Draft Safety Guide DS431 "Design of Instrumentation and Control Systems for Nuclear Power Plants"
Status: For submission to NUSSC Members for submission to CSS

COMMENTS BY REVIEWER / RESOLUTION
Reviewer: Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (BMU) (with comments of BfS and GRS)
Country/Organization: Germany
Date: 26.10.2012

Columns of the comment table: Relevanz; Comment No.; Para/Line No.; Proposed new text; Reason; Accepted; Accepted, but modified; Rejected; Reason for modification/rejection. The four resolution columns carry no entries in this draft.
Relevanz: 1 – Essentials; 2 – Clarification; 3 – Wording/Editorial

Comment 1 (Relevanz 1; Para/Line 1.4, 6th bullet)
Proposed new text: Exchange the existing text: Data transport between systems important to safety among others with special requirements for cases where the system receiving data is of a higher category than the system sending data.
Reason: At this highlighted place ("main topic areas") the SG should state the general topic 'data transport between systems important to safety'. The second part of the proposed sentence deals with a special case of data transport between systems of different safety categories and expresses that in this case special requirements are to cope with. The DS 431 guidance should be directed towards avoiding such cases wherever possible as well as to justify unavoidable exclusions.

Comment 2 (Relevanz 1; Para/Line 1.18)
Proposed new text: Proposal: … and the measures needed for I&C functions realized with PLDs.
Reason: Why is there a focus on HDL? There are different kinds of modules available and to be expected in future.

Comment 3 (Relevanz 1; Para/Line 1.26)
Proposed new text: Proposal: … and certain technologies such as digital systems and devices realized with PLDs
Reason: Focus on HDL is not reasonable.

Comment 4 (Relevanz 1; Para/Line: after 2.4)
Proposed new text: Add a new paragraph under 2.4: The management systems should consider and utilize synergisms between safety and security measures and precautions.
Reason: Beside a possible negative impact as stated in 2.4 there are also synergisms between safety and security which should be considered and utilized. In this sense 2.4 (standing alone) is too negative concerning the relation of safety and security measures.

Comment 5 (Relevanz 2; Para/Line 2.14, 1st bullet)
Proposed new text: … depends upon software or HDL code …
Reason: such as Code = SW

Comment 6 (Relevanz 2; Para/Line 2.14/13, 2.29/17)
Proposed new text: HDL (VHDL) should be defined adequately in the whole text: hardware description languages (code? or program?); please refer to the source of the definition, e.g. IEEE / Verilog / Verilog-AMS / SystemVerilog
Reason: Standardization of the definitions

Comment 7 (Relevanz 1; Para/Line 2.23, Fig. 1)
Proposed new text:
a) Add at the right (under Interaction with Cyber Security program): Detailed Cyber Security Controls design
b) Change title of boxes: Software lifecycle design; Hardware lifecycle design
c) Complete the reference to chapters: Box Hardware design: (Sections 2, 6, 7)
Reason: To a) Cyber controls play a certain role in the part Detailed design and implementation. To b) Wording. To c) For completeness.

Comment 8 (Relevanz 2; Para/Line 2.27, Fig. 2)
Proposed new text: Box title: Installation and Commissioning
Reason: For completeness

Comment 9 (Relevanz 1; Para/Line 2.27)
Proposed new text: Figure 2: Interaction between hardware and software design and between hardware and software implementation should be considered.

Comment 10 (Relevanz 1; Para/Line 2.84, 4th and 5th bullet)
Proposed new text: To both bullets add: Applicable on hardwired I&C only
Reason: Quantitative methods are not state of the art in safety assessment of SW-based I&C in the nuclear field.

Comment 11 (Relevanz 1; Para/Line 2.89)
Proposed new text: Give reference or theoretical evidence for such figures or (better) rephrase the paragraph without such figures.
Reason: There is no reference to the provided reliability figures; IEC 61226 contains another (agreed) limit according to which the safety demonstration for a SW-based I&C function can be treated as acceptable.

Comment 12 (Relevanz 1; Para/Line 2.144)
Proposed new text: Rephrased text: Statistical testing may provide additional confidence …
Reason: Quantitative methods are not state of the art in safety assessment of SW-based I&C in the nuclear field.

Comment 13 (Relevanz 1; Para/Line 3.15 b.3, lines 2 to 4)
Proposed new text: Change the text to: System and component reliability and availability limits should be specified using probabilistic criteria, using qualitative deterministic criteria (e.g., compliance with single failure criterion or specific procedures and verification methods for software), or both.

Some member states use quantitative system and component reliability and availability criteria.
Reason: Quantitative methods are not state of the art in safety assessment of SW-based I&C in the nuclear field.

Comment 14 (Relevanz 3; Para/Line 4.1, last bullet, 3rd line)
Proposed new text: … signal connections such as the status …
Reason: Wording

Comment 15 (Relevanz 1; Para/Line 4.10)
Proposed new text: Defence-in-depth within the overall I&C architecture is achieved through a combination of redundancy (both within systems and across systems), physical segregation, independence, functional diversity and design diversity. The required achievement of safety goals by implementation of diversity measures has to be analyzed adequately.
Reason: Not only one attribute is sufficient but at least several. Diversity should be considered in general and not only certain types of it.

Comment 16 (Relevanz 2; Para/Line 5.2 c)
Proposed new text: Complete sentence: … to perform a safety function
Reason: Wording

Comment 17 (Relevanz 2; Para/Line 5.2 d)
Proposed new text: Complete the text.
Reason: Incomplete sentence (?).

Comment 18 (Relevanz 2; Para/Line 5.11, 1st line)
Proposed new text: One word modification: … components include are those items provided …
Reason: Otherwise the listed components must be complete.

Comment 19 (Relevanz 1; Para/Line 6.51, 1st line)
Proposed new text: The communication transfer of data …
Reason: The term communication associates too much the protocol driven data exchange, which, from the cyber security point of view, is not the recommended option in comparison with stateless data transfer.

Comment 20 (Relevanz 1; Para/Line 6.54 + 6.55)
Proposed new text: Rephrase and combine both paragraphs: In justified cases signals may be sent from systems of lower to systems of higher safety classification via individual analogue or binary signal lines, provided that
a. Completion of safety actions cannot be interrupted by commands from the system of lower safety classification, and
b. The potential for failures in the system of lower safety classification that cause spurious actuation is assessed and shown to be acceptable.
Reason: See IAEA Security Series No. 17.

Comment 21 (Relevanz 1; Para/Line 6.59)
Proposed new text: Sentence should be deleted
Reason: Diversity does not worsen the cause of CCF but even more avoids or controls effects of it.

Comment 22 (Relevanz 1; Para/Line 6.62)
Proposed new text: Examples of different types of diversity include:
Design diversity: achieved by using different design approaches to solve the same or a similar problem;
Signal diversity: achieved by systems in which a safety action may be initiated based upon the value of different plant parameters;
Equipment diversity: achieved by hardware that employs different technology (e.g., analogue vs. digital, solid-state vs. electromagnetic, computer-based vs. FPGA-based);
Functional diversity: achieved by systems that take different actions to achieve the same safety intent;
Human diversity: achieved by using different design personnel;
Logic diversity (including software diversity): achieved by using different programs using, for example, different programmers, languages, methods, or tools.
Reason: Order of enumeration should be changed beginning with the most important and most efficient types of diversity. Logic diversity repeats different types of diversity already listed before and thus should be deleted.

Comment 23 (Relevanz 1; Para/Line 6.63)
Proposed new text: 6.63. Where diversity is provided the choice of the types of diversity used should be justified under consideration of DiD and diversity.
Reason: It has to be added concerning what diversity has to be justified.

Comment 24 (Relevanz 1; Para/Line 6.65)
Proposed new text: 6.65. Functional and signal diversity are considered to be particularly effective methods to protect highly against common cause failure due to design errors. These methods might not be sufficient by themselves to protect against common cause failure.
Reason: Whether functional diversity is really effective is discussed among experts. Further, already a form of technical solution is proposed. This should be avoided. Thus the whole sentence should be deleted.

Comment 25 (Relevanz 1; Para/Line 6.66)
Proposed new text: 6.66. Diversity need not always be implemented in separate systems. For example, functional diversity and signal diversity may be implemented within a single system to protect against errors in requirements. Some Member States require application of functional and signal diversity within protection systems for such reasons.
Reason: Allowance. Text should give requirements, thus deletion of the whole paragraph.

Comment 26 (Relevanz 2; Para/Line 6.75, 1st and 2nd line)
Proposed new text: Modified text: The failure modes that might result from systematic errors in the design or operation of hardware or software are essentially unpredictable.
Reason: Design CCF is the most unpredictable mode.

Comment 27 (Relevanz 1; Para/Line: new paragraph after 7.47)
Proposed new text: The provision to manually reset a protection system function should be specified and implemented according to the requirements on safety systems.

Comment 28 (Relevanz 3; Para/Line 7.131)
Proposed new text: Data communication
Reason: Wording

Comment 29 (Relevanz 1; Para/Line 7.138/86)
Proposed new text: HDL configured devices are programmable electronic modules integrated circuits providing logic structures (e.g. arrays of gates and switches) which are customized by the I&C developer to provide specific functions.
Reason: HDL configured devices may comprise different parts: e.g. ICs, flash memories, microprocessors, network features

Comment 30 (Relevanz 1; Para/Line 7.139/86)
Proposed new text: This customization involves special tools to formally describe the required functions, to build an electronic scheme which implements these functions on programmable devices and to map this electronic scheme on the available logic structures of the integrated circuit. The mapping information transferred to the electronics is referred to as 'bitstream'.
Reason: Presents one specific solution of the FPGA technology only and should be generalized.

Comment 31 (Relevanz 2; Para/Line 7.142/86)
Proposed new text: The HDL design should guarantee synchronous and deterministic behaviour of the component.
Reason: Why synchronous only? Is synchronous behaviour of the hardware the best way to fulfil safety criteria? Or is it a possible cause for CCF?

Comment 32 (Relevanz 2; Para/Line 7.142/86)
Proposed new text: Synchronous and deterministic behaviour favours correctness and testability and allows for the best use of the design and verification tools.
Reason: What does "synchronous behaviour" mean? Why synchronous? Is synchronous behaviour of the hardware the best way to fulfil safety criteria? Or is it a possible cause for CCF?

Comment 33 (Relevanz 2; Para/Line 7.159)
Proposed new text: Add: Particularly the potential of systematic failures should be considered.
Reason: Consider tools as a potential source for CCF

Comment 34 (Relevanz 2; Para/Line 7.160, 1st bullet)
Proposed new text: Delete bullet: Tools that have the ability to introduce faults need to be verified to a greater degree than tools that do not have that capability;
Reason: Each tool can be considered in general as a source to introduce faults.

Comment 35 (Relevanz 1; Para/Line 7.174, last bullet)
Proposed new text: Add: Statistical testing applied to hardwired I&C
Reason: Quantitative methods are not state of the art in safety assessment of SW-based I&C in the nuclear field; statistical testing is not commonly accepted as compensatory evidence in the nuclear safety domain.

Comment 36 (Relevanz 1; Para/Line 8.17)
Proposed new text: Add: Accessibility in accident situations should be considered.

Comment 37 (Relevanz 1; Para/Line: new paragraph after 8.58)
Proposed new text: Add: The HMI design should support the development of a common situational awareness of the control room crew, e.g. via large wall mounted plant status displays.

Comment 38 (Relevanz 3; Para/Line 9.9)
Proposed new text: Word: … should have …

Comment 39 (Relevanz 1; Para/Line 9.11 g, h)
Proposed new text: Combine both paragraphs as follows: Identify and meet the supporting software requirements needed to ensure that the required level of reliability and availability are achieved. The level of reliability might be defined qualitatively. Some member states use quantitative requirements.
Reason: Quantitative methods are not state of the art in safety assessment of SW-based I&C in the nuclear field.

Comment 40 (Relevanz 1; Para/Line 9.17, 1st line)
Proposed new text: Delete: correct, or add a note to declare that correct does not mean freedom from faults
Reason: If ever achievable in practice, to prove SW correctness might be the objective of validation (after HW and SW integration).

Comment 41 (Relevanz 2; Para/Line 9.42 a, 1st line)
Proposed new text: Delete: and design
Reason: If ever achievable in practice, to prove SW correctness might be the objective of validation (after HW and SW integration); design verification is a different step which has to be finished before the implementation step can start.

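The signal-direction rule that comments 1, 19 and 20 propose (data should flow from higher to lower safety category; the reverse only over individual analogue or binary lines and only where conditions a and b are shown) can be checked mechanically during an architecture review. The following Python is an added illustration, not part of the BMU comments or of DS431; the category ranking, the Link fields and the sample systems are constructed assumptions.

```python
# Added illustration (not from the BMU comments or DS431): a review check for the
# signal-direction rule of comments 1, 19 and 20. Categories and links are constructed.
from dataclasses import dataclass

CATEGORY_RANK = {"A": 3, "B": 2, "C": 1, "NC": 0}  # assumed ranking, higher = more important
HARDWIRED = {"analogue", "binary"}                  # individual signal lines, no protocol stack

@dataclass
class Link:
    source: str            # sending system
    source_cat: str
    target: str            # receiving system
    target_cat: str
    medium: str            # "analogue", "binary" or "protocol" (network / serial bus)
    no_interrupt: bool = False       # condition a: lower-class commands cannot interrupt safety actions
    spurious_assessed: bool = False  # condition b: spurious actuation from lower-class failures assessed

def check_link(link: Link) -> tuple[str, list[str]]:
    """'ok' (same or lower category receives), 'exception' (upward, hardwired, a and b
    shown, still needs justification) or 'reject' with the list of findings."""
    if CATEGORY_RANK[link.target_cat] <= CATEGORY_RANK[link.source_cat]:
        return "ok", []
    findings = []
    if link.medium not in HARDWIRED:
        findings.append("upward path is protocol-driven; only an individual analogue or binary line is acceptable")
    if not link.no_interrupt:
        findings.append("condition a not shown: completion of safety actions must not be interruptible from the lower-class system")
    if not link.spurious_assessed:
        findings.append("condition b not shown: spurious actuation from lower-class failures must be assessed and shown acceptable")
    if findings:
        return "reject", findings
    return "exception", ["upward path: avoid if possible, otherwise justify as an exception"]

def review(links: list[Link]) -> dict[str, str]:
    """Verdict per link, keyed 'source->target'."""
    return {f"{l.source}->{l.target}": check_link(l)[0] for l in links}

# Constructed sample architecture (system names are placeholders).
SAMPLE = [
    Link("RPS", "A", "PlantComputer", "NC", "protocol"),              # downward: ok
    Link("PlantComputer", "NC", "RPS", "A", "protocol"),              # upward over a network: reject
    Link("ResetPushbutton", "B", "RPS", "A", "binary", True, True),   # hardwired, a and b shown: exception
    Link("TurbineCtrl", "C", "ESFAS", "A", "analogue", True, False),  # condition b missing: reject
]
```

`check_link` returns the findings alongside the verdict, so a rejected link carries the specific condition that is missing rather than a bare failure.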