13 Embedded Nuclear Safety-Critical Systems

7/25/2019 13 Embedded Nuclear Safety-Critical Systems

1/69

Budapest University of Technology and Economics

Department of Measurement and Information Systems

Embedded Safety-Critical Systems in

Nuclear Power Plants

Brief Comparison of IEC 61508 and the

Design of Systems Important to Safety


2/69

Nuclear Power Generation

Introduction to Nuclear Energy and Nuclear Power Plants


3/69

Nuclear Power Is it even necessary?

Fossil fuel power plantso burn carbon fuels such coal, oil or gas to generate steam driving large

turbines that produce electricity

o non-renewable fuel: oil depletes soon, gas next, carbon later

o they produce large amounts carbon dioxide, which causes climate change

o they increase background radiation

Large hydro power plantso water from the dams flows through turbines to generate electricityo no greenhouse gas emissions

o impact on the ecology around the dam

o the number of sites suitable for new dams is limited

Other renewables

o wind, solar and small scale hydro produce electricity with no greenhouse gasemissions

o higher cost than other forms of generation, often requiring subsidies

o they do not produce electricity predictably or consistently

o they have to be backed up by other forms of electricity generation


4/69

The Two Types of Nuclear Energy Production

4

Fission

Energy yield from

nuclear fission

Fusion

Energy yield from

nuclear fusion


5/69

Comparison of Fission and Fusion

Fission Fusion

Mechanism splitting of a large atom into two

or more smaller ones

fusing of two or more lighter atoms

into a larger one

Conditions criticality (prompt subcriticality),

moderator, and coolant

high density, high temperature

(plasma), precise control

Energy produced much greater than conventional 3 or 4 times greater than fission

Byproducts highly radioactive isotopes, long

decay time, large residual heat

some helium and tritium (short half-

life, very low decay energy)

Nuclear waste byproducts, structural materials structural materials (lower half-life)

Fuel 235U (0.72%), 232Th, possibly 238U 2H (deuterium) and 3H (tritium)

Advantages no greenhouse emissions,

economical, highly concentrated

fuel, intrinsically safe

no greenhouse emissions, very low

amount of waste, abundant fuel,

intrinsically safe, low risk

Disadvantages high risk, radioactive waste commercial application is far away

5


6/69

Controllability of Nuclear Fission

Effective neutron multiplication factor (k) is theaverage number of neutrons from one fission to

cause another fissiono k < 1 (subcriticality): the system cannot sustain a chain

reaction

o k = 1 (criticality): every fission causes an average ofone more fission, leading to a constant fission (and

power) levelo k > 1 (supercriticality): the number of fission reactions

increases exponentially

Delayed neutronsare created by the radioactivedecay of some of the fission fragments

o The fraction of delayed neutrons is called o Typically less than 1% of all the neutrons

in the chain reaction are delayed

1 k < 1/(1-) is the delayed criticality region,where all nuclear power reactors operate

6


7/69

Inherent Safety of Nuclear Power Plants

Reactivityis an expression of the departure from criticality:

= (k - 1)/ko when the reactor is critical, = 0

o when the reactor is subcritical, < 0

The temperature coefficient (of reactivity) is a measure of

the change in reactivity (resulting in a change in power) bya change in temperature of the reactor components or thereactor coolant

The void coefficient (of reactivity) is a measure of thechange in reactivity as voids (typically steam bubbles) formin the reactor moderator or coolant

Most existing nuclear reactors have negative temperatureand void coefficients in all states of operation

7


8/69

(A Few) Types of Nuclear Reactors

NuclearReactors

ThermalReactors

Graphite-

moderatedreactors

Gas-cooledreactors

Water-cooledreactors

RBMK

Water-moderated

reactors

Heavy-water

reactors

CANDU

Light-water-reactors

BWR

PWRLight-element-

moderatedreactors

FastNeutronReactors

Generation IVreactors

8


9/69

Nuclear Reactor History and Generations

Generation II: class of commercial reactors built up to the end of the 1990s

Generation III: development of Gen. II designs, improved fuel technology, superiorthermal efficiency, passive safety systems, and standardized design

Generation IV: nuclear reactor designs currently being researched, not expected tobe available for commercial construction before 2030

9


10/69

Gen. II Water Moderated Reactor Types

Pressurized Water Reactor (PWR)

Cooled and moderated by high-pressure liquid water,primary and secondary loops

Boiling Water Reactor (BWR)

Higher thermal efficiency, simpler design (single loop),

potentially more stable and safe (?)

Pressurized Heavy Water Reactor (PHWR)

Heavy-water-cooled and -moderated pressurized-

water reactors, fuel in tubes, efficient but expensive

High Power Channel Reactor (RBMK)

Water cooled with a graphite moderator, fuel in tubes,cheap, large and powerful reactor but unstable

10


11/69

Common Light Water Moderated Reactors

11

P

ressurizedW

R

BoilingWR


12/69

Overview of a PWR nuclear power plant

12

Primary circuit

Reactor vessel

Pressurizer

Secondary Circuit

Steam GeneratorControl Rods


13/69

Risk of Nuclear Installations

Using the Terms of the Functional Safety Concept


14/69

Functional Safety Concept: Risk

Risk based approach for determining the target

failure measureo Risk is a measure of the probabilityand consequence

of a specified hazardous event occurring

o There is no such thing as Zero Risk A safety-related system both

o implements the required safety functions necessary to

achievea safe state for the EUC or

to maintaina safe state for the EUC

o is intended to achieve the necessary safety integrity

for the required safety functions

14


15/69

Consequence: Effects of Ionizing Radiation

Natural radiation

o Internal radiation: 40K

o External radiation

Background radiation

TENORM

o artificially increased

background radiation

15

Hats

100%

Ksz b Dzis

0%

Kockzat

Dzis

m=5*10-2/S v

Deterministic effect Stochastic effect

Artificial radiation

o Medical diagnosis and

treatment

o Industrial radiation sources

o Nuclear tests

o Nuclear waste


16/69

The Risk Assessment Framework

The three main stages of Risk Assessment are:

1. Establish the tolerable risk criteria with respect to

the frequency (or probability) of the hazardous event

and its specific consequences

2. Assess the risks associated with theequipment under control

3. Determine the necessary risk reduction needed to

meet the risk acceptance criteria this will determine the Safety Integrity Level of the safety-

related systems and external risk reduction facilities

16


17/69

Example Risk Bands for Tolerability of Hazards

17

Remote Unlikely Possible Probable

Significant

Major

Catastr

ophic

Consequence

Frequency (per year)10-4 10-3 10

-210-1 1

Zone 3

Tolerable

Risk Region

Zone 1

UnacceptableRisk Region

Zone 2

TransitionalRisk Region


18/69

Tolerable Risk of Nuclear Installations

Design BasisAccidents

Beyond DesignBasis Accidents

SevereAccidents

AnticipatedOperational

Occurrences


Beyond DesignBasis Accidents

NormalOperation

AnticipatedOperational

Occurrences


19

Probability of occurrence (in decreasing order)

Severityofcons

equence

100 10-4


19/69

Operational States and Transients of NPPs

Normal Operational State

o

most probable, most frequent state Operational Transients aka.

Anticipated Operational Occurrences (AOO)

o highly probable operational occurrences, having a minor effect

o

good chance of multiple AOOs during operational life-time Design Basis Accidents

o improbable accidents, these are included in the Design Basis

Beyond Design Basis AccidentsSevere Accidents

o extremely improbable accidentso the Design Basis of most existing units does not include BDBAs

o this is changing, many former BDBAs became DBAs in the caseof Generation III and Generation IV nuclear units

20


20/69

Classification of Events & Operating Conditions

21


21/69

Definition of Safety

Central concepts: Hazard,risk and safety

Safety

Harm

Risk

Hazard

Functional

safety

Combination of the probabilityof occurrenceof harm and the

severityof that harmTolerable risk: Risk which is

accepted in a given context

(based on the values of society)

Residual risk: Risk remaining after

protective measures have been taken


22/69

Postulated Initiating Events

A postulated initiating event (PIE) is an identified

event that leads to an anticipated operationaloccurrence (AOO) or accident condition and itsconsequential failure effects.

o All safety analysis, deterministic or probabilistic, begins

with definition of a set of PIEs PIEs may be defined from various sources:

o Formal analytical techniques, such as

Failure modes and effects analysis (FMEA), or

Hazards and operability analysis (HAZOP)o PIE lists developed for other, similar plants

o Operating experience with other plants

o Engineering judgement

23


23/69

Classification of PIEs

According to origin:

Internal eventso are those PIEs that arise

due to failures of systems, structures, or components within theplant, or

due to internal human error, ando provide a challenge to internal safety systems.

External events

o are those PIEs that arise from

conditions external to the plant, such as natural phenomena or off-site human-caused events and

o provide a challenge to safety equipment and/or to plantintegrity.

24


24/69

The Design Basis

The design basis specifies the necessary

capabilities of the plant to cope with a specifiedrange of operational states and design basisaccidents within the defined radiologicalprotection requirements

The design basis includes

o the specification for normal operation,

o plant states created by the PIEs,

o the safety classification,o important assumptions and,

o in some cases, the particular methods of analysis.

25

d f f l


25/69

Identification of Internal Initiating Events

Proper operation depends on maintaining the correct

balance betweeno power production in the core

o transport of energy in the reactor cooling system (RCS)

o removal of energy from the RCS, and

o production of electrical energy

Thus, PIE categories may include:

o change in heat removal from the RCS

o change in coolant flow rate

o change in reactor coolant inventory, including pipe breaks

o reactivity and power distribution anomalies

o release of radioactive material from a component or system

26

d f f l


26/69

Identification of Internal Initiating Events

Consider failures (including partial failures or malfunctions)of safety systems and components, as well as non-safetysystems and components that impact safety function

Consider consequences of human error:

o Faulty maintenance

o Incorrect settings or calibrations

o Incorrect operator actions

Include fires, explosions, floods which could cause failure ofsafety equipment

Some events from outside the plant may be analyzed asinternal events because of the nature of their impact

o Loss of off-site power

o Loss of component cooling water

27

Id ifi i f l I i i i


27/69

Identification of External Initiating Events

External events can lead to an internal initiating event

and failure of safety systems that provide protection. Naturally occurring events:

o Earthquakes

o

Fireso Floods and other high water events

o Volcanic eruptions

o Extremes of temperature, rainfall, snowfall, wind velocity

Human-caused events:

o Aircraft crashes

o External fires, explosions, and hazardous material releases

28


28/69

Nuclear Accidents

The Three Most Prominent Accidents in the History ofNuclear Power Generation, and Lessons Learned

M i T f N l R A id


29/69

Main Types of Nuclear Reactor Accidents

Accident initiated by sudden reactivity increase (e.g.control rod ejection) that causes reactor runawayo RIAReactivity Initiated Accident

o the nuclear chain reaction becomes uncontrollable prompt supercritical reactor

Accident initiated by insufficient cooling (e.g. due toloss of coolant)o the efficiency of heat removal from the core drops

o the reactor core cooling is lost

that can cause damage to the fuel claddingo LOCALoss of Coolant Accident

o LOFALoss of Flow Accident

o LOHALoss of Heat Sink Accident

30

R ti it I iti t d A id t


30/69

Reactivity Initiated Accident

31

L f C l t A id t LB LOCA


31/69

Loss of Coolant AccidentLB LOCA

32

I t ti l N l E t S l (INES)


32/69

International Nuclear Event Scale (INES)

Level 7: Major accident

Level 6: Serious accident

Level 5: Accident with wider consequences

Level 4: Accident with local consequences

Level 3: Serious incident

Level 2: Incident

Level 1: Anomaly

Level 0: Deviation (No Safety Significance)

33

D t il d E l f th INES S l


33/69

Details and Examples of the INES Scale

INES Level

Level 7: Majoraccident

Level 6: Seriousaccident

Level 5: Accidentwith wider

consequences

People andEnvironment

Major release ofradioactive material

Widespread effects

Significant release ofradioactive material

Limited release ofradioactive material

Several deaths

Radiological

Barriers andControl

Severe reactor coredamage

Significant releasewithin installation

Example

Chernobyl accident(Soviet Union),26 April 1986

Fukushima accident

Kyshtym disaster atMayak

(Soviet Union),29 September 1957

Three Mile Islandaccident

(United States),28 March 1979

34

Th Mil I l d A id t


34/69

Three Mile Island Accident

In 1979 at Three Mile Island nuclear power plant in USA a cooling

malfunction caused part of the core to melt in the #2 reactor

o A relatively minor malfunction in the secondary cooling circuit caused the

temperature in the primary coolant to rise

o This in turn caused the reactor to shut down automatically

o A relief valve failed to close, but instrumentation did not reveal the fact

o So much of the primary coolant drained away that the residual decay heat in

the reactor core was not removed

o The core suffered severe damage as a result

o The operators were unable to diagnose or respond properly to the

unplanned automatic shutdown of the reactor

o Deficient control room instrumentation and inadequate emergency response

training proved to be root causes of the accident

Some radioactive gas was released a couple of days after the accident,

but not enough to cause any dose above background levels

There were no injuries or adverse health effects from the TMI accident

35

Th Mil I l d A id t


35/69

Three Mile Island Accident

36

Ch b l A id t


36/69

Chernobyl Accident

The Chernobyl accident in 1986 was the result of a flawed reactor design thatwas operated with inadequately trained personnelo

The crew wanted to perform a test to determine how long turbines would spin andsupply power to the main circulating pumps following a loss of main electrical powersupply

o A series of operator actions, including the disabling of automatic shutdownmechanisms, preceded the attempted test

o By the time that the operator moved to shut down the reactor, the reactor was in anextremely unstable condition

o A peculiarity of the design of the control rods caused a dramatic power surge as theywere inserted into the reactor

The RBMK reactor can possess a positive void coefficient

o The interaction of very hot fuel with the cooling water led to fuel fragmentation

o Intense steam generation then spread throughout the whole core causing a steamexplosion and releasing fission products to the atmosphere

o A second explosion threw out fragments from the fuel channels and hot graphite The resulting steam explosion and fires released at least 5% of the radioactive

reactor core into the atmosphere

Two Chernobyl plant workers died on the night of the accident, and a further 28people died within a few weeks as a result of acute radiation poisoning

37

Chernobyl Accident


37/69

Chernobyl Accident

38

Fukushima Accident


38/69

Fukushima Accident

Following a major earthquake, a 15-metre tsunami disabled the power supply

and cooling of three Fukushima Daiichi reactors, causing a nuclear accident on

11 March 2011o The reactors proved robust seismically, but vulnerable to the tsunami

o This disabled 12 of 13 back-up generators on site and also the heat exchangers for

dumping reactor waste heat and decay heat to the sea

o The three units lost the ability to maintain proper reactor cooling and water

circulation functions, all three cores largely melted in the first three days Rated 7 on the INES scale, due to high radioactive releases over days 4 to 6

After two weeks the three reactors (units 1-3) were stable with water addition

but no proper heat sink for removal of decay heat from fuel

By July they were being cooled with recycled water from the new treatment

plant, and official 'cold shutdown condition' was announced in mid-December Apart from cooling, the basic ongoing task was to prevent release of radioactive

materials, particularly in contaminated water leaked from the three units

There have been no deaths or cases of radiation sickness from the nuclear

accident, but over 100,000 people had to be evacuated from their homes

39

Fukushima Accident


39/69

Fukushima Accident

40

Safety Relative to Other Energy Sources


40/69

Safety Relative to Other Energy Sources

Fuel

Immediate fatalities

1970-92 Who?

Normalized to

1/TWy* electricity

Coal 6400 workers 342

Natural gas 1200 workers & public 85

Hydro 4000 public 883

Nuclear 31 workers 8

41

Comparison of accident statistics in primary energy production

(Electricity generation accounts for about 40% of total primary energy)

Deaths from energy-related accidents per unit of electricity


41/69

Safety of Nuclear Power Plants

Overview of the Basic Concepts of Nuclear Safety

Characteristics of Nuclear Power Plants


42/69

Characteristics of Nuclear Power Plants

They contain a large amount of radioactive

material Employees need to be protected from radiation

even in normal operation

The release of radioactive contaminants must beprevented even in accident conditions!

Plans must exist to handle the problems if

radioactive contaminants are still released Residual (decay) heat removal (heat from the

decay of fission products) is of high importance

43

Safety Goals of Nuclear Power Plants


43/69

Safety Goals of Nuclear Power Plants

Normal operational state: intrinsically safe

o environmentally safe: no release of contaminantso intrinsic safety: negative void coefficient

But

Potentially hazardouso possibility of severe consequences due to an incident

o design flaws and incompetence can lead to accidents

Aim: avoidance of accidentso design and build a safe nuclear power plant

o safe operation and maintenance of the NPP

44



44/69


Nuclear power plants and its safety systems and

technical equipment must be designed so that thesafety of the environment is guaranteed even if an

accident occurs

Modern nuclear power plants satisfy these criteria

Periodic safety audits are required to

o assess the effectiveness of the safety management system

o and identify opportunities for improvements

The licensing authority permits the startup, operation

or maintenance of a nuclear power plants only if the

guaranteed safety of the reactor is proven

45



45/69


Nuclear safety has three objectives:

1. to ensure that nuclear facilities operate normally andwithout an excessive riskof operating staff and the

environment being exposed to radiation from the

radioactive materials contained in the facility

2. to prevent incidents, and3. to limit the consequences of any incidents that might occur

Aim: to guarantee in every possible operational and

accident conditions (above a certain occurrence

frequency and consequence, i.e. risk) that the

radioactive material from the active zone be

contained in the reactor building

46

The Basic Principles of Nuclear Safety


46/69

The Basic Principles of Nuclear Safety

Nuclear safety uses two basic strategies to

prevent releases of radioactive materials:o the provision of leak tight safety barriers

o the concept of defense-in-depth

applies to both the design and the operation of the facility despite the fact that measures are taken to avoid accidents,

it is assumed that accidents may still occur

systems are therefore designed and installed

to combat them and to ensure that their consequences are limited to a level that is

acceptable for both the public and the environment

47

Five Layers of Safety Barriers in NPPs


47/69

Five Layers of Safety Barriers in NPPs

1st layer is the inert, ceramic

quality of the uranium oxide 2nd layer is the air tight

zirconium alloy of the fuel rod

3rd layer is the reactor

pressure vessel made of steel 4th layer is the pressure

resistant, air tight

containment building

5th layer is the reactor

building or a second outer

containment building

48

Pressure Resistant Air Tight Containment


48/69

Pressure Resistant, Air Tight Containment

49

Structure of the Paks NPP and Safety Barriers


49/69

Structure of the Paks NPP and Safety Barriers

50

Main Systems Shown in the Previous Figure


50/69

Main Systems Shown in the Previous Figure

1. Reactor vessel

2. Steam generator3. Refuelling machine

4. Cooling pond

5. Radiation shield6. Supplementary

feedwater system

7. Reactor

8. Localization tower

9. Bubbler trays

10. Deaerator

11. Aerator12. Turbine

13. Condenser

14. Turbine hall15. Degasser feedwater tank

16. Feedwater pre-heater

17. Turbine hall overhead

18. Control and instrument

room

51

Levels of Defence in Depth


51/69

Levels of Defence in Depth

Level 1: Mitigation of radiological consequences of significant releases of

radioactive materials

Level 2: Control of severe plant conditions, including prevention of

accident progression and mitigation of the consequences of severe

accidents

Level 3: Control of accidents within the design basis

Level 4: Control of abnormal operation and detection of failuresLevel 5: Prevention of abnormal operation and failures

Conservative design and high quality in construction and operation

Control, limiting and protection systems and other surveillance

featuresEngineered safety features and accident procedures

Complementary measures and accident management

Off-site emergency response

52

Design Limits Design Basis Accidents


52/69

Design Limits Design Basis Accidents

The design limits prescribe that for any DBA:

o the fuel cladding temperature must not exceed 1200Co the local fuel cladding oxidation must not exceed 18%

of the initial wall thickness

o

the mass of Zr converted into ZrO2must not exceed1% of the total mass of cladding

o the whole body dose to a member of the staff must

not exceed 50 mSv

o critical organ (i.e., thyroid) dose to a member of thestaff must not exceed 300 mSv

53

Safety Functions


53/69

Safety Functions

To ensure safety

o in operational stateso in and following a design basis accident, and

o (to the extent practicable) on the occurrence ofselected BDBAs

The following fundamental safety functions shallbe performed:

1. control of the reactivity

2. removal of heat from the core3. confinement of radioactive materials and control of

operational discharges, as well as limitation ofaccidental releases

55

Main Safety Systems in Nuclear Power Plants


54/69

Main Safety Systems in Nuclear Power Plants

Reactor Protection System (RPS)

o Control Rods

o

Safety Injection/Standby Liquid Control Emergency Core Cooling System

o High Pressure Coolant Injection System (HPCI)

o Depressurization System (ADS)

o Low Pressure Coolant Injection System (LPCI)

o Core spray and Containment Spray System

o Isolation Cooling System

Emergency Electrical Systems

o Diesel Generators

o Motor Generator Flywheels

o Batteries

Containment Systemso Fuel Cladding

o Reactor Vessel

o Primary and Secondary Containment

Ventilation and Radiation Protection

56

Emergency Core Cooling System


55/69

Emergency Core Cooling System

1. Reactor

2. Steam Generator

3. Main Cooling Pump

4. Primary Pipe Rupture

5. Hidroaccumulator

6. Low Pressure CoolantInjection System Vessel

7. Low Pressure CoolantInjection System Pump

8. High Pressure CoolantInjection System Vessel

9. High Pressure CoolantInjection System Pump

10. Pressurizer

57


56/69

Instrumentation and control forsystems important to safety

Safety Life-cycle of I&C Systems in Nuclear Installations

Nuclear Standards: Differences from IEC 61508


57/69

Nuclear Standards: Differences from IEC 61508

Deterministic approach

o Safety function are classified into categories according to theirimpact on plant safety

o Systems are classified into categories according to the safetyfunctions they provide

o Requirements are assigned to categories

Requirements are drawn from the plant safety design base

Requirements are tipically deterministic

o Design for reliability

Single failure criterion

Redundancy Diversity

o Independence

o Avoidance of Common Cause Failures

59

Safety Classification of Nuclear I&C Systems


58/69

Safety Classification of Nuclear I&C Systems

60

Source: IAEA TECDOC-1066, Specification Requirements for Upgrades Using Digital I&C. January 1999.

The safety classification of nuclear systems is country and authority

dependant. The requirements for the design and operation of

systems important to safety, however, are similar.

Examples of I&C Systems Important to Safety


59/69

Examples of I&C Systems Important to Safety

61

IAEA Standards


60/69

IAEA Standards

International Atomic Energy Agency

IAEA Safety Standards Series No. NS-R-1(2000),Safety of Nuclear Power Plants: Design

(Requirements)

IAEA Safety Standards Series No. NS-G-1.3(2002),Instrumentation and Control Systems Important

to Safety in Nuclear Power Plants (Safety Guide)

IAEA Safety Standards Series No. NS-G-1.1(2000),Software for Computer Based Systems Important

to Safety in Nuclear Power Plants (Safety Guide)

62

IEC Nuclear Standards


61/69

IEC Nuclear Standards

International Electrotechnical Commission IEC 61226:2009, Nuclear power plants - Instrumentation and control

important to safety - Classification of instrumentation and controlfunctions IEC 61513:2001, Nuclear power plantsInstrumentation and control for

systems important to safetyGeneral requirements for systems IEC 60987-2:2007, Nuclear power plantsInstrumentation and control

important to safetyHardware design requirements for computer-basedsystems

IEC 60880-2:2006, Nuclear power plantsInstrumentation and controlsystems important to safetySoftware aspects for computer-basedsystems performing category A functions

IEC 62138:2004, Nuclear power plantsInstrumentation and control

important for safetySoftware aspects for computer-based systemsperforming category B or C functions

IEC 62340:2007, Nuclear power plantsInstrumentation and controlsystems important to safetyRequirements for coping with commoncause failure (CCF)

63

Correlation Between IEC Classes and Categories


62/69

Correlation Between IEC Classes and Categories

Categories of I&C functions

important to safety

(according to IEC 61226)

Corresponding classes of I&C

systems important to safety

(according to IEC 61513)

A (B) (C) 1

B (C) 2

C 3

64

I&C functions of category A may be implemented in class 1 systems only I&C functions of category B may be implemented in class 1 and 2 systems

I&C functions of category C may be implemented in class 1, 2, and 3

systems

The Use of Standards in the Design Process


63/69

The Use of Standards in the Design Process

Requirements from the plant safety design base

IEC 61226: Classification of I&C functions

I&C Architectural design

Assignment of functions to I&C systemsIEC 61513: General requirements for systems

Design andImplementation

of the I&C Hardware

IEC 60987: Hardware

design requirements

Design and Implementationof the I&C Software

IEC 60880: Softwareaspects for computer-

based systems performingcategory A functions

IEC 62138: Softwareaspects for computer-

based systems performingcategory B or C functions

65

Simplified Safety Life-Cycle


64/69

Simplified Safety Life Cycle

66

Requirements from the plant safety design base

I&C Architectural designAssignment of functions

to I&C systems

Safety life cycleof I&C system 1

System requirements specification

System installation

Overall operation and maintenance

Safety life cycleof I&C system n

System requirements specification

System installation

Overall integration and commissioning

Assessment of Components


65/69

p

Objective: contribute to confidence that system

conforms to safety requirements Stringency of assessment depends on:

o safety class of system

o how component is usedo consequences of component errors and failures

o intrinsic component properties (e.g., complexity)

Overall Requirements - Class 1


66/69

q

Low complexity

Deterministic behavior for computer-based systems:o cyclic behavior

o preferably stateless behavior

o load independent of external conditions

o static resource allocation

o guaranteed response times

o single (random) failure criterion

o robustness with respect to errors

Software developed according to stringent nuclear

industry standards (e.g., IEC 60880)



67/69

q

Controlled complexity

Confidence based in particular on analysis ofsystem design

High quality software, not necessarily developed

according to nuclear industry standards



68/69

q

No specific limit for complexity

Confidence mainly based on:o proven application of quality standards

o global demonstration of fitness

Specific demonstrations may be required onidentified topics

Consistency with System Level Constraints


69/69

y y

Predictable behavior (Classes 1 & 2):

o precise specification of component behavioro documented conditions of use in system

Deterministic behavior (Class 1):

o static resource allocationo static parameterization

o preferably stateless behavior

o clear-box (with limited exceptions)o proven maximum response time

o proven robustness against consequences of errors

13 Embedded Nuclear Safety-Critical Systems

Documents

Transcript of 13 Embedded Nuclear Safety-Critical Systems