appendix D were completed in October 1993. This validation gives Portsmouth NCS personnel a basis for performing computerized KENO V.a calculations using the Martin Marietta Nuclear Criticality Safety Software. The first portion of the document outlines basic information in regard to validation of NCSS using ENDF/B-IV 27-group cross sections on the IBM 3090 at ORNL. A basic discussion of the NCSS system is provided, some discussion on the validation database and validation in general. Then follows a detailed description of the statistical analysis which was applied. The results of this validation indicate that the NCSS software may be used with confidence for criticality calculations at the Portsmouth Gaseous Diffusion Plant. When the validation results are treated as a single group, there is 95% confidence that 99.9% of future calculations of similar critical systems will have a calculated K eff > 0.9616. Based on this result the Portsmouth Nuclear Criticality Safety Department has adopted the calculational acceptance criteria that a k eff + 2σ ≤ 0.95 is safety subcritical. The validation of NCSS on the IBM 3090 at ORNL was extended to include NCSS on the IBM 3090 at K-25

Diversity for security: case assessment for FPGA-based safety-critical systems

Directory of Open Access Journals (Sweden)

Kharchenko Vyacheslav

2016-01-01

Full Text Available Industrial safety critical instrumentation and control systems (I&Cs are facing more with information (in general and cyber, in particular security threats and attacks. The application of programmable logic, first of all, field programmable gate arrays (FPGA in critical systems causes specific safety deficits. Security assessment techniques for such systems are based on heuristic knowledges and the expert judgment. Main challenge is how to take into account features of FPGA technology for safety critical I&Cs including systems in which are applied diversity approach to minimize risks of common cause failure. Such systems are called multi-version (MV systems. The goal of the paper is in description of the technique and tool for case-based security assessment of MV FPGA-based I&Cs.

Cyber Security Threats to Safety-Critical, Space-Based Infrastructures

Science.gov (United States)

Johnson, C. W.; Atencia Yepez, A.

2012-01-01

Space-based systems play an important role within national critical infrastructures. They are being integrated into advanced air-traffic management applications, rail signalling systems, energy distribution software etc. Unfortunately, the end users of communications, location sensing and timing applications often fail to understand that these infrastructures are vulnerable to a wide range of security threats. The following pages focus on concerns associated with potential cyber-attacks. These are important because future attacks may invalidate many of the safety assumptions that support the provision of critical space-based services. These safety assumptions are based on standard forms of hazard analysis that ignore cyber-security considerations This is a significant limitation when, for instance, security attacks can simultaneously exploit multiple vulnerabilities in a manner that would never occur without a deliberate enemy seeking to damage space based systems and ground infrastructures. We address this concern through the development of a combined safety and security risk assessment methodology. The aim is to identify attack scenarios that justify the allocation of additional design resources so that safety barriers can be strengthened to increase our resilience against security threats.

Towards a lessons learned system for critical software

International Nuclear Information System (INIS)

Andrade, J.; Ares, J.; Garcia, R.; Pazos, J.; Rodriguez, S.; Rodriguez-Paton, A.; Silva, A.

2007-01-01

Failure can be a major driver for the advance of any engineering discipline and Software Engineering is no exception. But failures are useful only if lessons are learned from them. In this article we aim to make a strong defence of, and set the requirements for, lessons learned systems for safety-critical software. We also present a prototype lessons learned system that includes many of the features discussed here. We emphasize that, apart from individual organizations, lessons learned systems should target industrial sectors and even the Software Engineering community. We would like to encourage the Software Engineering community to use this kind of systems as another tool in the toolbox, which complements or enhances other approaches like, for example, standards and checklists

Towards a lessons learned system for critical software

Energy Technology Data Exchange (ETDEWEB)

Andrade, J. [University of A Coruna. Campus de Elvina, s/n. 15071, A Coruna (Spain)]. E-mail: jag@udc.es; Ares, J. [University of A Coruna. Campus de Elvina, s/n. 15071, A Coruna (Spain)]. E-mail: juanar@udc.es; Garcia, R. [University of A Coruna. Campus de Elvina, s/n. 15071, A Coruna (Spain)]. E-mail: rafael@udc.es; Pazos, J. [Technical University of Madrid. Campus de Montegancedo, s/n. 28660, Boadilla del Monte, Madrid (Spain)]. E-mail: jpazos@fi.upm.es; Rodriguez, S. [University of A Coruna. Campus de Elvina, s/n. 15071, A Coruna (Spain)]. E-mail: santi@udc.es; Rodriguez-Paton, A. [Technical University of Madrid. Campus de Montegancedo, s/n. 28660, Boadilla del Monte, Madrid (Spain)]. E-mail: arpaton@fi.upm.es; Silva, A. [Technical University of Madrid. Campus de Montegancedo, s/n. 28660, Boadilla del Monte, Madrid (Spain)]. E-mail: asilva@fi.upm.es

2007-07-15

Failure can be a major driver for the advance of any engineering discipline and Software Engineering is no exception. But failures are useful only if lessons are learned from them. In this article we aim to make a strong defence of, and set the requirements for, lessons learned systems for safety-critical software. We also present a prototype lessons learned system that includes many of the features discussed here. We emphasize that, apart from individual organizations, lessons learned systems should target industrial sectors and even the Software Engineering community. We would like to encourage the Software Engineering community to use this kind of systems as another tool in the toolbox, which complements or enhances other approaches like, for example, standards and checklists.

RICIS Symposium 1992: Mission and Safety Critical Systems Research and Applications

Science.gov (United States)

1992-01-01

This conference deals with computer systems which control systems whose failure to operate correctly could produce the loss of life and or property, mission and safety critical systems. Topics covered are: the work of standards groups, computer systems design and architecture, software reliability, process control systems, knowledge based expert systems, and computer and telecommunication protocols.

Development of Safety-Critical Software for Nuclear Power Plant using a CASE Tool

Energy Technology Data Exchange (ETDEWEB)

Kim, Chang Ho; Oh, Do Young; Kim, Koh Eun; Choi, Woong Seock; Sohn, Se Do; Kim, Jae Hack; Kim, Hang Bae [KEPCO E and C, Daejeon (Korea, Republic of)

2011-08-15

The Integrated SOftware Development Environment (ISODE) is developed to provide the major S/W life cycle processes that are composed of development process, V/V process, requirements traceability process, and automated document generation process and target importing process to Programmable Logic Controller (PLC) platform. This provides critical safety software developers with a certified, domain optimized, model-based development environment, and the associated services to reduce time and efforts to develop software such as debugging, simulation, code generation and document generation. This also provides critical safety software verifiers with integrated V/V features of each phase of the software life cycle using appropriate tools such as model test coverage, formal verification, and automated report generation. In addition to development and verification, the ISODE gives a complete traceability solution from the SW design phase to the testing phase. Using this information, the coverage and impact analysis can be done easily whenever software modification is necessary. The final source codes of ISODE are imported into the newly developed PLC environment, as a module based after automatically converted into the format required by PLC. Additional tests for module and unit level are performed on the target platform.

Development of Safety-Critical Software for Nuclear Power Plant using a CASE Tool

International Nuclear Information System (INIS)

Kim, Chang Ho; Oh, Do Young; Kim, Koh Eun; Choi, Woong Seock; Sohn, Se Do; Kim, Jae Hack; Kim, Hang Bae

2011-01-01

The Integrated SOftware Development Environment (ISODE) is developed to provide the major S/W life cycle processes that are composed of development process, V/V process, requirements traceability process, and automated document generation process and target importing process to Programmable Logic Controller (PLC) platform. This provides critical safety software developers with a certified, domain optimized, model-based development environment, and the associated services to reduce time and efforts to develop software such as debugging, simulation, code generation and document generation. This also provides critical safety software verifiers with integrated V/V features of each phase of the software life cycle using appropriate tools such as model test coverage, formal verification, and automated report generation. In addition to development and verification, the ISODE gives a complete traceability solution from the SW design phase to the testing phase. Using this information, the coverage and impact analysis can be done easily whenever software modification is necessary. The final source codes of ISODE are imported into the newly developed PLC environment, as a module based after automatically converted into the format required by PLC. Additional tests for module and unit level are performed on the target platform

Safety critical software design approach developed for Canadian nuclear power plants

International Nuclear Information System (INIS)

Ichiyen, M.M.; Joannou, P.K.

1995-01-01

Recently two methodologies were developed that comply with a high safety critical standard: the Rational Design Process, which can be characterized as a methodology based on state machines where the required behaviour of the software is defined using mathematical functions written in a notation which has a well defined syntax and semantics, and the Integrated Approach, which uses a graphical functional notation to specify the functional software requirements. The first implementations based on the two methodologies are discussed. Results from all phases of testing show a remarkably low number of errors, demonstrating that the new methodologies have indeed led to a higher demonstrable level of software reliability. (orig./HP) [de

Failure mode and effects analysis of software-based automation systems

International Nuclear Information System (INIS)

Haapanen, P.; Helminen, A.

2002-08-01

Failure mode and effects analysis (FMEA) is one of the well-known analysis methods having an established position in the traditional reliability analysis. The purpose of FMEA is to identify possible failure modes of the system components, evaluate their influences on system behaviour and propose proper countermeasures to suppress these effects. The generic nature of FMEA has enabled its wide use in various branches of industry reaching from business management to the design of spaceships. The popularity and diverse use of the analysis method has led to multiple interpretations, practices and standards presenting the same analysis method. FMEA is well understood at the systems and hardware levels, where the potential failure modes usually are known and the task is to analyse their effects on system behaviour. Nowadays, more and more system functions are realised on software level, which has aroused the urge to apply the FMEA methodology also on software based systems. Software failure modes generally are unknown - 'software modules do not fail, they only display incorrect behaviour' - and depend on dynamic behaviour of the application. These facts set special requirements on the FMEA of software based systems and make it difficult to realise. In this report the failure mode and effects analysis is studied for the use of reliability analysis of software-based systems. More precisely, the target system of FMEA is defined to be a safety-critical software-based automation application in a nuclear power plant, implemented on an industrial automation system platform. Through a literature study the report tries to clarify the intriguing questions related to the practical use of software failure mode and effects analysis. The study is a part of the research project 'Programmable Automation System Safety Integrity assessment (PASSI)', belonging to the Finnish Nuclear Safety Research Programme (FINNUS, 1999-2002). In the project various safety assessment methods and tools for

Survey of bayesian belif nets for quantitative reliability assessment of safety critical software used in nuclear power plants

Energy Technology Data Exchange (ETDEWEB)

Eom, H.S.; Sung, T.Y.; Jeong, H.S.; Park, J.H.; Kang, H.G.; Lee, K

2001-03-01

As part of the Probabilistic Safety Assessment of safety grade digital systems used in Nuclear Power plants research, measures and methodologies applicable to quantitative reliability assessment of safety critical software were surveyed. Among the techniques proposed in the literature we selected those which are in use widely and investigated their limitations in quantitative software reliability assessment. One promising methodology from the survey is Bayesian Belief Nets (BBN) which has a formalism and can combine various disparate evidences relevant to reliability into final decision under uncertainty. Thus we analyzed BBN and its application cases in digital systems assessment area and finally studied the possibility of its application to the quantitative reliability assessment of safety critical software.

Survey of bayesian belif nets for quantitative reliability assessment of safety critical software used in nuclear power plants

International Nuclear Information System (INIS)

Eom, H. S.; Sung, T. Y.; Jeong, H. S.; Park, J. H.; Kang, H. G.; Lee, K.

2001-03-01

As part of the Probabilistic Safety Assessment of safety grade digital systems used in Nuclear Power plants research, measures and methodologies applicable to quantitative reliability assessment of safety critical software were surveyed. Among the techniques proposed in the literature we selected those which are in use widely and investigated their limitations in quantitative software reliability assessment. One promising methodology from the survey is Bayesian Belief Nets (BBN) which has a formalism and can combine various disparate evidences relevant to reliability into final decision under uncertainty. Thus we analyzed BBN and its application cases in digital systems assessment area and finally studied the possibility of its application to the quantitative reliability assessment of safety critical software

REVEAL - A tool for rule driven analysis of safety critical software

International Nuclear Information System (INIS)

Miedl, H.; Kersken, M.

1998-01-01

As the determination of ultrahigh reliability figures for safety critical software is hardly possible, national and international guidelines and standards give mainly requirements for the qualitative evaluation of software. An analysis whether all these requirements are fulfilled is time and effort consuming and prone to errors, if performed manually by analysts, and should instead be dedicated to tools as far as possible. There are many ''general-purpose'' software analysis tools, both static and dynamic, which help analyzing the source code. However, they are not designed to assess the adherence to specific requirements of guidelines and standards in the nuclear field. Against the background of the development of I and C systems in the nuclear field which are based on digital techniques and implemented in high level language, it is essential that the assessor or licenser has a tool with which he can automatically and uniformly qualify as many aspects as possible of the high level language software. For this purpose the software analysis tool REVEAL has been developed at ISTec and the Halden Reactor Project. (author)

Safety, danger and catastrophe inevitability in operation of safety-critical software algorithms: a possible new look at software safety analysis

International Nuclear Information System (INIS)

Povyakalo, A.A.

2000-01-01

The paper provides basic definitions and describes the basic procedure of the Formal Qualitative Safety Analysis (FQSA) of critical software algorithms. The procedure is described by C-based pseudo-code. It uses the notion of weakest precondition and representation of a given critical algorithm by a Gurevich's Abstract State Mashine (GASM). For a given GASM and a given Catastrophe Condition the procedure results in a Catastrophe Inevitability Condition (it means that every sequence of algorithm steps lead to a catastrophe early or late), Danger Condition (it means that next step may lead to a catastrophe or make a catastrophe to be inevitable, but a catastrophe may be prevented yet), Safety Condition (it means that a next step can not lead to a catastrophe or make a catastrophe to be inevitable). The using of proposed procedure is illustrated by a simplest test example of algorithm. The FQSA provides a logical basis for PSA of critical algorithm. (author)

Development of regulation technologies for software verification and validation of I and C systems important to safety in NPPs

International Nuclear Information System (INIS)

Kim, Bok Ryul; Oh, S. H.; Zhu, O. P.; Jeong, C. H.; Hwang, H. S.; Goo, C. S.; Chung, Y. H.

2000-12-01

The project has provided the draft regulatory policies and guides regarding the quality assurance of software used to I and C systems important to safety in nuclear power plants, differentiated V and V activities by safety classes which are important elements in ensuring software quality assurance, and suggested V and V techniques to be applied, regulatory guides and checklists for reviewing software important to safety. The project introduced the classification concepts on software quality assurance. The I and C systems important to safety are classified into IC-1, IC-2, IC-3, and Non-IC as based on safety classifications. And the software used to these I and C systems are classified into 3 categories, say, safety-critical software, safety-related software, and non-safety software, in the light of safety importance of functions to be performed. Based upon these safety classifications, the extent of software V and V activities by each class has been differentiated each other. On the other hand, the project has divided software important to safety into newly-developed software and previously-developed software in terms of design and implementation, and provided the draft regulatory guides on each type of software, for instance, newly-developed software, previously-developed software, and software tools

Application of an integrated PC-based neutronics code system to criticality safety

International Nuclear Information System (INIS)

Briggs, J.B.; Nigg, D.W.

1991-01-01

An integrated system of neutronics and radiation transport software suitable for operation in an IBM PC-class environment has been under development at the Idaho National Engineering Laboratory (INEL) for the past four years. Four modules within the system are particularly useful for criticality safety applications. Using the neutronics portion of the integrated code system, effective neutron multiplication values (k eff values) have been calculated for a variety of benchmark critical experiments for metal systems (Plutonium and Uranium), Aqueous Systems (Plutonium and Uranium) and LWR fuel rod arrays. A description of the codes and methods used in the analysis and the results of the benchmark critical experiments are presented in this paper. In general, excellent agreement was found between calculated and experimental results. (Author)

Software FMEA analysis for safety-related application software

International Nuclear Information System (INIS)

Park, Gee-Yong; Kim, Dong Hoon; Lee, Dong Young

2014-01-01

Highlights: • We develop a modified FMEA analysis suited for applying to software architecture. • A template for failure modes on a specific software language is established. • A detailed-level software FMEA analysis on nuclear safety software is presented. - Abstract: A method of a software safety analysis is described in this paper for safety-related application software. The target software system is a software code installed at an Automatic Test and Interface Processor (ATIP) in a digital reactor protection system (DRPS). For the ATIP software safety analysis, at first, an overall safety or hazard analysis is performed over the software architecture and modules, and then a detailed safety analysis based on the software FMEA (Failure Modes and Effect Analysis) method is applied to the ATIP program. For an efficient analysis, the software FMEA analysis is carried out based on the so-called failure-mode template extracted from the function blocks used in the function block diagram (FBD) for the ATIP software. The software safety analysis by the software FMEA analysis, being applied to the ATIP software code, which has been integrated and passed through a very rigorous system test procedure, is proven to be able to provide very valuable results (i.e., software defects) that could not be identified during various system tests

Development of an FPGA-based controller for safety critical application

International Nuclear Information System (INIS)

Xing, A.; De Grosbois, J.; Sklyar, V.; Archer, P.; Awwal, A.

2011-01-01

In implementing safety functions, Field Programmable Gate Arrays (FPGA) technology offers a distinct combination of benefits and advantages over microprocessor-based systems. FPGAs can be designed such that the final product is purely hardware, without any overhead runtime software, bringing the design closer to a conventional hardware-based solution. On the other hand, FPGAs can implement more complex safety logic that would generally require microprocessor-based safety systems. There are now qualified FPGA-based platforms available on the market with a credible use history in safety applications in nuclear power plants. Atomic Energy of Canada (AECL), in collaboration with RPC Radiy, has initiated a development program to define a vigorous FPGA engineering process suitable for implementing safety critical functions at the application development level. This paper provides an update on the FPGA development program along with the proposed design model using function block diagrams for the development of safety controllers in CANDU applications. (author)

Validation of nuclear criticality safety software and 27 energy group ENDF/B-IV cross sections. Revision 1

International Nuclear Information System (INIS)

Lee, B.L. Jr.; D'Aquila, D.M.

1996-01-01

The original validation report, POEF-T-3636, was documented in August 1994. The document was based on calculations that were executed during June through August 1992. The statistical analyses in Appendix C and Appendix D were completed in October 1993. This revision is written to clarify the margin of safety being used at Portsmouth for nuclear criticality safety calculations. This validation gives Portsmouth NCS personnel a basis for performing computerized KENO V.a calculations using the Lockheed Martin Nuclear Criticality Safety Software. The first portion of the document outlines basic information in regard to validation of NCSS using ENDF/B-IV 27-group cross sections on the IBM3090 at ORNL. A basic discussion of the NCSS system is provided, some discussion on the validation database and validation in general. Then follows a detailed description of the statistical analysis which was applied. The results of this validation indicate that the NCSS software may be used with confidence for criticality calculations at the Portsmouth Gaseous Diffusion Plant. For calculations of Portsmouth systems using the specified codes and systems covered by this validation, a maximum k eff including 2σ of 0.9605 or lower shall be considered as subcritical to ensure a calculational margin of safety of 0.02. The validation of NCSS on the IBM 3090 at ORNL was extended to include NCSS on the IBM 3090 at K-25

Software Dependability and Safety Evaluations ESA's Initiative

Science.gov (United States)

Hernek, M.

ESA has allocated funds for an initiative to evaluate Dependability and Safety methods of Software. The objectives of this initiative are; · More extensive validation of Safety and Dependability techniques for Software · Provide valuable results to improve the quality of the Software thus promoting the application of Dependability and Safety methods and techniques. ESA space systems are being developed according to defined PA requirement specifications. These requirements may be implemented through various design concepts, e.g. redundancy, diversity etc. varying from project to project. Analysis methods (FMECA. FTA, HA, etc) are frequently used during requirements analysis and design activities to assure the correct implementation of system PA requirements. The criticality level of failures, functions and systems is determined and by doing that the critical sub-systems are identified, on which dependability and safety techniques are to be applied during development. Proper performance of the software development requires the development of a technical specification for the products at the beginning of the life cycle. Such technical specification comprises both functional and non-functional requirements. These non-functional requirements address characteristics of the product such as quality, dependability, safety and maintainability. Software in space systems is more and more used in critical functions. Also the trend towards more frequent use of COTS and reusable components pose new difficulties in terms of assuring reliable and safe systems. Because of this, its dependability and safety must be carefully analysed. ESA identified and documented techniques, methods and procedures to ensure that software dependability and safety requirements are specified and taken into account during the design and development of a software system and to verify/validate that the implemented software systems comply with these requirements [R1].

Software Safety Life cycle and Method of POSAFE-Q System

International Nuclear Information System (INIS)

Lee, Jang-Soo; Kwon, Kee-Choon

2006-01-01

This paper describes the relationship between the overall safety life cycle and the software safety life cycle during the development of the software based safety systems of Nuclear Power Plants. This includes the design and evaluation activities of components as well as the system. The paper also compares the safety life cycle and planning activities defined in IEC 61508 with those in IEC 60880, IEEE 7-4.3.2, and IEEE 1228. Using the KNICS project as an example, software safety life cycle and safety analysis methods applied to the POSAFE-Q are demonstrated. KNICS software safety life cycle is described by comparing to the software development, testing, and safety analysis process with international standards. The safety assessment of the software for POSAFE-Q is a joint Korean German project. The assessment methods applied in the project and the experiences gained from this project are presented

Digital System Reliability Test for the Evaluation of safety Critical Software of Digital Reactor Protection System

Directory of Open Access Journals (Sweden)

Hyun-Kook Shin

2006-08-01

Full Text Available A new Digital Reactor Protection System (DRPS based on VME bus Single Board Computer has been developed by KOPEC to prevent software Common Mode Failure(CMF inside digital system. The new DRPS has been proved to be an effective digital safety system to prevent CMF by Defense-in-Depth and Diversity (DID&D analysis. However, for practical use in Nuclear Power Plants, the performance test and the reliability test are essential for the digital system qualification. In this study, a single channel of DRPS prototype has been manufactured for the evaluation of DRPS capabilities. The integrated functional tests are performed and the system reliability is analyzed and tested. The results of reliability test show that the application software of DRPS has a very high reliability compared with the analog reactor protection systems.

Migration of nuclear criticality safety software from a mainframe to a workstation environment

International Nuclear Information System (INIS)

Bowie, L.J.; Robinson, R.C.; Cain, V.R.

1993-01-01

The Nuclear Criticality Safety Department (NCSD), Oak Ridge Y-12 Plant has undergone the transition of executing the Martin Marietta Energy Systems Nuclear Criticality Safety Software (NCSS) on IBM mainframes to a Hewlett-Packard (HP) 9000/730 workstation (NCSSHP). NCSSHP contains the following configuration controlled modules and cross-section libraries: BONAMI, CSAS, GEOMCHY, ICE, KENO IV, KENO Va, MODIIFY, NITAWL SCALE, SLTBLIB, XSDRN, UNIXLIB, albedos library, weights library, 16-Group HANSEN-ROACH master library, 27-Group ENDF/B-IV master library, and standard composition library. This paper will discuss the method used to choose the workstation, the hardware setup of the chosen workstation, an overview of Y-12 software quality assurance and configuration control methodology, code validation, difficulties encountered in migrating the codes, and advantages to migrating to a workstation environment

V&V Within Reuse-Based Software Engineering

Science.gov (United States)

Addy, Edward A.

1996-01-01

Verification and Validation (V&V) is used to increase the level of assurance of critical software, particularly that of safety-critical and mission-critical software. V&V is a systems engineering discipline that evaluates the software in a systems context, and is currently applied during the development of a specific application system. In order to bring the effectiveness of V&V to bear within reuse-based software engineering, V&V must be incorporated within the domain engineering process.

Experiment to evaluate software safety

International Nuclear Information System (INIS)

Soubies, B.; Henry, J.Y.

1994-01-01

The process of licensing nuclear power plants for operation consists of mandatory steps featuring detailed examination of the instrumentation and control system by the safety authorities, including softwares. The criticality of these softwares obliges the manufacturer to develop in accordance with the IEC 880 standard 'Computer software in nuclear power plant safety systems' issued by the International Electronic Commission. The evaluation approach, a two-stage assessment is described in detail. In this context, the IPSN (Institute of Protection and Nuclear Safety), the technical support body of the safety authority uses the MALPAS tool to analyse the quality of the programs. (R.P.). 4 refs

Anatomy of safety-critical computing problems

International Nuclear Information System (INIS)

Swu Yih; Fan Chinfeng; Shirazi, Behrooz

1995-01-01

This paper analyzes the obstacles faced by current safety-critical computing applications. The major problem lies in the difficulty to provide complete and convincing safety evidence to prove that the software is safe. We explain this problem from a fundamental perspective by analyzing the essence of safety analysis against that of software developed by current practice. Our basic belief is that in order to perform a successful safety analysis, the state space structure of the analyzed system must have some properties as prerequisites. We propose the concept of safety analyzability, and derive its necessary and sufficient conditions; namely, definability, finiteness, commensurability, and tractability. We then examine software state space structures against these conditions, and affirm that the safety analyzability of safety-critical software developed by current practice is severely restricted by its state space structure and by the problem of exponential growth cost. Thus, except for small and simple systems, the safety evidence may not be complete and convincing. Our concepts and arguments successfully explain the current problematic situation faced by the safety-critical computing domain. The implications are also discussed

The achievement and assessment of safety in systems containing software

International Nuclear Information System (INIS)

Ball, A.; Dale, C.J.; Butterfield, M.H.

1986-01-01

In order to establish confidence in the safe operation of a reactor protection system, there is a need to establish, as far as it is possible, that: (i) the algorithms used are correct; (ii) the system is a correct implementation of the algorithms; and (iii) the hardware is sufficiently reliable. This paper concentrates principally on the second of these, as it applies to the software aspect of the more accurate and complex trip functions to be performed by modern reactor protection systems. In order to engineer safety into software, there is a need to use a development strategy which will stand a high chance of achieving a correct implementation of the trip algorithms. This paper describes three broad methodologies by which it is possible to enhance the integrity of software: fault avoidance, fault tolerance and fault removal. Fault avoidance is concerned with making the software as fault free as possible by appropriate choice of specification, design and implementation methods. A fault tolerant strategy may be advisable in many safety critical applications, in order to guard against residual faults present in the software of the installed system. Fault detection and removal techniques are used to remove as many faults as possible of those introduced during software development. The paper also discusses safety and reliability assessment as it applies to software, outlining the various approaches available. Finally, there is an outline of a research project underway in the UKAEA which is intended to assess methods for developing and testing safety and protection systems involving software. (author)

Planning the Unplanned Experiment: Towards Assessing the Efficacy of Standards for Safety-Critical Software

Science.gov (United States)

Graydon, Patrick J.; Holloway, C. M.

2015-01-01

Safe use of software in safety-critical applications requires well-founded means of determining whether software is fit for such use. While software in industries such as aviation has a good safety record, little is known about whether standards for software in safety-critical applications 'work' (or even what that means). It is often (implicitly) argued that software is fit for safety-critical use because it conforms to an appropriate standard. Without knowing whether a standard works, such reliance is an experiment; without carefully collecting assessment data, that experiment is unplanned. To help plan the experiment, we organized a workshop to develop practical ideas for assessing software safety standards. In this paper, we relate and elaborate on the workshop discussion, which revealed subtle but important study design considerations and practical barriers to collecting appropriate historical data and recruiting appropriate experimental subjects. We discuss assessing standards as written and as applied, several candidate definitions for what it means for a standard to 'work,' and key assessment strategies and study techniques and the pros and cons of each. Finally, we conclude with thoughts about the kinds of research that will be required and how academia, industry, and regulators might collaborate to overcome the noted barriers.

Evaluating software for safety systems in nuclear power plants

International Nuclear Information System (INIS)

Lawrence, J.D.; Persons, W.L.; Preckshot, G.G.; Gallagher, J.

1994-01-01

In 1991, LLNL was asked by the NRC to provide technical assistance in various aspects of computer technology that apply to computer-based reactor protection systems. This has involved the review of safety aspects of new reactor designs and the provision of technical advice on the use of computer technology in systems important to reactor safety. The latter includes determining and documenting state-of-the-art subjects that require regulatory involvement by the NRC because of their importance in the development and implementation of digital computer safety systems. These subjects include data communications, formal methods, testing, software hazards analysis, verification and validation, computer security, performance, software complexity and others. One topic software reliability and safety is the subject of this paper

Software hazard analysis for nuclear digital protection system by Colored Petri Net

International Nuclear Information System (INIS)

Bai, Tao; Chen, Wei-Hua; Liu, Zhen; Gao, Feng

2017-01-01

Highlights: •A dynamic hazard analysis method is proposed for the safety-critical software. •The mechanism relies on Colored Petri Net. •Complex interactions between software and hardware are captured properly. •Common failure mode in software are identified effectively. -- Abstract: The software safety of a nuclear digital protection system is critical for the safety of nuclear power plants as any software defect may result in severe damage. In order to ensure the safety and reliability of safety-critical digital system products and their applications, software hazard analysis is required to be performed during the lifecycle of software development. The dynamic software hazard modeling and analysis method based on Colored Petri Net is proposed and applied to the safety-critical control software of the nuclear digital protection system in this paper. The analysis results show that the proposed method can explain the complex interactions between software and hardware and identify the potential common cause failure in software properly and effectively. Moreover, the method can find the dominant software induced hazard to safety control actions, which aids in increasing software quality.

Safety certification of airborne software: An empirical study

International Nuclear Information System (INIS)

Dodd, Ian; Habli, Ibrahim

2012-01-01

Many safety-critical aircraft functions are software-enabled. Airborne software must be audited and approved by the aerospace certification authorities prior to deployment. The auditing process is time-consuming, and its outcome is unpredictable, due to the criticality and complex nature of airborne software. To ensure that the engineering of airborne software is systematically regulated and is auditable, certification authorities mandate compliance with safety standards that detail industrial best practice. This paper reviews existing practices in software safety certification. It also explores how software safety audits are performed in the civil aerospace domain. The paper then proposes a statistical method for supporting software safety audits by collecting and analysing data about the software throughout its lifecycle. This method is then empirically evaluated through an industrial case study based on data collected from 9 aerospace projects covering 58 software releases. The results of this case study show that our proposed method can help the certification authorities and the software and safety engineers to gain confidence in the certification readiness of airborne software and predict the likely outcome of the audits. The results also highlight some confidentiality issues concerning the management and retention of sensitive data generated from safety-critical projects.

Comparison of the Safety Critical Software V and V Requirements for the Research Reactor Instrumentation and Control System

Energy Technology Data Exchange (ETDEWEB)

Joo, Sungmoon; Suh, Yong-Suk; Park, Cheol [Korea Atomic Energy Research Institute, Daejeon (Korea, Republic of)

2016-10-15

This study was motivated by a research reactor project where the owner of the project and the equipment vendors are from two different standards frameworks. This paper reviews two major standards frameworks - NRC-IEEE and IAEA-IEC - and the software classification schemes as a background, then discuss the V and V issue. The purpose of this paper is by no means to solve the cross-standards-framework qualification issue, but, rather, is to remind the stakeholders of research reactor projects. V and V are also essential for the approval from regulatory bodies. As standards define or recommend consolidated engineering practices, methods, or criteria, V and V activities for software qualification are not exceptional. Within a standards framework, usually, the processes for the qualification of safety-critical software are well-established such that the safety is maximized while minimizing the compromises in software quality, safety, and reliability. When, however, multiple standards frameworks are involved in a research reactor project, it is difficult for equipment vendors to implement appropriate V and V activities as there is no unified view on this cross-standards-framework qualification issue yet. There are two major standards frameworks for safety-critical software development in nuclear industry. Unfortunately different safety classifications for software and thus different requirements for qualification are in place. What makes things worse is that (i) there are ambiguities in the standards and rooms for each stakeholders’ interpretation, and (ii) there is no one-to-one mapping between the associated V and V methods and activities. These may put the stakeholders of research reactor projects in trouble.

Comparison of the Safety Critical Software V and V Requirements for the Research Reactor Instrumentation and Control System

International Nuclear Information System (INIS)

Joo, Sungmoon; Suh, Yong-Suk; Park, Cheol

2016-01-01

This study was motivated by a research reactor project where the owner of the project and the equipment vendors are from two different standards frameworks. This paper reviews two major standards frameworks - NRC-IEEE and IAEA-IEC - and the software classification schemes as a background, then discuss the V and V issue. The purpose of this paper is by no means to solve the cross-standards-framework qualification issue, but, rather, is to remind the stakeholders of research reactor projects. V and V are also essential for the approval from regulatory bodies. As standards define or recommend consolidated engineering practices, methods, or criteria, V and V activities for software qualification are not exceptional. Within a standards framework, usually, the processes for the qualification of safety-critical software are well-established such that the safety is maximized while minimizing the compromises in software quality, safety, and reliability. When, however, multiple standards frameworks are involved in a research reactor project, it is difficult for equipment vendors to implement appropriate V and V activities as there is no unified view on this cross-standards-framework qualification issue yet. There are two major standards frameworks for safety-critical software development in nuclear industry. Unfortunately different safety classifications for software and thus different requirements for qualification are in place. What makes things worse is that (i) there are ambiguities in the standards and rooms for each stakeholders’ interpretation, and (ii) there is no one-to-one mapping between the associated V and V methods and activities. These may put the stakeholders of research reactor projects in trouble

Model checking of safety-critical software in the nuclear engineering domain

International Nuclear Information System (INIS)

Lahtinen, J.; Valkonen, J.; Björkman, K.; Frits, J.; Niemelä, I.; Heljanko, K.

2012-01-01

Instrumentation and control (I and C) systems play a vital role in the operation of safety-critical processes. Digital programmable logic controllers (PLC) enable sophisticated control tasks which sets high requirements for system validation and verification methods. Testing and simulation have an important role in the overall verification of a system but are not suitable for comprehensive evaluation because only a limited number of system behaviors can be analyzed due to time limitations. Testing is also performed too late in the development lifecycle and thus the correction of design errors is expensive. This paper discusses the role of formal methods in software development in the area of nuclear engineering. It puts forward model checking, a computer-aided formal method for verifying the correctness of a system design model, as a promising approach to system verification. The main contribution of the paper is the development of systematic methodology for modeling safety critical systems in the nuclear domain. Two case studies are reviewed, in which we have found errors that were previously not detected. We also discuss the actions that should be taken in order to increase confidence in the model checking process.

Security for safety critical space borne systems

Science.gov (United States)

Legrand, Sue

1987-01-01

The Space Station contains safety critical computer software components in systems that can affect life and vital property. These components require a multilevel secure system that provides dynamic access control of the data and processes involved. A study is under way to define requirements for a security model providing access control through level B3 of the Orange Book. The model will be prototyped at NASA-Johnson Space Center.

Automated Translation of Safety Critical Application Software Specifications into PLC Ladder Logic

Science.gov (United States)

Leucht, Kurt W.; Semmel, Glenn S.

2008-01-01

The numerous benefits of automatic application code generation are widely accepted within the software engineering community. A few of these benefits include raising the abstraction level of application programming, shorter product development time, lower maintenance costs, and increased code quality and consistency. Surprisingly, code generation concepts have not yet found wide acceptance and use in the field of programmable logic controller (PLC) software development. Software engineers at the NASA Kennedy Space Center (KSC) recognized the need for PLC code generation while developing their new ground checkout and launch processing system. They developed a process and a prototype software tool that automatically translates a high-level representation or specification of safety critical application software into ladder logic that executes on a PLC. This process and tool are expected to increase the reliability of the PLC code over that which is written manually, and may even lower life-cycle costs and shorten the development schedule of the new control system at KSC. This paper examines the problem domain and discusses the process and software tool that were prototyped by the KSC software engineers.

Software qualification in safety applications

International Nuclear Information System (INIS)

Lawrence, J.D.

2000-01-01

The developers of safety-critical instrumentation and control systems must qualify the design of the components used, including the software in the embedded computer systems, in order to ensure that the component can be trusted to perform its safety function under the full range of operating conditions. There are well known ways to qualify analog systems using the facts that: (1) they are built from standard modules with known properties; (2) design documents are available and described in a well understood language; (3) the performance of the component is constrained by physics; and (4) physics models exist to predict the performance. These properties are not generally available for qualifying software, and one must fall back on extensive testing and qualification of the design process. Neither of these is completely satisfactory. The research reported here is exploring an alternative approach that is intended to permit qualification for an important subset of instrumentation software. The research goal is to determine if a combination of static analysis and limited testing can be used to qualify a class of simple, but practical, computer-based instrumentation components for safety application. These components are of roughly the complexity of a motion detector alarm controller. This goal is accomplished by identifying design constraints that enable meaningful analysis and testing. Once such design constraints are identified, digital systems can be designed to allow for analysis and testing, or existing systems may be tested for conformance to the design constraints as a first step in a qualification process. This will considerably reduce the cost and monetary risk involved in qualifying commercial components for safety-critical service

Reliability assessment for safety critical systems by statistical random testing

International Nuclear Information System (INIS)

Mills, S.E.

1995-11-01

In this report we present an overview of reliability assessment for software and focus on some basic aspects of assessing reliability for safety critical systems by statistical random testing. We also discuss possible deviations from some essential assumptions on which the general methodology is based. These deviations appear quite likely in practical applications. We present and discuss possible remedies and adjustments and then undertake applying this methodology to a portion of the SDS1 software. We also indicate shortcomings of the methodology and possible avenues to address to follow to address these problems. (author). 128 refs., 11 tabs., 31 figs

Reliability assessment for safety critical systems by statistical random testing

Energy Technology Data Exchange (ETDEWEB)

Mills, S E [Carleton Univ., Ottawa, ON (Canada). Statistical Consulting Centre

1995-11-01

In this report we present an overview of reliability assessment for software and focus on some basic aspects of assessing reliability for safety critical systems by statistical random testing. We also discuss possible deviations from some essential assumptions on which the general methodology is based. These deviations appear quite likely in practical applications. We present and discuss possible remedies and adjustments and then undertake applying this methodology to a portion of the SDS1 software. We also indicate shortcomings of the methodology and possible avenues to address to follow to address these problems. (author). 128 refs., 11 tabs., 31 figs.

The safety implications of emerging software paradigms

International Nuclear Information System (INIS)

Suski, G.J.; Persons, W.L.; Johnson, G.L.

1994-10-01

This paper addresses some of the emerging software paradigms that may be used in developing safety-critical software applications. Paradigms considered in this paper include knowledge-based systems, neural networks, genetic algorithms, and fuzzy systems. It presents one view of the software verification and validation activities that should be associated with each paradigm. The paper begins with a discussion of the historical evolution of software verification and validation. Next, a comparison is made between the verification and validation processes used for conventional and emerging software systems. Several verification and validation issues for the emerging paradigms are discussed and some specific research topics are identified. This work is relevant for monitoring and control at nuclear power plants

An integrated computer design environment for the development of micro-computer critical software

International Nuclear Information System (INIS)

De Agostino, E.; Massari, V.

1986-01-01

The paper deals with the development of micro-computer software for Nuclear Safety System. More specifically, it describes an experimental work in the field of software development methodologies to be used for the implementation of micro-computer based safety systems. An investigation of technological improvements that are provided by state-of-the-art integrated packages for micro-based systems development has been carried out. The work has aimed to assess a suitable automated tools environment for the whole software life-cycle. The main safety functions, as DNBR, KW/FT, of a nuclear power reactor have been implemented in a host-target approach. A prototype test-bed microsystem has been implemented to run the safety functions in order to derive a concrete evaluation on the feasibility of critical software according to new technological trends of ''Software Factories''. (author)

ESRS guidelines for software safety reviews. Reference document for the organization and conduct of Engineering Safety Review Services (ESRS) on software important to safety in nuclear power plants

International Nuclear Information System (INIS)

2000-01-01

The IAEA provides safety review services to assist Member States in the application of safety standards and, in particular, to evaluate and facilitate improvements in nuclear power plant safety performance. Complementary to the Operational Safety Review Team (OSART) and the International Regulatory Review Team (IRRT) services are the Engineering Safety Review Services (ESRS), which include reviews of siting, external events and structural safety, design safety, fire safety, ageing management and software safety. Software is of increasing importance to safety in nuclear power plants as the use of computer based equipment and systems, controlled by software, is increasing in new and older plants. Computer based devices are used in both safety related applications (such as process control and monitoring) and safety critical applications (such as reactor protection). Their dependability can only be ensured if a systematic, fully documented and reviewable engineering process is used. The ESRS on software safety are designed to assist a nuclear power plant or a regulatory body of a Member State in the review of documentation relating to the development, application and safety assessment of software embedded in computer based systems important to safety in nuclear power plants. The software safety reviews can be tailored to the specific needs of the requesting organization. Examples of such reviews are: project planning reviews, reviews of specific issues and reviews prior final acceptance. This report gives information on the possible scope of ESRS software safety reviews and guidance on the organization and conduct of the reviews. It is aimed at Member States considering these reviews and IAEA staff and external experts performing the reviews. The ESRS software safety reviews evaluate the degree to which software documents show that the development process and the final product conform to international standards, guidelines and current practices. Recommendations are

Software safety hazard analysis

International Nuclear Information System (INIS)

Lawrence, J.D.

1996-02-01

Techniques for analyzing the safety and reliability of analog-based electronic protection systems that serve to mitigate hazards in process control systems have been developed over many years, and are reasonably well understood. An example is the protection system in a nuclear power plant. The extension of these techniques to systems which include digital computers is not well developed, and there is little consensus among software engineering experts and safety experts on how to analyze such systems. One possible technique is to extend hazard analysis to include digital computer-based systems. Software is frequently overlooked during system hazard analyses, but this is unacceptable when the software is in control of a potentially hazardous operation. In such cases, hazard analysis should be extended to fully cover the software. A method for performing software hazard analysis is proposed in this paper

Design Information from the PSA for Digital Safety-Critical Systems

International Nuclear Information System (INIS)

Kang, Hyun Gook; Jang, Seung Cheol

2005-01-01

Many safety-critical applications such as nuclear field application usually adopt a similar design strategy for digital safety-critical systems. Their differences from the normal design for the non-safety-critical applications could be summarized as: multiple-redundancy, highly reliable components, strengthened monitoring mechanism, verified software, and automated test procedure. These items are focusing on maintaining the capability to perform the given safety function when it is requested. For the past several decades, probabilistic safety assessment (PSA) techniques are used in the nuclear industry to assess the relative effects of contributing events on plant risk and system reliability. They provide a unifying means of assessing physical faults, recovery processes, contributing effects, human actions, and other events that have a high degree of uncertainty. The applications of PSA provide not only the analysis results of already installed system but also the useful information for the system under design. The information could be derived from the PSA experience of the various safety-critical systems. Thanks to the design flexibility, the digital system is one of the most suitable candidates for risk-informed design (RID). In this article, we will describe the feedbacks for system design and try to develop a procedure for RID. Even though the procedure is not sophisticated enough now, it could be the start point of the further investigation for developing more complete and practical methodology

75 FR 11918 - Hewlett Pachard Company, Business Critical Systems, Mission Critical Business Software Division...

Science.gov (United States)

2010-03-12

... Pachard Company, Business Critical Systems, Mission Critical Business Software Division, Openvms Operating... Colorado, Marlborough, Massachuetts; Hewlett Pachard Company, Business Critical Systems, Mission Critical... Company, Business Critical Systems, Mission Critical Business Software Division, OpenVMS Operating System...

Design aspects of safety critical instrumentation of nuclear installations

Energy Technology Data Exchange (ETDEWEB)

Swaminathan, P. [Electronics Group, Indira Gandhi Centre for Atomic Research, Kalpakkam 603 102, Tamil Nadu (India)]. E-mail: swamy@igcar.ernet.in

2005-07-01

Safety critical instrumentation systems ensure safe shutdown/configuration of the nuclear installation when process status exceeds the safety threshold limits. Design requirements for safety critical instrumentation such as functional and electrical independence, fail-safe design, and architecture to ensure the specified unsafe failure rate and safe failure rate, human machine interface (HMI), etc., are explained with examples. Different fault tolerant architectures like 1/2, 2/2, 2/3 hot stand-by are compared for safety critical instrumentation. For embedded systems, software quality assurance is detailed both during design phase and O and M phase. Different software development models such as waterfall model and spiral model are explained with examples. The error distribution in embedded system is detailed. The usage of formal method is outlined to reduce the specification error. The guidelines for coding of application software are outlined. The interface problems of safety critical instrumentation with sensors, actuators, other computer systems, etc., are detailed with examples. Testability and maintainability shall be taken into account during design phase. Online diagnostics for safety critical instrumentation is detailed with examples. Salient details of design guides from Atomic Energy Regulatory Board, International Atomic Energy Agency and standards from IEEE, BIS are given towards the design of safety critical instrumentation systems. (author)

Design aspects of safety critical instrumentation of nuclear installations

International Nuclear Information System (INIS)

Swaminathan, P.

2005-01-01

Safety critical instrumentation systems ensure safe shutdown/configuration of the nuclear installation when process status exceeds the safety threshold limits. Design requirements for safety critical instrumentation such as functional and electrical independence, fail-safe design, and architecture to ensure the specified unsafe failure rate and safe failure rate, human machine interface (HMI), etc., are explained with examples. Different fault tolerant architectures like 1/2, 2/2, 2/3 hot stand-by are compared for safety critical instrumentation. For embedded systems, software quality assurance is detailed both during design phase and O and M phase. Different software development models such as waterfall model and spiral model are explained with examples. The error distribution in embedded system is detailed. The usage of formal method is outlined to reduce the specification error. The guidelines for coding of application software are outlined. The interface problems of safety critical instrumentation with sensors, actuators, other computer systems, etc., are detailed with examples. Testability and maintainability shall be taken into account during design phase. Online diagnostics for safety critical instrumentation is detailed with examples. Salient details of design guides from Atomic Energy Regulatory Board, International Atomic Energy Agency and standards from IEEE, BIS are given towards the design of safety critical instrumentation systems. (author)

BBN based Quantitative Assessment of Software Design Specification

International Nuclear Information System (INIS)

Eom, Heung-Seop; Park, Gee-Yong; Kang, Hyun-Gook; Kwon, Kee-Choon; Chang, Seung-Cheol

2007-01-01

Probabilistic Safety Assessment (PSA), which is one of the important methods in assessing the overall safety of a nuclear power plant (NPP), requires quantitative reliability information of safety-critical software, but the conventional reliability assessment methods can not provide enough information for PSA of a NPP. Therefore current PSA which includes safety-critical software does not usually consider the reliability of the software or uses arbitrary values for it. In order to solve this situation this paper proposes a method that can produce quantitative reliability information of safety-critical software for PSA by making use of Bayesian Belief Networks (BBN). BBN has generally been used to model an uncertain system in many research fields including the safety assessment of software. The proposed method was constructed by utilizing BBN which can combine the qualitative and the quantitative evidence relevant to the reliability of safety critical software. The constructed BBN model can infer a conclusion in a formal and a quantitative way. A case study was carried out with the proposed method to assess the quality of software design specification (SDS) of safety-critical software that will be embedded in a reactor protection system. The intermediate V and V results of the software design specification were used as inputs to the BBN model

Implementing Software Safety in the NASA Environment

Science.gov (United States)

Wetherholt, Martha S.; Radley, Charles F.

1994-01-01

the system to be built. Shortly thereafter, as the system requirements are being defined, the second iteration of hazard analyses takes place, the systems hazard analysis (SHA). During the systems requirements phase, decisions are made as to what functions of the system will be the responsibility of software. This is the most critical time to affect the safety of the software. From this point, software safety analyses as well as software engineering practices are the main focus for assuring safe software. While many of the steps proposed in this paper seem like just sound engineering practices, they are the best technical and most cost effective means to assure safe software within a safe system.

Agility in Development of Safety-Critical Software: A Conceptual Model

DEFF Research Database (Denmark)

Tordrup Heeager, Lise; Nielsen, Peter Axel

2018-01-01

Safety-critical information systems are being used increasingly as we see applications in new areas such as personal medical devices, traffic control and detection of pathogens. A current research debate is whether safety-critical systems must be developed with traditional waterfall processes...

Determination of the number of software tests using probabilistic safety assessment

International Nuclear Information System (INIS)

Kang, H. K.; Seong, T. Y.; Lee, K. Y.

2000-01-01

The broader usage of digital equipment in nuclear power plants gives rise to the safety problems of software. The field test should be performed before the software is used in critical applications because it is well known that software shows non-linear response when it is applied to different target systems in different environment. In the case of safety-critical applications, the result of tests contains usually zero failure case and the satisfiable number of tests is hard to be determined. In this paper, we suggests the method to determine the number of software tests without failure using the probabilistic safety assessment. From the result of the probabilistic safety assessment on total system, the desirable unavailability of software is calculated and the number of tests is determined

Analysis and recommendations for a reliable programming of software based safety systems

International Nuclear Information System (INIS)

Nunez McLeod, J.; Nunez McLeod, J.E.; Rivera, S.S.

1997-01-01

The present paper summarizes the results of several studies performed for the development of high software on i486 microprocessors, towards its utilization for control and safety systems for nuclear power plants. The work is based on software programmed in C language. Several recommendations oriented to high reliability software are analyzed, relating the requirements on high level language to its influence on assembler level. Several metrics are implemented, that allow for the quantification of the results achieved. New metrics were developed and other were adapted, in order to obtain more efficient indexes for the software description. Such metrics are helpful to visualize the adaptation of the software under development to the quality rules under use. A specific program developed to assist the reliability analyst on this quantification is also present in the paper. It performs the analysis of an executable program written in C language, disassembling it and evaluating its inter al structures. (author)

V and V methods of a safety-critical software for a programmable logic controller

Energy Technology Data Exchange (ETDEWEB)

Kim, Jang Yeol; Lee, Young Jun; Cha, Kyung Ho; Cheon, Se Woo; Lee, Jang Soo; Kwon, Kee Choon [Korea Atomic Energy Research Institute, Daejeon (Korea, Republic of); Kong, Seung Ju [Korea Hydro and Nuclear Power Co., Ltd, Daejeon (Korea, Republic of)

2005-11-15

This paper addresses the Verification an Validation(V and V) process and the methodology for an embedded real time software of a safety-grade Programmable Logic Controller(PLC). This safety-grade PLC is being developed as one of the Korean Nuclear Instrumentation and Control System(KNICS) project KNICS projects are developing a Reactor Protection System(RPS) and an Engineered Safety Feature-Component Control System(ESF-CCS) as well as a safety-grade PLC. The safety-grade PLC will be a major component that encomposes the RPS systems and the ESF-CCS systems as nuclear instruments and control equipment. This paper describes the V and V guidelines an procedures, V and V environment, V and V process and methodology, and the V and V tools in the KNICS projects. Specifically, it describes the real-time operating system V and V experience which corresponds to the requirement analysis phase, design phase and the implementation and testing phase of the software development life cycle. Main activities of the V and V for the PLC system software are a technical evaluation, licensing suitability evaluation, inspection and traceability analysis, formal verification, software safety analysis, and a software configuration management. The proposed V and V methodology satisfies the Standard Review Plan(SRP)/Branch Technical Position(BTP)-14 criteria for the safety software in nuclear power plants. The proposed V and V methodology is going to be used to verify the upcoming software life cycle in the KNICS projects.

V and V methods of a safety-critical software for a programmable logic controller

International Nuclear Information System (INIS)

Kim, Jang Yeol; Lee, Young Jun; Cha, Kyung Ho; Cheon, Se Woo; Lee, Jang Soo; Kwon, Kee Choon; Kong, Seung Ju

2005-01-01

This paper addresses the Verification an Validation(V and V) process and the methodology for an embedded real time software of a safety-grade Programmable Logic Controller(PLC). This safety-grade PLC is being developed as one of the Korean Nuclear Instrumentation and Control System(KNICS) project KNICS projects are developing a Reactor Protection System(RPS) and an Engineered Safety Feature-Component Control System(ESF-CCS) as well as a safety-grade PLC. The safety-grade PLC will be a major component that encomposes the RPS systems and the ESF-CCS systems as nuclear instruments and control equipment. This paper describes the V and V guidelines an procedures, V and V environment, V and V process and methodology, and the V and V tools in the KNICS projects. Specifically, it describes the real-time operating system V and V experience which corresponds to the requirement analysis phase, design phase and the implementation and testing phase of the software development life cycle. Main activities of the V and V for the PLC system software are a technical evaluation, licensing suitability evaluation, inspection and traceability analysis, formal verification, software safety analysis, and a software configuration management. The proposed V and V methodology satisfies the Standard Review Plan(SRP)/Branch Technical Position(BTP)-14 criteria for the safety software in nuclear power plants. The proposed V and V methodology is going to be used to verify the upcoming software life cycle in the KNICS projects

A Conceptual Model of Agile Software Development in a Safety-Critical Context: A Systematic Literature Review

DEFF Research Database (Denmark)

Tordrup Heeager, Lise; Nielsen, Peter Axel

2018-01-01

challenges of agile software development of safety-critical systems. The conceptual model consists of four problematic practice areas and five relationships, which we find to be even more important than the problematic areas. From this review, we suggest that there are important research gaps that need...... processes or agile processes that are purportedly faster and promise to lead to better products. Objective: To identify the issues and disputes in agile development of safety-critical software and the key qualities as found in the extant research literature. Method: We conducted a systematic literature...... review as an interpretive study following a research design to search, assess, extract, group, and understand the results of the found studies. Results: There are key issues and propositions that we elicit from the literature and combine into a conceptual model for understanding the foundational...

Intermediate probabilistic safety assessment approach for safety critical digital systems

International Nuclear Information System (INIS)

Taeyong, Sung; Hyun Gook, Kang

2001-01-01

Even though the conventional probabilistic safety assessment methods are immature for applying to microprocessor-based digital systems, practical needs force to apply it. In the Korea, UCN 5 and 6 units are being constructed and Korean Next Generation Reactor is being designed using the digital instrumentation and control equipment for the safety related functions. Korean regulatory body requires probabilistic safety assessment. This paper analyzes the difficulties on the assessment of digital systems and suggests an intermediate framework for evaluating their safety using fault tree models. The framework deals with several important characteristics of digital systems including software modules and fault-tolerant features. We expect that the analysis result will provide valuable design feedback. (authors)

A Bayesian belief nets based quantitative software reliability assessment for PSA: COTS case study

International Nuclear Information System (INIS)

Eom, H. S.; Sung, T. Y.; Jeong, H. S.; Park, J. H.; Kang, H. G.; Lee, K. Y.; Park, J. K

2002-03-01

Current reliability assessments of safety critical software embedded in the digital systems in nuclear power plants are based on the rule-based qualitative assessment methods. Then recently practical needs require the quantitative features of software reliability for Probabilistic Safety Assessment (PSA) that is one of important methods being used in assessing the whole safety of nuclear power plant. But conventional quantitative software reliability assessment methods are not enough to get the necessary results in assessing the safety critical software used in nuclear power plants. Thus, current reliability assessment methods for these digital systems exclude the software part or use arbitrary values for the software reliability in the assessment. This reports discusses a Bayesian Belief Nets (BBN) based quantification method that models current qualitative software assessment in formal way and produces quantitative results required for PSA. Commercial Off-The-Shelf (COTS) software dedication process that KAERI developed was applied to the discussed BBN based method for evaluating the plausibility of the proposed method in PSA

Safety-critical Java for embedded systems

DEFF Research Database (Denmark)

Schoeberl, Martin; Dalsgaard, Andreas Engelbredt; Hansen, René Rydhof

2016-01-01

This paper presents the motivation for and outcomes of an engineering research project on certifiable Javafor embedded systems. The project supports the upcoming standard for safety-critical Java, which defines asubset of Java and libraries aiming for development of high criticality systems....... The outcome of this projectinclude prototype safety-critical Java implementations, a time-predictable Java processor, analysis tools formemory safety, and example applications to explore the usability of safety-critical Java for this applicationarea. The text summarizes developments and key contributions...

Software reliability and safety in nuclear reactor protection systems

Energy Technology Data Exchange (ETDEWEB)

Lawrence, J.D. [Lawrence Livermore National Lab., CA (United States)

1993-11-01

Planning the development, use and regulation of computer systems in nuclear reactor protection systems in such a way as to enhance reliability and safety is a complex issue. This report is one of a series of reports from the Computer Safety and Reliability Group, Lawrence Livermore that investigates different aspects of computer software in reactor National Laboratory, that investigates different aspects of computer software in reactor protection systems. There are two central themes in the report, First, software considerations cannot be fully understood in isolation from computer hardware and application considerations. Second, the process of engineering reliability and safety into a computer system requires activities to be carried out throughout the software life cycle. The report discusses the many activities that can be carried out during the software life cycle to improve the safety and reliability of the resulting product. The viewpoint is primarily that of the assessor, or auditor.

Software reliability and safety in nuclear reactor protection systems

International Nuclear Information System (INIS)

Lawrence, J.D.

1993-11-01

Planning the development, use and regulation of computer systems in nuclear reactor protection systems in such a way as to enhance reliability and safety is a complex issue. This report is one of a series of reports from the Computer Safety and Reliability Group, Lawrence Livermore that investigates different aspects of computer software in reactor National Laboratory, that investigates different aspects of computer software in reactor protection systems. There are two central themes in the report, First, software considerations cannot be fully understood in isolation from computer hardware and application considerations. Second, the process of engineering reliability and safety into a computer system requires activities to be carried out throughout the software life cycle. The report discusses the many activities that can be carried out during the software life cycle to improve the safety and reliability of the resulting product. The viewpoint is primarily that of the assessor, or auditor

Development methodology for the software life cycle process of the safety software

Energy Technology Data Exchange (ETDEWEB)

Kim, D. H.; Lee, S. S. [BNF Technology, Taejon (Korea, Republic of); Cha, K. H.; Lee, C. S.; Kwon, K. C.; Han, H. B. [KAERI, Taejon (Korea, Republic of)

2002-05-01

A methodology for developing software life cycle processes (SLCP) is proposed to develop the digital safety-critical Engineered Safety Features - Component Control System (ESF-CCS) successfully. A software life cycle model is selected as the hybrid model mixed with waterfall, prototyping, and spiral models and is composed of two stages , development stages of prototype of ESF-CCS and ESF-CCS. To produce the software life cycle (SLC) for the Development of the Digital Reactor Safety System, the Activities referenced in IEEE Std. 1074-1997 are mapped onto the hybrid model. The SLCP is established after the available OPAs (Organizational Process Asset) are applied to the SLC Activities, and the known constraints are reconciled. The established SLCP describes well the software life cycle activities with which the Regulatory Authority provides.

Development methodology for the software life cycle process of the safety software

International Nuclear Information System (INIS)

Kim, D. H.; Lee, S. S.; Cha, K. H.; Lee, C. S.; Kwon, K. C.; Han, H. B.

2002-01-01

A methodology for developing software life cycle processes (SLCP) is proposed to develop the digital safety-critical Engineered Safety Features - Component Control System (ESF-CCS) successfully. A software life cycle model is selected as the hybrid model mixed with waterfall, prototyping, and spiral models and is composed of two stages , development stages of prototype of ESF-CCS and ESF-CCS. To produce the software life cycle (SLC) for the Development of the Digital Reactor Safety System, the Activities referenced in IEEE Std. 1074-1997 are mapped onto the hybrid model. The SLCP is established after the available OPAs (Organizational Process Asset) are applied to the SLC Activities, and the known constraints are reconciled. The established SLCP describes well the software life cycle activities with which the Regulatory Authority provides

Model-based testing for software safety

NARCIS (Netherlands)

Gurbuz, Havva Gulay; Tekinerdogan, Bedir

2017-01-01

Testing safety-critical systems is crucial since a failure or malfunction may result in death or serious injuries to people, equipment, or environment. An important challenge in testing is the derivation of test cases that can identify the potential faults. Model-based testing adopts models of a

Software quality assurance and software safety in the Biomed Control System

International Nuclear Information System (INIS)

Singh, R.P.; Chu, W.T.; Ludewigt, B.A.; Marks, K.M.; Nyman, M.A.; Renner, T.R.; Stradtner, R.

1989-01-01

The Biomed Control System is a hardware/software system used for the delivery, measurement and monitoring of heavy-ion beams in the patient treatment and biology experiment rooms in the Bevalac at the Lawrence Berkeley Laboratory (LBL). This paper describes some aspects of this system including historical background philosophy, configuration management, hardware features that facilitate software testing, software testing procedures, the release of new software quality assurance, safety and operator monitoring. 3 refs

Estimating Impact and Frequency of Risks to Safety and Mission Critical Systems Using CVSS

NARCIS (Netherlands)

Houmb, S.H.; Nunes Leal Franqueira, V.; Engum, E.A.

2008-01-01

Many safety and mission critical systems depend on the correct and secure operation of both supportive and core software systems. E.g., both the safety of personnel and the effective execution of core missions on an oil platform depend on the correct recording storing, transfer and interpretation of

The PSA of safety-critical digital I and C system: the determination of important factors and sensitivity analysis

International Nuclear Information System (INIS)

Kang, H. G.; Sung, T. Y.; Eom, H. S.; Jeong, H. S.; Park, J. K.; Lee, K. Y.; Park, J. K.

2002-01-01

This report is prepared to suggest a practical Probabilistic Safety Assessment (PSA) methodology of safety-critical digital instrumentation and control (I and C) systems. Even though conventional probabilistic safety assessment methods are immature for applying to microprocessor-based digital systems, practical needs force to apply it because the result of probabilistic safety assessment plays very important role in proving the safety of a designed system. Microprocessors and software technologies make the digital system very complex and hard to analyze the safety of their applications. The aim of this is: (1) To summarize the factors which should be represented by the model for probabilistic safety assessment and to propose a standpoint of evaluation for digital systems. (2) To quantitatively presents the results of a mathematical case study which examines the analysis framework of the safety of digital systems in the context of the PSA. (3) To show the results of a sensitivity study for some critical factors

Design verification enhancement of field programmable gate array-based safety-critical I&C system of nuclear power plant

Energy Technology Data Exchange (ETDEWEB)

Ahmed, Ibrahim [Department of Nuclear Engineering, Kyung Hee University, 1732 Deogyeong-daero, Giheung-gu, Yongin-si, Gyeonggi-do 17104 (Korea, Republic of); Jung, Jaecheon, E-mail: jcjung@kings.ac.kr [Department of Nuclear Power Plant Engineering, KEPCO International Nuclear Graduate School, 658-91 Haemaji-ro, Seosang-myeon, Ulju-gun, Ulsan 45014 (Korea, Republic of); Heo, Gyunyoung [Department of Nuclear Engineering, Kyung Hee University, 1732 Deogyeong-daero, Giheung-gu, Yongin-si, Gyeonggi-do 17104 (Korea, Republic of)

2017-06-15

Highlights: • An enhanced, systematic and integrated design verification approach is proposed for V&V of FPGA-based I&C system of NPP. • RPS bistable fixed setpoint trip algorithm is designed, analyzed, verified and discussed using the proposed approaches. • The application of integrated verification approach simultaneously verified the entire design modules. • The applicability of the proposed V&V facilitated the design verification processes. - Abstract: Safety-critical instrumentation and control (I&C) system in nuclear power plant (NPP) implemented on programmable logic controllers (PLCs) plays a vital role in safe operation of the plant. The challenges such as fast obsolescence, the vulnerability to cyber-attack, and other related issues of software systems have currently led to the consideration of field programmable gate arrays (FPGAs) as an alternative to PLCs because of their advantages and hardware related benefits. However, safety analysis for FPGA-based I&C systems, and verification and validation (V&V) assessments still remain important issues to be resolved, which are now become a global research point of interests. In this work, we proposed a systematic design and verification strategies from start to ready-to-use in form of model-based approaches for FPGA-based reactor protection system (RPS) that can lead to the enhancement of the design verification and validation processes. The proposed methodology stages are requirement analysis, enhanced functional flow block diagram (EFFBD) models, finite state machine with data path (FSMD) models, hardware description language (HDL) code development, and design verifications. The design verification stage includes unit test – Very high speed integrated circuit Hardware Description Language (VHDL) test and modified condition decision coverage (MC/DC) test, module test – MATLAB/Simulink Co-simulation test, and integration test – FPGA hardware test beds. To prove the adequacy of the proposed

Design verification enhancement of field programmable gate array-based safety-critical I&C system of nuclear power plant

International Nuclear Information System (INIS)

Ahmed, Ibrahim; Jung, Jaecheon; Heo, Gyunyoung

2017-01-01

Highlights: • An enhanced, systematic and integrated design verification approach is proposed for V&V of FPGA-based I&C system of NPP. • RPS bistable fixed setpoint trip algorithm is designed, analyzed, verified and discussed using the proposed approaches. • The application of integrated verification approach simultaneously verified the entire design modules. • The applicability of the proposed V&V facilitated the design verification processes. - Abstract: Safety-critical instrumentation and control (I&C) system in nuclear power plant (NPP) implemented on programmable logic controllers (PLCs) plays a vital role in safe operation of the plant. The challenges such as fast obsolescence, the vulnerability to cyber-attack, and other related issues of software systems have currently led to the consideration of field programmable gate arrays (FPGAs) as an alternative to PLCs because of their advantages and hardware related benefits. However, safety analysis for FPGA-based I&C systems, and verification and validation (V&V) assessments still remain important issues to be resolved, which are now become a global research point of interests. In this work, we proposed a systematic design and verification strategies from start to ready-to-use in form of model-based approaches for FPGA-based reactor protection system (RPS) that can lead to the enhancement of the design verification and validation processes. The proposed methodology stages are requirement analysis, enhanced functional flow block diagram (EFFBD) models, finite state machine with data path (FSMD) models, hardware description language (HDL) code development, and design verifications. The design verification stage includes unit test – Very high speed integrated circuit Hardware Description Language (VHDL) test and modified condition decision coverage (MC/DC) test, module test – MATLAB/Simulink Co-simulation test, and integration test – FPGA hardware test beds. To prove the adequacy of the proposed

Dependability Assessment by Static Analysis of Software Important to Nuclear Power Plant Safety

Energy Technology Data Exchange (ETDEWEB)

Ourghanlian, Alain [EDF Lab, Chatou (France)

2014-08-15

We describe a practical experimentation of safety assessment of safety-critical software used in Nuclear Power Plants. To enhance the credibility of safety assessments and to optimize safety justification costs, Electricite de France (EDF) investigates the use of methods and tools for source code semantic analysis, to obtain indisputable evidence and help assessors focus on the most critical issues. EDF has been using the PolySpace tool for more than 10 years. Today, new industrial tools, based on the same formal approach, Abstract Interpretation, are available. Practical experimentation with these new tools shows that the precision obtained on one of our shutdown systems software is very significantly improved. In a first part, we present the analysis principles of the tools used in our experimentation. In a second part, we present the main characteristics of protection-system software, and why these characteristics are well adapted for the new analysis tools. In the last part, we present an overview of the results and the limitation of the tools.

System and software safety analysis for the ERA control computer

International Nuclear Information System (INIS)

Beerthuizen, P.G.; Kruidhof, W.

2001-01-01

The European Robotic Arm (ERA) is a seven degrees of freedom relocatable anthropomorphic robotic manipulator system, to be used in manned space operation on the International Space Station, supporting the assembly and external servicing of the Russian segment. The safety design concept and implementation of the ERA is described, in particular with respect to the central computer's software design. A top-down analysis and specification process is used to down flow the safety aspects of the ERA system towards the subsystems, which are produced by a consortium of companies in many countries. The user requirements documents and the critical function list are the key documents in this process. Bottom-up analysis (FMECA) and test, on both subsystem and system level, are the basis for safety verification. A number of examples show the use of the approach and methods used

Safety Justification of Software Systems. Software Based Safety Systems. Regulatory Inspection Handbook

International Nuclear Information System (INIS)

Dahll, Gustav; Liwang, Bo; Wainwright, Norman

2006-01-01

The introduction of new software based technology in the safety systems in nuclear power plants also makes it necessary to develop new strategies for regulatory review and assessment of these new systems that is more focused on reviewing the processes at the different phases in design phases during the system life cycle. It is a general requirement that the licensee shall perform different kinds of reviews. From a regulatory point of view it is more cost effective to assess that the design activities at the suppliers and the review activities within the development project are performed with good quality. But the change from more technical reviews over to the development process oriented approach also cause problems. When reviewing development and quality aspects there are no 'hard facts' that can be judged against some specified criteria, the issues are more 'soft' and are more to build up structure of arguments and evidences that the requirements are met. The regulatory review strategy must therefore change to follow the development process over the whole life cycle from concept phase until installation and operation. Even if we know what factors that is of interest we need some guidance on how to interpret and judge the information.For that purpose SKl started research activities in this area at the end of the 1990s. In the first phase, in co-operation with Gustav Dahll at the Halden project, a life cycle model was selected. For the different phases a qualitative influence net was constructed of the type that is used in Bayesian Believe Network together with a discussion on different issues involved. In the second phase of the research work, in co-operation with Norman Wainwright, a former NII inspector, information from a selection of the most important sources as guidelines, IAEA and EC reports etc, was mapped into the influence net structure (the total list on used sources are in the report). The result is presented in the form of questions (Q) and a

Safety Justification of Software Systems. Software Based Safety Systems. Regulatory Inspection Handbook

Energy Technology Data Exchange (ETDEWEB)

Dahll, Gustav (OECD Halden Project, Halden (NO)); Liwaang, Bo (Swedish Nuclear Power Inspectorate, Stockholm (Sweden)); Wainwright, Norman (Wainwright Safety Advice (GB))

2006-07-01

The introduction of new software based technology in the safety systems in nuclear power plants also makes it necessary to develop new strategies for regulatory review and assessment of these new systems that is more focused on reviewing the processes at the different phases in design phases during the system life cycle. It is a general requirement that the licensee shall perform different kinds of reviews. From a regulatory point of view it is more cost effective to assess that the design activities at the suppliers and the review activities within the development project are performed with good quality. But the change from more technical reviews over to the development process oriented approach also cause problems. When reviewing development and quality aspects there are no 'hard facts' that can be judged against some specified criteria, the issues are more 'soft' and are more to build up structure of arguments and evidences that the requirements are met. The regulatory review strategy must therefore change to follow the development process over the whole life cycle from concept phase until installation and operation. Even if we know what factors that is of interest we need some guidance on how to interpret and judge the information.For that purpose SKl started research activities in this area at the end of the 1990s. In the first phase, in co-operation with Gustav Dahll at the Halden project, a life cycle model was selected. For the different phases a qualitative influence net was constructed of the type that is used in Bayesian Believe Network together with a discussion on different issues involved. In the second phase of the research work, in co-operation with Norman Wainwright, a former NII inspector, information from a selection of the most important sources as guidelines, IAEA and EC reports etc, was mapped into the influence net structure (the total list on used sources are in the report). The result is presented in the form of

Software diversity: way to enhance safety?

International Nuclear Information System (INIS)

Dahll, G.; Bishop, P.

1990-01-01

The topic of the paper is the use of diversely produced programs to enhance the safety of computer-based systems applied in safety-critical areas. The paper starts with a survey of scientific investigations on the impact of software redundancy made at various institutions around the world. Main emphasis will, however, be put on the PODS/STEM projects, which have been performed at the OECD Halden Project in cooperation with the Technical Research Center of Finland, the Safety and Reliability Directorate, AEA Technology, UK, and Central Electricity Research Laboratory (now National Power Technology and Environment Centre), UK. In these projects, three program versions were made independently by three different teams, all based on the same specification. The three programs were tested back-to-back with a large amount of test data. The experience and results from this process were carefully logged and used for further analysis. Various strategies for test data selection were compared, with respect to fault finding strategies, as well as to branch and statement coverages of the tested programs. The assumption of independence of failures in diversely produced programs was investigated. A particularly interesting effect, namely failure masking due to program structure, was revealed. Static analysis techniques, software measures, and software reliability estimates were also studied. (author)

Usage models in reliability assessment of software-based systems

Energy Technology Data Exchange (ETDEWEB)

Haapanen, P.; Pulkkinen, U. [VTT Automation, Espoo (Finland); Korhonen, J. [VTT Electronics, Espoo (Finland)

1997-04-01

This volume in the OHA-project report series deals with the statistical reliability assessment of software based systems on the basis of dynamic test results and qualitative evidence from the system design process. Other reports to be published later on in the OHA-project report series will handle the diversity requirements in safety critical software-based systems, generation of test data from operational profiles and handling of programmable automation in plant PSA-studies. In this report the issues related to the statistical testing and especially automated test case generation are considered. The goal is to find an efficient method for building usage models for the generation of statistically significant set of test cases and to gather practical experiences from this method by applying it in a case study. The scope of the study also includes the tool support for the method, as the models may grow quite large and complex. (32 refs., 30 figs.).

Usage models in reliability assessment of software-based systems

International Nuclear Information System (INIS)

Haapanen, P.; Pulkkinen, U.; Korhonen, J.

1997-04-01

This volume in the OHA-project report series deals with the statistical reliability assessment of software based systems on the basis of dynamic test results and qualitative evidence from the system design process. Other reports to be published later on in the OHA-project report series will handle the diversity requirements in safety critical software-based systems, generation of test data from operational profiles and handling of programmable automation in plant PSA-studies. In this report the issues related to the statistical testing and especially automated test case generation are considered. The goal is to find an efficient method for building usage models for the generation of statistically significant set of test cases and to gather practical experiences from this method by applying it in a case study. The scope of the study also includes the tool support for the method, as the models may grow quite large and complex. (32 refs., 30 figs.)

Maintaining scale as a realiable computational system for criticality safety analysis

International Nuclear Information System (INIS)

Bowmann, S.M.; Parks, C.V.; Martin, S.K.

1995-01-01

Accurate and reliable computational methods are essential for nuclear criticality safety analyses. The SCALE (Standardized Computer Analyses for Licensing Evaluation) computer code system was originally developed at Oak Ridge National Laboratory (ORNL) to enable users to easily set up and perform criticality safety analyses, as well as shielding, depletion, and heat transfer analyses. Over the fifteen-year life of SCALE, the mainstay of the system has been the criticality safety analysis sequences that have featured the KENO-IV and KENO-V.A Monte Carlo codes and the XSDRNPM one-dimensional discrete-ordinates code. The criticality safety analysis sequences provide automated material and problem-dependent resonance processing for each criticality calculation. This report details configuration management which is essential because SCALE consists of more than 25 computer codes (referred to as modules) that share libraries of commonly used subroutines. Changes to a single subroutine in some cases affect almost every module in SCALE exclamation point Controlled access to program source and executables and accurate documentation of modifications are essential to maintaining SCALE as a reliable code system. The modules and subroutine libraries in SCALE are programmed by a staff of approximately ten Code Managers. The SCALE Software Coordinator maintains the SCALE system and is the only person who modifies the production source, executables, and data libraries. All modifications must be authorized by the SCALE Project Leader prior to implementation

Guideline for Bayesian Net based Software Fault Estimation Method for Reactor Protection System

International Nuclear Information System (INIS)

Eom, Heung Seop; Park, Gee Yong; Jang, Seung Cheol

2011-01-01

The purpose of this paper is to provide a preliminary guideline for the estimation of software faults in a safety-critical software, for example, reactor protection system's software. As the fault estimation method is based on Bayesian Net which intensively uses subjective probability and informal data, it is necessary to define formal procedure of the method to minimize the variability of the results. The guideline describes assumptions, limitations and uncertainties, and the product of the fault estimation method. The procedure for conducting a software fault-estimation method is then outlined, highlighting the major tasks involved. The contents of the guideline are based on our own experience and a review of research guidelines developed for a PSA

14 CFR 417.123 - Computing systems and software.

Science.gov (United States)

2010-01-01

... 14 Aeronautics and Space 4 2010-01-01 2010-01-01 false Computing systems and software. 417.123... systems and software. (a) A launch operator must document a system safety process that identifies the... systems and software. (b) A launch operator must identify all safety-critical functions associated with...

Safety critical software development qualification

International Nuclear Information System (INIS)

Marron, J. E.

2006-01-01

With the increasing use of digital systems in control applications, customers must acquire appropriate expectations for software development and quality assurance procedures. Purchasers and users of digital systems need to understand the benefits to the supplier of effective quality systems. These systems consist not only of procedures but tools that enable automation. Without the use of automation, quality can not be assured. A software and systems quality program starts with the documents you are very familiar with. But these documents must define more than the final system. They must address specific development environment characteristics and testing capabilities. Starting with the RFP, some of the items that should be introduced are Software Configuration Management, regression testing and defect tracking. The digital system customer is in the best position to enforce the use of software and systems quality programs by including them in project requirements as early as the Purchase Order. The customer's understanding of the full scope and implementation of a software quality program is essential to achieving the quality necessary in nuclear projects, and, incidentally, completing those projects on schedule. (authors)

Considerations of the Software Metric-based Methodology for Software Reliability Assessment in Digital I and C Systems

International Nuclear Information System (INIS)

Ha, J. H.; Kim, M. K.; Chung, B. S.; Oh, H. C.; Seo, M. R.

2007-01-01

Analog I and C systems have been replaced by digital I and C systems because the digital systems have many potential benefits to nuclear power plants in terms of operational and safety performance. For example, digital systems are essentially free of drifts, have higher data handling and storage capabilities, and provide improved performance by accuracy and computational capabilities. In addition, analog replacement parts become more difficult to obtain since they are obsolete and discontinued. There are, however, challenges to the introduction of digital technology into the nuclear power plants because digital systems are more complex than analog systems and their operation and failure modes are different. Especially, software, which can be the core of functionality in the digital systems, does not wear out physically like hardware and its failure modes are not yet defined clearly. Thus, some researches to develop the methodology for software reliability assessment are still proceeding in the safety-critical areas such as nuclear system, aerospace and medical devices. Among them, software metric-based methodology has been considered for the digital I and C systems of Korean nuclear power plants. Advantages and limitations of that methodology are identified and requirements for its application to the digital I and C systems are considered in this study

LEGOS: Object-based software components for mission-critical systems. Final report, June 1, 1995--December 31, 1997

Energy Technology Data Exchange (ETDEWEB)

NONE

1998-08-01

An estimated 85% of the installed base of software is a custom application with a production quantity of one. In practice, almost 100% of military software systems are custom software. Paradoxically, the marginal costs of producing additional units are near zero. So why hasn`t the software market, a market with high design costs and low productions costs evolved like other similar custom widget industries, such as automobiles and hardware chips? The military software industry seems immune to market pressures that have motivated a multilevel supply chain structure in other widget industries: design cost recovery, improve quality through specialization, and enable rapid assembly from purchased components. The primary goal of the ComponentWare Consortium (CWC) technology plan was to overcome barriers to building and deploying mission-critical information systems by using verified, reusable software components (Component Ware). The adoption of the ComponentWare infrastructure is predicated upon a critical mass of the leading platform vendors` inevitable adoption of adopting emerging, object-based, distributed computing frameworks--initially CORBA and COM/OLE. The long-range goal of this work is to build and deploy military systems from verified reusable architectures. The promise of component-based applications is to enable developers to snap together new applications by mixing and matching prefabricated software components. A key result of this effort is the concept of reusable software architectures. A second important contribution is the notion that a software architecture is something that can be captured in a formal language and reused across multiple applications. The formalization and reuse of software architectures provide major cost and schedule improvements. The Unified Modeling Language (UML) is fast becoming the industry standard for object-oriented analysis and design notation for object-based systems. However, the lack of a standard real-time distributed

Software fault detection and recovery in critical real-time systems: An approach based on loose coupling

International Nuclear Information System (INIS)

Alho, Pekka; Mattila, Jouni

2014-01-01

Highlights: •We analyze fault tolerance in mission-critical real-time systems. •Decoupled architectural model can be used to implement fault tolerance. •Prototype implementation for remote handling control system and service manager. •Recovery from transient faults by restarting services. -- Abstract: Remote handling (RH) systems are used to inspect, make changes to, and maintain components in the ITER machine and as such are an example of mission-critical system. Failure in a critical system may cause damage, significant financial losses and loss of experiment runtime, making dependability one of their most important properties. However, even if the software for RH control systems has been developed using best practices, the system might still fail due to undetected faults (bugs), hardware failures, etc. Critical systems therefore need capability to tolerate faults and resume operation after their occurrence. However, design of effective fault detection and recovery mechanisms poses a challenge due to timeliness requirements, growth in scale, and complex interactions. In this paper we evaluate effectiveness of service-oriented architectural approach to fault tolerance in mission-critical real-time systems. We use a prototype implementation for service management with an experimental RH control system and industrial manipulator. The fault tolerance is based on using the high level of decoupling between services to recover from transient faults by service restarts. In case the recovery process is not successful, the system can still be used if the fault was not in a critical software module

Software fault detection and recovery in critical real-time systems: An approach based on loose coupling

Energy Technology Data Exchange (ETDEWEB)

Alho, Pekka, E-mail: pekka.alho@tut.fi; Mattila, Jouni

2014-10-15

Highlights: •We analyze fault tolerance in mission-critical real-time systems. •Decoupled architectural model can be used to implement fault tolerance. •Prototype implementation for remote handling control system and service manager. •Recovery from transient faults by restarting services. -- Abstract: Remote handling (RH) systems are used to inspect, make changes to, and maintain components in the ITER machine and as such are an example of mission-critical system. Failure in a critical system may cause damage, significant financial losses and loss of experiment runtime, making dependability one of their most important properties. However, even if the software for RH control systems has been developed using best practices, the system might still fail due to undetected faults (bugs), hardware failures, etc. Critical systems therefore need capability to tolerate faults and resume operation after their occurrence. However, design of effective fault detection and recovery mechanisms poses a challenge due to timeliness requirements, growth in scale, and complex interactions. In this paper we evaluate effectiveness of service-oriented architectural approach to fault tolerance in mission-critical real-time systems. We use a prototype implementation for service management with an experimental RH control system and industrial manipulator. The fault tolerance is based on using the high level of decoupling between services to recover from transient faults by service restarts. In case the recovery process is not successful, the system can still be used if the fault was not in a critical software module.

Safety review on unit testing of safety system software of nuclear power plant

International Nuclear Information System (INIS)

Liu Le; Zhang Qi

2013-01-01

Software unit testing has an important place in the testing of safety system software of nuclear power plants, and in the wider scope of the verification and validation. It is a comprehensive, systematic process, and its documentation shall meet the related requirements. When reviewing software unit testing, attention should be paid to the coverage of software safety requirements, the coverage of software internal structure, and the independence of the work. (authors)

Achieving Critical System Survivability Through Software Architectures

National Research Council Canada - National Science Library

Knight, John C; Strunk, Elisabeth A

2006-01-01

.... In a system with a survivability architecture, under adverse conditions such as system damage or software failures, some desirable function will be eliminated but critical services will be retained...

The verification methodologies for a software modeling of Engineered Safety Features- Component Control System (ESF-CCS)

International Nuclear Information System (INIS)

Lee, Young-Jun; Cheon, Se-Woo; Cha, Kyung-Ho; Park, Gee-Yong; Kwon, Kee-Choon

2007-01-01

The safety of a software is not guaranteed through a simple testing of the software. The testing reviews only the static functions of a software. The behavior, dynamic state of a software is not reviewed by a software testing. The Ariane5 rocket accident and the failure of the Virtual Case File Project are determined by a software fault. Although this software was tested thoroughly, the potential errors existed internally. There are a lot of methods to solve these problems. One of the methods is a formal methodology. It describes the software requirements as a formal specification during a software life cycle and verifies a specified design. This paper suggests the methods which verify the design to be described as a formal specification. We adapt these methods to the software of a ESF-CCS (Engineered Safety Features-Component Control System) and use the SCADE (Safety Critical Application Development Environment) tool for adopting the suggested verification methods

Methods and tools used at the IPSN for the safety assessment of critical software

International Nuclear Information System (INIS)

Regnier, P.; Henry, J.Y.

1998-01-01

A significant feature of EDF's latest 1400MWe ''N4'' generation of pressurized water reactor (PWR) is the extensive use of computerized instrumentation and control, including a fully digital system for the reactor protection function. For the safety assessment of the software driving the operation of this digital reactor protection called SPIN, IPSN has developed and implemented a set of methods and tools. Using the lessons learned from this experience, IPSN has worked at improving those methods and tools, mainly trying to make them more automatic to use, and has participated in an international assessment exercise to test some other methods and tools, either new products on the market or self-developed products. As a result of these works, this paper presents an up to date overview of the IPSN methods and tools used for the assessment of safety critical software. This assessment, which consists of an analysis of all the documentation associated with the technical specifications and of a representative set of functions, is usually carried out in five steps: (1) critical examination of the documents, (2) evaluation of the quality of the code, (3) determination of the critical software components, (4) development of test cases and choice of testing strategy, (5) dynamic analysis (consistency and robustness). This paper also presents methods and tools developed or implemented by IPSN in order to: evaluate the completeness and consistency of specification and design documents written in natural language; build a model and simulate specification or design items; evaluate the quality of the source code; carry out FMEA analysis; run the binary code and perform tests (CLAIRE); perform random or mutational tests. (author)

From conventional software based systems to knowledge based systems

International Nuclear Information System (INIS)

Bologna, S.

1995-01-01

Even if todays nuclear power plants have a very good safety record, there is a continuous search for still improving safety. One direction of this effort address operational safety, trying to improve the handling of disturbances and accidents partly by further automation, partly by creating a better control room environment, providing the operator with intelligent support systems to help in the decision making process. Introduction of intelligent computerised operator support systems has proved to be an efficient way of improving the operators performance. A number of systems have been developed worldwide, assisting in tasks like process fault detection and diagnosis, selection and implementation of proper remedial actions. Unfortunately, the use of Knowledge Based Systems (KBSs), introduces a new dimension to the problem of the licensing process. KBSs, despite the different technology employed, are still nothing more than a computer program. Unfortunately, quite a few people building knowledge based systems seem to ignore the many good programming practices that have evolved over the years for producing traditional computer programs. In this paper the author will try to point out similarities and differences between conventional software based systems, and knowledge based systems, introducing also the concept of model based reasoning. (orig.) (25 refs., 2 figs.)

Model-based Development of Safety-critical Functions and ISO 26262 Work Products using modified EAST-ADL

Directory of Open Access Journals (Sweden)

Bülent Sari

2017-07-01

Full Text Available Safety is becoming more and more important with the ever increasing level of safety related E/E Systems built into the cars. Increasing functionality of vehicle systems through electrification of power train, in future even more by autonomous driving, leads to complexity in designing system, software and safety architecture. ISO 26262 aims to reduce the complexity and to approve the traceability of the different safety activities. This paper presents an approach about model-based development of system, software and safety architecture using Electronics Architecture and Software Technology – Architecture Description Language (EAST-ADL, being in line with the relevant standard ISO 26262. In particular, we briefly discuss how the main safety related activities, such as hazard analysis and risk assessment, developing functional and technical safety concepts and performing safety analysis can be performed model-based and how the activities can be related with system and software development. The state-of-art is also provided and compared with the proposed approach.

A Scalable Semantics-Based Verification System for Flight Critical Software, Phase II

Data.gov (United States)

National Aeronautics and Space Administration — Flight-critical systems rely on an ever increasing amount of software—the Boe- ing 777 contains over 2 million lines of code. Most of this code is written in the C...

75 FR 5146 - Hewlett Packard Company Business Critical Systems, Mission Critical Business Software Division...

Science.gov (United States)

2010-02-01

... Packard Company Business Critical Systems, Mission Critical Business Software Division, OpenVMS Operating... Colorado, Marlborough, MA; Hewlett Packard Company Business Critical Systems, Mission Critical Business... Assistance on August 27, 2009, applicable to workers of Hewlett Packard Company, Business Critical Systems...

Applicability of object-oriented design methods and C++ to safety-critical systems

International Nuclear Information System (INIS)

Cuthill, B.B.

1994-01-01

This paper reports on a study identifying risks and benefits of using a software development methodology containing object-oriented design (OOD) techniques and using C++ as a programming language relative to selected features of safety-critical systems development. These features are modularity, functional diversity, removing ambiguous code, traceability, and real-time performance

Practicality for Software Hazard Analysis for Nuclear Safety I and C System

International Nuclear Information System (INIS)

Kim, Yong-Ho; Moon, Kwon-Ki; Chang, Young-Woo; Jeong, Soo-Hyun

2016-01-01

We are using the concept of system safety in engineering. It is difficult to make any system perfectly safe and probably a complete system may not easily be achieved. The standard definition of a system from MIL-STD- 882E is: “The organization of hardware, software, material, facilities, personnel, data, and services needed to perform a designated function within a stated environment with specified results.” From the perspective of the system safety engineer and the hazard analysis process, software is considered as a subsystem. Regarding hazard analysis, to date, methods for identifying software failures and determining their effects is still a research problem. Since the success of software development is based on rigorous test of hardware and software, it is necessary to check the balance between software test and hardware test, and in terms of efficiency. Lessons learned and experience from similar systems are important for the work of hazard analysis. No major hazard has been issued for the software developed and verified in Korean NPPs. In addition to hazard analysis, software development, and verification and validation were thoroughly performed. It is reasonable that the test implementation including the development of the test case, stress and abnormal conditions, error recovery situations, and high risk hazardous situations play a key role in detecting and preventing software faults

Practicality for Software Hazard Analysis for Nuclear Safety I and C System

Energy Technology Data Exchange (ETDEWEB)

Kim, Yong-Ho; Moon, Kwon-Ki; Chang, Young-Woo; Jeong, Soo-Hyun [KEPCO Engineering and Construction Co., Deajeon (Korea, Republic of)

2016-10-15

We are using the concept of system safety in engineering. It is difficult to make any system perfectly safe and probably a complete system may not easily be achieved. The standard definition of a system from MIL-STD- 882E is: “The organization of hardware, software, material, facilities, personnel, data, and services needed to perform a designated function within a stated environment with specified results.” From the perspective of the system safety engineer and the hazard analysis process, software is considered as a subsystem. Regarding hazard analysis, to date, methods for identifying software failures and determining their effects is still a research problem. Since the success of software development is based on rigorous test of hardware and software, it is necessary to check the balance between software test and hardware test, and in terms of efficiency. Lessons learned and experience from similar systems are important for the work of hazard analysis. No major hazard has been issued for the software developed and verified in Korean NPPs. In addition to hazard analysis, software development, and verification and validation were thoroughly performed. It is reasonable that the test implementation including the development of the test case, stress and abnormal conditions, error recovery situations, and high risk hazardous situations play a key role in detecting and preventing software faults.

Safety critical FPGA-based NPP instrumentation and control systems: assessment, development and implementation

International Nuclear Information System (INIS)

Bakhmach, E. S.; Siora, A. A.; Tokarev, V. I.; Kharchenko, V. S.; Sklyar, V. V.; Andrashov, A. A.

2010-10-01

The stages of development, production, verification, licensing and implementation methods and technologies of safety critical instrumentation and control systems for nuclear power plants (NPP) based on FPGA (Field Programmable Gates Arrays) technologies are described. A life cycle model and multi-version technologies of dependability and safety assurance of FPGA-based instrumentation and control systems are discussed. An analysis of NPP instrumentation and control systems construction principles developed by Research and Production Corporation Radiy using FPGA-technologies and results of these systems implementation and operation at Ukrainian and Bulgarian NPP are presented. The RADIY TM platform has been designed and developed by Research and Production Corporation Radiy, Ukraine. The main peculiarity of the RADIY TM platform is the use of FPGA as programmable components for logic control operation. The FPGA-based RADIY TM platform used for NPP instrumentation and control systems development ensures sca lability of system functions types, volume and peculiarities (by changing quantity and quality of sensors, actuators, input/output signals and control algorithms); sca lability of dependability (safety integrity) (by changing a number of redundant channel, tiers, diagnostic and reconfiguration procedures); sca lability of diversity (by changing types, depth and method of diversity selection). (Author)

Software coding for reliable data communication in a reactor safety system

International Nuclear Information System (INIS)

Maghsoodi, R.

1978-01-01

A software coding method is proposed to improve the communication reliability of a microprocessor based fast-reactor safety system. This method which replaces the conventional coding circuitry, applies a program to code the data which is communicated between the processors via their data memories. The system requirements are studied and the suitable codes are suggested. The problems associated with hardware coders, and the advantages of software coding methods are discussed. The product code which proves a faster coding time over the cyclic code is chosen as the final code. Then the improvement of the communication reliability is derived for a processor and its data memory. The result is used to calculate the reliability improvement of the processing channel as the basic unit for the safety system. (author)

On the Use of Safety Certification Practices in Autonomous Field Robot Software Development

DEFF Research Database (Denmark)

Mogensen, Johann Thor Ingibergsson; Schultz, Ulrik Pagh; Kuhrmann, Marco

2015-01-01

reactions or performance in malfunctioning systems, and influence industry regarding software development and project management. However, academia seemingly did not reach the same degree of utilisation of standards. This paper presents the findings from a systematic mapping study in which we study...... the state-of-the-art in developing software for safety-critical software for autonomous field robots. The purpose of the study is to identify practices used for the development of autonomous field robots and how these practices relate to available safety standards. Our findings from reviewing 49 papers show...... on the quest for suitable approaches to develop safety-critical software, awaiting appropriate standards for this support....

Evaluation of static analysis tools used to assess software important to nuclear power plant safety

Energy Technology Data Exchange (ETDEWEB)

Ourghanlian, Alain [EDF Lab CHATOU, Simulation and Information Technologies for Power Generation Systems Department, EDF R and D, Cedex (France)

2015-03-15

We describe a comparative analysis of different tools used to assess safety-critical software used in nuclear power plants. To enhance the credibility of safety assessments and to optimize safety justification costs, Electricit e de France (EDF) investigates the use of methods and tools for source code semantic analysis, to obtain indisputable evidence and help assessors focus on the most critical issues. EDF has been using the PolySpace tool for more than 10 years. Currently, new industrial tools based on the same formal approach, Abstract Interpretation, are available. Practical experimentation with these new tools shows that the precision obtained on one of our shutdown systems software packages is substantially improved. In the first part of this article, we present the analysis principles of the tools used in our experimentation. In the second part, we present the main characteristics of protection-system software, and why these characteristics are well adapted for the new analysis tools.

Software safety analysis on the model specified by NuSCR and SMV input language at requirements phase of software development life cycle using SMV

International Nuclear Information System (INIS)

Koh, Kwang Yong; Seong, Poong Hyun

2005-01-01

Safety-critical software process is composed of development process, verification and validation (V and V) process and safety analysis process. Safety analysis process has been often treated as an additional process and not found in a conventional software process. But software safety analysis (SSA) is required if software is applied to a safety system, and the SSA shall be performed independently for the safety software through software development life cycle (SDLC). Of all the phases in software development, requirements engineering is generally considered to play the most critical role in determining the overall software quality. NASA data demonstrate that nearly 75% of failures found in operational software were caused by errors in the requirements. The verification process in requirements phase checks the correctness of software requirements specification, and the safety analysis process analyzes the safety-related properties in detail. In this paper, the method for safety analysis at requirements phase of software development life cycle using symbolic model verifier (SMV) is proposed. Hazard is discovered by hazard analysis and in other to use SMV for the safety analysis, the safety-related properties are expressed by computation tree logic (CTL)

Study on safety classifications of software used in nuclear power plants and distinct applications of verification and validation activities in each class

International Nuclear Information System (INIS)

Kim, B. R.; Oh, S. H.; Hwang, H. S.; Kim, D. I.

2000-01-01

This paper describes the safety classification regarding instrumentation and control (I and C) systems and their software used in nuclear power plants, provides regulatory positions for software important to safety, and proposes verification and validation (V and V) activities applied differently in software classes which are important elements in ensuring software quality assurance. In other word, the I and C systems important to safety are classified into IC-1, IC-2, IC-3, and Non-IC and their software are classified into safety-critical, safety-related, and non-safety software. Based upon these safety classifications, the extent of software V and V activities in each class is differentiated each other. In addition, the paper presents that the software for use in I and C systems important to safety is divided into newly-developed and previously-developed software in terms of design and implementation, and provides the regulatory positions on each type of software

Software Safety Analysis of Digital Protection System Requirements Using a Qualitative Formal Method

International Nuclear Information System (INIS)

Lee, Jang-Soo; Kwon, Kee-Choon; Cha, Sung-Deok

2004-01-01

The safety analysis of requirements is a key problem area in the development of software for the digital protection systems of a nuclear power plant. When specifying requirements for software of the digital protection systems and conducting safety analysis, engineers find that requirements are often known only in qualitative terms and that existing fault-tree analysis techniques provide little guidance on formulating and evaluating potential failure modes. A framework for the requirements engineering process is proposed that consists of a qualitative method for requirements specification, called the qualitative formal method (QFM), and a safety analysis method for the requirements based on causality information, called the causal requirements safety analysis (CRSA). CRSA is a technique that qualitatively evaluates causal relationships between software faults and physical hazards. This technique, extending the qualitative formal method process and utilizing information captured in the state trajectory, provides specific guidelines on how to identify failure modes and the relationship among them. The QFM and CRSA processes are described using shutdown system 2 of the Wolsong nuclear power plants as the digital protection system example

Evaluation procedure of software safety plan for digital I and C of KNGR

International Nuclear Information System (INIS)

Lee, Jang Soo; Park, Jong Kyun; Lee, Ki Young; Kwon, Ki Choon; Kim, Jang Yeol; Cheon, Se Woo

2000-05-01

The development, use, and regulation of computer systems in nuclear reactor instrumentation and control (I and C) systems to enhance reliability and safety is a complex issue. This report is one of a series of reports from the Korean next generation reactor (KNGR) software safety verification and validation (SSVV) task, Korea Atomic Energy Research Institute, which investigates different aspects of computer software in reactor I and C systems, and describes the engineering procedures for developing such a software. The purpose of this guideline is to give the software safety evaluator the trail map between the code and standards layer and the design methodology and documents layer for the software important to safety in nuclear power plants. Recently, the safety planning for safety-critical software systems is being recognized as the most important phase in the software life cycle, and being developed new regulatory positions and standards by the regulatory and the standardization organizations. The requirements for software important to safety of nuclear reactor are described in such positions and standards, for example, the new standard review plan (SRP), IEC 880 supplements, IEEE standard 1228-1994, IEEE standard 7-4.3.2-1993, and IAEA safety series No. 50-SG-D3 and D8. We presented the guidance for evaluating the safety plan of the software in the KNGR protection systems. The guideline consists of the regulatory requirements for software safety in chapter 2, the evaluation checklist of software safety plan in chapter3, and the evaluation results of KNGR software safety plan in chapter 4

Evaluation procedure of software safety plan for digital I and C of KNGR

Energy Technology Data Exchange (ETDEWEB)

Lee, Jang Soo; Park, Jong Kyun; Lee, Ki Young; Kwon, Ki Choon; Kim, Jang Yeol; Cheon, Se Woo

2000-05-01

The development, use, and regulation of computer systems in nuclear reactor instrumentation and control (I and C) systems to enhance reliability and safety is a complex issue. This report is one of a series of reports from the Korean next generation reactor (KNGR) software safety verification and validation (SSVV) task, Korea Atomic Energy Research Institute, which investigates different aspects of computer software in reactor I and C systems, and describes the engineering procedures for developing such a software. The purpose of this guideline is to give the software safety evaluator the trail map between the code and standards layer and the design methodology and documents layer for the software important to safety in nuclear power plants. Recently, the safety planning for safety-critical software systems is being recognized as the most important phase in the software life cycle, and being developed new regulatory positions and standards by the regulatory and the standardization organizations. The requirements for software important to safety of nuclear reactor are described in such positions and standards, for example, the new standard review plan (SRP), IEC 880 supplements, IEEE standard 1228-1994, IEEE standard 7-4.3.2-1993, and IAEA safety series No. 50-SG-D3 and D8. We presented the guidance for evaluating the safety plan of the software in the KNGR protection systems. The guideline consists of the regulatory requirements for software safety in chapter 2, the evaluation checklist of software safety plan in chapter3, and the evaluation results of KNGR software safety plan in chapter 4.

The Application of V&V within Reuse-Based Software Engineering

Science.gov (United States)

Addy, Edward

1996-01-01

Verification and Validation (V&V) is performed during application development for many systems, especially safety-critical and mission-critical systems. The V&V process is intended to discover errors as early as possible during the development process. Early discovery is important in order to minimize the cost and other impacts of correcting these errors. In reuse-based software engineering, decisions on the requirements, design and even implementation of domain assets can can be made prior to beginning development of a specific system. in order to bring the effectiveness of V&V to bear within reuse-based software engineering. V&V must be incorporated within the domain engineering process.

Verification and testing of the RTOS for safety-critical embedded systems

Energy Technology Data Exchange (ETDEWEB)

Lee, Na Young [Seoul National University, Seoul (Korea, Republic of); Kim, Jin Hyun; Choi, Jin Young [Korea University, Seoul (Korea, Republic of); Sung, Ah Young; Choi, Byung Ju [Ewha Womans University, Seoul (Korea, Republic of); Lee, Jang Soo [KAERI, Taejon (Korea, Republic of)

2003-07-01

Development in Instrumentation and Control (I and C) technology provides more convenience and better performance, thus, adopted in many fields. To adopt newly developed technology, nuclear industry requires rigorous V and V procedure and tests to assure reliable operation. Adoption of digital system requires verification and testing of the OS for licensing. Commercial real-time operating system (RTOS) is targeted to apply to various, unpredictable needs, which makes it difficult to verify. For this reason, simple, application-oriented realtime OS is developed for the nuclear application. In this work, we show how to verify the developed RTOS at each development lifecycle. Commercial formal tool is used in specification and verification of the system. Based on the developed model, software in C language is automatically generated. Tests are performed for two purposes; one is to identify consistency between the verified model and the generated code, the other is to find errors in the generated code. The former assumes that the verified model is correct, and the latter incorrect. Test data are generated separately to satisfy each purpose. After we test the RTOS software, we implement the test board embedded with the developed RTOS and the application software, which simulates the safety critical plant protection function. Testing to identify whether the reliability criteria is satisfied or not is also designed in this work. It results in that the developed RTOS software works well when it is embedded in the system.

Verification and testing of the RTOS for safety-critical embedded systems

International Nuclear Information System (INIS)

Lee, Na Young; Kim, Jin Hyun; Choi, Jin Young; Sung, Ah Young; Choi, Byung Ju; Lee, Jang Soo

2003-01-01

Development in Instrumentation and Control (I and C) technology provides more convenience and better performance, thus, adopted in many fields. To adopt newly developed technology, nuclear industry requires rigorous V and V procedure and tests to assure reliable operation. Adoption of digital system requires verification and testing of the OS for licensing. Commercial real-time operating system (RTOS) is targeted to apply to various, unpredictable needs, which makes it difficult to verify. For this reason, simple, application-oriented realtime OS is developed for the nuclear application. In this work, we show how to verify the developed RTOS at each development lifecycle. Commercial formal tool is used in specification and verification of the system. Based on the developed model, software in C language is automatically generated. Tests are performed for two purposes; one is to identify consistency between the verified model and the generated code, the other is to find errors in the generated code. The former assumes that the verified model is correct, and the latter incorrect. Test data are generated separately to satisfy each purpose. After we test the RTOS software, we implement the test board embedded with the developed RTOS and the application software, which simulates the safety critical plant protection function. Testing to identify whether the reliability criteria is satisfied or not is also designed in this work. It results in that the developed RTOS software works well when it is embedded in the system

Safety critical FPGA-based NPP instrumentation and control systems: assessment, development and implementation

Energy Technology Data Exchange (ETDEWEB)

Bakhmach, E. S.; Siora, A. A.; Tokarev, V. I. [Research and Production Corporation Radiy, 29 Geroev Stalingrada Str., Kirovograd 25006 (Ukraine); Kharchenko, V. S.; Sklyar, V. V.; Andrashov, A. A., E-mail: marketing@radiy.co [Center for Safety Infrastructure-Oriented Research and Analysis, 37 Astronomicheskaya Str., Kharkiv 61085 (Ukraine)

2010-10-15

The stages of development, production, verification, licensing and implementation methods and technologies of safety critical instrumentation and control systems for nuclear power plants (NPP) based on FPGA (Field Programmable Gates Arrays) technologies are described. A life cycle model and multi-version technologies of dependability and safety assurance of FPGA-based instrumentation and control systems are discussed. An analysis of NPP instrumentation and control systems construction principles developed by Research and Production Corporation Radiy using FPGA-technologies and results of these systems implementation and operation at Ukrainian and Bulgarian NPP are presented. The RADIY{sup TM} platform has been designed and developed by Research and Production Corporation Radiy, Ukraine. The main peculiarity of the RADIY{sup TM} platform is the use of FPGA as programmable components for logic control operation. The FPGA-based RADIY{sup TM} platform used for NPP instrumentation and control systems development ensures sca lability of system functions types, volume and peculiarities (by changing quantity and quality of sensors, actuators, input/output signals and control algorithms); sca lability of dependability (safety integrity) (by changing a number of redundant channel, tiers, diagnostic and reconfiguration procedures); sca lability of diversity (by changing types, depth and method of diversity selection). (Author)

A proposal for performing software safety hazard analysis

International Nuclear Information System (INIS)

Lawrence, J.D.; Gallagher, J.M.

1997-01-01

Techniques for analyzing the safety and reliability of analog-based electronic protection systems that serve to mitigate hazards in process control systems have been developed over many years, and are reasonably understood. An example is the protection system in a nuclear power plant. The extension of these techniques to systems which include digital computers is not well developed, and there is little consensus among software engineering experts and safety experts on how to analyze such systems. One possible technique is to extend hazard analysis to include digital computer-based systems. Software is frequently overlooked during system hazard analyses, but this is unacceptable when the software is in control of a potentially hazardous operation. In such cases, hazard analysis should be extended to fully cover the software. A method for performing software hazard analysis is proposed in this paper. The method concentrates on finding hazards during the early stages of the software life cycle, using an extension of HAZOP

A Nuclear Safety System based on Industrial Computer

International Nuclear Information System (INIS)

Kim, Ji Hyeon; Oh, Do Young; Lee, Nam Hoon; Kim, Chang Ho; Kim, Jae Hack

2011-01-01

The Plant Protection System(PPS), a nuclear safety Instrumentation and Control (I and C) system for Nuclear Power Plants(NPPs), generates reactor trip on abnormal reactor condition. The Core Protection Calculator System (CPCS) is a safety system that generates and transmits the channel trip signal to the PPS on an abnormal condition. Currently, these systems are designed on the Programmable Logic Controller(PLC) based system and it is necessary to consider a new system platform to adapt simpler system configuration and improved software development process. The CPCS was the first implementation using a micro computer in a nuclear power plant safety protection system in 1980 which have been deployed in Ulchin units 3,4,5,6 and Younggwang units 3,4,5,6. The CPCS software was developed in the Concurrent Micro5 minicomputer using assembly language and embedded into the Concurrent 3205 computer. Following the micro computer based CPCS, PLC based Common-Q platform has been used for the ShinKori/ShinWolsong units 1,2 PPS and CPCS, and the POSAFE-Q PLC platform is used for the ShinUlchin units 1,2 PPS and CPCS. In developing the next generation safety system platform, several factors (e.g., hardware/software reliability, flexibility, licensibility and industrial support) can be considered. This paper suggests an Industrial Computer(IC) based protection system that can be developed with improved flexibility without losing system reliability. The IC based system has the advantage of a simple system configuration with optimized processor boards because of improved processor performance and unlimited interoperability between the target system and development system that use commercial CASE tools. This paper presents the background to selecting the IC based system with a case study design of the CPCS. Eventually, this kind of platform can be used for nuclear power plant safety systems like the PPS, CPCS, Qualified Indication and Alarm . Pami(QIAS-P), and Engineering Safety

A Nuclear Safety System based on Industrial Computer

Energy Technology Data Exchange (ETDEWEB)

Kim, Ji Hyeon; Oh, Do Young; Lee, Nam Hoon; Kim, Chang Ho; Kim, Jae Hack [Korea Electric Power Corporation Engineering and Construction, Daejeon (Korea, Republic of)

2011-05-15

The Plant Protection System(PPS), a nuclear safety Instrumentation and Control (I and C) system for Nuclear Power Plants(NPPs), generates reactor trip on abnormal reactor condition. The Core Protection Calculator System (CPCS) is a safety system that generates and transmits the channel trip signal to the PPS on an abnormal condition. Currently, these systems are designed on the Programmable Logic Controller(PLC) based system and it is necessary to consider a new system platform to adapt simpler system configuration and improved software development process. The CPCS was the first implementation using a micro computer in a nuclear power plant safety protection system in 1980 which have been deployed in Ulchin units 3,4,5,6 and Younggwang units 3,4,5,6. The CPCS software was developed in the Concurrent Micro5 minicomputer using assembly language and embedded into the Concurrent 3205 computer. Following the micro computer based CPCS, PLC based Common-Q platform has been used for the ShinKori/ShinWolsong units 1,2 PPS and CPCS, and the POSAFE-Q PLC platform is used for the ShinUlchin units 1,2 PPS and CPCS. In developing the next generation safety system platform, several factors (e.g., hardware/software reliability, flexibility, licensibility and industrial support) can be considered. This paper suggests an Industrial Computer(IC) based protection system that can be developed with improved flexibility without losing system reliability. The IC based system has the advantage of a simple system configuration with optimized processor boards because of improved processor performance and unlimited interoperability between the target system and development system that use commercial CASE tools. This paper presents the background to selecting the IC based system with a case study design of the CPCS. Eventually, this kind of platform can be used for nuclear power plant safety systems like the PPS, CPCS, Qualified Indication and Alarm . Pami(QIAS-P), and Engineering Safety

Software for computers in the safety systems of nuclear power stations

International Nuclear Information System (INIS)

1987-08-01

This standard includes the safety actuation systems, the safety system support features and the protection systems. The standard provides requirements for each stage of software generation, including design, development, qualification and operation as well as the documentation for each stage of the software generation for the purpose of achieving highly reliable software. The principles applied in developing these requirements include: Best available practice; top-down design methods; modularity; verification of each phase; clear documentation; auditable documents and validation testing. (orig./HP)

Conceptual Software Reliability Prediction Models for Nuclear Power Plant Safety Systems

International Nuclear Information System (INIS)

Johnson, G.; Lawrence, D.; Yu, H.

2000-01-01

The objective of this project is to develop a method to predict the potential reliability of software to be used in a digital system instrumentation and control system. The reliability prediction is to make use of existing measures of software reliability such as those described in IEEE Std 982 and 982.2. This prediction must be of sufficient accuracy to provide a value for uncertainty that could be used in a nuclear power plant probabilistic risk assessment (PRA). For the purposes of the project, reliability was defined to be the probability that the digital system will successfully perform its intended safety function (for the distribution of conditions under which it is expected to respond) upon demand with no unintended functions that might affect system safety. The ultimate objective is to use the identified measures to develop a method for predicting the potential quantitative reliability of a digital system. The reliability prediction models proposed in this report are conceptual in nature. That is, possible prediction techniques are proposed and trial models are built, but in order to become a useful tool for predicting reliability, the models must be tested, modified according to the results, and validated. Using methods outlined by this project, models could be constructed to develop reliability estimates for elements of software systems. This would require careful review and refinement of the models, development of model parameters from actual experience data or expert elicitation, and careful validation. By combining these reliability estimates (generated from the validated models for the constituent parts) in structural software models, the reliability of the software system could then be predicted. Modeling digital system reliability will also require that methods be developed for combining reliability estimates for hardware and software. System structural models must also be developed in order to predict system reliability based upon the reliability

Development of a test rig and its application for validation and reliability testing of safety-critical software

Energy Technology Data Exchange (ETDEWEB)

Thai, N D; McDonald, A M [Atomic Energy of Canada Ltd., Mississauga, ON (Canada)

1996-12-31

This paper describes a versatile test rig developed by AECL for functional testing of safety-critical software used in the process trip computers of the Wolsong CANDU stations. The description covers the hardware and software aspects of the test rig, the test language and its interpreter, and other major testing software utilities such as the test oracle, sampler and profiler. The paper also discusses the application of the rig in the final stages of testing of the process trip computer software, namely validation and reliability tests. It shows how random test cases are generated, test scripts prepared and automatically run on the test rig. The versatility of the rig is further demonstrated in other types of testing such as sub-system tests, verification of the test oracle, testing of newly-developed test script, self-test and calibration. (author). 5 tabs., 10 figs.

Development of a test rig and its application for validation and reliability testing of safety-critical software

International Nuclear Information System (INIS)

Thai, N.D.; McDonald, A.M.

1995-01-01

This paper describes a versatile test rig developed by AECL for functional testing of safety-critical software used in the process trip computers of the Wolsong CANDU stations. The description covers the hardware and software aspects of the test rig, the test language and its interpreter, and other major testing software utilities such as the test oracle, sampler and profiler. The paper also discusses the application of the rig in the final stages of testing of the process trip computer software, namely validation and reliability tests. It shows how random test cases are generated, test scripts prepared and automatically run on the test rig. The versatility of the rig is further demonstrated in other types of testing such as sub-system tests, verification of the test oracle, testing of newly-developed test script, self-test and calibration. (author). 5 tabs., 10 figs

Critical enrichment and critical density of infinite systems for nuclear criticality safety evaluation

International Nuclear Information System (INIS)

Naito, Yoshitaka; Koyama, Takashi; Komuro, Yuichi

1986-03-01

Critical enrichment and critical density of homogenous infinite systems, such as U-H 2 O, UO 2 -H 2 O, UO 2 F 2 aqueous solution, UO 2 (NO 3 ) 2 aqueous solution, Pu-H 2 O, PuO 2 -H 2 O, Pu(NO 3 ) 4 aqueous solution and PuO 2 ·UO 2 -H 2 O, were calculated with the criticality safety evaluation computer code system JACS for nuclear criticality safety evaluation on fuel facilities. The computed results were compared with the data described in European and American criticality handbooks and showed good agreement with each other. (author)

A Development Framework for Software Security in Nuclear Safety Systems: Integrating Secure Development and System Security Activities

Energy Technology Data Exchange (ETDEWEB)

Park, Jaekwan; Suh, Yongsuk [Korea Atomic Energy Research Institute, Daejeon (Korea, Republic of)

2014-02-15

The protection of nuclear safety software is essential in that a failure can result in significant economic loss and physical damage to the public. However, software security has often been ignored in nuclear safety software development. To enforce security considerations, nuclear regulator commission recently issued and revised the security regulations for nuclear computer-based systems. It is a great challenge for nuclear developers to comply with the security requirements. However, there is still no clear software development process regarding security activities. This paper proposes an integrated development process suitable for the secure development requirements and system security requirements described by various regulatory bodies. It provides a three-stage framework with eight security activities as the software development process. Detailed descriptions are useful for software developers and licensees to understand the regulatory requirements and to establish a detailed activity plan for software design and engineering.

SCALE 5: Powerful new criticality safety analysis tools

International Nuclear Information System (INIS)

Bowman, Stephen M.; Hollenbach, Daniel F.; Dehart, Mark D.; Rearden, Bradley T.; Gauld, Ian C.; Goluoglu, Sedat

2003-01-01

Version 5 of the SCALE computer software system developed at Oak Ridge National Laboratory, scheduled for release in December 2003, contains several significant new modules and sequences for criticality safety analysis and marks the most important update to SCALE in more than a decade. This paper highlights the capabilities of these new modules and sequences, including continuous energy flux spectra for processing multigroup problem-dependent cross sections; one- and three-dimensional sensitivity and uncertainty analyses for criticality safety evaluations; two-dimensional flexible mesh discrete ordinates code; automated burnup-credit analysis sequence; and one-dimensional material distribution optimization for criticality safety. (author)

SCALE Graphical Developments for Improved Criticality Safety Analyses

International Nuclear Information System (INIS)

Barnett, D.L.; Bowman, S.M.; Horwedel, J.E.; Petrie, L.M.

1999-01-01

New computer graphic developments at Oak Ridge National Ridge National Laboratory (ORNL) are being used to provide visualization of criticality safety models and calculational results as well as tools for criticality safety analysis input preparation. The purpose of this paper is to present the status of current development efforts to continue to enhance the SCALE (Standardized Computer Analyses for Licensing Evaluations) computer software system. Applications for criticality safety analysis in the areas of 3-D model visualization, input preparation and execution via a graphical user interface (GUI), and two-dimensional (2-D) plotting of results are discussed

V and V-based remaining fault estimation model for safety–critical software of a nuclear power plant

International Nuclear Information System (INIS)

Eom, Heung-seop; Park, Gee-yong; Jang, Seung-cheol; Son, Han Seong; Kang, Hyun Gook

2013-01-01

Highlights: ► A software fault estimation model based on Bayesian Nets and V and V. ► Use of quantified data derived from qualitative V and V results. ► Faults insertion and elimination process was modeled in the context of probability. ► Systematically estimates the expected number of remaining faults. -- Abstract: Quantitative software reliability measurement approaches have some limitations in demonstrating the proper level of reliability in cases of safety–critical software. One of the more promising alternatives is the use of software development quality information. Particularly in the nuclear industry, regulatory bodies in most countries use both probabilistic and deterministic measures for ensuring the reliability of safety-grade digital computers in NPPs. The point of deterministic criteria is to assess the whole development process and its related activities during the software development life cycle for the acceptance of safety–critical software. In addition software Verification and Validation (V and V) play an important role in this process. In this light, we propose a V and V-based fault estimation method using Bayesian Nets to estimate the remaining faults for safety–critical software after the software development life cycle is completed. By modeling the fault insertion and elimination processes during the whole development phases, the proposed method systematically estimates the expected number of remaining faults.

Safety-Critical Java for Embedded Systems

DEFF Research Database (Denmark)

Rios Rivas, Juan Ricardo

for Java aims at providing a reduced set of the Java programming language that can be used for systems that need to be certified at the highest levels of criticality. Safety-critical Java (SCJ) restricts how a developer can structure an application by providing a specific programming model...... and by restricting the set of methods and libraries that can be used. Furthermore, its memory model do not use a garbage-collected heap but scoped memories. In this thesis we examine the use of the SCJ specification through an implementation in a time-predictable, FPGA-based Java processor. The specification is now...

Experience gained in the production of licensable safety-critical software for Darlington NGS

International Nuclear Information System (INIS)

Crane, R.H.

1992-01-01

The Darlington Nuclear Generating Station is a new station, consisting of four 935 Mw units, built by Ontario Hydro, on the north shore of Lake Ontario, approximately 50 miles east of Toronto. In May, 1987, the first of the four units of this station was approaching the point where Ontario Hydro would be requesting a license to load fuel, and then proceed to first criticality. At this point, however, the regulatory authority, the Atomic Energy Control Board (AECB) started to show increasing concerns related to the Trip Computer Software associated with Darlington's newly-designed computerized shutdown systems. The concerns centered around whether or not the safety reliability, reviewability, and maintainability of this software could be demonstrated by Ontario Hydro or the system designer, Atomic Energy of Canada Limited (AECL). In order to back up the validity of their concerns, they hired a well-known consultant, who reviewed the code, and made recommendations concerning its design, implementation, and documentation. Considerable effort was required by Ontario Hydro and AECL in order to comply with those recommendations. This paper describes those efforts, outlines the difficulties encountered, and assesses the lessons learned from them

78 FR 47015 - Software Requirement Specifications for Digital Computer Software Used in Safety Systems of...

Science.gov (United States)

2013-08-02

... NUCLEAR REGULATORY COMMISSION [NRC-2012-0195] Software Requirement Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants AGENCY: Nuclear Regulatory Commission... issuing a revised regulatory guide (RG), revision 1 of RG 1.172, ``Software Requirement Specifications for...

Nuclear criticality safety handbook. Version 2

International Nuclear Information System (INIS)

1999-03-01

The Nuclear Criticality Safety Handbook, Version 2 essentially includes the description of the Supplement Report to the Nuclear Criticality Safety Handbook, released in 1995, into the first version of Nuclear Criticality Safety Handbook, published in 1988. The following two points are new: (1) exemplifying safety margins related to modelled dissolution and extraction processes, (2) describing evaluation methods and alarm system for criticality accidents. Revision is made based on previous studies for the chapter that treats modelling the fuel system: e.g., the fuel grain size that the system can be regarded as homogeneous, non-uniformity effect of fuel solution, and burnup credit. This revision solves the inconsistencies found in the first version between the evaluation of errors found in JACS code system and criticality condition data that were calculated based on the evaluation. (author)

Natural Language Interface for Safety Certification of Safety-Critical Software

Science.gov (United States)

Denney, Ewen; Fischer, Bernd

2011-01-01

Model-based design and automated code generation are being used increasingly at NASA. The trend is to move beyond simulation and prototyping to actual flight code, particularly in the guidance, navigation, and control domain. However, there are substantial obstacles to more widespread adoption of code generators in such safety-critical domains. Since code generators are typically not qualified, there is no guarantee that their output is correct, and consequently the generated code still needs to be fully tested and certified. The AutoCert generator plug-in supports the certification of automatically generated code by formally verifying that the generated code is free of different safety violations, by constructing an independently verifiable certificate, and by explaining its analysis in a textual form suitable for code reviews.

Use of FPGA to face electronic component obsolescence in software based safety I and C in NPPS

International Nuclear Information System (INIS)

Hadj, Abdellah; Bach, Julien; Esmenjaud, Claude; Daumas, Frederic; Salauen, Patrick

2010-01-01

In order to extend the life time of their Nuclear Power Plants (NPPs), most utilities are looking for ways to implement the renovation of their existing Instrumentation and Control (I and C) systems. When the I and C to modernize is software based, three paths can be considered: - to keep the legacy microprocessor and limit refurbishment to the associated hardware (i.e. the I/O boards, memories and the CPU board itself), - to move to another I and C platform based on another microprocessor, - to move to a non microprocessor based I and C platform. Software based I and C provide strong advantages such as flexibility and ability to implement advanced functions, however the complexity and the decreasing life time of nowadays microprocessors, mainly developed for the needs of the personal computer market, makes difficult their use and licensing for safety digital I and C systems. Solutions based on re-engineering of legacy microprocessors, or use of microprocessors dedicated to critical application need to be considered. In order to share a prospective vision of the future of I and C systems in NPPs, Electricite de France (EDF) Research and Development division and Rolls-Royce have launched a three year cooperation program on the use of the ASIC/FPGA technology in safety I and C systems. The first step of this program addresses the ability of the ASIC/FPGA technology to provide replacement solutions for former microprocessors taking as example the replacement of the Motorola MC6800 microprocessor. This paper presents the development of an IP cloning the Motorola MC6800 microprocessor, suitable for use in the refurbishment of safety I and C equipment based on this microprocessor. (authors)

Prediction of safety critical software operational reliability from test reliability using testing environment factors

International Nuclear Information System (INIS)

Jung, Hoan Sung; Seong, Poong Hyun

1999-01-01

It has been a critical issue to predict the safety critical software reliability in nuclear engineering area. For many years, many researches have focused on the quantification of software reliability and there have been many models developed to quantify software reliability. Most software reliability models estimate the reliability with the failure data collected during the test assuming that the test environments well represent the operation profile. User's interest is however on the operational reliability rather than on the test reliability. The experiences show that the operational reliability is higher than the test reliability. With the assumption that the difference in reliability results from the change of environment, from testing to operation, testing environment factors comprising the aging factor and the coverage factor are developed in this paper and used to predict the ultimate operational reliability with the failure data in testing phase. It is by incorporating test environments applied beyond the operational profile into testing environment factors. The application results show that the proposed method can estimate the operational reliability accurately. (Author). 14 refs., 1 tab., 1 fig

SACS2: Dynamic and Formal Safety Analysis Method for Complex Safety Critical System

International Nuclear Information System (INIS)

Koh, Kwang Yong; Seong, Poong Hyun

2009-01-01

Fault tree analysis (FTA) is one of the most widely used safety analysis technique in the development of safety critical systems. However, over the years, several drawbacks of the conventional FTA have become apparent. One major drawback is that conventional FTA uses only static gates and hence can not capture dynamic behaviors of the complex system precisely. Although several attempts such as dynamic fault tree (DFT), PANDORA, formal fault tree (FFT) and so on, have been made to overcome this problem, they can not still do absolute or actual time modeling because they adapt relative time concept and can capture only sequential behaviors of the system. Second drawback of conventional FTA is its lack of rigorous semantics. Because it is informal in nature, safety analysis results heavily depend on an analyst's ability and are error-prone. Finally reasoning process which is to check whether basic events really cause top events is done manually and hence very labor-intensive and timeconsuming for the complex systems. In this paper, we propose a new safety analysis method for complex safety critical system in qualitative manner. We introduce several temporal gates based on timed computational tree logic (TCTL) which can represent quantitative notion of time. Then, we translate the information of the fault trees into UPPAAL query language and the reasoning process is automatically done by UPPAAL which is the model checker for time critical system

Using fuzzy self-organising maps for safety critical systems

International Nuclear Information System (INIS)

Kurd, Zeshan; Kelly, Tim P.

2007-01-01

This paper defines a type of constrained artificial neural network (ANN) that enables analytical certification arguments whilst retaining valuable performance characteristics. Previous work has defined a safety lifecycle for ANNs without detailing a specific neural model. Building on this previous work, the underpinning of the devised model is based upon an existing neuro-fuzzy system called the fuzzy self-organising map (FSOM). The FSOM is type of 'hybrid' ANN which allows behaviour to be described qualitatively and quantitatively using meaningful expressions. Safety of the FSOM is argued through adherence to safety requirements-derived from hazard analysis and expressed using safety constraints. The approach enables the construction of compelling (product-based) arguments for mitigation of potential failure modes associated with the FSOM. The constrained FSOM has been termed a 'safety critical artificial neural network' (SCANN). The SCANN can be used for non-linear function approximation and allows certified learning and generalisation for high criticality roles. A discussion of benefits for real-world applications is also presented

Software for the occupational health and safety integrated management system

International Nuclear Information System (INIS)

Vătăsescu, Mihaela

2015-01-01

This paper intends to present the design and the production of a software for the Occupational Health and Safety Integrated Management System with the view to a rapid drawing up of the system documents in the field of occupational health and safety

Software for the occupational health and safety integrated management system

Energy Technology Data Exchange (ETDEWEB)

Vătăsescu, Mihaela [University Politehnica Timisoara, Department of Engineering and Management, 5 Revolutiei street, 331128 Hunedoara (Romania)

2015-03-10

This paper intends to present the design and the production of a software for the Occupational Health and Safety Integrated Management System with the view to a rapid drawing up of the system documents in the field of occupational health and safety.

Safety Metrics for Human-Computer Controlled Systems

Science.gov (United States)

Leveson, Nancy G; Hatanaka, Iwao

2000-01-01

The rapid growth of computer technology and innovation has played a significant role in the rise of computer automation of human tasks in modem production systems across all industries. Although the rationale for automation has been to eliminate "human error" or to relieve humans from manual repetitive tasks, various computer-related hazards and accidents have emerged as a direct result of increased system complexity attributed to computer automation. The risk assessment techniques utilized for electromechanical systems are not suitable for today's software-intensive systems or complex human-computer controlled systems.This thesis will propose a new systemic model-based framework for analyzing risk in safety-critical systems where both computers and humans are controlling safety-critical functions. A new systems accident model will be developed based upon modem systems theory and human cognitive processes to better characterize system accidents, the role of human operators, and the influence of software in its direct control of significant system functions Better risk assessments will then be achievable through the application of this new framework to complex human-computer controlled systems.

Claire, a simulation and testing tool for critical softwares

International Nuclear Information System (INIS)

Gassino, J.; Henry, J.Y.

1996-01-01

The CEA and IPSN (Institute of Nuclear Protection and Safety) needs concerning the testing of critical softwares, have led to the development of the CLAIRE tool which is able to test the softwares without modification. This tool allows to graphically model the system and its environment and to include components into the model which observe and do not modify the behaviour of the system to be tested. The executable codes are integrated in the model. The tool uses target machine simulators (microprocessors). The technique used (the event simulation) allows to associate actions with events such as the execution of an instruction, the access to a variable etc.. The simulation results are exploited using graphic, states research and test cover measurement tools. In particular, this tool can give help to the evaluation of critical softwares with pre-existing components. (J.S.)

Two viewpoints for software failures and their relation in probabilistic safety assessment of digital instrumentation and control systems

International Nuclear Information System (INIS)

Kim, Man Cheol

2015-01-01

As the use of digital systems in nuclear power plants increases, the reliability of the software becomes one of the important issues in probabilistic safety assessment. In this paper, two viewpoints for a software failure during the operation of a digital system or a statistical software test are identified, and the relation between them is provided. In conventional software reliability analysis, a failure is mainly viewed with respect to the system operation. A new viewpoint with respect to the system input is suggested. The failure probability density functions for the two viewpoints are defined, and the relation between the two failure probability density functions is derived. Each failure probability density function can be derived from the other failure probability density function by applying the derived relation between the two failure probability density functions. The usefulness of the derived relation is demonstrated by applying it to the failure data obtained from the software testing of a real system. The two viewpoints and their relation, as identified in this paper, are expected to help us extend our understanding of the reliability of safety-critical software. (author)

Programming Guidelines for FBD Programs in Reactor Protection System Software

International Nuclear Information System (INIS)

Jung, Se Jin; Lee, Dong Ah; Kim, Eui Sub; Yoo, Jun Beom; Lee, Jang Su

2014-01-01

Properties of programming languages, such as reliability, traceability, etc., play important roles in software development to improve safety. Several researches are proposed guidelines about programming to increase the dependability of software which is developed for safety critical systems. Misra-c is a widely accepted programming guidelines for the C language especially in the sector of vehicle industry. NUREG/CR-6463 helps engineers in nuclear industry develop software in nuclear power plant systems more dependably. FBD (Function Block Diagram), which is one of programming languages defined in IEC 61131-3 standard, is often used for software development of PLC (programmable logic controllers) in nuclear power plants. Software development for critical systems using FBD needs strict guidelines, because FBD is a general language and has easily mistakable elements. There are researches about guidelines for IEC 61131-3 programming languages. They, however, do not specify details about how to use languages. This paper proposes new guidelines for the FBD based on NUREG/CR-6463. The paper introduces a CASE (Computer-Aided Software Engineering) tool to check FBD programs with the new guidelines and shows availability with a case study using a FBD program in a reactor protection system. The paper is organized as follows

Programming Guidelines for FBD Programs in Reactor Protection System Software

Energy Technology Data Exchange (ETDEWEB)

Jung, Se Jin; Lee, Dong Ah; Kim, Eui Sub; Yoo, Jun Beom [Division of Computer Science and Engineering College of Information and Communication, Konkuk University, Seoul (Korea, Republic of); Lee, Jang Su [Man-Machine Interface System team Korea Atomic Energy Research Institute, Daejeon (Korea, Republic of)

2014-10-15

Properties of programming languages, such as reliability, traceability, etc., play important roles in software development to improve safety. Several researches are proposed guidelines about programming to increase the dependability of software which is developed for safety critical systems. Misra-c is a widely accepted programming guidelines for the C language especially in the sector of vehicle industry. NUREG/CR-6463 helps engineers in nuclear industry develop software in nuclear power plant systems more dependably. FBD (Function Block Diagram), which is one of programming languages defined in IEC 61131-3 standard, is often used for software development of PLC (programmable logic controllers) in nuclear power plants. Software development for critical systems using FBD needs strict guidelines, because FBD is a general language and has easily mistakable elements. There are researches about guidelines for IEC 61131-3 programming languages. They, however, do not specify details about how to use languages. This paper proposes new guidelines for the FBD based on NUREG/CR-6463. The paper introduces a CASE (Computer-Aided Software Engineering) tool to check FBD programs with the new guidelines and shows availability with a case study using a FBD program in a reactor protection system. The paper is organized as follows.

The development of regulatory expectations for computer-based safety systems for the UK nuclear programme

Energy Technology Data Exchange (ETDEWEB)

Hughes, P. J. [HM Nuclear Installations Inspectorate Marine Engineering Submarines Defence Nuclear Safety Regulator Serco Assurance Redgrave Court, Merton Road, Bootle L20 7HS (United Kingdom); Westwood, R.N; Mark, R. T. [FLEET HQ, Leach Building, Whale Island, Portsmouth, PO2 8BY (United Kingdom); Tapping, K. [Serco Assurance,Thomson House, Risley, Warrington, WA3 6GA (United Kingdom)

2006-07-01

The Nuclear Installations Inspectorate (NII) of the UK's Health and Safety Executive (HSE) has completed a review of their Safety Assessment Principles (SAPs) for Nuclear Installations recently. During the period of the SAPs review in 2004-2005 the designers of future UK naval reactor plant were optioneering the control and protection systems that might be implemented. Because there was insufficient regulatory guidance available in the naval sector to support this activity the Defence Nuclear Safety Regulator (DNSR) invited the NII to collaborate with the production of a guidance document that provides clarity of regulatory expectations for the production of safety cases for computer based safety systems. A key part of producing regulatory expectations was identifying the relevant extant standards and sector guidance that reflect good practice. The three principal sources of such good practice were: IAEA Safety Guide NS-G-1.1 (Software for Computer Based Systems Important to Safety in Nuclear Power Plants), European Commission consensus document (Common Position of European Nuclear Regulators for the Licensing of Safety Critical Software for Nuclear Reactors) and IEC nuclear sector standards such as IEC60880. A common understanding has been achieved between the NII and DNSR and regulatory guidance developed which will be used by both NII and DNSR in the assessment of computer-based safety systems and in the further development of more detailed joint technical assessment guidance for both regulatory organisations. (authors)

Static and Dynamic Verification of Critical Software for Space Applications

Science.gov (United States)

Moreira, F.; Maia, R.; Costa, D.; Duro, N.; Rodríguez-Dapena, P.; Hjortnaes, K.

Space technology is no longer used only for much specialised research activities or for sophisticated manned space missions. Modern society relies more and more on space technology and applications for every day activities. Worldwide telecommunications, Earth observation, navigation and remote sensing are only a few examples of space applications on which we rely daily. The European driven global navigation system Galileo and its associated applications, e.g. air traffic management, vessel and car navigation, will significantly expand the already stringent safety requirements for space based applications Apart from their usefulness and practical applications, every single piece of onboard software deployed into the space represents an enormous investment. With a long lifetime operation and being extremely difficult to maintain and upgrade, at least when comparing with "mainstream" software development, the importance of ensuring their correctness before deployment is immense. Verification &Validation techniques and technologies have a key role in ensuring that the onboard software is correct and error free, or at least free from errors that can potentially lead to catastrophic failures. Many RAMS techniques including both static criticality analysis and dynamic verification techniques have been used as a means to verify and validate critical software and to ensure its correctness. But, traditionally, these have been isolated applied. One of the main reasons is the immaturity of this field in what concerns to its application to the increasing software product(s) within space systems. This paper presents an innovative way of combining both static and dynamic techniques exploiting their synergy and complementarity for software fault removal. The methodology proposed is based on the combination of Software FMEA and FTA with Fault-injection techniques. The case study herein described is implemented with support from two tools: The SoftCare tool for the SFMEA and SFTA

X-real-time executive (X-RTE) an ultra-high reliable real-time executive for safety critical systems

International Nuclear Information System (INIS)

Suresh Babu, R.M.

1995-01-01

With growing number of application of computers in safety critical systems of nuclear plants there has been a need to assure high quality and reliability of the software used in these systems. One way to assure software quality is to use qualified software components. Since the safety systems and control systems are real-time systems there is a need for a real-time supervisory software to guarantee temporal response of the system. This report describes one such software package, called X-Real-Time Executive (or X-RTE), which was developed in Reactor Control Division, BARC. The report describes all the capabilities and unique features of X-RTE and compares it with a commercially available operating system. The features of X-RTE include pre-emptive scheduling, process synchronization, inter-process communication, multi-processor support, temporal support, debug facility, high portability, high reliability, high quality, and extensive documentation. Examples have been used very liberally to illustrate the underlying concepts. Besides, the report provides a brief description about the methods used, during the software development, to assure high quality and reliability of X-RTE. (author). refs., 11 figs., tabs

Validation of the Continuous-Energy Monte Carlo Criticality-Safety Analysis System MVP and JENDL-3.2 Using the Internationally Evaluated Criticality Benchmarks

International Nuclear Information System (INIS)

Mitake, Susumu

2003-01-01

Validation of the continuous-energy Monte Carlo criticality-safety analysis system, comprising the MVP code and neutron cross sections based on JENDL-3.2, was examined using benchmarks evaluated in the 'International Handbook of Evaluated Criticality Safety Benchmark Experiments'. Eight experiments (116 configurations) for the plutonium solution and plutonium-uranium mixture systems performed at Valduc, Battelle Pacific Northwest Laboratories, and other facilities were selected and used in the studies. The averaged multiplication factors calculated with MVP and MCNP-4B using the same neutron cross-section libraries based on JENDL-3.2 were in good agreement. Based on methods provided in the Japanese nuclear criticality-safety handbook, the estimated criticality lower-limit multiplication factors to be used as a subcriticality criterion for the criticality-safety evaluation of nuclear facilities were obtained. The analysis proved the applicability of the MVP code to the criticality-safety analysis of nuclear fuel facilities, particularly to the analysis of systems fueled with plutonium and in homogeneous and thermal-energy conditions

Quality assurance for software important to safety

International Nuclear Information System (INIS)

2000-01-01

Software applications play an increasingly relevant role in nuclear power plant systems. This is particularly true of software important to safety used in both: calculations for the design, testing and analysis of nuclear reactor systems (design, engineering and analysis software); and monitoring, control and safety functions as an integral part of the reactor systems (monitoring, control and safety system software). Computer technology is advancing at a fast pace, offering new possibilities in nuclear reactor design, construction, commissioning, operation, maintenance and decommissioning. These advances also present new issues which must be considered both by the utility and by the regulatory organization. Refurbishment of ageing instrumentation and control systems in nuclear power plants and new safety related application areas have emerged, with direct (e.g. interfaces with safety systems) and indirect (e.g. operator intervention) implications for safety. Currently, there exist several international standards and guides on quality assurance for software important to safety. However, none of the existing documents provides comprehensive guidance to the developer, manager and regulator during all phases of the software life-cycle. The present publication was developed taking into account the large amount of available documentation, the rapid development of software systems and the need for updated guidance on h ow to do it . It provides information and guidance for defining and implementing quality assurance programmes covering the entire life-cycle of software important to safety. Expected users are managers, performers and assessors from nuclear utilities, regulatory bodies, suppliers and technical support organizations involved with the development and use of software applied in nuclear power plants

Health Monitor for Multitasking, Safety-Critical, Real-Time Software

Science.gov (United States)

Zoerner, Roger

2011-01-01

Health Manager can detect Bad Health prior to a failure occurring by periodically monitoring the application software by looking for code corruption errors, and sanity-checking each critical data value prior to use. A processor s memory can fail and corrupt the software, or the software can accidentally write to the wrong address and overwrite the executing software. This innovation will continuously calculate a checksum of the software load to detect corrupted code. This will allow a system to detect a failure before it happens. This innovation monitors each software task (thread) so that if any task reports "bad health," or does not report to the Health Manager, the system is declared bad. The Health Manager reports overall system health to the outside world by outputting a square wave signal. If the square wave stops, this indicates that system health is bad or hung and cannot report. Either way, "bad health" can be detected, whether caused by an error, corrupted data, or a hung processor. A separate Health Monitor Task is started and run periodically in a loop that starts and stops pending on a semaphore. Each monitored task registers with the Health Manager, which maintains a count for the task. The registering task must indicate if it will run more or less often than the Health Manager. If the task runs more often than the Health Manager, the monitored task calls a health function that increments the count and verifies it did not go over max-count. When the periodic Health Manager runs, it verifies that the count did not go over the max-count and zeroes it. If the task runs less often than the Health Manager, the periodic Health Manager will increment the count. The monitored task zeroes the count, and both the Health Manager and monitored task verify that the count did not go over the max-count.

Jefferson Lab IEC 61508/61511 Safety PLC Based Safety System

International Nuclear Information System (INIS)

Mahoney, Kelly; Robertson, Henry

2009-01-01

This paper describes the design of the new 12 GeV Upgrade Personnel Safety System (PSS) at the Thomas Jefferson National Accelerator Facility (TJNAF). The new PSS design is based on the implementation of systems designed to meet international standards IEC61508 and IEC 61511 for programmable safety systems. In order to meet the IEC standards, TJNAF engineers evaluated several SIL 3 Safety PLCs before deciding on an optimal architecture. In addition to hardware considerations, software quality standards and practices must also be considered. Finally, we will discuss R and D that may lead to both high safety reliability and high machine availability that may be applicable to future accelerators such as the ILC.

Software Design Improvements. Part 2; Software Quality and the Design and Inspection Process

Science.gov (United States)

Lalli, Vincent R.; Packard, Michael H.; Ziemianski, Tom

1997-01-01

The application of assurance engineering techniques improves the duration of failure-free performance of software. The totality of features and characteristics of a software product are what determine its ability to satisfy customer needs. Software in safety-critical systems is very important to NASA. We follow the System Safety Working Groups definition for system safety software as: 'The optimization of system safety in the design, development, use and maintenance of software and its integration with safety-critical systems in an operational environment. 'If it is not safe, say so' has become our motto. This paper goes over methods that have been used by NASA to make software design improvements by focusing on software quality and the design and inspection process.

Secure Software Configuration Management Processes for nuclear safety software development environment

International Nuclear Information System (INIS)

Chou, I.-Hsin

2011-01-01

Highlights: → The proposed method emphasizes platform-independent security processes. → A hybrid process based on the nuclear SCM and security regulations is proposed. → Detailed descriptions and Process Flow Diagram are useful for software developers. - Abstract: The main difference between nuclear and generic software is that the risk factor is infinitely greater in nuclear software - if there is a malfunction in the safety system, it can result in significant economic loss, physical damage or threat to human life. However, secure software development environment have often been ignored in the nuclear industry. In response to the terrorist attacks on September 11, 2001, the US Nuclear Regulatory Commission (USNRC) revised the Regulatory Guide (RG 1.152-2006) 'Criteria for use of computers in safety systems of nuclear power plants' to provide specific security guidance throughout the software development life cycle. Software Configuration Management (SCM) is an essential discipline in the software development environment. SCM involves identifying configuration items, controlling changes to those items, and maintaining integrity and traceability of them. For securing the nuclear safety software, this paper proposes a Secure SCM Processes (S 2 CMP) which infuses regulatory security requirements into proposed SCM processes. Furthermore, a Process Flow Diagram (PFD) is adopted to describe S 2 CMP, which is intended to enhance the communication between regulators and developers.

An intelligent and integrated V and V environment design for NPP I and C software systems

International Nuclear Information System (INIS)

Koo, Seo Ryong; Son Han Seong; Seong, Poong Hyun

2001-01-01

Nuclear Power Plant (NPP) is the safety critical system. Since, nuclear instrumentation and control (I and C) systems including the plant protection system play the brain part of human, nuclear I and C systems have an influence on safety and operation of NPP. Essentially, software V and V should be performed for the safety critical systems based on software. It is very important in the technical aspect because of the problems concerning license acquisitions. In this work, an intelligent and integrated V and V environment supporting the automation of V and V was designed. The intelligent and integrated V and V environment consists of the intelligent controller part, components part, interface part, and GUI part. These parts were integrated systematically, while taking their own independent functions

Data systems and computer science: Software Engineering Program

Science.gov (United States)

Zygielbaum, Arthur I.

1991-01-01

An external review of the Integrated Technology Plan for the Civil Space Program is presented. This review is specifically concerned with the Software Engineering Program. The goals of the Software Engineering Program are as follows: (1) improve NASA's ability to manage development, operation, and maintenance of complex software systems; (2) decrease NASA's cost and risk in engineering complex software systems; and (3) provide technology to assure safety and reliability of software in mission critical applications.

Licensing of safety critical software for nuclear reactors. Common position of seven European nuclear regulators and authorised technical support organisations

International Nuclear Information System (INIS)

2010-01-01

of guidelines; - as a reference in safety cases and demonstrations of safety of software based systems; - as guidance for system design specifications by manufacturers and major I and C suppliers on the international market. From the outset, attention focused on computer based systems used in nuclear power plants for the implementation of safety functions (i.e. the functions of the highest safety criticality level); namely, those systems classified by the International Atomic Energy Agency as 'safety systems'. The recommendations of this report therefore mainly address 'safety systems'; 'safety related systems' are addressed in certain common positions and recommendations only where explicitly mentioned. The common positions are intended to convey the unanimous views of the Task Force members on the guidance that the licensees need to follow as part of an adequate safety demonstration. Throughout the document these common positions are expressed with the auxiliary verb 'shall'. The use of this verb for common positions is intended to convey the unanimous desire felt by the Task Force members for the licensees to satisfy the requirements expressed in the clause. The common positions are a common set of requirements and practices considered necessary by the member states represented in the task force. There was no systematic attempt, however, at guaranteeing that for each issue area these sets are complete or sufficient. It is also recognised that - in certain cases - other possible practices cannot be excluded, but the members felt that such alternatives will be difficult to justify. Recommended practices are supported by most, but may not be systematically implemented by all of the members states represented in the task force. Recommended practices are expressed with the auxiliary verb 'should'. In order to avoid the guidance being merely reduced to a lowest common denominator of safety (inferior levelling), the task force - in addition to commonly accepted practices

Licensing of safety critical software for nuclear reactors. Common position of seven European nuclear regulators and authorised technical support organisations

Energy Technology Data Exchange (ETDEWEB)

2010-07-01

policies and in revisions of guidelines; - as a reference in safety cases and demonstrations of safety of software based systems; - as guidance for system design specifications by manufacturers and major I and C suppliers on the international market. From the outset, attention focused on computer based systems used in nuclear power plants for the implementation of safety functions (i.e. the functions of the highest safety criticality level); namely, those systems classified by the International Atomic Energy Agency as 'safety systems'. The recommendations of this report therefore mainly address 'safety systems'; 'safety related systems' are addressed in certain common positions and recommendations only where explicitly mentioned. The common positions are intended to convey the unanimous views of the Task Force members on the guidance that the licensees need to follow as part of an adequate safety demonstration. Throughout the document these common positions are expressed with the auxiliary verb 'shall'. The use of this verb for common positions is intended to convey the unanimous desire felt by the Task Force members for the licensees to satisfy the requirements expressed in the clause. The common positions are a common set of requirements and practices considered necessary by the member states represented in the task force. There was no systematic attempt, however, at guaranteeing that for each issue area these sets are complete or sufficient. It is also recognised that - in certain cases - other possible practices cannot be excluded, but the members felt that such alternatives will be difficult to justify. Recommended practices are supported by most, but may not be systematically implemented by all of the members states represented in the task force. Recommended practices are expressed with the auxiliary verb 'should'. In order to avoid the guidance being merely reduced to a lowest common denominator of safety (inferior

The Need for V&V in Reuse-Based Software Engineering

Science.gov (United States)

Addy, Edward A.

1997-01-01

V&V is currently performed during application development for many systems, especially safety-critical and mission-critical systems. The V&V process is intended to discover errors, especially errors related to entire' domain or product line rather than a critical processing, as early as possible during the development process. The system application provides the context under which the software artifacts are validated. engineering. This paper describes a framework that extends V&V from an individual application system to a product line of systems that are developed within an architecture-based software engineering environment. This framework includes the activities of traditional application-level V&V, and extends these activities into the transition between domain engineering and application engineering. The framework includes descriptions of the types of activities to be performed during each of the life-cycle phases, and provides motivation for activities.

Model-based safety architecture framework for complex systems

NARCIS (Netherlands)

Schuitemaker, Katja; Rajabali Nejad, Mohammadreza; Braakhuis, J.G.; Podofillini, Luca; Sudret, Bruno; Stojadinovic, Bozidar; Zio, Enrico; Kröger, Wolfgang

2015-01-01

The shift to transparency and rising need of the general public for safety, together with the increasing complexity and interdisciplinarity of modern safety-critical Systems of Systems (SoS) have resulted in a Model-Based Safety Architecture Framework (MBSAF) for capturing and sharing architectural

Product-based Safety Certification for Medical Devices Embedded Software.

Science.gov (United States)

Neto, José Augusto; Figueiredo Damásio, Jemerson; Monthaler, Paul; Morais, Misael

2015-01-01

Worldwide medical device embedded software certification practices are currently focused on manufacturing best practices. In Brazil, the national regulatory agency does not hold a local certification process for software-intensive medical devices and admits international certification (e.g. FDA and CE) from local and international industry to operate in the Brazilian health care market. We present here a product-based certification process as a candidate process to support the Brazilian regulatory agency ANVISA in medical device software regulation. Center of Strategic Technology for Healthcare (NUTES) medical device embedded software certification is based on a solid safety quality model and has been tested with reasonable success against the Class I risk device Generic Infusion Pump (GIP).

Reactor protection system software test-case selection based on input-profile considering concurrent events and uncertainties

International Nuclear Information System (INIS)

Khalaquzzaman, M.; Lee, Seung Jun; Cho, Jaehyun; Jung, Wondea

2016-01-01

Recently, the input-profile-based testing for safety critical software has been proposed for determining the number of test cases and quantifying the failure probability of the software. Input-profile of a reactor protection system (RPS) software is the input which causes activation of the system for emergency shutdown of a reactor. This paper presents a method to determine the input-profile of a RPS software which considers concurrent events/transients. A deviation of a process parameter value begins through an event and increases owing to the concurrent multi-events depending on the correlation of process parameters and severity of incidents. A case of reactor trip caused by feedwater loss and main steam line break is simulated and analyzed to determine the RPS software input-profile and estimate the number of test cases. The different sizes of the main steam line breaks (e.g., small, medium, large break) with total loss of feedwater supply are considered in constructing the input-profile. The uncertainties of the simulation related to the input-profile-based software testing are also included. Our study is expected to provide an option to determine test cases and quantification of RPS software failure probability. (author)

77 FR 50724 - Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of...

Science.gov (United States)

2012-08-22

... review of applications for permits and licenses. The DG entitled ``Developing Software Life Cycle... NUCLEAR REGULATORY COMMISSION [NRC-2012-0195] Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants AGENCY: Nuclear Regulatory Commission...

The Role and Quality of Software Safety in the NASA Constellation Program

Science.gov (United States)

Layman, Lucas; Basili, Victor R.; Zelkowitz, Marvin V.

2010-01-01

In this study, we examine software safety risk in the early design phase of the NASA Constellation spaceflight program. Obtaining an accurate, program-wide picture of software safety risk is difficult across multiple, independently-developing systems. We leverage one source of safety information, hazard analysis, to provide NASA quality assurance managers with information regarding the ongoing state of software safety across the program. The goal of this research is two-fold: 1) to quantify the relative importance of software with respect to system safety; and 2) to quantify the level of risk presented by software in the hazard analysis. We examined 154 hazard reports created during the preliminary design phase of three major flight hardware systems within the Constellation program. To quantify the importance of software, we collected metrics based on the number of software-related causes and controls of hazardous conditions. To quantify the level of risk presented by software, we created a metric scheme to measure the specificity of these software causes. We found that from 49-70% of hazardous conditions in the three systems could be caused by software or software was involved in the prevention of the hazardous condition. We also found that 12-17% of the 2013 hazard causes involved software, and that 23-29% of all causes had a software control. Furthermore, 10-12% of all controls were software-based. There is potential for inaccuracy in these counts, however, as software causes are not consistently scoped, and the presence of software in a cause or control is not always clear. The application of our software specificity metrics also identified risks in the hazard reporting process. In particular, we found a number of traceability risks in the hazard reports may impede verification of software and system safety.

A study on a quantitative V and V for safety-critical software

International Nuclear Information System (INIS)

Eom, Heung Seop; Son, Han Seong; Kang, Hyun Gook; Chang, Seung Cheol

2004-01-01

Verification and Validation (V and V) plays important role in assessing the safety-critical software embedded in the digital systems for a Nuclear Power Plant. A conventional V and V usually adopts a checklist method and its answers are mostly qualitative. There are some limitations to this conventional V and V method. First, the difficulties in using the checklist method are: Even for an acceptable software, some checklist questions will have negative answers. The checklist itself does not help to explain the reasons for drawing an overall positive conclusion in the presence of a few negative answers. The checklist does not help decide when enough issues have been examined to achieve a reasonable confidence in the software. The checklist method does not support a consideration of different kinds of information, such as software engineering measures. Second, a difficulty comes from the qualitative form of the answers in the checklist method, which is: It is usually hard to know when sufficient evidence has been collected. Finally a difficulty comes from a human expert's way of combining a great number of diverse evidence and inferring the conclusion, which is: Some of this evidence is qualitative and others are quantitative. Both are necessary to evaluate the quality of the software correctly. But, in general, the experts' way of combining the diverse evidence and performing an inference is usually informal and qualitative, which is hard to discuss and will eventually lead to a debate about the conclusion. Our overall goal is to develop a systematic method that can obtain quantitative information of the software quality from the works of V and V. To achieve this goal and to solve the above-mentioned problems in the current V and V method, we studied a method that can combine qualitative and quantitative evidence, and can infer a conclusion in a formal and a quantitative way by using the benefits of BBN

Identification of protective actions to reduce the vulnerability of safety-critical systems to malevolent acts: A sensitivity-based decision-making approach

International Nuclear Information System (INIS)

Wang, Tai-Ran; Pedroni, Nicola; Zio, Enrico

2016-01-01

A classification model based on the Majority Rule Sorting method has been previously proposed by the authors to evaluate the vulnerability of safety-critical systems (e.g., nuclear power plants) with respect to malevolent intentional acts. In this paper, we consider a classification model previously proposed by the authors based on the Majority Rule Sorting method to evaluate the vulnerability of safety-critical systems (e.g., nuclear power plants) with respect to malevolent intentional acts. The model is here used as the basis for solving an inverse classification problem aimed at determining a set of protective actions to reduce the level of vulnerability of the safety-critical system under consideration. To guide the choice of the set of protective actions, sensitivity indicators are originally introduced as measures of the variation in the vulnerability class that a safety-critical system is expected to undergo after the application of a given set of protective actions. These indicators form the basis of an algorithm to rank different combinations of actions according to their effectiveness in reducing the safety-critical systems vulnerability. Results obtained using these indicators are presented with regard to the application of: (i) one identified action at a time, (ii) all identified actions at the same time or (iii) a random combination of identified actions. The results are presented with reference to a fictitious example considering nuclear power plants as the safety-critical systems object of the analysis. - Highlights: • We use a hierarchical framework to represent the vulnerability. • We use an empirical classification model to evaluate vulnerability. • Sensitivity indicators are introduced to rank protective actions. • Constraints (e.g., budget limitations) are accounted for. • Method is applied to fictitious Nuclear Power Plants.

Automated tools for safety-critical software

International Nuclear Information System (INIS)

Lapassat, A.M.

1993-01-01

The regulatory (DSIN), the utilities (EDF, CEA..) and the CEA-Institute for Protection and Nuclear Safety (IPSN) work together at the French nuclear safety. This paper presents a tool, called CLAIRE, for simulation and tests of different nuclear safety system. (TEC)

Safety Characteristics in System Application Software for Human Rated Exploration

Science.gov (United States)

Mango, E. J.

2016-01-01

NASA and its industry and international partners are embarking on a bold and inspiring development effort to design and build an exploration class space system. The space system is made up of the Orion system, the Space Launch System (SLS) and the Ground Systems Development and Operations (GSDO) system. All are highly coupled together and dependent on each other for the combined safety of the space system. A key area of system safety focus needs to be in the ground and flight application software system (GFAS). In the development, certification and operations of GFAS, there are a series of safety characteristics that define the approach to ensure mission success. This paper will explore and examine the safety characteristics of the GFAS development.

Formal verification method for nuclear I and C systems using ESDT and SMV in the software design phase

International Nuclear Information System (INIS)

Song, Myung Jun; Koo, Seo Ryong; Seong, Poong Hyun

2004-01-01

As PLCs are widely used in the digital I and C systems of nuclear power plants (NPPs), the safety of PLC software has become the most important consideration. Software safety is an important property for safety critical systems, especially those in aerospace, satellite and nuclear power plants, whose failure could result in danger to human life, property or environment. It is recently becoming more important due to the increase in the complexity and size of safety critical systems. This research proposes a method to perform effective verification tasks on the traceability analysis and software design evaluation in the software design phase. In order to perform the traceability analysis between a Software Requirements Specification (SRS) written in a natural language and a Software Design Specification (SDS) written in Function Block Diagram (FBD), this method uses extended-structured decision tables (ESDTs). ESDTs include information related to the traceability analysis from a text-based SRS and a FBD-based SDS, respectively. Through comparing with both ESDTs from an SRS and ESDTs from an SDS, the effective traceability analysis of both a text-based SRS and a FBD-based SDS can be achieved. For the software design evaluation, a model checking, which is mainly used to verify PLC programs formally, is used in this research. A FBD-style design specification is translated into input languages of the SMV by translation rules and then the FBD-style design specification can be formally analyzed using SMV. (author)

A Systematic Analysis of Functional Safety Certification Practices in Industrial Robot Software Development

Directory of Open Access Journals (Sweden)

Tong Xie

2017-01-01

Full Text Available For decades, industry robotics have delivered on the promise of speed, efficiency and productivity. The last several years have seen a sharp resurgence in the orders of industrial robots in China, and the areas addressed within industrial robotics has extended into safety-critical domains. However, safety standards have not yet been implemented widely in academia and engineering applications, particularly in robot software development. This paper presents a systematic analysis of functional safety certification practices in software development for the safety-critical software of industrial robots, to identify the safety certification practices used for the development of industrial robots in China and how these practices comply with the safety standard requirements. Reviewing from Chinese academic papers, our research shows that safety standards are barely used in software development of industrial robot. The majority of the papers propose various solutions to achieve safety, but only about two thirds of the papers refer to non-standardized approaches that mainly address the systematic level rather than the software development level. In addition, our research shows that with the development of artificial intelligent, an emerging field is still on the quest for standardized and suitable approaches to develop safety-critical software.

Automated Freedom from Interference Analysis for Automotive Software

OpenAIRE

Leitner-Fischer , Florian; Leue , Stefan; Liu , Sirui

2016-01-01

International audience; Freedom from Interference for automotive software systems developed according to the ISO 26262 standard means that a fault in a less safety critical software component will not lead to a fault in a more safety critical component. It is an important concern in the realm of functional safety for automotive systems. We present an automated method for the analysis of concurrency-related interferences based on the QuantUM approach and tool that we have previously developed....

78 FR 47011 - Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

Science.gov (United States)

2013-08-02

... NUCLEAR REGULATORY COMMISSION [NRC-2012-0195] Software Unit Testing for Digital Computer Software... revised regulatory guide (RG), revision 1 of RG 1.171, ``Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants.'' This RG endorses American National Standards...

77 FR 50722 - Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

Science.gov (United States)

2012-08-22

... NUCLEAR REGULATORY COMMISSION [NRC-2012-0195] Software Unit Testing for Digital Computer Software...) is issuing for public comment draft regulatory guide (DG), DG-1208, ``Software Unit Testing for Digital Computer Software used in Safety Systems of Nuclear Power Plants.'' The DG-1208 is proposed...

Nuclear Criticality Safety Handbook, Version 2. English translation

International Nuclear Information System (INIS)

2001-08-01

The Nuclear Criticality Safety Handbook, Version 2 essentially includes the description of the Supplement Report to the Nuclear Criticality Safety Handbook, released in 1995, into the first version of the Nuclear Criticality Safety Handbook, published in 1988. The following two points are new: (1) exemplifying safety margins related to modeled dissolution and extraction processes, (2) describing evaluation methods and alarm system for criticality accidents. Revision has been made based on previous studies for the chapter that treats modeling the fuel system: e.g., the fuel grain size that the system can be regarded as homogeneous, non-uniformity effect of fuel solution, an burnup credit. This revision has solved the inconsistencies found in the first version between the evaluation of errors found in JACS code system and the criticality condition data that were calculated based on the evaluation. This report is an English translation of the Nuclear Criticality Safety Handbook, Version 2, originally published in Japanese as JAERI 1340 in 1999. (author)

Infusing Reliability Techniques into Software Safety Analysis

Science.gov (United States)

Shi, Ying

2015-01-01

Software safety analysis for a large software intensive system is always a challenge. Software safety practitioners need to ensure that software related hazards are completely identified, controlled, and tracked. This paper discusses in detail how to incorporate the traditional reliability techniques into the entire software safety analysis process. In addition, this paper addresses how information can be effectively shared between the various practitioners involved in the software safety analyses. The author has successfully applied the approach to several aerospace applications. Examples are provided to illustrate the key steps of the proposed approach.

Licensing of safety critical software for nuclear reactors. Common position of seven European nuclear regulators and authorised technical support organisations

International Nuclear Information System (INIS)

2007-01-01

The major result of the work is the identification of consensus and common technical positions on a set of important licensing issues raised by the design and operation of computer-based systems used in Nuclear Power Plants for safety functions. The purpose is to introduce greater consistency and more mutual acceptance into current practices. To achieve these common positions, detailed consideration was paid to the licensing approaches followed in the different countries represented by the experts of the task force. The report is intended to be useful: - to coordinate regulators' and safety experts' technical viewpoints in the design of regulators' national policies and in revisions of guidelines; - as a reference in safety cases and demonstrations of safety of software based systems; - as guidance for system design specifications by manufacturers and major I and C suppliers on the international market. The task force decided at an early stage to focus attention on computer based systems used in Nuclear Power Plants for the implementation of safety functions; namely, those systems classified by the IAEA as 'Safety Systems'. Therefore, recommendations of this report - except those of chapter 1.11 - primarily address 'safety systems' and not 'safety related systems'. It was felt that the most difficult aspects of the licensing of digital programmable systems are rooted in the specific properties of the technology. The objective was therefore to delineate practical and technical licensing guidance, rather than discussing or proposing basic principles or requirements. The design requirements and the basic principles of nuclear safety in force in each member state are assumed to remain applicable. This report represents the consensus view achieved by the experts who contributed to the task force. It is the result of what was at the time of its initiation a first attempt at the international level to achieve consensus among nuclear regulators on practical methods for

SCALE criticality safety verification and validation package

International Nuclear Information System (INIS)

Bowman, S.M.; Emmett, M.B.; Jordan, W.C.

1998-01-01

Verification and validation (V and V) are essential elements of software quality assurance (QA) for computer codes that are used for performing scientific calculations. V and V provides a means to ensure the reliability and accuracy of such software. As part of the SCALE QA and V and V plans, a general V and V package for the SCALE criticality safety codes has been assembled, tested and documented. The SCALE criticality safety V and V package is being made available to SCALE users through the Radiation Safety Information Computational Center (RSICC) to assist them in performing adequate V and V for their SCALE applications

Defense-in-depth for common cause failure of nuclear power plant safety system software

International Nuclear Information System (INIS)

Tian Lu

2012-01-01

This paper briefly describes the development of digital I and C system in nuclear power plant, and analyses the viewpoints of NRC and other nuclear safety authorities on Software Common Cause Failure (SWCCF). In view of the SWCCF issue introduced by the digitized platform adopted in nuclear power plant safety system, this paper illustrated a diversified defence strategy for computer software and hardware. A diversified defence-in-depth solution is provided for digital safety system of nuclear power plant. Meanwhile, analysis on problems may be faced during application of nuclear safety license are analyzed, and direction of future nuclear safety I and C system development are put forward. (author)

Obtaining Valid Safety Data for Software Safety Measurement and Process Improvement

Science.gov (United States)

Basili, Victor r.; Zelkowitz, Marvin V.; Layman, Lucas; Dangle, Kathleen; Diep, Madeline

2010-01-01

We report on a preliminary case study to examine software safety risk in the early design phase of the NASA Constellation spaceflight program. Our goal is to provide NASA quality assurance managers with information regarding the ongoing state of software safety across the program. We examined 154 hazard reports created during the preliminary design phase of three major flight hardware systems within the Constellation program. Our purpose was two-fold: 1) to quantify the relative importance of software with respect to system safety; and 2) to identify potential risks due to incorrect application of the safety process, deficiencies in the safety process, or the lack of a defined process. One early outcome of this work was to show that there are structural deficiencies in collecting valid safety data that make software safety different from hardware safety. In our conclusions we present some of these deficiencies.

Method and practice on safety software verification and validation for digital reactor protection system

International Nuclear Information System (INIS)

Li Duo; Zhang Liangju; Feng Junting

2010-01-01

The key issue arising from digitalization of reactor protection system for Nuclear Power Plant (NPP) is in essence, how to carry out Verification and Validation (V and V), to demonstrate and confirm the software is reliable enough to perform reactor safety functions. Among others the most important activity of software V and V process is unit testing. This paper discusses the basic concepts on safety software V and V and the appropriate technique for software unit testing, focusing on such aspects as how to ensure test completeness, how to establish test platform, how to develop test cases and how to carry out unit testing. The technique discussed herein was successfully used in the work of unit testing on safety software of a digital reactor protection system. (author)

Microbiological performance of Hazard Analysis Critical Control Point (HACCP)-based food safety management systems: A case of Nile perch processing company

NARCIS (Netherlands)

Kussaga, J.B.; Luning, P.A.; Tiisekwa, B.P.M.; Jacxsens, L.

2017-01-01

This study aimed at giving insight into microbiological safety output of a Hazard Analysis Critical Control Point (HACCP)-based Food Safety Management System (FSMS) of a Nile perch exporting company by using a combined assessment, This study aimed at giving insight into microbiological safety output

Technique for unit testing of safety software verification and validation

International Nuclear Information System (INIS)

Li Duo; Zhang Liangju; Feng Junting

2008-01-01

The key issue arising from digitalization of the reactor protection system for nuclear power plant is how to carry out verification and validation (V and V), to demonstrate and confirm the software that performs reactor safety functions is safe and reliable. One of the most important processes for software V and V is unit testing, which verifies and validates the software coding based on concept design for consistency, correctness and completeness during software development. The paper shows a preliminary study on the technique for unit testing of safety software V and V, focusing on such aspects as how to confirm test completeness, how to establish test platform, how to develop test cases and how to carry out unit testing. The technique discussed here was successfully used in the work of unit testing on safety software of a digital reactor protection system. (authors)

Experience with performance based training of nuclear criticality safety engineers

International Nuclear Information System (INIS)

Taylor, R.G.

1993-01-01

For non-reactor nuclear facilities, the U.S. Department of Energy (DOE) does not require that nuclear criticality safety engineers demonstrate qualification for their job. It is likely, however, that more formalism will be required in the future. Current DOE requirements for those positions which do have to demonstrate qualification indicate that qualification should be achieved by using a systematic approach such as performance based training (PBT). Assuming that PBT would be an acceptable mechanism for nuclear criticality safety engineer training in a more formal environment, a site-specific analysis of the nuclear criticality safety engineer job was performed. Based on this analysis, classes are being developed and delivered to a target audience of newer nuclear criticality safety engineers. Because current interest is in developing training for selected aspects of the nuclear criticality safety engineer job, the analysis is incompletely developed in some areas

Model extension and improvement for simulator-based software safety analysis

Energy Technology Data Exchange (ETDEWEB)

Huang, H.-W. [Department of Engineering and System Science, National Tsing Hua University (NTHU), 101 Section 2 Kuang Fu Road, Hsinchu, Taiwan (China) and Institute of Nuclear Energy Research (INER), No. 1000 Wenhua Road, Chiaan Village, Longtan Township, Taoyuan County 32546, Taiwan (China)]. E-mail: hwhwang@iner.gov.tw; Shih Chunkuan [Department of Engineering and System Science, National Tsing Hua University (NTHU), 101 Section 2 Kuang Fu Road, Hsinchu, Taiwan (China); Yih Swu [Department of Computer Science and Information Engineering, Ching Yun University, 229 Chien-Hsin Road, Jung-Li, Taoyuan County 320, Taiwan (China); Chen, M.-H. [Institute of Nuclear Energy Research (INER), No. 1000Wenhua Road, Chiaan Village, Longtan Township, Taoyuan County 32546, Taiwan (China); Lin, J.-M. [Taiwan Power Company (TPC), 242 Roosevelt Road, Section 3, Taipei 100, Taiwan (China)

2007-05-15

One of the major concerns when employing digital I and C system in nuclear power plant is digital system may introduce new failure mode, which differs with previous analog I and C system. Various techniques are under developing to analyze the hazard originated from software faults in digital systems. Preliminary hazard analysis, failure modes and effects analysis, and fault tree analysis are the most extensive used techniques. However, these techniques are static analysis methods, cannot perform dynamic analysis and the interactions among systems. This research utilizes 'simulator/plant model testing' technique classified in (IEEE Std 7-4.3.2-2003, 2003. IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations) to identify hazards which might be induced by nuclear I and C software defects. The recirculation flow system, control rod system, feedwater system, steam line model, dynamic power-core flow map, and related control systems of PCTran-ABWR model were successfully extended and improved. The benchmark against ABWR SAR proves this modified model is capable to accomplish dynamic system level software safety analysis and better than the static methods. This improved plant simulation can then further be applied to hazard analysis for operator/digital I and C interface interaction failure study, and the hardware-in-the-loop fault injection study.

Software Safety and Security

CERN Document Server

Nipkow, T; Hauptmann, B

2012-01-01

Recent decades have seen major advances in methods and tools for checking the safety and security of software systems. Automatic tools can now detect security flaws not only in programs of the order of a million lines of code, but also in high-level protocol descriptions. There has also been something of a breakthrough in the area of operating system verification. This book presents the lectures from the NATO Advanced Study Institute on Tools for Analysis and Verification of Software Safety and Security; a summer school held at Bayrischzell, Germany, in 2011. This Advanced Study Institute was

MDEP Generic Common Position No DICWG-01. Common position on the treatment of common cause failure caused by software within digital safety systems

International Nuclear Information System (INIS)

2013-01-01

Common cause failures (CCF)2 have been a significant safety concern for nuclear power plant systems. The increasing dependence on software-in safety systems for nuclear power plants has increased the safety significance of CCF caused by software, when software in redundant channels or portions of safety systems has some common dependency. For example, the effect of systematic failures can lead to a loss of safety in many ways: unwanted actuations, a safety function is not provided when needed. Therefore, nuclear power plants should be systematically protected from the effects of common cause failures caused by software in DI and C safety systems. Software for nuclear power plant safety systems should be of the high quality necessary to help assure against the loss of safety (i.e. developed with high-quality engineering practices, commensurate quality assurance applied, with continuous improvement through corrective actions based on lessons learned from operating experience). However, demonstrating adequate software quality only through verification and validation activities and controls on the development process has proved to be problematic. Therefore, this common position provides guidance for the assessment of the potential for CCF for software. It is recognized that programmable logic devices do not execute software in the conventional sense; however, the application development process using these devices have many similarities with software development, and the deficiencies that may be introduced during the application development process may induce errors in the programmable logic devices that can result in common cause failures of these devices of a type similar to software common cause failure. Although deficiencies with the potential to give rise to software common cause failures can be introduced at all phases of the software life cycle, this common position will only consider the potential for software common cause failures within digital safety system

Using Combined SFTA and SFMECA Techniques for Space Critical Software

Science.gov (United States)

Nicodemos, F. G.; Lahoz, C. H. N.; Abdala, M. A. D.; Saotome, O.

2012-01-01

This work addresses the combined Software Fault Tree Analysis (SFTA) and Software Failure Modes, Effects and Criticality Analysis (SFMECA) techniques applied to space critical software of satellite launch vehicles. The combined approach is under research as part of the Verification and Validation (V&V) efforts to increase software dependability and as future application in other projects under development at Instituto de Aeronáutica e Espaço (IAE). The applicability of such approach was conducted on system software specification and applied to a case study based on the Brazilian Satellite Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software requirements.

V & V Within Reuse-Based Software Engineering

Science.gov (United States)

Addy, Edward A.

1996-01-01

Verification and validation (V&V) is used to increase the level of assurance of critical software, particularly that of safety-critical and mission critical software. This paper describes the working group's success in identifying V&V tasks that could be performed in the domain engineering and transition levels of reuse-based software engineering. The primary motivation for V&V at the domain level is to provide assurance that the domain requirements are correct and that the domain artifacts correctly implement the domain requirements. A secondary motivation is the possible elimination of redundant V&V activities at the application level. The group also considered the criteria and motivation for performing V&V in domain engineering.

Modeling interaction in the safety-critical embedded system using hybrid modeling language

International Nuclear Information System (INIS)

Lee, Na Young; Choi, Jin Young; Kim, Jin Hyun; Bang, Ki Seok; Lee, Jang Soo

2004-01-01

To adapt the advanced digital technologies in the Instrumentation and Control (I and C) system of Nuclear Power Plants (NPPs), the more rigorous certification process including a formal verification is required to apply the advanced digital technologies in the NPPs. In this work, we concentrated on development procedure of Real Time Operating System (RTOS) software for use in one of the safety critical systems, Plant Protection System (PPS). Statecharts is used during development process to specify and simulate the model RTOS model. Model certifier is used to verify properties, such as Schedulability, priority inversion. Since the RTOS cannot operate by itself, we assume set of tasks to check properties. Based on the assumption, two sets of tasks are implemented in this work. We executed simulation to check whether it shows correct behavior as we designed. Important properties are verified using Model certifier. For the RTOS, however, timing properties should be checked, and Statecharts has limitation since it does not support time in it, therefore, time is considered as discrete tick. So we chose timed automata based tool, UPPAAL to verify timing properties. Model was simplified and modified. But timing constraints can be more realistic. When properties are not satisfied we can modify scheduler based on timing records during simulation. (author)

Safety-Critical Partitioned Software Architecture: A Partitioned Software Architecture for Robotic

Science.gov (United States)

Horvath, Greg; Chung, Seung H.; Cilloniz-Bicchi, Ferner

2011-01-01

The flight software on virtually every mission currently managed by JPL has several major flaws that make it vulnerable to potentially fatal software defects. Many of these problems can be addressed by recently developed partitioned operating systems (OS). JPL has avoided adopting a partitioned operating system on its flight missions, primarily because doing so would require significant changes in flight software design, and the risks associated with changes of that magnitude cannot be accepted by an active flight project. The choice of a partitioned OS can have a dramatic effect on the overall system and software architecture, allowing for realization of benefits far beyond the concerns typically associated with the choice of OS. Specifically, we believe that a partitioned operating system, when coupled with an appropriate architecture, can provide a strong infrastructure for developing systems for which reusability, modifiability, testability, and reliability are essential qualities. By adopting a partitioned OS, projects can gain benefits throughout the entire development lifecycle, from requirements and design, all the way to implementation, testing, and operations.

Experience with performance based training of nuclear criticality safety engineers