Safety system containing software

There are five safety systems in Lungmen DCIS. They are Reactor Protection System (RPS), Neutron Monitor System (NMS), Process Radiation Monitoring System (PRMS), Containment Monitoring System (CMS), and Engineered Safety Features (ESF). The software development for all these safety systems follows the BTP-14 requirements. Along with the development, the IV V activities are performed. Of the safety systems, RPS, NMS, PRMS and CMS are designed by GE NUMAC, and ESF is sub-contracted by GE to Eaton Corporation. 

A complete lEC 61508 assessment includes a FMEDA, a study of Prior Use and adds an assessment of all fault avoidance and fault control measures during hardware and software development as well as detail study of the testing, modification, user documentation and manufacturing processes. The objective of all this effort is to provide a high level of assurance that an instrument has sufficient quality and integrity for a safety instrumented system application. This is clearly more important for products containing software as many end users have the strong opinion that software is "bad... 

The AOP 52 claims in chapter 2 to contain comprehensive list of best practices in the field of reducing the safety risk of software operating in software-related systems. As seen in the reference list of the AOP 52 the references that are used for AOP 52 are dated between 1983 and 1999. 

ISB (2009a) DSCN 14/2009 Application of patient safety risk management to the manufacture of health software. Information Standards Board for Health and Social Care ISB (2009b) DSCN 18/2009 Application of patient safety risk management to the deployment and use of health software. Information Standards Board for Health and Social Care MoD (1986) Def Stan 00-58 HAZOP studies on systems containing programmable electronics (withdrawn). Ministry of Defence... 

We have seen in the previous chapter that, as well as an obvious moral duty, systems designers and software engineers may have legal responsibilities under statutes such as the Health and Safety at Work Act to ensure that other people are not put at risk by their acts or omissions. Despite its apparently specific subject area, the general approach to safety matters contained in the Health and Safety at Work Act and associated regulations need not be confined to workplace safety. Indeed, the sequence— assess, control and monitor—found in the Control of Substances Hazardous to Health Regulations and the European regulations is capable of application to... 

The system is the combination or interrelation of hardware, software, people, and the operating environment. In system safety engineering, you must look at the system from cradle to grave. In other words, the system life cycle is the design, development, test, production, operation, maintenance, expansion, and retirement (or disposal) of the system. A nuclear power plant is one large system with operators, pressure subsystems, electrical and mechanical subsystems, structural containment, safety systems, etc. A far simpler example is a boy riding his bike. The bike, the boy, the street (with all its traffic conditions), the weather, the time of day, and even other children make up the system of boy on his bike. 

The CertPack of the COTS component will provide a source of evidence for the system s safety case. Figure 1 illustrates part of a proposed update to the BAE SYSTEMS Hawk T.Mk2 mission computer software safety case (Despotou et al. 2009), to incorporate COTS components. This safety case contains the arguments about the contribution of the COTS component to safety. The architecture of this modular safety case is intended to mitrimise the maintenance overhead during... 

Note the stages of the lEC model. The first 4 phases are concerned with design, then the realization phase is reached. This term describes in very general terms the job of actually building the safety system and implementing any software that it contains. 

The development of computer capabiUties in hardware and software, related instmmentation and control, and telecommunication technology represent an opportunity for improvement in safety (see COMPUTER TECHNOLOGY). Plant operators can be provided with a variety of user-friendly diagnostic aids to assist in plant operations and incipient failure detection. Communications can be more rapid and dependable. The safety control systems can be made even more rehable and maintenance-free. Moreover, passive safety features to provide emergency cooling for both the reactor system and the containment building are being developed. 

The first step in the acceptance process is the identification of the environment within which the pre-developed software will have to work. This environment is determined by the system-level safety function as described in the system requirements specification. Also the interface and performance requirements, as well as the safety category should be contained in the system requirements specification. This means, that during the establishment of the plant safety design base a risk and hazards analysis has been performed which rendered the categories of safety functions to be implemented by pre-developed software. This risk and hazard analysis - in spite of being out of the scope of I C engineering - has been taken as the first of four acceptance criteria that should be applied to pre-developed software independently of its safety category. 

Functional properties ( Arguments and evidence should be available that show (a) The source code contains a correct implementation of the functional properties of the software safety requirement, either directly or by means of intermediate design notations or stages. This includes those functional properties that have been derived from non-functional software safety requirements, (b) All parameters and constants used in conjunction with the software system have been checked for correctness and internal consistency. ),... 

In the system safety analysis process, you will come across IT-driven or microprocessor-based systems. While performing any of the system safety analyses, numerous hazardous situations will be discovered. The first step is to decide whether there are any software controls in those particular subsystems. If there are, then it can be considered a safety-critical subsystem. More formally, a safety-critical subsystem is one in which the operations must work properly or a hazardous situation will result. Safety-critical software is a software within a control system that contains one or more hazardous or safety-critical functions. 

The Physical Properties Data Service (PPDS) system is a combination of calculadonal software and associated databases which has been produced to satisfy these common engineering calculation requirements outlined above. The databanks and associated software have been developed over many years by the NEL Executive Agency, based at East Kilbride, Scotland. The complete PPDS system covers the full set of thermodynamic properties and contains some safety information in addition to the transport properties. The following sections of this chapter describe the main elements of the system and their operation. 

In Section 5 we propose and discuss the concept of security modules a security software layer, to retrofit security in PROFINET lO and PROFIsafe without any changes in the transmission system or standards. If the risk of security threats is not negligible, security modules can be used to add a security layer between PROFINET lO and PROFIsafe to reduce the possibihties of security attacks, and increase the overall availability. In addition for the studied system, the security modules will not forward safety containers that indicate compromised integrity, thus not putting the system in fail-safe mode due to spurious attacks on safety containers. 

---