Off-The-Shelf Software Components in systems important to safety (EPR - European Pressurized water Reactor)

Nguyen N.Q. THUY
Research and Development Division, Power Plant Control Branch
6, quai Watier, BP 49 CEDEX, Chatou, France

Françoise FICHEUX-VAPNE
Engineering and Construction Division, Computer Systems Quality Group
Immeuble Lorraine, Boulevard de France, BP 128 CEDEX, Evry, France
Research and Development Division / Power Plant Control Branch. Off-The-Shelf Software Components in systems important to safety. Page 2 / 27, SES’98, Monterey

EDF (Electricité de France)
- French electric power utility
- 56 nuclear power plants in activity
- 75% of French electricity from nuclear power plants
[Photo: Dampierre]
EPR - European Pressurized water Reactor
- Design of future French and German nuclear power plants:
  - EDF, 9 German utilities
  - Siemens, Framatome
  - French and German licensing authorities
- Experience from N4 and Konvoï series
- Extensive use of Off-The-Shelf computer-based systems
- Work still in progress
Classification of systems in nuclear power plants
- 3 classes of systems important to safety:
  - IEC
  - IEC (draft)
  - N4 series
  - EUR (European Utilities Requirements)
  - EPR
- Defense in depth
Overall gradation of requirements - Class 1
- Low complexity
- Deterministic behavior for computer-based systems:
  - cyclic behavior
  - preferably stateless behavior
  - load independent of external conditions
  - static resource allocation
  - guaranteed response times
- Single (random) failure criterion
- Robustness with respect to errors
- Software developed according to stringent nuclear industry standards (e.g., IEC 60880)
Overall gradation of requirements - Class 2
- Controlled complexity
- Confidence based in particular on analysis of system design
- High quality software, not necessarily developed according to nuclear industry standards
Overall gradation of requirements - Class 3
- No specific limit for complexity
- Confidence mainly based on:
  - proven application of quality standards
  - global demonstration of fitness
- Specific demonstrations may be required on identified topics
Assessment of components
- Objective: contribute to confidence that the system conforms to safety requirements
- Stringency of assessment depends on:
  - safety class of system
  - how component is used
  - consequences of component errors and failures
  - intrinsic component properties (e.g., complexity)
Off-The-Shelf Software Components (OTS-SCs)
- OTS-SCs usually assessed as « black-boxes »:
  - specification is available
  - no information on design and implementation
  - no detailed information on development processes
- « Clear-box » assessment necessary only in some cases:
  - Class 1: normal practice, with exceptions
  - Class 2: required only when black-box assessment not sufficient
  - Class 3: not required
- Black-box hardware components may contain software
Main requirements for assessment of OTS-SCs
- Precise and complete specification
- Quality and reliability demonstrated as appropriate
- Component functionally suitable
- Use consistent with specification
- Component and use consistent with system level constraints
Component specification
- Precision and completeness sufficient for:
  - functional assessment of component
  - reliability assessment (e.g., testing)
  - correct use, integration and maintenance
- Mandatory for all Classes
- Mainly provided by component supplier
  - may be completed after tests, measurements, operating experience
Quality and reliability of OTS-SCs
- Direct demonstrations:
  - Testing
  - Analysis
  - Certification
  - Operating experience
- Indirect demonstrations:
  - Quality of development processes
  - Supplier's proficiency
Testing
- Development tests (Class 1, clear-box components):
  - coverage of component specification, design & coding
  - documented tests or documented processes
- Type testing (Class 1, black-box components):
  - based on complete component specification
  - independently of component supplier
- Testing in conditions of use (Classes 1 & 2)
Analysis
- Applicable to clear-box components only (Class 1)
- Analysis of:
  - structural complexity
  - quality of design and coding
  - quality of development documentation
  - conformance to applicable software standards
  - behavioral complexity
Certification
- Independent certification may be taken into account if:
  - certifying authority is identified, competent and independent
  - component certified is the one used in the system
  - properties and values certified are identified and appropriate
  - methods, tools and results are documented and appropriate
- Properties and values required but not certified still need to be demonstrated
Operating experience
- Conditions:
  - components fully identified and similar to the one used
  - conditions of use documented and similar to those in the system
  - failures during operating experience are detected and reported
- Also to be taken into account:
  - functional complexity of the component
  - likely consequences of component failures
  - volume of operating experience (number of components, duration)
Quality standards, Proficiency of component supplier
- Conformance to AIEA 50 CQ-A (Class 1)
- Level equivalent to ISO 9000 series (All Classes)
- Certification of supplier may be taken into account if:
  - certifying authority is identified, competent and independent
  - reference for certification is identified and appropriate
- Proven experience of supplier in developing successfully similar products (Classes 1 & 2)
Functional suitability, Complexity
- Functional suitability of component (Classes 1 & 2):
  - component satisfies documented needs and constraints
  - complexity not out of proportion with needs and constraints
- Complexity of component and of « binding » code:
  - functional complexity
  - structural complexity
  - behavioral complexity
Use in the system
- Conditions of use proven to remain within component specification (Classes 1 & 2)
- Restricted use may ease demonstration of reliability
- Caution recommended (Classes 1 & 2):
  - stable conditions of use
  - possible errors and failures of component detected as early as reasonable
  - reasonable defense against unacceptable consequences
Consistency with system level constraints
- Predictable behavior (Classes 1 & 2):
  - precise specification of component behavior
  - documented conditions of use in system
- Deterministic behavior (Class 1):
  - static resource allocation
  - static parameterization
  - preferably stateless behavior
  - clear-box (with limited exceptions)
  - proven maximum response time
  - proven robustness against consequences of errors
Black-box OTS-SCs in Class 1 systems
- Very large operating experience
- Low functional complexity
- Stable conditions of use
- System protected as appropriate against propagation and consequences of errors
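As an added illustration (not part of the original slides) of the « binding » code, conditions-of-use and error-containment points above, the C below wraps a constructed stand-in for a black-box OTS component: the binding enforces the documented conditions of use before each call, checks the result against the component specification after it, holds the last good value instead of propagating an anomaly, and uses only static allocation. The component contract, the 0..4095 / 0..4000 ranges and the sample sequence are all assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a black-box OTS component. Assumed specification:
 * input and output are 12-bit counts (0..4095), stateless call. Its design is
 * not inspectable, so the binding code below relies only on this contract. */
static uint16_t ots_filter(uint16_t sample) {
    return (uint16_t)((3u * sample + 1u) / 4u);
}

/* Assumed documented conditions of use: the system feeds only 0..4000, the
 * sub-range of the specification exercised by testing in conditions of use. */
#define SPEC_MAX_COUNTS 4095u
#define USE_MAX_COUNTS  4000u

typedef enum { BIND_OK = 0, BIND_INPUT_OUT_OF_USE, BIND_OUTPUT_OUT_OF_SPEC } bind_status_t;

/* Binding state: fixed size, statically allocated, no heap. */
typedef struct {
    uint16_t last_good;   /* last accepted output, the fail-safe fallback value */
    uint32_t anomalies;   /* detected anomalies, exposed to supervision/alarming */
} binding_t;

/* Guarded call: conditions of use checked before the call, result checked
 * against the specification after it; a bad value is never propagated. */
static bind_status_t guarded_filter(binding_t *b, uint16_t sample, uint16_t *out) {
    if (sample > USE_MAX_COUNTS) {          /* outside documented conditions of use */
        b->anomalies++;
        *out = b->last_good;                /* hold last good value, skip the OTS call */
        return BIND_INPUT_OUT_OF_USE;
    }
    uint16_t y = ots_filter(sample);
    if (y > SPEC_MAX_COUNTS) {              /* component violated its own specification */
        b->anomalies++;
        *out = b->last_good;
        return BIND_OUTPUT_OUT_OF_SPEC;
    }
    b->last_good = y;
    *out = y;
    return BIND_OK;
}

/* Cyclic use over a constructed sample sequence; returns the anomaly count.
 * 4095 is within the component specification but outside the conditions of use. */
static uint32_t run_cycles(binding_t *b) {
    static const uint16_t samples[] = { 1000u, 2000u, 4095u, 3000u };
    uint16_t out = 0u;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        (void)guarded_filter(b, samples[i], &out);
    }
    return b->anomalies;
}
```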
Example: OTS-SCs in a Class 2 Supervision system
- Typical OTS-SCs:
  - Real Time Operating System (RT-OS)
  - Graphic-HMI libraries
  - Basic communication software
  - Software buried in dedicated OTS hardware components
- Black-boxes
RT-OS
- Main characteristics:
  (-) functionally complex
  (-) errors & failures may be subtle
  (+) some already in use in systems important to safety
- Operating experience necessary, but not sufficient
- Confidence mainly based on:
  - pre-existing certification, if any
  - very cautious use
  - extensive testing in conditions of use
Graphic-HMI libraries
- Main characteristics:
  (-) functionally complex
  (-) not developed specifically for safety applications
  (+) modular
  (+) very wide market
  (+) in some cases, source code is public
- Operating experience necessary, but not sufficient
- Confidence mainly based on:
  - supplier's proficiency
  - quality of development processes
  - very cautious use
  - extensive testing in conditions of use
Basic communication software
- Main characteristics:
  (+) functional complexity reasonably low
  (+) very wide market
  (+) some already in use in systems important to safety
  (+) failures unlikely to go unnoticed
- Confidence mainly based on:
  - low functional complexity
  - large operating experience
  - pre-existing certification, if any
  - testing in conditions of use
OTS-HC embedding software
- Main characteristics:
  (+) functional complexity reasonably low
  (+) wide market
- Confidence mainly based on:
  - low functional complexity
  - very large operating experience
  - very cautious use
  - testing in conditions of use
Conclusion
- OTS-SCs unavoidable, even in systems important to safety
- No simple magic formula for assessing OTS-SCs
- Engineering judgement still needed