This paper describes the Software Criticality Analysis (SCA) approach that was developed to support the justification of commercial off-the-shelf software (COTS) used in a safety-related system. The primary objective of SCA is to assess the importance to safety of the software components within the COTS and to show there is segregation between software components with different safety importance. The approach taken was a combination of Hazops based on design documents and on a detailed analysis of the actual code (100 kloc). Considerable effort was spent on validation and ensuring the conservative nature of the results. The results from reverse engineering from the code showed that results based only on architecture and design documents would have been misleading.
12th Nuclear Plant Instrumentation, Control and Human-Machine Interface Technologies (NPIC&HMIT 2021), 2021
Embedded digital COTS devices are increasingly being used in Nuclear Power Plants. Although these devices are often not developed according to nuclear standards, they still need to be justified to be deployed in nuclear applications. Different countries have been developing their own processes to justify COTS digital devices. In many cases, this justification is based on the assessment of the development process. This is consistent with traditional standard-based approaches to safety justification – compliance to accepted practice was deemed to imply adequate safety. This could be demonstrated either directly through a review of the development artefacts or indirectly through consideration of existing certification, e.g., IEC 61508. However, over the last 20 years, there has been a trend towards explicit claim-based approaches, where specific safety claims are supported by arguments and evidence at progressively more detailed levels. The standards-based approach and the claim-based approaches are not mutually exclusive, and a combination can be used to support a safety justification. In fact, for the most critical systems, it can be argued that a safety case should consider both aspects. In this paper, we discuss the use of development process-based approaches to the safety justification of EDDs COTS components, the link between development processes and reliability, how certification may support the justification, and some of the pitfalls of relying on certification.
This paper describes research work done on approaches to justifying smart instruments, and in particular, how some of this research has successfully been applied to the safety substantiation of such instruments. From a management perspective, we examine both the issues involved in gaining access to information required for this justification and the necessity for a sustainable long-term approach for the justification of smart sensors that is acceptable to both suppliers and customers. From a technical perspective, we examine both overall safety justification approaches and specific techniques that can be used in the justification of the instruments' software. Our smart device assessment work covered both management and technical issues. Many of the approaches that were initially developed in research projects have now been applied in practice to smart devices that will be used in nuclear applications. We anticipate that further analysis techniques developed in our research progra...
This paper describes work funded by Energiforsk to consider the feasibility of using harmonised component level safety demonstration and, in particular, on using aspects of the UK approach to licensing and qualification of smart devices in Finland. We concluded that the use of harmonised component justification is feasible. In shorter timescales, this seems more likely to succeed if such an approach is developed within Finland. Using the assessments performed in the UK in Finland would have several advantages, but there are a number of technical and commercial issues that would need to be overcome for this to be feasible.
The reliability of computer-based systems implementing safety functions is a critical issue for the modernization and construction of nuclear power plants, in particular because software can usually not be proven to be entirely free of defects. The differences in regulation and safety justification principles between different countries restrict efficient co-operation and hinder the emergence of widely accepted best practices. This paper gives an introduction to the EU FP7 project HARMONICS (Harmonised Assessment of Reliability of Modern Nuclear I&C Software, 2011-2014), which has the overall objective of ensuring that the nuclear industry has well-founded and up-to-date methods and data for assessing the software of computer-based safety systems.
This paper discusses work done by the authors to develop an IAEA Nuclear Energy Series report to provide guidance on what would constitute an adequate justification process for a COTS device to be installed in an NPP for important-to-safety applications, such that there is reasonable assurance of high quality and that the application of the COTS does not introduce new, unanalysed failure modes. The publication provides a process for justification of digital COTS devices that may be used to guide the incorporation of these devices into the design of I&C systems important to safety, such that there is sufficient evidence to demonstrate that these products have adequate integrity to meet the requirements for their intended nuclear applications.
We compare verification and validation (V&V) techniques for FPGA and microprocessor-based instrumentation and control (I&C) systems from the point of view of standards compliance, an approach based on behavioural properties, and the analysis of vulnerabilities. We found that the non-technology-specific elements of the standards considered are very similar. Differences are more marked when considering behavioural properties and vulnerabilities: the amount of effort required and confidence level obtained depend on a number of properties of the particular design under
Papers by Sofia Guerra