REACTORS, SHUTDOWN SYSTEMS, FUEL HANDLING SYSTEMS
NUCLEAR POWER SAFETY
If you are looking for experience with safety analysis of:
- Control Systems
- Shutdown Systems, or
- Fuel-Handling Systems
we can provide a substantial amount of expertise in these areas.
Some of our contracts include:
- Ontario Hydro Software Hazard Analysis Procedure
- Darlington Shutdown System Software Analysis
- Fuel-Handling Software Safety Analysis Following LOCA
- Control System Software Safety Analysis
- Nuclear Containment Indication System Safety Analysis
- EPRI, TVA, et al. Software Safety Training
A FEW OF OUR NUCLEAR POWER CONTRACTS
SOFTWARE HAZARD ANALYSIS PROCEDURE
We were responsible for producing a customized formal procedure for hazard analysis of safety-critical software for Ontario Hydro, at the time the largest electric power utility in North America.
This procedure was one of a family of standards and procedures defining the engineering requirements for different classes of real-time software distinguished by complexity of system, source of supply and criticality of application.
This procedure was written to conform to and complement the standard for software engineering of safety-critical software.
The standard and its associated procedures are intended to ensure that reliability objectives are met by safety-critical software.
SHUTDOWN SYSTEM SOFTWARE ANALYSIS
We applied a technique known as Program Function Table (PFT) analysis to the Darlington shutdown systems.
PFT analysis represents the code and the software design specification in a very thorough fashion.
Tables are constructed for each software module describing output variables in terms of input variables and constants for each possible module operating mode.
These tables are then linked, thus permitting the description of system outputs in terms of system inputs.
This result is then compared against a tabular interpretation of the software design specification.
Disagreements between the two are then analyzed.
We were also a major contributor to establishing the rules for PFT analysis.
This work resulted in a published paper.
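The PFT procedure described above, as an added example rather than HCRQ's own code or the Darlington analysis: one table per module gives its output variable in terms of its inputs and constants for each operating mode, the tables are linked so the system output is expressed in terms of system inputs, and the linked result is compared against a tabular reading of the design specification, with disagreements reported. The two-module pressure-trip channel, its constants, its setpoint and the specification wording are all constructed for the illustration.

```python
"""Program Function Table (PFT) analysis on a constructed two-module trip channel.
Added example, not HCRQ's or Ontario Hydro's code; every module, constant and
setpoint below is constructed for the demonstration."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List

Env = Dict[str, int]


@dataclass
class Row:
    mode: str                         # operating mode this row describes
    condition: Callable[[Env], bool]  # when the row applies
    result: Callable[[Env], int]      # output value in that mode


@dataclass
class PFT:
    """One program function table: one output variable as a function of inputs."""
    name: str
    output: str
    rows: List[Row]

    def evaluate(self, env: Env):
        """Return (mode, value). A well-formed table is complete and disjoint,
        so exactly one row must apply to any input vector."""
        hits = [r for r in self.rows if r.condition(env)]
        if len(hits) != 1:
            raise ValueError(f"{self.name}: {len(hits)} rows apply to {env}")
        return hits[0].mode, hits[0].result(env)


# Constants as they appear in the constructed module code.
FAIL_HIGH = 999   # substituted reading when the sensor is flagged invalid
SETPOINT = 150    # high-pressure trip setpoint (constructed units)

# Module 1: signal conditioning. Output p in terms of the raw reading and validity flag.
condition_signal = PFT("condition_signal", "p", [
    Row("valid",   lambda e: e["valid"] == 1, lambda e: e["raw"]),
    Row("invalid", lambda e: e["valid"] == 0, lambda e: FAIL_HIGH),
])

# Module 2: trip comparison. Output trip in terms of p, as coded (strict '>').
high_pressure_trip = PFT("high_pressure_trip", "trip", [
    Row("above_setpoint", lambda e: e["p"] > SETPOINT,  lambda e: 1),
    Row("at_or_below",    lambda e: e["p"] <= SETPOINT, lambda e: 0),
])

# Tabular interpretation of the (constructed) design specification, written directly
# over system inputs: "trip when pressure reaches the setpoint or the reading is invalid".
spec_trip = PFT("spec_trip", "trip", [
    Row("trip",    lambda e: e["valid"] == 0 or e["raw"] >= SETPOINT, lambda e: 1),
    Row("no_trip", lambda e: e["valid"] == 1 and e["raw"] < SETPOINT, lambda e: 0),
])


def link(tables: List[PFT], system_inputs: Env) -> Env:
    """Link module tables in data-flow order: each module's output becomes an
    input of the next, so the final env holds system outputs in terms of
    system inputs."""
    env = dict(system_inputs)
    for t in tables:
        _, value = t.evaluate(env)
        env[t.output] = value
    return env


def check_table(table: PFT, domains: Dict[str, List[int]]) -> List[Env]:
    """PFT rule check: return the input vectors for which the table is not
    complete and disjoint (zero or several rows apply)."""
    bad = []
    for values in product(*domains.values()):
        env = dict(zip(domains.keys(), values))
        if sum(r.condition(env) for r in table.rows) != 1:
            bad.append(env)
    return bad


def compare(tables: List[PFT], spec: PFT, domains: Dict[str, List[int]]) -> List[Env]:
    """Evaluate the linked code tables and the spec table over every input vector
    in the bounded domain; return the vectors on which they disagree."""
    disagreements = []
    for values in product(*domains.values()):
        inputs = dict(zip(domains.keys(), values))
        code_value = link(tables, inputs)[spec.output]
        _, spec_value = spec.evaluate(inputs)
        if code_value != spec_value:
            disagreements.append({**inputs, "code": code_value, "spec": spec_value})
    return disagreements


SYSTEM_DOMAINS = {"raw": list(range(0, 201)), "valid": [0, 1]}


def analyze() -> List[Env]:
    """Check each table against the PFT rules, then return code/spec disagreements."""
    assert not check_table(condition_signal, SYSTEM_DOMAINS)
    assert not check_table(high_pressure_trip, {"p": list(range(0, 201)) + [FAIL_HIGH]})
    return compare([condition_signal, high_pressure_trip], spec_trip, SYSTEM_DOMAINS)


if __name__ == "__main__":
    for d in analyze():
        print("DISAGREEMENT", d)
```

The single disagreement the comparison surfaces is the setpoint boundary (raw reading exactly at the setpoint with a valid sensor), where the coded strict comparison and the specification's "reaches" disagree. That is the kind of finding the procedure is designed to isolate: the tables make the boundary explicit, and the disagreement is then handed to analysts to decide which side is wrong.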
FUEL-HANDLING SOFTWARE SAFETY ANALYSIS
Ontario Hydro experienced a substantial spill of radioactive heavy water, a loss-of-coolant accident (LOCA), during the refueling of one of its reactors.
The brakes, which prevent bridge motion while holding the fueling machine, were accidentally released while the fueling machine was clamped onto a fuel channel end-fitting.
The fueling machine dropped a distance of 40 cm, badly damaging the end-fitting. The heavy water leak (initially 1400 kg/h) dropped to 18 kg/h when the heat transport system was de-pressurized.
The incident was traced back to a software error which had been introduced into one of the protective computer systems approximately four years earlier.
Due to previous contract work with post-accident safety analyses, we were called in to perform a safety analysis of this software.
This work resulted in a published paper "Fault Tree Analysis Of Software At Ontario Hydro" coauthored by HCRQ's director of consulting.
TELEVISION APPEARANCE
As a result of our reputation in system safety, and our having conducted two post-accident safety analyses, we were interviewed on television. The last question we were asked was "Should we feel safe if we live next to a nuclear power plant?"
INDICATION SYSTEM
We were consulted by a nuclear power producer after they had designed a safety-critical indication system.
Our client was interested in performing a safety analysis of this system.
We quickly advised them that, due to the way their system was designed, a safety analysis was impossible.
The indication system had to be redesigned.
They regretted not contacting us earlier.
ANOTHER NUCLEAR POWER INVOLVEMENT: TRAINING
HCRQ taught a software safety course to an audience consisting of representatives from the Electric Power Research Institute (EPRI), Tennessee Valley Authority (TVA), and others.
NUCLEAR POWER GENERATION: SAFE IF
- properly designed (including safeguards) by competent people,
- thoroughly analyzed by expert system safety and software safety engineers,
- thoroughly tested by competent people,
- systems are properly constructed and installed, and
- operated and maintained (systems, hardware, software) by competent people.
SOME DISMAY
In our travels in the nuclear power world, it was regrettably once our experience to hear "Why should we analyze the safety of something which has not had any accidents?" Making the situation even worse was the fact that the statement was made by the general manager of a nuclear generating station.