
Research projects concerning digital instrumentation and control important to safety

In order to guarantee the safe operation of nuclear facilities according to the state of the art in science and technology, BfE supports the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety by carrying out relevant research projects. To this end, BfE initiates and manages research projects with a defined scope of work, e.g. to analyse the safety-related characteristics of digital instrumentation and control (I&C) and to derive and refine safety-related requirements for that technology.

Current research projects

Several research projects concerning the IT security and the complexity of digital I&C are currently planned; they complement the findings of the completed research projects listed below.

Co-operation in the development of IEC (International Electrotechnical Commission) standards for software-based I&C important to safety in view of adopting these standards at the national level

Detailed requirements for software-based I&C important to safety are formulated on an international level as standards of the International Electrotechnical Commission (IEC). As software-based I&C equipment is subject to rapid technological innovation, existing standards are revised cyclically and projects for new standards are initiated, such as

  • standard IEC 62645 (Nuclear Power Plants - Instrumentation and Control Systems - Cybersecurity requirements for programmable digital systems), and
  • standard IEC 62859 (Nuclear Power Plants - Instrumentation and Control Systems - Requirements for coordinating safety and cybersecurity).

In order to integrate the high-level German nuclear requirements into these standards, German experts with relevant experience collaborate in the IEC bodies that develop standards for I&C important to safety.

Following their assessment by the national sub-committee UK 967.1 ("Reaktorinstrumentierung", reactor instrumentation) of the German Commission for Electrical, Electronic and Information Technologies (Deutsche Kommission für Elektrotechnik Elektronik Informationstechnik, DKE), these IEC standards can be introduced in Germany as

  • national standards (DIN IEC) or
  • European standards (DIN EN).

The consistency of the standards with the requirements of the main national nuclear regulations has to be maintained. Furthermore, selected standards will be adopted as European standards through a process agreed with the European Committee for Electrotechnical Standardization (CENELEC). Once adopted as European standards, they are binding in Germany.

This current research project aims to establish a technical basis for developing international standards and European standards (EN-Normen) for digital I&C important to safety.

Completed research projects

IT security in nuclear power plants: detection of unauthorised interventions in the programme structures and the mode of operation of software-based I&C important to safety, and countermeasures

The software-based I&C systems important to safety in nuclear power plants, as well as the IT systems used to secure the I&C, were analysed with regard to their ability to detect unauthorised interventions in their programme structures and mode of operation.

The research focused on the technical means of ensuring IT security in the event of attacks directed against software-based I&C systems and programmable logic controllers (PLCs), including their serial interfaces to communication technology. The project took account of the experience gained from known attacks on industrial I&C by malware such as Stuxnet.
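One concrete way to detect an unauthorised intervention in the programme structure of a software-based I&C device is to compare the logic blocks currently loaded against an authenticated baseline. The following script is an added example written for this page; it is not a method from the research project described above. The block names, block contents and the HMAC key are constructed for the example, and the "device image" is a plain dictionary where a real check would read the blocks through the device's engineering interface.

```python
"""Detecting unauthorised changes to the program structure of a software-based
I&C device by comparing its loaded logic blocks with a signed baseline.

Added example, not a method from the research project described on this page.
Block names, block contents and the HMAC key are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed trusted image: block name -> compiled block contents.
BASELINE_BLOCKS = {
    "OB1":      b"\x70\x70\x01\x01main cyclic program",
    "FB_TRIP":  b"\x70\x70\x02\x10trip logic: 2oo4 vote on pressure",
    "FC_LIMIT": b"\x70\x70\x03\x07reactor limitation function",
}

# Constructed image read back later: one block modified, one removed, one added.
TAMPERED_BLOCKS = {
    "OB1":       BASELINE_BLOCKS["OB1"],
    "FB_TRIP":   b"\x70\x70\x02\x10trip logic: 2oo4 vote on pressure\x00bypass",
    "FC_BYPASS": b"\x70\x70\x09\x01force actuator outputs",
}

# Assumed key for authenticating the baseline. It belongs to the party that
# performs the comparison, never to the device or engineering station checked.
BASELINE_KEY = b"constructed-example-key-not-for-real-use"


def block_digests(blocks):
    """SHA-256 digest of every block, keyed by block name."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(blocks.items())}


def sign_baseline(blocks, key):
    """Record the digests of a trusted image and bind them with an HMAC."""
    digests = block_digests(blocks)
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests,
            "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def baseline_is_authentic(baseline, key):
    """Reject a baseline that was itself altered, e.g. to hide a changed block."""
    payload = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def detect_changes(baseline, current_blocks, key):
    """Compare the blocks currently read from the device with the signed baseline.

    Returns the names of modified, added and removed blocks; raises if the
    baseline itself does not authenticate.
    """
    if not baseline_is_authentic(baseline, key):
        raise ValueError("baseline HMAC mismatch: baseline is not trustworthy")
    ref = baseline["digests"]
    cur = block_digests(current_blocks)
    return {
        "modified": sorted(n for n in ref if n in cur and ref[n] != cur[n]),
        "added":    sorted(n for n in cur if n not in ref),
        "removed":  sorted(n for n in ref if n not in cur),
    }


if __name__ == "__main__":
    baseline = sign_baseline(BASELINE_BLOCKS, BASELINE_KEY)
    print(detect_changes(baseline, BASELINE_BLOCKS, BASELINE_KEY))
    print(detect_changes(baseline, TAMPERED_BLOCKS, BASELINE_KEY))
```

The comparison is only as trustworthy as the read of the current blocks: Stuxnet hid its injected code by intercepting the engineering station's block reads so that the original blocks were returned. The read should therefore come through a path the attacker cannot mediate, and the baseline and its key must be kept off the machine being verified.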

Complexity and error potential in software-based digital I&C

In the scope of an already completed investigation, a method was developed to measure the complexity of the application software of automation systems and devices. The method is based on the analysis of essential complexity features, such as the number of the system's functional modules and their integration into function plans (function block diagrams). This concept is applicable to different digital I&C systems and makes it possible to gain insights into the code structure and to identify potential weak points.

In another project, a different method of measuring software complexity was developed. Its practical feasibility was demonstrated on a test system.

The results of both investigations showed that further development was needed; this was addressed in subsequent projects:

Based on the state of the art in science and technology, it was first investigated to what extent an evaluation of software complexity allows conclusions to be drawn about the reliability of the software implemented in digital I&C systems.

Subsequently, the complexity characteristics of digital I&C systems used in nuclear facilities were determined in practice. In addition, the following were established:

  • the limits of the methodology and the related tools,
  • the significance of the chosen metric, as well as
  • the accuracy achievable in practice and the coverage of data recording and data analysis for the measurement of software complexity.

To be able to measure and evaluate the complexity of a software system under specific aspects, the measuring method and the related tools were subsequently extended so that, for example, function plans that are critical with regard to their complexity can be identified.

Finally, the prerequisites and restrictions were identified under which this measuring method can also be applied to I&C devices based on programmable logic devices (PLDs) rather than on computer architectures. The results of sample applications were evaluated with regard to the reliability assessment of such components and the degree of component test coverage achievable in practice.
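To make the idea of a complexity measurement over function plans concrete, the following script is an added example written for this page; it is not the measuring method or the tooling developed in the projects described above. A function plan is modelled as a directed graph whose nodes are function blocks and whose edges are signal connections from one block's output to another block's input. The metrics (McCabe's cyclomatic number over the signal graph, the number of feedback loops, the maximum fan-in), the thresholds and the two sample plans are illustrative assumptions; the thresholds in particular are placeholders, not values from any standard or from the projects.

```python
"""Complexity metrics for function plans (function block diagrams) of a
software-based I&C system.

Added example, not the measuring method developed in the projects described
on this page. Metrics, thresholds and sample plans are illustrative assumptions.
"""
from collections import defaultdict, deque


class FunctionPlan:
    def __init__(self, name, blocks, connections):
        self.name = name
        self.blocks = dict(blocks)                 # block id -> block type
        self.connections = list(connections)       # (source block, target block)
        for src, dst in self.connections:
            if src not in self.blocks or dst not in self.blocks:
                raise ValueError(f"{name}: connection {src}->{dst} uses an unknown block")

    def _components(self):
        """Number of weakly connected components (P in the cyclomatic number)."""
        adj = defaultdict(set)
        for src, dst in self.connections:
            adj[src].add(dst)
            adj[dst].add(src)
        seen, count = set(), 0
        for start in self.blocks:
            if start in seen:
                continue
            count += 1
            queue, _ = deque([start]), seen.add(start)
            while queue:
                node = queue.popleft()
                for nxt in adj[node]:
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
        return count

    def feedback_connections(self):
        """Connections that close a loop (DFS back edges): a signal fed back to an
        earlier block, i.e. state the plan carries from one cycle to the next."""
        succ = defaultdict(list)
        for src, dst in self.connections:
            succ[src].append(dst)
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {b: WHITE for b in self.blocks}
        back = []

        def visit(node):
            colour[node] = GREY
            for nxt in succ[node]:
                if colour[nxt] == GREY:        # target is still on the DFS stack
                    back.append((node, nxt))
                elif colour[nxt] == WHITE:
                    visit(nxt)
            colour[node] = BLACK

        for start in self.blocks:
            if colour[start] == WHITE:
                visit(start)
        return back

    def metrics(self):
        n, e = len(self.blocks), len(self.connections)
        fan_in = defaultdict(int)
        for _, dst in self.connections:
            fan_in[dst] += 1
        return {
            "blocks": n,
            "connections": e,
            "cyclomatic": e - n + 2 * self._components(),  # McCabe's number on the signal graph
            "feedback_loops": len(self.feedback_connections()),
            "max_fan_in": max(fan_in.values(), default=0),
        }


# Illustrative thresholds (assumption): a plan is flagged if a metric exceeds its limit.
THRESHOLDS = {"cyclomatic": 4, "feedback_loops": 0, "max_fan_in": 4}


def critical_plans(plans, thresholds=THRESHOLDS):
    """Plan name -> list of metrics above threshold, for flagged plans only."""
    flagged = {}
    for plan in plans:
        m = plan.metrics()
        exceeded = [k for k, limit in thresholds.items() if m[k] > limit]
        if exceeded:
            flagged[plan.name] = exceeded
    return flagged


# Constructed sample plans: a straight-line trip logic and a self-holding limitation.
PLAN_SIMPLE = FunctionPlan(
    "trip_simple",
    {"P1": "AI", "T1": "AI", "CMP_P": "CMP", "CMP_T": "CMP", "OR1": "OR", "TRIP": "DO"},
    [("P1", "CMP_P"), ("T1", "CMP_T"), ("CMP_P", "OR1"), ("CMP_T", "OR1"), ("OR1", "TRIP")],
)
PLAN_SELF_HOLD = FunctionPlan(
    "limit_self_hold",
    {"L1": "AI", "CMP_HI": "CMP", "CMP_LO": "CMP", "SR": "SR", "TIMER": "TON",
     "AND1": "AND", "OR1": "OR", "NOT1": "NOT", "OUT": "DO"},
    [("L1", "CMP_HI"), ("L1", "CMP_LO"), ("CMP_HI", "SR"), ("CMP_HI", "OR1"),
     ("CMP_LO", "NOT1"), ("NOT1", "SR"), ("SR", "TIMER"), ("SR", "AND1"),
     ("TIMER", "AND1"), ("AND1", "OR1"), ("OR1", "OUT"), ("OUT", "AND1")],  # OUT->AND1 is the self-hold
)

if __name__ == "__main__":
    for plan in (PLAN_SIMPLE, PLAN_SELF_HOLD):
        print(plan.name, plan.metrics())
    print("critical:", critical_plans([PLAN_SIMPLE, PLAN_SELF_HOLD]))
```

The self-holding plan is flagged on two metrics even though it has only nine blocks, which is the point of measuring structure rather than size: the feedback connection OUT->AND1 makes the output depend on its own previous value, so a review has to consider the plan's history, not just its current inputs.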

Development of an approach to analyse network technologies applied in I&C important to safety with regard to the propagation and consequences of postulated faults

In some nuclear power plants, software-based I&C systems have been used for reactor limitation functions which are important to safety. Furthermore, there is the trend to use software-based field devices with network interfaces to the central I&C, for example for transmitters and actuators.

Operational experience shows that the internal communication of a networked I&C system affects its reliability. The effects of potential faults inside and outside communication networks on safety-related functions in nuclear power plants were investigated in a project with the following objectives:

Work Package 1: Phenomenological investigations on potential network faults in I&C systems

First, the state of the art in science and technology relating to the network technologies in use and to methods of analysing network faults was documented.

Based on this study, the safety-relevant aspects of the network technologies used in I&C were determined and categorised with respect to the effects of potential faults in a generic network. For this purpose, different network topologies, communication protocols, interfaces and network operating modes were considered with respect to the safety-related aspects of the communication.

Furthermore, methodical approaches were developed to analyse potential network faults and the effects (propagation) of postulated faults in typical I&C networks. A worst-case scenario for network faults was defined so that the failure behaviour of safety-relevant communication in I&C can be evaluated deterministically.

Work Package 2: Further development of the FTA methodology to model redundant and networked systems

The proven method of fault tree analysis (FTA) was developed further for the modelling of complex networks and tested by way of example on a generic I&C system.

For this purpose, a programming interface for creating and modifying fault trees for redundant networked systems was developed.

Final report

The final report on the project [GRS-377] compiles the general basics of the network technologies typically used in industry for data communication. The main focus is on the characterisation of disturbances and failures in networks; on network topologies, evaluated with respect to their behaviour under disturbances and failures; on the characterisation of industrial bus standards, including statements on their safety features and access methods; and on a comparison of transmission media such as copper cable and optical fibre. The basic principles of safety bus systems (grey-channel and white-channel approaches) are dealt with in particular.

Another main chapter of the report explains and compares methodical approaches for the analysis of potential network faults. The applicability of fault tree analysis is evaluated against defined criteria and confirmed for the project task of modelling high-redundancy safety networks. To demonstrate this applicability, an I&C system representative of typical I&C architectures was chosen and its network was modelled.

A tool developed for the automatic generation of structurally identical fault trees was applied successfully.

The Annex compares the reliability and safety assessment methods currently discussed at the international level. Furthermore, a generic reliability analysis, not restricted to network technologies, is examined and evaluated according to selected criteria. Fault tree analysis proves to be an established method for the quantitative reliability analysis of complex systems that requires only reasonable effort. The applicability of the fault tree method to time-dependent systems, however, is restricted. Although special methodical approaches exist, such as Markov analysis or the Dynamic Flowgraph Methodology, their applicability to complex systems has not yet been sufficiently demonstrated.
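The following script is an added example written for this page to illustrate the kind of fault tree modelling discussed in Work Package 2 and the final report; it is not the GRS tool, the project's programming interface or the model from [GRS-377]. It generates structurally identical subtrees for four redundant trains of a networked I&C system (the pattern behind "automatic generation of structurally identical fault trees"), evaluates the top event by the usual bottom-up gate arithmetic, and then evaluates it exactly by enumerating basic-event states. The difference matters because one basic event, a central network switch, appears in every train's subtree: the bottom-up arithmetic silently assumes the four copies are independent. The system model and all failure probabilities are assumptions made for the example.

```python
"""Fault-tree evaluation for a redundant, networked I&C system.

Added example, not the tool or programming interface from the project described
on this page. The system model and the failure probabilities are assumptions.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Basic:
    name: str
    prob: float           # probability that this basic event occurs


@dataclass(frozen=True)
class Gate:
    kind: str             # "AND", "OR" or "KOFN" (at least k inputs failed)
    inputs: tuple
    k: int = 0


def basic_events(node):
    """Set of distinct basic events below a node (a shared event is counted once)."""
    if isinstance(node, Basic):
        return {node}
    out = set()
    for i in node.inputs:
        out |= basic_events(i)
    return out


def holds(node, state):
    """Boolean evaluation of a node for one assignment of basic-event states."""
    if isinstance(node, Basic):
        return state[node.name]
    vals = [holds(i, state) for i in node.inputs]
    if node.kind == "AND":
        return all(vals)
    if node.kind == "OR":
        return any(vals)
    if node.kind == "KOFN":
        return sum(vals) >= node.k
    raise ValueError(node.kind)


def prob_bottom_up(node):
    """Gate arithmetic that treats every input as independent.
    Exact only if no basic event is reachable through two different inputs."""
    if isinstance(node, Basic):
        return node.prob
    ps = [prob_bottom_up(i) for i in node.inputs]
    if node.kind == "AND":
        r = 1.0
        for p in ps:
            r *= p
        return r
    if node.kind == "OR":
        r = 1.0
        for p in ps:
            r *= 1 - p
        return 1 - r
    if node.kind == "KOFN":
        dist = [1.0]                      # dist[j] = P(exactly j inputs failed so far)
        for p in ps:
            new = [0.0] * (len(dist) + 1)
            for j, d in enumerate(dist):
                new[j] += d * (1 - p)
                new[j + 1] += d * p
            dist = new
        return sum(dist[node.k:])
    raise ValueError(node.kind)


def prob_exact(node):
    """Exact top-event probability by enumerating all 2^n basic-event states;
    fine for small trees and correct with shared basic events."""
    evs = sorted(basic_events(node), key=lambda b: b.name)
    total = 0.0
    for bits in product((False, True), repeat=len(evs)):
        if holds(node, {b.name: v for b, v in zip(evs, bits)}):
            w = 1.0
            for b, v in zip(evs, bits):
                w *= b.prob if v else 1 - b.prob
            total += w
    return total


SWITCH = Basic("central_switch", 5e-4)    # assumed component shared by all trains


def make_train(i):
    """Structurally identical subtree for redundancy i:
    the train fails if its own node, its own link or the shared switch fails."""
    return Gate("OR", (Basic(f"node_{i}", 1e-3), Basic(f"link_{i}", 2e-3), SWITCH))


# Assumed voting: the safety function needs 2 of 4 trains (2oo4), so it fails
# when at least 3 trains have failed.
TOP = Gate("KOFN", tuple(make_train(i) for i in range(1, 5)), k=3)

if __name__ == "__main__":
    print(f"bottom-up (trains treated as independent): {prob_bottom_up(TOP):.3e}")
    print(f"exact (shared switch accounted for):       {prob_exact(TOP):.3e}")
```

With the assumed numbers the bottom-up value is about 1.7e-7 while the exact value is about 5.0e-4, i.e. essentially the switch failure probability: a single shared network component defeats the 2oo4 redundancy, and a model that duplicates that component into each train's subtree hides it. For trees whose subtrees share nothing, the two evaluations agree.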

Compilation of the safety requirements for interfaces of the peripheral measurement and actuation equipment connected to software-based instrumentation and control systems important to safety in nuclear power plants

Modern I&C systems use bus systems for data communication. For safety reasons, appropriate interfaces are required to connect the peripheral and central I&C equipment, whereby the data communication and processing equipment must meet a consistent set of requirements. The safety properties were investigated and assessed using two representative bus types.

Safety demonstration for computer-based I&C with off-the-shelf components for application in nuclear power plants

A structured safety demonstration procedure for software-based I&C is proposed, including a systematic link to the detailed I&C-specific regulatory framework. This systematic approach focuses in particular on DIN IEC standards, i.e. international IEC standards endorsed for application in Germany. The work also shows the complexity of the individual demonstration objectives and may consequently contribute to identifying and evaluating uncertainties in applying the requirements.

Note: Since 30 July 2016, the Federal Office for the Safety of Nuclear Waste Management (BfE) has supervised projects on safety I&C, having taken over this task from the Federal Office for Radiation Protection (BfS), which had been responsible until then.

State of 2018.09.04

© Federal Office for the Safety of Nuclear Waste Management