[en] The importance of the standardization effort for computer systems containing software important to safety is increasingly reflected by the many national and international efforts currently in progress. IEC TC65 and IEC TC45, notably, have working groups dealing with generic and nuclear safety related and safety critical computer systems. There are notable military standards efforts in this area. The U.K. Ministry of Defence has issued Interim Defense Standard MOD 00-55 for 'The Procurement of Safety Critical Software in Defense Equipment' The U.S. Department of Defence has initiated an effort to extend DOD-STD-2167-A to address formal methods for safety and security systems with critical requirements. The Canadian Standards Association is developing a national standard for nuclear safety critical computer systems based mainly on the results of an extensive program undertaken to address licensing issues associated with the safety shutdown computer-based systems for the Darlington Nuclear Generating Station. SC7 within JTC1, the joint ISO and IEC standards committee, is producing standards to handle generic software engineering issues, and is attempting to rationalize the many available standards into a coherent set. This paper identifies the current issues that are facing the nuclear power industry (but are generically applicable to other industries) in the area of software engineering of safety related software, reviews the current related IEC, ISO and other standards work activities to assess the trends on how these issues are being addressed, and identifies areas for further work that need to be undertaken to address the issues. (Author) 5 refs., 3 tabs

[en] Probabilistic risk assessment (PRA) results and methods are used for evaluating several emergency response strategies for areas surrounding a nuclear power plant. A methodology is developed for assessing the expected reduction in public health risk from any given emergency response strategy. Then the methodology is used to compare risk reductions for several emergency strategies at Indian Point 2. These include the present planning basis within a ten-mile radius emergency planning zone (EPZ); a graded response within the present EPZ; a reduced, two-mile radius EPZ; and an unpreplanned, ad hoc response. Only health risks cause by early (first 24 hours) exposure of persons within 10 miles of the plant are analyzed, since these are the exposures that emergency response actions within the EPZ are intended to avert. The sensitivity of the results to the assumed magnitude of radiological source terms is tested by using full Reactor Safety Study (WASH 1400) source terms and two levels of reductions to them. The results indicate that (a) any of the planned responses would provide significantly more risk reduction than an unplanned response, (b) there is relatively little difference among the three planned emergency response bases in the degree of protection they afford against prompt health effects (even at full source term levels), (c) almost all of the early health effect risks will occur to those people within a few miles of the release who do not take protective action before exposure to the radioactive plume, and (d) the differences in degrees of protection become even smaller as the magnitude of the source term is reduced. The quantitative results of the case study and the comparative result (b) above are quite sensitive to the assumptions made about the effectiveness with which those people most at risk take timely protective action. (author)

[en] The S.O.S. diagnostic system is analyzed and compared with KOMPARACE and MIN-MAX type diagnostic systems. Designed for the identification of failed sensors, the S.O.S. dynamic algorithm is based on a digital monitoring of output signals from a pair of sensors measuring the same technological parameter. The last 3 output signal data from the two sensors are stored in the algorithm memory. The analysis indicates that S.O.S. is no major achievement in the field of diagnosis because its properties are nearly identical with those of the conventional MIN-MAX system. Some degradation failures of the sensor are incorrectly interpreted by the new algorithm, some failures are not detected at all. From this point of view the new algorithm is inferior to the KOMPARACE type algorithm. (J.B.). 2 figs., 5 refs

[en] A study was performed to evaluate different international standards for software verification and validation of digital safety systems suitable for nuclear power plant applications. Since the verification and validation of the digital safety system should be considered from the entire digital system life-cycle point of view, the standards for each phase of the life cycle of the safety system were compared. The major phases of the digital system life cycle considered are system requirements, system test-bed requirements, design and construction, system hardware and software specifications, designs, test, integration, plant implementation, and maintenance phases. Some of the conclusions are: 1) there are too many standards; 2) none of the existing standards provide complete guidance to the developer, regulator, and managers for consistently and practically applying the standards at each phase of the life-cycle; 3) there is no uniformity among the international standards concerning the level of depth and details to be followed by the users; 4) inconsistencies among the standards and their interpretations have led to practical difficulties among developers and regulators; 5) practical guidance on how to handle verification and validation issues such as how to identify and test unintended functions, how to handle common cause failures, what are the qualitative and quantitative reliability measures to use, how much testing is good enough is either missing or not addressed. The authors recommend that a uniform international standard and a practical framework for the digital safety system verification and validation should be developed and the efforts in this direction should start now. (Author) 37 refs., 5 tabs., 2 figs

[en] The standard is applicable to nuclear reactor protection systems and, in particular, to all interfaces between the reactor protection system and facilities beyond this system, except for (i) the physical connection between the protection system sensors and physical quantities monitored by them; (ii) the electric interconnection between the protection system and reactor control rods or other mechanisms; and (iii) the electric and pneumatic connection to electric supply and pneumatic distribution systems feeding energy to the protection system. The standard lays down definitions of interconnection, principles of protection system uses, requirements placed on facilities interfaced to signals entering the protection system and signals within that system, general requirements placed on facilities interfaced to signals from the protective system, and provisions to ensure protection system independence of the control systems. (J.B.)

[en] This paper summarizes the development results of the Korea Nuclear Instrumentation and Control System (KNICS) project sponsored by the Korean government. In this project, Man Machine Interface System (MMIS) architecture, two digital platforms, and several control systems are developed. One platform is a programmable Logic Controller (PLC) for a safety system and another platform is a Distributed Control System (DCS) for a non safety system. With the POSAFE Q PLC, a Reactor Protection System (RPS) and an Engineered Safety Feature Component Control System (ESF CCS) are developed. A Power Control System (PCS) is developed based on the DCS. The safety grade platform and the digital safety systems obtained approval for the Topical Report from the Korean regulatory body in February of 2009. Also a Korean utility and a vendor company determined KNICS results to apply them to the planned Nuclear Power Plant (NPP) in March 2009. This paper introduces the technical self reliance experiences of the safety grade platform and the digital safety systems developed in the KNICS R and D project

[en] In this paper we present the design of a prototype of the C A R E M Reactor Protection System, which is implemented on a basis of the digital platform T E L E P E R M X S.The proposed architecture for the Reactor Protection System (R P S) has 4 redundant trains composed by a complete set of sensors, a data acquisition computer and a processing computer.The information from the 4 processing computers goes into to a two voting units with a two out of four (2004) logic and its outputs are combined by a final actuation logic with a voting scheme of one out of two (1002).The prototype is implemented with a unique train.The train inputs are simulated by an Automatic Testing Unit.The pre-established test case or procedure results are fed back into the A T U.The choice of the digital platform T E L E P E R M X S for the R P S implementation allows versatility in the design stage and permits the prototype expansion due to its modular characteristic and the software tools flexibility

[en] Software inside of digitalized system have very important role because it may cause irreversible consequence and affect the whole system as common cause failure. However, test-based reliability quantification method for some safety critical software has limitations caused by difficulties in developing input sets as a form of trajectory which is series of successive values of variables. To address these limitations, this study proposed another method which conduct the test using combination of single values of variables. To substitute the trajectory form of input using combination of variables, the possible range of each variable should be identified. For this purpose, assigned range of each variable, logical relations between variables, plant dynamics under certain situation, and characteristics of obtaining information of digital device are considered. A feasibility of the proposed method was confirmed through an application to the Reactor Protection System (RPS) software trip logic

[en] The study on the qualitative risk due to cyber-attacks into research reactors was performed using bayesian Network (BN). This was motivated to solve the issues of cyber security raised due to digitalization of instrumentation and control (I and C) system. As a demonstrative example, we chose the reactor protection system (RPS) of research reactors. Two scenarios of cyber-attacks on RPS were analyzed to develop mitigation measures against vulnerabilities. The one is the 'insertion of reactor trip' and the other is the 'scram halt'. The six mitigation measures are developed for five vulnerability for these scenarios by getting the risk information from BN

[en] Software configuration management (SCM) is an activity, which configures the form of a software system (e.g., design documents and programs) and systematically manages and controls the modifications used to compile the plans, development, and operations resulting from software development and maintenance. The SCM tool, NuSCM, has been specifically developed for the software life-cycle configuration management of developing the KNICS plant protection system (PPS). This paper presents the application of NuSCM to the KNICS project