J. Górski (Ed.): SAFECOMP 2006, LNCS 4166, pp. 85-98, 2006. © Springer-Verlag Berlin Heidelberg 2006

Software Safety Lifecycles and the Methods of a Programmable Electronic Safety System for a Nuclear Power Plant

Jang-Soo Lee (1), Arndt Lindner (2), Jong-Gyun Choi (1), Horst Miedl (2), and Kee-Choon Kwon (1)
(1) KAERI: Korea Atomic Energy Research Institute, Daejeon, Korea, {jslee, choijg, kckwon}@kaeri.re.kr
(2) Institut fuer Sicherheitstechnologie (ISTec), Postfach 12 13, 85740 Garching, Germany, {arndt.lindner, horst.miedl}@istec.grs.de

Abstract. This paper describes the relationship between the overall safety lifecycle and the software safety lifecycle during the development of the software based safety systems of Nuclear Power Plants. This includes the design and evaluation activities of the components as well as the system. This paper also compares the safety lifecycle and planning activities defined in IEC 61508 with those in IEC 61513, IEC 60880, IEEE 7-4.3.2, and IEEE 1228. Using the Korean KNICS (Korean Nuclear Instrumentation and Control System) project as an example, the software safety lifecycle is described by comparing it to the software development, testing, and safety analysis processes of international standards. The safety assessment of the software for the KNICS Reactor Protection System and Programmable Logic Controller is a joint Korean/German project. The assessment methods applied in the project and the experiences gained from this project are presented.

1 Introduction

This paper introduces the lifecycle based software safety analysis tasks for the KNICS (Korean Nuclear Instrumentation and Control System) project. The objectives of the safety analysis tasks are mainly to develop the programmable logic controller (PLC) for safety-critical instrumentation and control (I&C) systems, and then to apply the PLC to developing the prototype of the safety-critical software based digital protection system in nuclear power plants.

Safety-critical systems are those in which a failure can have serious and irreversible consequences. For the past two decades, digital technology has been applied rapidly to I&C systems for nuclear power plants, railways, airplanes, vehicles, communication networks, etc. In nuclear power plants more and more digital technology is being applied to I&C systems, too. Programmable logic controller based platforms (e.g., TELEPERM XS, Common Q and Tricon) have been prototyped, evaluated for nuclear safety applications, and installed in several applications. The PLC is a special purpose digital controller, originally designed to replace the industrial hard-wired control systems. As PLCs are more widely used in digital I&C systems, the safety of the PLC software has become a primary consideration.

Fig. 1 shows the developed PLC prototype of the KNICS project, which mainly consists of power modules, a processor module (embedded with the real-time operating system pCOS), communication modules (HR-SDL, HR-SDN), and I/O modules.

[Fig. 1. POSAFE-Q KNICS PLC: power modules, CPU module, communication modules, I/O modules]

pCOS is the software that controls the hardware, such as the processors, storage, I/O devices, and data communication. It is composed of five components: a scheduler, the inter-task communication part, a tick timer, an interrupt handler and application tasks.

As shown in Fig. 2, the plant protection system (PPS) consists of the reactor protection system (RPS) and the engineered safety feature component control system (ESF-CCS). The RPS generates the reactor trip signals and ESF actuation signals automatically whenever the monitored process variables reach their predefined setpoints. The PPS is designed as a PLC-based architecture with four redundant channels/divisions (A, B, C, and D). The software of the prototype of the qualified PLCs (i.e. POSAFE-Q) is implemented with the proprietarily developed engineering tool pSET. The engineering tool pSET is used for developing the functional block diagrams, and for downloading the functional block diagram based programs into POSAFE-Q PLCs via an RS-232C interface.

The following chapters deal with the relationship of the overall safety lifecycle to the software safety lifecycle for the development of the components (e.g., the KNICS PLC) and the Reactor Protection System (RPS). The software safety lifecycles of IEC 61508-3, IEC 60880, IEEE 1228-1994, and IEEE 7-4.3.2-2003 are compared.

[Fig. 2. KNICS Plant Protection System: reactor protection cabinets A-D, safety logic cabinets for trains A-D, ESF-CCS actuation cabinets for trains A-D, S-FPDU controllers and multiplexers per train, local buses per train, reactor trip switchgear, safety console, auxiliary equipment control cabinet and console, CPC/RCPSSS, QIAS-P, ex-core and in-core instrumentation, SOE]

The software safety lifecycle for the KNICS RPS and PLC systems is introduced and the relationship of the safety analysis and testing for a software safety lifecycle is identified. Finally, software safety assessment methods are described for the KNICS RPS and PLC systems. Experiences of the software safety analysis in the KNICS project are given.

2 Safety Lifecycles in IEC and IEEE Standards

The safety assessment of the software for the KNICS RPS and PLC is an ongoing joint Korean/German project. In the cases where the documents have been evaluated by KAERI, ISTec has checked the results of the evaluation by supplementing spot checks of the development documents according to the following IEC and IEEE standards.

- IEC 61508-1, Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 1: General requirements [6]
- IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems [7]
- IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 3: Software requirements [8]
- IEC 60880, Nuclear Power Plants, I&C systems important to safety, Software aspects for computer-based systems performing category A functions [9]
- IEC 61513, Nuclear Power Plants, Instrumentation and control for systems important to safety, General requirements for systems [10]
- IEEE Std. 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations [11]
- IEEE Std. 1228-1994, IEEE Standard for Software Safety Plans [12]

In order to follow both frameworks of standards, IEC and IEEE, it is necessary to compare the safety lifecycles and identify the differences between the frameworks. Table 1 shows a comparison of the safety lifecycle for general safety electronic systems in IEC 61508 and that for the instrumentation and control systems of nuclear power plants in IEC 61513. The "E/E/PE safety-related systems: realisation" phase of IEC 61508-1 and the system safety lifecycle of IEC 61513 cover the whole hardware and software safety lifecycles of IEC 61508-2 and IEC 61508-3.

Table 1. Comparison of the safety lifecycles in IEC 61508 and IEC 61513 (one list per lifecycle column)

IEC 61508-1 overall safety lifecycle:
- Concept
- Overall scope definition
- Hazard and risk analysis
- Overall safety requirements
- Safety requirements allocation
- Overall operation and maintenance planning
- Overall safety validation planning
- Overall installation and commissioning planning
- E/E/PE safety-related systems: realisation
- Other technology safety-related systems: realisation
- External risk reduction facilities: realisation
- Overall installation and commissioning
- Overall safety validation
- Overall operation, maintenance and repair
- Overall modification and retrofit
- Decommissioning or disposal

IEC 61508-2 hardware safety lifecycle:
- E/E/PES safety requirements specification
- E/E/PES safety validation planning
- E/E/PES design and development: general requirements; requirements for hardware safety integrity; requirements for the avoidance of failure; requirements for the control of systematic failure; requirements for system behavior on detection of a fault; requirements for E/E/PES implementation; requirements for data communication
- E/E/PES integration
- E/E/PES operation and maintenance procedures
- E/E/PES safety validation
- E/E/PES modification
- E/E/PES verification
- E/E/PES functional safety assessment

IEC 61508-3 software safety lifecycle:
- Software safety requirements specification
- Software safety validation planning
- Software design and development: software system design; individual software module design; support tools and programming languages; detailed code implementation; software module testing; software integration testing
- E/E/PES integration (hardware and software)
- Software operation and modification procedures
- Software safety validation
- Software modification
- Software verification
- Software functional safety assessment

IEC 61513 overall safety lifecycle:
- I&C system requirements from the safety design base
- Overall requirements specification of the I&C system
- Design of the I&C architecture and assignment of the I&C functions
- Overall operation and maintenance plan
- Overall integration and commissioning plans and security plan
- Overall integration and commissioning plans
- Overall integration and commissioning
- Overall commissioning and system qualification
- Overall operation and maintenance
- Overall modification and retrofit: implicitly covered
- Overall quality assurance programs

IEC 61513 system safety lifecycle:
- System requirements specification
- System planning
- System specification
- System detailed design and implementation: architecture; design constraint; system architecture; design constraint requirements; system safety cycle; defense against propagation of failures; system architecture, self-monitoring and tolerance to failures; selection of equipment; internal behavior of the system
- System integration
- System operation plan
- System validation
- System modification
- System verification plan

Table 2 shows the differences of the safety lifecycles in IEC 60880, IEC 61513, IEEE 7-4.3.2 and IEEE 1228.

Table 2. Comparison of the safety lifecycles between IEC and IEEE standards (one list per lifecycle column)

IEC 61513 system safety lifecycle:
- System requirements specification
- System planning
- System specification
- System detailed design and implementation
- System architecture
- Design constraint requirements
- Defense against propagation of failures
- System architecture, self-monitoring and tolerance to failures
- Selection of equipment
- Internal behavior of system
- System integration
- System operation plan
- System validation
- System modification
- System verification plan

IEC 60880 software safety lifecycle:
- Software requirements specification
- Software design
- Implementation of new software in general purpose language
- Implementation of new software in application-oriented language
- Configuration of pre-developed software and devices
- Software aspects of integration
- Software aspects of validation

IEEE 7-4.3.2 computer system safety lifecycle (Annex D):
- Hazards identification and evaluation plan
- Safety system hazard identification
- Computer system hazards identification
- Software requirements hazards identification
- Software design hazards identification
- Software implementation hazards identification
- Evaluation of hazards in previously developed systems
- Computer system integration testing for hazards conditions
- Computer system validation testing
- Maintenance and modification hazard analysis

IEEE 1228 software safety lifecycle:
- Software safety plan
- Software safety analyses preparation
- Software safety requirements analysis
- Software safety design analysis
- Software safety code analysis
- Software safety test analysis
- Software safety change analysis

Most of the IEC and IEEE standards consist of three main phases: a planning phase, realization phases according to the plan, and a validation phase. The safety lifecycles of the industry-specific standards, for example IEC 62279 for railways and IEC 61513 for nuclear power plants, inherit the definition of phases from the generic IEC standard IEC 61508. However, the detailed phases of the safety lifecycles for the specific industries differ from IEC 61508. Table 2 shows, for instance, the differences in the safety lifecycles between the IEC and IEEE standards. The safety lifecycles in the IEEE standards require a direct safety analysis at each phase of the lifecycle.

3 Software Safety Planning

In Table 2, there is a safety planning phase in both the IEC and IEEE safety lifecycles. However, the activities required during planning differ between the IEC and IEEE standards. Table 3 shows the differences of the required planning activities for the IEC and IEEE standards.

Table 3. Planning activities between the IEC and IEEE standards (one list per lifecycle column)

IEC 61508-3 software safety lifecycle, software safety validation planning:
- schedule
- qualifier
- operation mode
- safety-related software
- technical strategy
- measures, techniques and procedures

IEC 61513 I&C system safety lifecycle, system planning:
- System quality assurance programs
- System verification plan
- System configuration management plan
- System security plan
- System integration plan
- System validation

IEEE 7-4.3.2 computer system safety lifecycle (Annex D), hazards identification and evaluation plan:
- Identify critical functions
- Identify top-level undesired events
- Identify organizational responsibilities
- Select the techniques to be used
- Identify analysis assumptions

IEEE 1228 software safety lifecycle, software safety plan:
- 1. Purpose, 2. Definitions
- 3. Software safety management
- 3.1 Organization, 3.6 Software safety program record
- 3.7 Configuration management, 3.9 Verification and validation activities
- 3.10 Tool support, 3.11 PDS, COTS
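Section 1 describes the RPS as four redundant channels (A, B, C, D) that each generate a trip demand when a monitored process variable reaches its setpoint. The following C code is an added example written for this page; it is not KNICS or POSAFE-Q software and is not derived from the paper. It shows the per-channel setpoint comparison together with two design decisions the paper does not state and which are therefore assumptions here: an invalid reading (a failed sensor or I/O module) is treated as a trip demand rather than as "normal", and the four channel outputs are combined by a 2-out-of-4 coincidence vote. The function and type names (`channel_trip_logic`, `coincidence_trip`, `reactor_trip_decision`, `reading_t`) and the sample readings are constructed for the example.

```c
/* Added example: per-channel setpoint trip logic and a coincidence vote
 * for a four-channel protection system. Illustrative code written for this
 * page, not KNICS/POSAFE-Q software. The 2-out-of-4 threshold and the
 * fail-safe handling of invalid readings are assumptions, not taken from
 * the paper. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_CHANNELS 4          /* channels/divisions A, B, C, D */
#define COINCIDENCE_THRESHOLD 2 /* assumption: 2-out-of-4 trips the reactor */

/* One sampled process variable as delivered by a channel's I/O module. */
typedef struct {
    double value;
    bool valid;   /* false if the sensor or I/O module reports a fault */
} reading_t;

typedef enum { CH_NORMAL = 0, CH_TRIP = 1 } channel_state_t;

/* Per-channel bistable: trip demand when the monitored variable reaches its
 * setpoint (high trip: value >= setpoint; low trip: value <= setpoint).
 * An invalid reading is treated as a trip demand (fail-safe), so a faulted
 * channel can never silently report "normal". */
channel_state_t channel_trip_logic(reading_t r, double setpoint, bool high_trip)
{
    if (!r.valid)
        return CH_TRIP;
    if (high_trip)
        return (r.value >= setpoint) ? CH_TRIP : CH_NORMAL;
    return (r.value <= setpoint) ? CH_TRIP : CH_NORMAL;
}

/* Coincidence logic: count tripped channels and compare with the threshold. */
bool coincidence_trip(const channel_state_t states[NUM_CHANNELS], int threshold)
{
    int tripped = 0;
    for (size_t i = 0; i < NUM_CHANNELS; i++)
        if (states[i] == CH_TRIP)
            tripped++;
    return tripped >= threshold;
}

/* Evaluate all four channels for one parameter and return the trip decision.
 * Each channel uses its own reading, so one failed sensor alone neither
 * masks a real excursion nor causes a spurious trip by itself. */
bool reactor_trip_decision(const reading_t readings[NUM_CHANNELS],
                           double setpoint, bool high_trip)
{
    channel_state_t states[NUM_CHANNELS];
    for (size_t i = 0; i < NUM_CHANNELS; i++)
        states[i] = channel_trip_logic(readings[i], setpoint, high_trip);
    return coincidence_trip(states, COINCIDENCE_THRESHOLD);
}

int main(void)
{
    /* Constructed sample: one pressure-like variable in arbitrary units with
     * a high-trip setpoint of 160. Channel B's sensor is faulted and channel
     * C is exactly at the setpoint, so two channels demand a trip. */
    reading_t sample[NUM_CHANNELS] = {
        { .value = 155.0, .valid = true  },  /* A: normal */
        { .value = 0.0,   .valid = false },  /* B: invalid -> trip demand */
        { .value = 160.0, .valid = true  },  /* C: at setpoint -> trip */
        { .value = 154.5, .valid = true  },  /* D: normal */
    };
    printf("reactor trip: %s\n",
           reactor_trip_decision(sample, 160.0, true) ? "yes" : "no");
    return 0;
}
```

The point of the fail-safe branch is that a channel's "no trip" output must be the result of a valid comparison, never the default of an absent or faulted input; the coincidence vote is what keeps a single faulted channel from tripping the plant on its own, which is why the invalid-reading rule and the voting threshold have to be chosen together.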
