SAMCHANG 8 th JANUARY 2007 Kim, Yun Goo IEC 61508(61513) Vs. IEEE7432 ? The era of IEC/IEEE Dual logo Std.
Background MGPi NPIC&HMIT 2006 Licensing Issues for Advanced I&C Technologies. Regulatory Guidance for Lightning Protection in Nuclear Power Plants, R. A. Kisner,J. B. Wilgen, P. D. Ewing, K. Korsah (ORNL), C. E. Antonescu (NRC) Cyber-Security and Wireless Applications. IEEE/IEC 표준 연구회 Workshop IEEE/IEC 소프트웨어 안전기준 비교 ( 이장수 KAERI)
Licensing Framework Licensing Framework for Digital I&C for Nuclear Industry IAEA-IEC framework USNRC-IEEE framework Harmonization of these two frameworks is critical The Nuclear Industry is a world market It requires too much engineering to comply with two sets. IEEE, IEC Dual Logo Standard. 2004, 1 st IEC/IEEE standard (New Standard) Communication protocols for devices connected via IEEE 488 ™ buses
Code & Standard in NPP I&C 10 CFR Part 50, App. A, General Design Criteria for Nuclear Power Plants 10 CFR Part 50 App. B,Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants 10 CFR Part 52 Standard design certifications; and combined licenses for nuclear power plants ANSI/IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations 1998 ANSI/IEEE 279 Standard Criteria for Protection Systems for Nuclear Power Generating Stations R.G Criteria for Digital Computers in Safety Systems of Nuclear Power Plants R.G Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems ANSI/IEEE ANS IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations ANSI/IEEE 379 Standard Application of the Single-Failure Criterion to Nuclear Power Generating Safety Systems ANSI/IEEE 1012/1128 ASME/ANSI NQA-1 ASME/ANSI NQA-2 ANSI/IEEE 730,983 IEC-880 ANSI/IEEE ANSI/IEEE 828, 1042 ANSI/IEEE 830 ANSI/IEEE 1016 ANSI/IEEE 1063 ANSI/IEEE 829 ANSI/IEEE 1008 ANSI/IEEE 982.1,2 ANSI/ANS 10.4 FIPS 101,132 ANSI/IEEE 352 QualitySafety Planning DevelopmentTesting NUREG-0493, NUREG-0800 SRP, SECY , SECY From 2003 Seminar Reference : ?
Licensing Framework of Safety Life Cycles IEC Functional safety of electrical, electronic / programmable electronic safety-related systems (1998~2000) IEC , General requirements IEC , Requirements for E/E/PE safety-related systems IEC , Software requirements IEC Nuclear Sector IEC 61513, Nuclear Power Plants-Instrumentation and control for systems important to safety – General requirements for systems (2001) IEC 60880, Nuclear Power Plants – I&C systems important to safety – Software aspects for computer-based systems performing category A function (2005) NRC-IEEE Framework IEEE Std , IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations. IEEE Std , IEEE Standard for Software Safety Plan NUREG Section 7.0 BTP-HICB 14, Guidance on Software Review for Digital Computer-Based Instrumentation and Control Systems NUREG-CR , Software Safety Hazard Analysis
Licensing Framework of Safety Life Cycles
Over View of IEC 61508
61508 : Overall Safety Lifecycle 1.Concept 2.Overall scope definition 3.Hazard and risk analysis 4.Overall safety requirement 5.Safety requirements allocation 6.Overall operation and maintenance planning 7.Overall safety validation planning 8.Overall installation and commissioning planning 9.E/E/PE safety-related systems : realisation 10.Other technology safety-related systems : realisation 11.External risk reduction facilities : realisation 12.Overall installation and commissioning 13.Overall safety validation 14.Overall operation and maintenance and repair 15.Overall modification and retrofit 16.Decommissioning or disposal 17.Verification 18.Functional safety assessment
Scope of E/E/PES system E/E/PES device Input devices e.g. sensor Output devices e.g. actuators interface E/E/PES: electrical, electronic, programmable electronic systems
E/E/PES safety lifecycle
Software Safety Lifecycle
SIL in IEC61508 Safety integrity levels: target failure measures for a safety function, allocated to an E/E/PE safety-related system operating in low demand mode of operation Safety integrity level SIL Low demand mode of operation (Average probability of failure to perform its design function on demand) High demand or continuous mode of operation (Probability of a dangerous failure per hour) to < to < to < to < to < to < to < to < 10-5
Recommendation Technique/MeasureSIL1SIL2SIL3SIL4 Data flow diagramsRRRR Finite state machinesRHR Formal methodRHR Performance modelingRHR Time Petri netsRHR Prototyping/animationRRRR Structure diagramsRRRHR Technique/MeasureSIL1SIL2SIL3SIL4 Computer-aided specification tools RRHR Semi-formal methodRRHR Formal methodRRHR SW Safety Requirements Specification (Table A.1) Modeling (Table B.5)
IEC 61508: V- model
IEC SC45A (sub committee) Instrumentation and control for nuclear facilities from 2003 May Technical Committee 45 Chairman, R. Schomberg (France) Secretary, S. Shumov (Russian Federation) Sub-Committee 45A (I&C of nuclear facilities) Chairman, E. Corte (USA) Secretary, J. P. Bouard (France) Sub-Committee 45B (Radio-protection) Chairman, I. Thompson (UK) Secretary, J. C. Thevenin (France) 150 SC45A experts 20 SC45A standards at draft stage (average number) 60 SC45A standard portfolio
IEC SC45A (sub committee) 7 Working Groups WG A2:Instruments and Sensors, Mr. Burel (France) WG A3:Application of digital processors to safety in NPP, Mr. Lindner (Germany) WG A5:Special process measurements, Mr. Reisch (Sweden) WG A7:Reliability of electrical equipment in reactor safety systems, Mr. Wall (UK) WG A8:Control rooms, Mr. Fujita (Japan) WG A9:Instrumentation systems, Mr. Quinn (USA) WG A10:Upgrading and modernization of I&C systems in NPP, Mr. Artaud (USA)
IEC SC45A : Global 20 countries participating & voting in the SC45A activities … Belgium and Norway joined Belgium, Canada, P.R. of China, Czech Republic, Egypt, Finland, France, Germany, Italy, Japan, Norway, Rep. of Korea, Romania, Russian Federation, South Africa, Sweden, Switzerland, United States, Ukraine, United Kingdom Development of IEC/IEEE dual logo documents in technical domains not already covered by IEC … and in the future IEC/IEEE dual logo documents likely for revised documents Establishment of a new liaison between IEC/SC45A/WG9 (Instrumentation systems) and IEEE/NPEC (Nuclear Power Engineering Committee) Enforcement of a SC45A presentation and terminology policy to garantee consistency between IAEA documents and SC45A documents
IEC SC45A : standard series IEC General requirements, 2001 IEC Classification of I&C functions, 2005 IEC Separation, 2005, IEC SW of CB systems performing A functions, end 2005 IEC SW of CB systems performing B and C functions, 2004
What’s new – IEC 60880, end 2005 Revision of the original 1986 version, referenced in many contracts, used by SA as reference in many countries … Taking into account the recent advances of software engineering techniques Integration of the IEC part 2 requirements on defense against SW CCF, SW tools and pre developped SW Alignment with IAEA documents NS-R-1 (Design) and NS-G-1.3 (I&C) Consistency with IEC 61513, IEC 61226, IEC 60709, IEC 62138, IEC 60987
IEEE Scope. 2. References. 3. Definitions and abbreviations 4. Safety system design basis. 5. Safety system criteria 6. Sense and command features—functional and design requirements. 7. Execute features—functional and design requirements. 8. Power source requirements Annex A (informative) Mapping of IEEE Std to IEEE Std Annex B (informative) Diversity requirements determination Annex C (informative) Dedication of existing commercial computers. Annex D (informative) Identification and resolution of hazards. Annex E (informative) Communication independence. Annex F (informative) Computer reliability Annex G (informative) Bibliography.
IEC/IEEE Differences in Safety Lifecycles IEC Generic(61508) Hazard Analysis in early phase to derive safety function requirement Risk Assessment in early phase to derive Safety Integrity Requirements (Safety Integrity Level) Safety Validation Plan Functional Safety Assessment shall be applied to the all phases throughout the overall, E/E/PES and software safety lifecycles( , 8.2.3) Software Functional Safety Assessment : Failure Analysis (FTA,FMECA) IEC Nuclear Sector (61513, 60880) Hazard Analysis is outside the scope of IEC (Software) Functional Assessment is not required in the Standard No Safety Validation Plan NRC-IEEE Framework IEEE Std , Software Safety Plan It defines the software safety analysis in each phase of the software lifecycle IEEE Std , Digital Computers in Safety Systems of NPP Annex D. Identification of Resolution of Hazards in each phase of the system lifecycle NRC Regulation NUREG BTP-14, Software Safety Analysis in each phase of the software lifecycle NUREG-CR , Software Safety Hazard Analysis in each phase of the software lifecycle
IEC/IEEE Differences in Security Criteria IEC Generic(61508) 1998~2000 Security is out of scope of IEC dose not cover the precautions that may be necessary to prevent unauthorized persons damaging Because the is focusing only to the Functional Safety IEC Nuclear Sector IEC Overall Security plan and systems security plan IEC Security Analysis Security Design User authentication Security during development NRC-IEEE Framework IEEE Std , Digital Computers in Safety Systems of NPP No security requirement IEEE Std , Software Safety Plan No software security requirement Reg. Guide rev Concepts Security Requirement Security Design Security Implementation Security Test Security Installation, Checkout and Acceptance Testing Security Operation Security Maintenance Security Retirement Security
Summary OVERVIEW of IEC Std. IEC IEC SC45A IEC Comparison of IEC and IEEE Harmonization of these two frameworks is current issue. IEEE, IEC Dual Logo Standard.
SAMCHANG
Contents 0. Background 1. IEC IEC SC45A, IEC Comparison of IEC and IEEE