WO2021229137A1 - System design model - Google Patents

System design model

Info

Publication number
WO2021229137A1
Authority
WO
WIPO (PCT)
Prior art keywords
information element
protection
design
category information
equipment
Prior art date
Application number
PCT/FI2020/050329
Other languages
French (fr)
Inventor
Jarmo KORHONEN
Leena KAPPINEN
Original Assignee
Fortum Oyj

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0286 Modifications to the monitored process, e.g. stopping operation or adapting control
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G21 NUCLEAR PHYSICS; NUCLEAR ENGINEERING
    • G21D NUCLEAR POWER PLANT
    • G21D3/00 Control of nuclear power plant
    • G21D3/04 Safety arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E30/00 Energy generation of nuclear origin

Definitions

  • To enable use of protection categories and associated design principles, a computerized database may be employed.
  • By database system it is herein meant a physical system configured to store a database, by which it is in turn meant an organized storage or assembly of information elements, which may be interrelated within the database system via associations and/or database relations.
  • The database system may use a suitable system, such as for example a computer system, and suitable magnetic, solid-state, holographic or other kind of memory.
  • Such a database is illustrated in FIGURE 1 as database 150.
  • In the database, functional requirements and design principles may take the form of information elements. The information elements together may form a digital design.
  • FIGURE 2 illustrates an example database hierarchy in accordance with at least some embodiments of the present invention.
  • The example database hierarchy of FIGURE 2 involves a database hierarchy of a nuclear power station external threat protection system.
  • At the top level are disposed, optionally, external threat protection safety design requirements 210. These requirements may be derived from and/or be based on regulatory requirements, codes and/or standards.
  • In some embodiments, nuclear safety design requirements 210 are absent from the database, for example where their content is taken into account, implicitly or explicitly, in other layers.
  • Unit 720 is a protection functional architecture, which may form a basis for other architectures. Protection functional architecture 720 may be divided, for example, into an information security protection functional architecture and other protection functional architectures. Protection functional architecture 720 leads to a preliminary security risk analysis 720A in the as-designed phase and a final security risk analysis 720B in the as-built phase. The hazard protection design 710 and the protection functional architecture 720 reflect plant-level risk analysis specifications and security function risk specifications, respectively.
  • Unit 730 is an information security design. Information security design 730 leads to an as-designed architecture risk analysis 730A in the as-designed phase and to an as-built design risk analysis 730B in the as-built phase.
  • DBT1 - DBT3 are design basis threat classes.
  • DET1 is a design basis extension threat class.
  • SAT is a severe accident threat, which is associated with the protection category "protection for severe accident management functions" of the external threat protection system.
  • Protection category PNO is associated with the design principle "no redundancy".
  • Protection category PPF is associated with the design principles redundancy N+1 and separation.
  • Protection category PEF is associated with the design principles redundancy N+1, separation and diversity against PPF and PSF.
  • Protection category PSF is associated with the design principles redundancy N+1, separation and diversity against all other protection categories.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Business, Economics & Management (AREA)
  • Emergency Management (AREA)
  • Plasma & Fusion (AREA)
  • High Energy & Nuclear Physics (AREA)
  • Automation & Control Theory (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

According to an example embodiment of the present invention, there is provided a method of implementing a safety critical system, comprising defining, in a computerized database, a digital design comprising a protection category information element and a task category information element, each being associated with at least one functional requirement and at least one design principle, associating, in the computerized database, in the digital design, the protection category information element and the task category information element with at least one system-level information element having the design principles of the protection category information element and the task category information element and at least one second design principle, and verifying, in the computerized database, that the safety critical system described by the digital design is compliant with the design principles of the protection category information element and the task category information element.

Description

SYSTEM DESIGN MODEL
FIELD OF INVENTION
[0001] The present invention relates to the field of ensuring, enhancing and maintaining safety in safety critical systems.
BACKGROUND OF INVENTION
[0002] Safety critical systems, such as, for example, nuclear power stations and civilian aircraft are designed to safety standards. Safety standards may be set by national or international regulators, standard-setting bodies or certification agencies, for example. Safety standards may be defined for industries as a whole, for system classes or for individual systems, for example. Even in the absence of formal safety standards, equipment in a system may be designed with safety rules when this is seen as desirable, for example to protect biodiversity.
[0003] A fission reactor, for example, must be designed and constructed in a way that enables operators to control its functioning and protect it from external hazards. Such controlling may comprise, if necessary, causing the reactor to transition to a managed idle state when instructed. Such an idle state may comprise a state where fission reactions are subcritical and decay heat is removed from the reactor core to prevent its overheating, which might otherwise damage the core of the reactor, potentially leading to release of radionuclides.
[0004] To obtain safe operability in safety-critical systems, components comprised in such systems may be associated with safety conditions. For example, a flight computer of an aircraft may be made redundant, that is, an aircraft may be furnished with a plurality of flight computers, each individually being capable of controlling the flight. In this case, redundancy is a safety condition, or design principle, associated with the flight computer equipment. In case of a fault condition in one of the flight computers, another one of the flight computers may assume the task of controlling the flight, the faulty flight computer being set to an inactive state.
[0005] Safe operation of a safety critical system, such as a nuclear power station, includes operation in an environment which may pose external hazards to the operation of the safety critical system.
SUMMARY OF THE INVENTION
[0006] The invention is defined by the features of the independent claims. Some specific embodiments are defined in the dependent claims.
[0007] According to a first aspect of the present invention, there is provided a method of implementing a safety critical system, comprising defining, in a computerized database, a digital design comprising a protection category information element and a task category information element, the protection category information element and the task category information element each being associated with at least one functional requirement and at least one design principle, associating, in the computerized database, in the digital design, the protection category information element and the task category information element with at least one system-level information element of the digital design, the at least one system-level information element having the design principles of the protection category information element and the task category information element and at least one second design principle, and verifying, in the computerized database, that the safety critical system described by the digital design is compliant with the design principles of the protection category information element and the task category information element and with the at least one second design principle. 
[0008] According to a second aspect of the present invention, there is provided a method, comprising recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element and a task category information element, wherein the protection category information element and the task category information element are each associated with at least one functional requirement and at least one design principle, the design comprising in the computerized database the protection category information element and the task category information element associated via database relations with at least one system-level information element of the digital design, the at least one system- level information element having the design principles of the protection category information element and the task category information element and at least one second design principle, and verifying the digital design is compliant with the design principles of the protection category information element and the task category information element, and with the at least one second design principle, after the first change.
[0009] According to a third aspect of the present invention, there is provided a computerized safety critical system, comprising a memory configured to store a digital design comprising a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards, a task category database comprising a plurality of task category information elements comprising at least two of preventive safety function, reactor protection and automatic back-up, each task category information element being associated with at least one technical functional requirement and at least one technical design principle from the technical design principle list, at least one system-level information element associated, via database relations, with one of the protection category information elements and one of the task category information elements of the digital design, the at least one system-level information element having the design principles of the associated protection category information element and the associated task category information element and at least one second design principle, and an equipment database configured to store at least one equipment information element, and at least one processor configured to, responsive to receipt in the computerized safety critical system of a failure notification concerning a first equipment information element, determine, using the digital design, a set comprising each technical design principle associated with each protection category information element and task category information element associated, via the database relations, with the first equipment information element, and to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification, and to identify a second technical constraint of the action, based on the at least one second design principle, wherein the at least one processor is configured to control a transmitter to output the technical constraint of the action and the second technical constraint of the action to a user interface of the computerized safety critical system. In some embodiments, the computerized safety critical system is configured to automatically perform, at least partly, the action in accordance with the technical constraint and the second technical constraint.
Industrial Applicability
[0010] At least some embodiments of the present invention find application in protecting nuclear power generation hardware from external threats.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the present invention;
[0012] FIGURE 2 illustrates an example database hierarchy in accordance with at least some embodiments of the present invention;
[0013] FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention;
[0014] FIGURE 4 illustrates an example database structure in accordance with at least some embodiments of the present invention;
[0015] FIGURE 5 is a first flow chart of a first method in accordance with at least some embodiments of the present invention;
[0016] FIGURE 6 is a second flow chart of a second method in accordance with at least some embodiments of the present invention;
[0017] FIGURE 7 illustrates example design verification in accordance with at least some embodiments of the present invention, and
[0018] FIGURE 8 illustrates a digital design comprising system-level information elements.
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
[0019] By assigning design principles to functional requirements, more efficient implementation and maintenance of safety critical systems, such as station external threat protection systems, may be obtained. Where design principles, such as redundancy or diversity, are assigned to individual equipment rather than higher-level functional requirements, over-implementation or degradation of a safety level may occur and/or refitting existing safety critical systems may be more constrained by equipment-specific requirements. By assigning design principles to functional protection categories rather than individual equipment, more flexible implementation of the safety critical systems is enabled. Further, by assigning second design principles to system-level categories or information elements, over-implementation of the systems concerned is avoided. While discussed herein primarily in terms of a nuclear power station, the principles of the present disclosure are applicable more broadly in safety critical systems with external threat protection systems, which include, for example, nuclear power stations, nuclear laboratories, biohazard laboratories, hydroelectric power plants, dams and aircraft.
[0020] FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the present invention. The system of FIGURE 1 is a nuclear power station operating a fission-based reactor, and a system for protecting it from external threats, although in other embodiments of the invention, other kinds of systems or installations may be envisioned. The system of FIGURE 1 comprises building 100, which houses reactor 110. Building 100 is arranged to draw water for cooling from source 300, which may comprise an ocean, lake, river or other stable source of cooling water, for example. Source 300 may present a flooding risk, which is an example of an external threat. The system of FIGURE 1 further comprises building 200, which houses systems not housed in building 100.
[0021] A nuclear power station and/or its external threat protection system may comprise a large number of systems, a subset of which is illustrated in FIGURE 1 to serve the purpose of illustrating the principles underlying the present invention. Systems comprised in a safety critical system may embody at least one design principle, such as for example a safety-related design principle. Examples of design principles include redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification.
[0022] System 120A, which may comprise, for example, an internet firewall system, has a redundant system 120B. In other words, system 120A and system 120B are similar and enabled to perform a similar task. Either one, system 120A or system 120B, may alone be capable of performing the task. Systems 120A and 120B may be configured to operate on the same, or similar, principles of action. In general, where a similar redundant system or equipment is provided for a given system or equipment, this system or equipment is said to embody redundancy. A system embodying redundancy is more dependable than a system without redundancy, as a redundancy-embodying system can continue operation in case one system develops a fault, since the faulty system, for example system 120A, may be switched off and the task may be assigned to the redundant system, for example system 120B.
[0023] System 130A, which may comprise, for example, a flooding protection safety system, has a physical backup diversity system 130B. In other words, system 130A and system 130B are enabled to perform a similar task. Either one, system 130A or system 130B, may alone be capable of performing its task. Systems 130A and 130B are configured to operate on different principles of action. Since systems 130A and 130B are configured to operate using different principles of action, they are less likely to fail at the same time as a response to an unusual operating condition. For example where these systems comprise safety systems, they may be based on different physical processes having the same overall functional specifications. In other words, designs may be developed independently for system 130A and system 130B. Such independent development may comprise using different design teams, different subcontractors, different materials and/or different principles of action, for example. As a consequence, if system 130A encounters an error in a certain unusual operating condition of the nuclear power station of FIGURE 1, it is unlikely that system 130B encounters an error in the same operating condition. In this case, responsibility can be re-assigned from system 130A to system 130B, to obtain uninterrupted and secure operation of the external threat protection system.
[0024] In general, where a system or equipment embodies diversity this system or equipment may be seen to comprise more than one subsystem, the subsystems or equipments being configured to operate on different principles and each being capable of performing the task of the system or equipment. Herein the term “system” may generally be used to refer to an equipment, system, architecture or installation.
[0025] System 140A, which may comprise, for example, a control system, has a diversity system 140B. System 140A and system 140B are enabled to perform a similar task. Either system 140A or system 140B may alone be capable of performing its task. System 140B, which may operate based on a same or a different principle as system 140A, is housed in building 200 while system 140A is housed in building 100. That the systems are housed in different buildings, or more generally separate from each other, means the systems embody a separation design principle. Situating the systems separately from each other increases the dependability of the aggregate system comprising system 140A and system 140B, since a problem affecting, say, building 200 may leave building 100 and systems housed therein unaffected. Additionally or alternatively to physical separation, systems may be separated electrically and/or functionally. The intent in separation overall is to avoid failures from progressing from a system to its back-up system, or from one protection category to another protection category. Electrical separation, for example, may be accomplished by either not connecting the separated systems to each other electrically, or by suitably filtering electrical connections arranged between the systems. Examples of suitable filtering include over-voltage protection, current protection and fibre-optic filters.
[0026] Where system 140A and system 140B are based on the same, or a similar, operating principle the system comprising system 140A and system 140B may be considered to embody separation and redundancy. Where system 140A and system 140B are based on different operating principles the system comprising system 140A and system 140B may be considered to embody separation and diversity.
[0027] A system embodying the design principle isolation may comprise a system wherein the system, including equipment comprised in the system, is isolated from its surroundings. For example, being disposed inside a containment vessel and/or hardened building provides isolation. Isolation may be defined in various ways, for example, ability to withstand an impact of a passenger aircraft and/or ability to operate in a denial-of-service, DoS, cyberattack environment. A cyberattack may be prevented by not connecting certain systems to the public Internet, for example, a control room of an external threat protection system may be isolated from the public Internet. Among further design principles, a quality level may comprise that a system embodying that design principle meets a standardized quality level. Further, a reliability level, a seismic qualification level and an environmental condition qualification are examples of design principles that may be embodied by systems comprised in safety critical systems.
[0028] When designing, maintaining, operating or refitting a safety critical system, it may be advantageous to associate design principles with functional requirements. This association may take place in a protection category and/or task category, which may comprise a database structure, such as an information element, which comprises or is associated with both the functional requirement and at least one design principle. The protection category may be associated with hierarchically lower levels of a computerized digital design in such a way that the design principles associated with the protection category and/or task category are embodied by the aggregate system that performs the functional requirement associated with the protection category and/or task category. The functional requirement associated with the protection category and/or task category may be referred to simply as the functional requirement of the protection category and/or task category. At least in some embodiments, a protection category information element or a task category information element does not define structure but is associated, directly or indirectly, with information elements of the digital design which do define structure. Examples of information element types that define structure include an architecture definition information element, a system-level information element and an equipment information element.
[0029] When a design principle is associated with a protection category or task category, implementing systems to perform the functional requirement of the protection category becomes more flexible, allowing more intelligent implementation that may result in a simpler and safer system. Requiring that each system and equipment in the system performing the functional requirement separately comply with the design principle is a more restrictive model, where equipment may be duplicated excessively. For example, where an equipment, such as for example a pump, is comprised in a system that performs a functional requirement of a protection category, it may be assigned another role in a system that performs a functional requirement of another protection category. The pump, for example, may embody diversity with respect to more than one system or protection category. In general, a system or equipment may embody a design principle with respect to more than one architecture and/or protection category/task category.
[0030] In a complex system such as a nuclear power station external threat protection system, the number of systems and equipment may be large. To enable use of protection categories and associated design principles, a computerized database may be employed. By database system it is herein meant a physical system configured to store a database, by which it is in turn meant an organized storage or assembly of information elements, which may be interrelated within the database system via associations and/or database relations. The database system may use a suitable system, such as for example a computer system, and suitable magnetic, solid-state, holographic or other kind of memory. Such a database is illustrated in FIGURE 1 as database 150. In the database, functional requirements and design principles may take the form of information elements. The information elements together may form a digital design.
[0031] In database 150, information elements may be arranged in a hierarchical structure which is illustrated in FIGURE 2.
[0032] In the digital design, system-level information elements inherit the design principles of protection categories and/or task categories they are associated with. This entails that where a protection category, for example, requires diversity of protection measures, a system associated with this protection category in the digital design, via database relations, also embodies diversity. However, at the system level this does not mean that each equipment comprised in the system needs to be duplicated to obtain diversity; rather, the protection system and its equipment performs a diversity role. In case the system is taken off-line, a deficit in required diversity may result in one or more other systems. A correcting action should ensure that the restored functionality also serves in the diversity role(s) toward the one or more other systems. While system-level information elements thus inherit the design principles from higher-level information elements in the design, the system-level information elements may additionally have second design principles, distinct from the design principles of the protection categories and/or task categories. Examples of these second design principles include system technology induced safety and protection functions and related requirements. The second design principles are used to ensure the systems themselves perform on a technically dependable level. A system-level information element may serve, in a digital design, a pair comprising a task category information element and a protection category information element, the task category information element defining a function and the protection category information element defining a protection function whereby the function of the task category is protected from external hazards.
[0033] Benefits obtained from assigning the second design principles on the system level include fewer iterations in completing the digital design, faster development time, fewer mistakes in the resulting digital design, meaning a more dependable design and safety critical system, and conservation of resources in building the safety critical system based on the completed digital design. This in turn leads to faster completion of a building project and earlier availability of the safety critical system.
[0034] In a completed digital design, the digital design conforms to the design principles of the protection categories and task categories, and separately each system having second design principles conforms to its own second design principles. A system may comprise a set of equipment which together perform the function of the system, the equipment inheriting the second design principles from their system-level information elements, such that the second design principles are requirements of the system, which the equipment together satisfy. In other words, each piece of equipment comprised in the system need not satisfy all second design principles of the system, but the equipment may play a respective role toward satisfying the second design principles.
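The model described in the three aspects of the Summary and in paragraphs [0032] to [0034] can be made concrete in a few dozen lines. The Python below is an added example written for this page; it is not the patent's database, Fortum's implementation, or any tool the patent describes. Category and equipment information elements are plain records, a system-level element serves one (protection category, task category) pair, inherits both categories' design principles and adds second design principles of its own, and compliance is checked against the equipment set as a whole rather than per unit. The concrete test applied to each principle (two units for redundancy, two distinct principles of action for diversity, two locations for separation, every unit hardened for isolation, any other principle read as a qualification each unit must carry) is an assumption of this example, as are all system, category and equipment names in the constructed sample design.

```python
from dataclasses import dataclass, field

# Constructed example. The concrete test applied to each principle below is an
# assumption of this example, not a rule taken from the patent text.
BUILTIN = ("redundancy", "diversity", "separation", "isolation")

@dataclass(frozen=True)
class Equipment:
    """Equipment information element (hypothetical attributes)."""
    name: str
    principle_of_action: str                 # e.g. "electric pump" vs "diesel pump"
    location: str                            # building the unit is housed in
    isolated: bool = False                   # hardened / not reachable from public networks
    qualifications: frozenset = frozenset()  # e.g. {"seismic_qualification"}

@dataclass(frozen=True)
class Category:
    """Protection or task category: one functional requirement plus its design principles."""
    name: str
    functional_requirement: str
    design_principles: frozenset

@dataclass
class SystemElement:
    """System-level information element serving a (protection, task) pair. It inherits
    both categories' principles, adds second principles, and its equipment set
    satisfies all of them collectively (no single unit has to satisfy every one)."""
    name: str
    protection: Category
    task: Category
    second_principles: frozenset = frozenset()
    equipment: list = field(default_factory=list)

    def inherited_principles(self):
        return self.protection.design_principles | self.task.design_principles

def principle_holds(principle, equipment):
    """Evaluate one design principle against the equipment set as a whole."""
    if principle == "redundancy":
        return len(equipment) >= 2
    if principle == "diversity":
        return len({e.principle_of_action for e in equipment}) >= 2
    if principle == "separation":
        return len({e.location for e in equipment}) >= 2
    if principle == "isolation":
        return bool(equipment) and all(e.isolated for e in equipment)
    # any other principle is read as a qualification every unit must carry
    return bool(equipment) and all(principle in e.qualifications for e in equipment)

def verify(systems):
    """Compliance report per system: inherited and second principles are checked
    separately (as in [0034]); each list holds the principles that are NOT met."""
    return {s.name: {
        "inherited": sorted(p for p in s.inherited_principles() if not principle_holds(p, s.equipment)),
        "second": sorted(p for p in s.second_principles if not principle_holds(p, s.equipment)),
    } for s in systems}

def constraints_for(deficit, remaining):
    """Turn unmet principles into constraints a compensating (replacement) unit must meet."""
    c = {}
    if "redundancy" in deficit:
        c["units_required"] = 1
    if "diversity" in deficit:
        c["principle_of_action_not_in"] = {e.principle_of_action for e in remaining}
    if "separation" in deficit:
        c["location_not_in"] = {e.location for e in remaining}
    if "isolation" in deficit:
        c["isolated"] = True
    quals = {p for p in deficit if p not in BUILTIN}
    if quals:
        c["qualifications"] = quals
    return c

def failure_constraints(systems, failed_name):
    """Failure notification for one equipment element: every system the unit serves is
    re-evaluated with the unit removed; the principle deficits (inherited and second,
    kept apart) become the technical constraints of the corrective action."""
    out = {}
    for s in systems:
        if all(e.name != failed_name for e in s.equipment):
            continue
        remaining = [e for e in s.equipment if e.name != failed_name]
        deficit = {p for p in s.inherited_principles() if not principle_holds(p, remaining)}
        second = {p for p in s.second_principles if not principle_holds(p, remaining)}
        out[s.name] = {"deficit": sorted(deficit), "constraint": constraints_for(deficit, remaining),
                       "second_deficit": sorted(second), "second_constraint": constraints_for(second, remaining)}
    return out

def replace_equipment(system, old_name, new_unit):
    """Record a change in the design (second aspect); the caller re-verifies the result."""
    return SystemElement(system.name, system.protection, system.task, system.second_principles,
                         [new_unit if e.name == old_name else e for e in system.equipment])

# --- constructed sample design: hypothetical names, not taken from the patent ---
PEF = Category("PEF", "flooding protection", frozenset({"redundancy", "separation", "diversity"}))
PPF = Category("PPF", "cooling water supply", frozenset({"redundancy", "separation"}))
REACTOR_PROTECTION = Category("reactor protection", "trip on high flood level", frozenset({"isolation"}))
PREVENTIVE = Category("preventive safety function", "keep core cooled", frozenset())
SEISMIC = frozenset({"seismic_qualification"})
PUMP_A = Equipment("pump-A", "electric pump", "building-100", True, SEISMIC)
PUMP_B = Equipment("pump-B", "diesel pump", "building-200", True, SEISMIC)  # shared by both systems
PUMP_C = Equipment("pump-C", "diesel pump", "building-100")
FLOOD = SystemElement("flood-protection", PEF, REACTOR_PROTECTION, SEISMIC, [PUMP_A, PUMP_B])
COOLING = SystemElement("service-water", PPF, PREVENTIVE, frozenset(), [PUMP_B, PUMP_C])
DESIGN = [FLOOD, COOLING]

if __name__ == "__main__":
    print(verify(DESIGN))                         # all lists empty: the design is compliant
    print(failure_constraints(DESIGN, "pump-B"))  # one failure, deficits in two systems
```

Two points the code shows that the prose only states: a single pump serving two (protection, task) pairs means one failure notification produces deficits in two systems at once, so the corrective action is constrained by both (the "diversity role toward one or more other systems" of [0032]); and because principles are checked against the equipment set rather than per unit, `pump-C` need not be isolated or seismically qualified for `service-water` to be compliant, while `flood-protection` still demands both of every unit. Replacing `pump-B` with an electric pump in the same building and re-running `verify` reports exactly one violation, the inherited diversity principle, which is the re-verification after a change that the second aspect calls for.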
[0035] FIGURE 2 illustrates an example database hierarchy in accordance with at least some embodiments of the present invention. The example database hierarchy of FIGURE 2 involves a database hierarchy of a nuclear power station external threat protection system. At the top level are disposed, optionally, external threat protection safety design requirements 210. These requirements may be derived from and/or be based on regulatory requirements, codes and/or standards. In some embodiments, the safety design requirements 210 are absent from the database, for example where their content is taken into account, implicitly or explicitly, in other layers.
[0036] The requirements of requirement layer 210 may be associated with, or comprised in, protection categories in layer 220, which corresponds to the level of the entire nuclear power station external threat protection system, for example. Layer 220 may be termed the plant layer. Each protection category may be associated with at least one design principle and at least one functional requirement, as described above. In detail, each protection category may, in some embodiments, be associated with one and only one functional requirement and at least one design principle. Protection categories included in the example of FIGURE 2 are protection categories 220A, 220B and 220C. In the database, protection categories may be present as protection category information elements.
[0037] Examples of protection categories comprise protection for normal operations functions, protection for preventive functions, protection for essential functions and protection for severe accident management functions.
[0038] Protection for normal operations comprises functional entities, which in at least some embodiments enable redundancy, aiming to defend against the threats jeopardizing systems meant for normal operations.
[0039] Protection for preventive functions comprises functional entities, which in at least some embodiments enable separation and prevention of single fault failure, aiming to defend against the threats jeopardizing preventive functions.
[0040] Protection for essential functions comprises functional entities, which in at least some embodiments enable separation and diversity and prevention of single fault failure, aiming to defend against threats jeopardizing essential functions. These functional entities may additionally or alternatively comprise systems designed to prevent anticipated transients, which are expected error conditions falling short of accidents.
[0041] Protection for severe accident management functions comprises functional entities, which in at least some embodiments enable separation and diversity and prevention of single fault failure, aiming to defend against threats that can potentially jeopardise systems designed to manage severe accidents.
[0042] Examples of task categories comprise preventive safety function, reactor protection and automatic back-up. Examples of functional requirements comprise accident frequency, pollutant leakage rate, maintenance intervals and emergency landing frequency of an aircraft.
[0043] Under plant layer 220 is disposed architecture layer 230. Layer 230 may comprise architecture definition information elements, at least some such information elements being associated with at least one protection category information element on level 220. The architecture definition information elements may comprise indications as to the way in which the architecture therein defined contributes to embodiment of the design principles associated with associated protection categories. In other words, the architecture definition information elements may comprise information as to how the design principles of the higher-level protection categories are implemented in the architecture level. Architecture definition information elements included in the example of FIGURE 2 are architecture definition information elements 230A, 230B and 230C.
[0044] Examples of architectures include functional architecture, hazard layout architecture, information security architecture, physical security architecture, control room architecture and hazard human factor architecture. Hazard layout architecture may describe the application of protection engineering principles. Information security architecture may describe strategies to prevent cybersecurity attacks, such as denial-of-service attacks and hacking. Control room architecture may describe how the control room is arranged to control functioning of the protection system, and hazard human factor architecture may describe the application of human factor engineering to prevent unintentional errors.
[0045] Under architecture layer 230 is disposed system layer 240. System layer 240 may comprise system-level information elements, each such information element being associated with at least one architecture definition information element on level 230. The system-level information elements may comprise indications as to the way in which the systems therein defined contribute to embodiment of the design principles associated with associated protection categories, wherein protection categories are associated with system-level information elements via architecture definition information elements on architecture level 230. System-level information elements included in the example of FIGURE 2 are system-level information elements 240A, 240B, 240C and 240D. In some embodiments, the protection categories are directly associated, via database relations, with system-level information elements and the digital design does not comprise a separate architecture layer with architecture definition information elements.
[0046] Examples of systems of an external threat protection system include protection systems which may be active functions, like initiating alarms due to a fire or a security breach, or passive systems, such as fire-resistant walls or implemented one-way-only data communication.
[0047] Under system layer 240 is disposed equipment layer 250. Equipment layer 250 may comprise equipment-level information elements, each such information element being associated with at least one system-level information element on level 240. The equipment-level information elements may comprise indications as to the way in which the equipment therein defined contribute to embodiment of the design principles associated with associated protection categories, wherein protection categories are associated with equipment-level information elements via system-level information elements on system layer 240 and, optionally, architecture definition information elements on architecture level 230. Equipment-level information elements are illustrated in FIGURE 2 collectively as elements 250A.
[0048] In some embodiments, regulatory requirements may be assigned to individual systems or pieces of equipment. Such system-level or equipment-level regulatory requirements may be recorded in system-level or equipment-level information elements and used as additional constraints in implementing methods in accordance with the present invention.
[0049] Using the hierarchical database system described above, it can be determined which pieces of equipment in the plant contribute to which plant-level functional requirements and design principles. As a consequence, when a piece of equipment is replaced with a new type of equipment, it can be assessed what the implications are for the plant overall in terms of the design principles of the external threat protection system. For example, where a computer is replaced with a new kind of computer, say a computer based on a complex instruction set computing, CISC, processor is replaced with a computer based on a reduced instruction set computing, RISC, processor, the new computer may be able to perform as a diversity computer to an already present CISC computer in the external threat protection system. In this case, installing the RISC computer to replace an older computer may enable removal of a further computer from the plant, the diversity role of the further computer being thereafter performed by the new computer. The further computer may be comprised in a different system or architecture, and it may be associated with a different protection category than the old computer which the new RISC computer replaces, for example.
[0050] In general, the equipment information element of the piece of equipment which is replaced may describe how the new piece of equipment needs to operate. Thus the new equipment need not be a like-for-like replacement, which might be difficult to obtain when a long time has elapsed since the equipment to be replaced was manufactured. Furthermore, when other equipment in the protection system has in the meantime been replaced with potentially more capable devices, the technical requirements for the replacement equipment may be less stringent than those of the original equipment which is being replaced. An advantage of the digital design is that it is updated iteratively as information elements are updated, which achieves the technical benefit of avoiding over-construction of the protection system.
[0051] Running the database system as described above may at least in part automate such design considerations of the safety critical system. Since each equipment-level information element stores, or is associated with, information describing each role the described equipment performs in the external threat protection system, a user may interact with the database system to identify whether replacing the piece of equipment with a new piece of equipment enables a simplification in the overall system, or whether characteristics of the new piece of equipment necessitate a further modification to the overall system to maintain the design principles of the protection categories.
[0052] A further modification may be necessary where, for example, the new piece of equipment is unable to perform a role the previous piece of equipment performed, for example as a redundancy or diversity element to a further piece of equipment, which may be comprised in a different system or architecture. Thus instead of assigning requirements to individual pieces of equipment, design principles are associated with task categories and/or protection categories to enable smart plant management and selection of replacement pieces of equipment in such a way that the plant overall may be simplified. A simplified plant provides the technical effect that running it consumes less energy, for example.
[0053] Similarly, using the database system enables a fuller understanding of fault conditions, since the database system identifies the roles each piece of equipment registered therein performs. Therefore, when a piece of equipment develops a fault, it can be identified, using the database system, which other systems have less redundancy, or suffer a drawback with respect to another task or protection category design principle, as a consequence of the fault. At least one constraint of a correcting action may then be presented to users. For example, the correcting action must provide diversity for a piece of equipment in another system of the overall external threat protection system, and redundancy for a piece of equipment in yet another system of the overall external threat protection system. A second constraint may be determined based on a second design principle associated with the system-level information element which controls, in the digital design, the equipment which developed the fault. Both constraints may be displayed or otherwise provided to users to provide technical information on a corrective action.
[0054] For example, an access control function belonging to the protection category protection for essential functions may have a requirement N+1, which means that one fault must be tolerated without losing the function. Thus, the function has to have two methods of controlling access, for example a PIN code and a fingerprint, or two PIN codes. The protection category does not yet define specific solutions. The function is, in this example, allocated to protection zone 1. That means that on the perimeter of this zone the two methods of controlling access have to be implemented. First and second systems may be allocated to protection zone 1. Thus, both of those systems have to have equipment that realizes two methods of controlling access. In some embodiments, if a user has identified himself to either of those systems, the other one is available for use without a further access control method. Requirements assigned to a protection category may be linked to the protection category, function, zone, system and equipment, allowing transparency of design and simplifying modifications during operation.
[0055] FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention. Illustrated is device 300, which may comprise, for example, a device such as database system 150 of FIGURE 1. Comprised in device 300 is processor 310, which may comprise, for example, a single- or multi-core processor wherein a single-core processor comprises one processing core and a multi-core processor comprises more than one processing core. Processor 310 may comprise a Xeon or Opteron processor, for example. Processor 310 may comprise more than one processor. A processing core may comprise, for example, a Cortex-A8 processing core manufactured by ARM Holdings or a Ryzen processing core produced by Advanced Micro Devices Corporation. Processor 310 may comprise at least one application-specific integrated circuit, ASIC. Processor 310 may comprise at least one field-programmable gate array, FPGA. Processor 310 may be means for performing method steps in device 300. Processor 310 may be configured, at least in part by computer instructions, to perform actions.
[0056] Device 300 may comprise memory 320. Memory 320 may comprise random-access memory and/or permanent memory. Memory 320 may comprise at least one RAM chip. Memory 320 may comprise magnetic, optical and/or holographic memory, for example. Memory 320 may be configured to store information elements of a database system, for example. Memory 320 may be at least in part accessible to processor 310. Memory 320 may be means for storing information. Memory 320 may comprise computer instructions that processor 310 is configured to execute. When computer instructions configured to cause processor 310 to perform certain actions are stored in memory 320, and device 300 overall is configured to run under the direction of processor 310 using computer instructions from memory 320, processor 310 and/or its at least one processing core may be considered to be configured to perform said certain actions. Memory 320 may be at least in part comprised in processor 310. Memory 320 may be at least in part external to device 300 but accessible to device 300.
[0057] Device 300 may comprise a transmitter 330. Device 300 may comprise a receiver 340. Transmitter 330 and receiver 340 may be configured to transmit and receive, respectively, information in accordance with at least one communication standard. Transmitter 330 may comprise more than one transmitter. Receiver 340 may comprise more than one receiver. Transmitter 330 and/or receiver 340 may be configured to operate in accordance with wireless local area network, WLAN, Ethernet and/or worldwide interoperability for microwave access, WiMAX, standards, for example.
[0058] Device 300 may comprise user interface, UI, 360. UI 360 may comprise at least one of a display, a keyboard and a touchscreen. A user may be able to operate device 300 via UI 360, for example to interact with a database system comprised in, or controlled by, device 300.
[0059] Device 300 may comprise, or be arranged to accept, a user identity module 370. User identity module 370 may comprise, for example, a secure element. A user identity module 370 may comprise cryptographic information usable to verify the identity of a user of device 300 and/or to facilitate encryption and decryption of database contents.
[0060] Processor 310 may be furnished with a transmitter arranged to output information from processor 310, via electrical leads internal to device 300, to other devices comprised in device 300. Such a transmitter may comprise a serial bus transmitter arranged to, for example, output information via at least one electrical lead to memory 320 for storage therein. Alternatively to a serial bus, the transmitter may comprise a parallel bus transmitter. Likewise processor 310 may comprise a receiver arranged to receive information in processor 310, via electrical leads internal to device 300, from other devices comprised in device 300. Such a receiver may comprise a serial bus receiver arranged to, for example, receive information via at least one electrical lead from receiver 340 for processing in processor 310. Alternatively to a serial bus, the receiver may comprise a parallel bus receiver.
[0061] Processor 310, memory 320, transmitter 330, receiver 340, UI 360 and/or user identity module 370 may be interconnected by electrical leads internal to device 300 in a multitude of different ways. For example, each of the aforementioned devices may be separately connected to a master bus internal to device 300, to allow for the devices to exchange information. However, as the skilled person will appreciate, this is only one example and depending on the embodiment various ways of interconnecting at least two of the aforementioned devices may be selected without departing from the scope of the present invention.
[0062] FIGURE 4 illustrates an example database structure in accordance with at least some embodiments of the present invention. Layer 410 corresponds in terms of FIGURE 2 to the protection category layer, storing protection category information elements. This layer also comprises, associated with the protection categories, technical design principles 410A, as described herein above. Optional layer 420 corresponds in terms of FIGURE 2 to the architecture layer, storing architecture definition information elements. Layer 430 corresponds in terms of FIGURE 2 to the system layer, storing system-level information elements. This layer also comprises, associated with the system-level information elements, second design principles 430A, as described herein above. Finally, layer 440 corresponds in terms of FIGURE 2 to the equipment layer, storing equipment-level information elements. A database relation layer may be disposed between layer 410 and layer 420, between layer 420 and layer 430, and/or between layer 430 and layer 440.
[0063] FIGURE 5 is a first flow chart of a first method of implementing a nuclear power station external threat protection system in accordance with at least some embodiments of the present invention. The phases of the illustrated method may be performed in database 150 of FIGURE 1 or on device 300 of FIGURE 3, for example.
[0064] Phase 510 comprises defining, in a computerized database, a digital design comprising a protection category information element and a task category information element, the protection category information element and the task category information element each being associated with at least one functional requirement and at least one design principle. Optional phase 520 comprises associating, in the computerized database, in the digital design, the or each protection and task category information element with at least one architecture definition information element of the digital design. Phase 530 comprises associating, in the computerized database, in the digital design, the protection category information element and the task category information element with at least one system-level information element of the digital design, the at least one system-level information element having the design principles of the protection category information element and the task category information element and at least one second design principle. Where phase 520 is present, the at least one system-level information element of the digital design is associated with the protection and task category information element(s) via the architecture definition information elements. Finally, phase 540 comprises verifying, in the computerized database, that the safety critical system described by the digital design is compliant with the design principles of the protection category information element and the task category information element, and with the at least one second design principle. The associations between the information elements may comprise database relations, for example.
[0065] FIGURE 6 is a second flow chart of a second method in accordance with at least some embodiments of the present invention. The phases of the illustrated method may be performed in database 150 of FIGURE 1 or on device 300 of FIGURE 3, for example.
[0066] Phase 610 comprises recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element and a task category information element, wherein the protection category information element and the task category information element are each associated with at least one functional requirement and at least one design principle, the design comprising in the computerized database the protection category information element and the task category information element associated via database relations with at least one system-level information element of the digital design, the at least one system-level information element having the design principles of the protection category information element and the task category information element and at least one second design principle. Phase 620 comprises verifying that the digital design is compliant with the design principles of the protection category information element and the task category information element, and with the at least one second design principle, after the first change. The method may further comprise materially producing a safety critical system defined by the digital design. The method may further comprise operating the safety critical system defined by the digital design.
[0067] In general, there is provided a method, comprising defining a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle, associating the protection category information element with at least one architecture definition information element, associating each of the at least one architecture definition information element with at least one system-level information element, and verifying the system described by the at least one architecture definition information element and associated system-level information elements is compliant with the at least one design principle. The method may be performed using a database system, for example. The associating phases comprised in the method may comprise defining information element association properties in the database system. The verifying may comprise running a verification algorithm on the information elements comprised in the database system.
[0068] The verifying may comprise checking that for each design principle, the architecture, systems and pieces of equipment associated with the design principle together embody the design principle. The verifying does not, in some embodiments, require that each information element directly or indirectly associated with the design principle embodies the design principle. For example, where the design principle comprises redundancy, not all pieces of equipment directly or indirectly associated with a protection category associated with redundancy need be made redundant in the sense of installing duplicate pieces of the equipment. In these embodiments, it suffices that the function defined by the associated information elements as a whole is redundant. In other words, should any individual piece of equipment comprised in this function fail, its purpose may be served by another piece of equipment which need not be identical to it, and need not be comprised in the system or protection category in question. The safety critical system may comprise systems or pieces of equipment that do not need redundancy or diversity, for example. The information elements describing these pieces of equipment may comprise information indicating the way in which the design principle is implemented with respect to the functions of these pieces of equipment.
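The check described in [0068], together with the fault-impact and replacement assessments of [0049] to [0054], as an added worked example in Python. This is illustrative code written for this page, not the patent's database system. It uses the embodiment of [0045] in which protection categories are related directly to system-level elements without a separate architecture layer. The schema, the sample plant data, the reading of separation as distinct locations and distinct power supplies, and the system-level "two access methods per system" second design principle are all assumptions.

```python
"""Added illustration of the hierarchical design database: equipment is tied
to the protection function it serves and to its system, protection categories
carry design principles, and every check runs over the set of equipment
serving a function, not over each piece individually (assumed schema)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Principle:
    kind: str                  # "redundancy", "separation" or "diversity"
    tolerated_faults: int = 0  # redundancy N+k: k faults tolerated without losing the function


@dataclass(frozen=True)
class Equipment:
    name: str
    system: str      # system-level information element the unit belongs to
    function: str    # protection function (task) the unit serves
    technology: str  # operating principle; distinct technologies give diversity
    location: str    # fire cell / room; distinct locations needed for separation
    supply: str      # power train; distinct supplies also needed for separation (assumption)
    faulty: bool = False


@dataclass
class Design:
    function_category: dict        # protection function -> protection category
    category_principles: dict      # protection category -> tuple of Principle
    system_min_technologies: dict  # second design principle: system -> min. distinct technologies
    equipment: list

    def _with(self, equipment):
        return Design(self.function_category, self.category_principles,
                      self.system_min_technologies, equipment)

    def serving(self, function):
        return [e for e in self.equipment if e.function == function and not e.faulty]

    def violations(self):
        """Sorted (scope, principle) pairs the design as a whole fails to embody."""
        out = set()
        for function, category in self.function_category.items():
            units = self.serving(function)
            for p in self.category_principles[category]:
                if p.kind == "redundancy" and len(units) < p.tolerated_faults + 1:
                    out.add((function, "redundancy"))
                if p.kind == "diversity" and len({u.technology for u in units}) < 2:
                    out.add((function, "diversity"))
                if p.kind == "separation" and (len({u.location for u in units}) < 2
                                               or len({u.supply for u in units}) < 2):
                    out.add((function, "separation"))
        for system, minimum in self.system_min_technologies.items():
            techs = {e.technology for e in self.equipment if e.system == system and not e.faulty}
            if len(techs) < minimum:
                out.add((system, "second-principle"))
        return sorted(out)

    def fault_impact(self, name):
        """Constraints on a correcting action once unit `name` has failed: the
        principles that hold now but are lost with that unit out of service."""
        before = set(self.violations())
        faulted = self._with([replace(e, faulty=True) if e.name == name else e
                              for e in self.equipment])
        return sorted(set(faulted.violations()) - before)

    def removable_after_replacement(self, old_name, new_unit):
        """Units that could each be taken out once `old_name` is replaced by
        `new_unit` with every principle still satisfied; None if the replacement
        itself breaks a principle, i.e. a further modification is needed."""
        updated = self._with([new_unit if e.name == old_name else e for e in self.equipment])
        if updated.violations():
            return None
        removable = []
        for e in updated.equipment:
            if e.name == new_unit.name:
                continue
            trial = updated._with([x for x in updated.equipment if x.name != e.name])
            if not trial.violations():
                removable.append(e.name)
        return removable  # each entry on its own, not all at once


# Constructed sample design: PEF carries redundancy N+1, separation and diversity
# (as for the access control function in the text); systems S1 and S2 on the
# zone 1 perimeter must each offer two access methods (second design principle).
PEF = (Principle("redundancy", 1), Principle("separation"), Principle("diversity"))
DESIGN = Design(
    function_category={"access-control": "PEF", "alarm-processing": "PEF"},
    category_principles={"PEF": PEF},
    system_min_technologies={"S1": 2, "S2": 2},
    equipment=[
        Equipment("S1-pin", "S1", "access-control", "pin-code", "gatehouse", "train-1"),
        Equipment("S1-fp", "S1", "access-control", "fingerprint", "gatehouse", "train-1"),
        Equipment("S2-pin", "S2", "access-control", "pin-code", "vehicle-gate", "train-2"),
        Equipment("S2-fp", "S2", "access-control", "fingerprint", "vehicle-gate", "train-2"),
        Equipment("cpu-A", "S3", "alarm-processing", "cisc", "room-1", "train-1"),
        Equipment("cpu-B", "S4", "alarm-processing", "cisc", "room-2", "train-2"),
        Equipment("cpu-C", "S5", "alarm-processing", "risc", "room-2", "train-1"),
    ],
)
```

On the sample data, `violations()` is empty. `fault_impact("cpu-C")` reports that diversity of alarm processing is lost, which is the constraint a correcting action must satisfy, and `fault_impact("S1-fp")` reports the system-level second principle of S1 rather than any category principle, since the function as a whole still has both methods. Replacing the CISC unit cpu-A with a RISC unit makes cpu-C removable, exactly the simplification of [0049]; a like-for-like CISC replacement frees nothing, and a replacement that itself breaks a principle returns None, signalling that a further modification is needed.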
[0069] In at least some embodiments, the database system stores sequence information elements, each sequence information element describing a sequence of actions, each sequence information element being associated with a triggering event and each sequence information element being associated with a protection category information element. The sequence may control the consequences of the occurrence of the event. For example, an event may comprise a point failure in a system or an interruption in communication apparatus function, and the sequence of actions may comprise a pre-planned response to the threat whereby the consequences of the threat are controlled.
[0070] FIGURE 7 illustrates example design verification in accordance with at least some embodiments of the present invention. Of the W-shaped FIGURE 7, the left-most prong corresponds to the architecture of an external threat protection system, the middle prong corresponds to risk analysis of the protection system as designed, and the right-most prong corresponds to risk analysis of the completed, as-built external threat protection system.
[0071] Unit 710 is a hazard protection design, which leads to a preliminary plant level risk analysis 710A in the as-designed phase. A corresponding final plant level risk analysis 710B is conducted in the as-built phase.
[0072] Unit 720 is a protection functional architecture, which may form a basis for other architectures. Protection functional architecture 720 may be divided, for example, into information security protection functional architecture and other protection functional architectures. Protection functional architecture 720 leads to a preliminary security risk analysis 720A in the as-designed phase and a final security risk analysis 720B in the as-built phase. The hazard protection design 710 and the protection functional architecture 720 reflect plant-level risk analysis specifications and security function risk specifications, respectively.
[0073] Unit 730 is an information security design. Information security design 730 leads to an as-designed architecture risk analysis 730A in the as-designed phase and to an as-built design risk analysis 730B in the as-built phase.
[0074] Unit 740 is a physical protection design. Physical protection design 740 leads to an as-designed architecture risk analysis 740A in the as-designed phase and an as-built design risk analysis 740B in the as-built phase.
[0075] Unit 750 is a human factor protection design, which leads to an as-designed design risk analysis 750A in the as-designed phase and an as-built design risk analysis 750B in the as-built phase. Information security design 730, physical protection design 740 and human factor protection design 750 are examples of design solutions for implementing protection functions.
[0076] System requirement specification 760 and system level design 765 are validated by system-specific risk analysis 760A in the as-designed phase and system- specific risk analysis 760B in the as-built phase.
[0077] Unit 770 denotes an equipment-level design, which leads to an equipment-level risk analysis 770A in the as-designed phase and an equipment-level risk analysis 770B in the as-built phase. Overall, the database system comprising protection category information elements, architecture definition information elements, system-level information elements and equipment-level information elements enables verifying that the design correctly embodies the design principles associated with the protection category information elements.
[0078] In the following table, allocation of protection categories to threat classes is laid out in accordance with at least some embodiments. DBT1 to DBT3 are design basis threat classes, DET1 is a design basis extension threat class and SAT is a severe accident threat, which is associated with the protection category protection for severe accident management functions of the external threat protection system. In this example, protection category PNO is associated with no design principle (no redundancy). Protection category PPF is associated with the design principles redundancy N+1 and separation. Protection category PEF is associated with the design principles redundancy N+1, separation and diversity against PPF and PSF. Protection category PSF is associated with the design principles redundancy N+1, separation and diversity against all other protection categories.
[Table: allocation of protection categories PNO, PPF, PEF and PSF to threat classes DBT1 to DBT3, DET1 and SAT; the table image is not reproduced here.]
[0079] At least in some embodiments, where a piece of equipment is associated with two protection categories having different design principles, the more stringent design principle, safety class or quality requirement may be arranged to prevail concerning the function of the piece of equipment. For example, diversity may be seen as more stringent than redundancy, since in addition to another unit, an additional requirement of a different operating principle is assigned to the units. As another example, where differing environmental safety requirements apply, the more stringent requirement may be arranged to prevail.
[0080] FIGURE 8 illustrates a digital design comprising system-level information elements. FIGURE 8 illustrates how an equipment-level information element is, in part, determined based on higher-level information elements of the digital design. In other words, FIGURE 8 illustrates how requirements stemming from protection categories and task categories are combined, and how they are supplemented on the system level by additional requirements of the system operational category, SOC, and system protection category, SPC. The figure illustrates requirement allocation as a digital design progresses. The intention is to predefine a solid design process with interfaces, such that native requirements can be classified and refined, and on the other hand to obtain predictability and transparency in the design process.
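The "more stringent requirement prevails" rule of [0079], applied to the protection categories PNO, PPF, PEF and PSF of [0078], as an added example in Python. This is illustrative code written for this page, not part of the patent. The category contents follow the text; the attribute-wise ordering (larger tolerated fault count, separation if either category needs it, diversity targets combined) and the helper that turns a diversity requirement into a list of technologies a replacement unit must avoid are assumptions.

```python
"""Added example: which design principles govern a unit tied to several
protection categories when the more stringent requirement prevails.
Category contents follow the text's table; ordering rules are assumptions."""
import functools
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirements:
    tolerated_faults: int         # redundancy N+k: k faults tolerated (0 = no redundancy)
    separation: bool
    diversity_against: frozenset  # categories whose equipment this unit must differ from

    def at_least_as_stringent_as(self, other):
        """Attribute-wise partial order: diversity outranks plain redundancy
        because it adds a distinct-operating-principle demand on top of N+k."""
        return (self.tolerated_faults >= other.tolerated_faults
                and (self.separation or not other.separation)
                and self.diversity_against >= other.diversity_against)


# PNO, PPF, PEF and PSF as allocated in the text; PSF's "diversity against all
# other protection categories" is spelled out explicitly here.
CATEGORIES = {
    "PNO": Requirements(0, False, frozenset()),
    "PPF": Requirements(1, True, frozenset()),
    "PEF": Requirements(1, True, frozenset({"PPF", "PSF"})),
    "PSF": Requirements(1, True, frozenset({"PNO", "PPF", "PEF"})),
}


def join(a, b):
    """The more stringent of two requirement sets: larger tolerated fault count,
    separation if either needs it, diversity targets combined."""
    return Requirements(max(a.tolerated_faults, b.tolerated_faults),
                        a.separation or b.separation,
                        a.diversity_against | b.diversity_against)


def requirements_for(categories):
    """Requirements prevailing for a unit associated with all of `categories`."""
    return functools.reduce(join, (CATEGORIES[c] for c in categories))


def forbidden_technologies(categories, technologies_in_use):
    """Technologies the unit must not be built on to stay diverse from the
    categories its prevailing requirements name. `technologies_in_use` maps each
    protection category to the technologies its existing equipment uses."""
    req = requirements_for(categories)
    return set().union(*(technologies_in_use.get(c, set()) for c in req.diversity_against))
```

`requirements_for` is a join in the partial order defined by `at_least_as_stringent_as`, so the result is never weaker than any of the input categories; a unit in both PPF and PEF simply gets PEF's requirements, while a unit in PEF and PSF must be diverse against every category. `forbidden_technologies` is the practical consequence when selecting a replacement: with PPF equipment built on CISC processors, a PEF unit may not be CISC-based.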
[0081] Element 810 denotes protection categories, protection functions and security architectures. These inform the definition of vulnerabilities 820, such as system-internal hazards. In defining vulnerabilities 820, security targets and acceptable risk levels may be defined in the process.
[0082] Element 830 denotes a system-level information element, such as a system protection category, SPC. The system-level SPC information element may define whether it relates to critical or non-critical protection, for example. In case a piece of equipment may be lost with no impact on safety, the corresponding system-level SPC information element may relate to non-critical protection. For example, it may be determined that an opening or closing of a valve must stop when a torque limit is reached. Further, it may be determined that a pump has to stop when the valve closes, to preserve the pump and its functionality. Critical protection category elements may relate, for example, to protection of safety class 2 functions/equipment. Non-critical protection category elements may relate, for example, to protection of safety class 3/EYT functions/equipment.
[0083] Element 840 denotes equipment-internal hazard vulnerabilities, such as leaks, flying objects, overheating, fires, overpressure situations and cavitations. System protection category 830 informs the definition of system element 870.
[0084] Element 860 denotes a combination of safety critical system and architecture design, for example in terms of task categories. These inform the definition of targets concerning system operation 880. In detail, the features of element 860 may provide insight into maintenance, testing, reliability, availability and limitations relating to operating targets 880.
[0085] System operational categories, SOC, 890 include, for example, operational system requirements and inform the definition of the system elements 870. Examples of SOCs include main system operation (voting, system structure, limits, hysteresis variation), supporting safety operations (monitoring, system power supply, cooling solutions) and supporting normal operation (monitoring, switchover, hysteresis value). In general, the main system operation SOCs are basic functions of the safety critical system, which are needed to perform its function. In general, the supporting safety operations SOCs comprise supporting functions which are needed to maintain the functionality of the safety critical system. In general, the supporting normal operation SOCs may comprise other supporting functions needed to serve purposes such as usability and performance level maintenance applications.

[0086] Element 8100 denotes a target for equipment operation. Such a target may comprise, for example, a length of time the piece of equipment should operate, whether the piece of equipment should be maintained on power, whether maintenance requires specialized tools and whether the piece of equipment has to be testable.
[0087] Element 850 denotes system element protection categories, SEPC. Such categories may comprise, for example, critical protection and equipment protection. Critical protection of equipment may require equipment shutdown, in which case equipment protection may be more highly prioritized than function implementation. For example, a piece of equipment may comprise an innate protection function (for example against overcurrent or overheating), which may have a higher priority than maintaining the piece of equipment active based on input from a safety function.
[0088] Elements 850, 8100 and system elements 870 inform the definition of system element S800. Element S800 comprises equipment element 8120 (e.g. cabinets, rooms, pump, panel/monitor ergonomics) and component element 8130 (e.g. HW components, SW components, structure, motors, control ergonomics). Element S800 in turn informs the definition of one or more equipment-level information elements 8140, which may comprise system elements such as, for example, equipment specifications.
[0089] In some embodiments of the invention, a computerized monitoring system is provided, wherein the computerized monitoring system is configured to receive, from the external threat protection system, failure notifications. Each failure notification may relate to a failure of an item of equipment, for example one represented by an equipment information element, a system-level information element and/or an architecture information element in a database arranged in accordance with the principles of the present invention. The failure notifications may be automatically generated from sensors arranged to monitor how equipment comprised in the nuclear power station or aircraft performs, for example.
[0090] The computerized monitoring system may be configured to, responsive to a failure notification, determine, using a database such as one described above, an effect of the failure on how a design principle is complied with. A design principle may comprise at least one of the following: redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification. For example, where an item of equipment fails, and the failed equipment played a role in providing for a design principle with respect to another item of equipment, a visual or other kind of indication may be provided, in a user interface, the indication conveying that the design principle is not sufficiently provided for as it relates to the another item of equipment.
[0091] Thus, for example, where a first equipment fails and the first equipment provided, prior to the failure, at least partly, redundancy for a second equipment, the computerized monitoring system may determine the redundancy effect of the failure of the first equipment, using the protection category associated with the functional requirement and the at least one design principle to determine the systems and/or equipment the redundancy of which is affected by the failure. An indication may be provided of a reduced redundancy level, and the systems and/or pieces of equipment that the reduced redundancy level affects. The reduced redundancy level is a technical characteristic of the external threat protection system and the equipment comprised therein.
[0092] The first equipment corresponds in the database to a corresponding first equipment information element. Where the first equipment information element is associated, via database relations, with more than one task or protection category information element in the database, the computerized monitoring system may be configured to determine a set comprising each design principle associated with each task or protection category information element associated, via database relations, with the first equipment information element, and to identify, based on each design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification. For example, a technical constraint of an action may comprise that the action must provide redundancy or diversity for a function of a further equipment. A second constraint may be determined based on a second design principle, associated with a system-level information element which controls, in the digital design, the first equipment. Both constraints may be displayed or otherwise provided to users to provide technical information on a corrective action. The system may be configured to perform, for example automatically, at least part of the corrective action. The corrective action may comprise, for example, activating a reserve unit selected in accordance with the technical constraints.
[0093] Thus, for example, where a pump in an external threat protection system develops a failure, a sensor comprised in the pump may provide a failure notification to the computerized monitoring system. Responsive to the failure notification, the computerized monitoring system may determine that an equipment information element in the database corresponding to the pump is associated, via database relations, with the protection category information elements corresponding to the protection categories protection for essential functions and protection for normal operation functions. In this example, protection category protection for essential functions is associated with design principles redundancy and diversity, and protection category protection for normal operation functions is associated with design principles redundancy, diversity and separation. Thus, the set of design principles comprises redundancy, diversity and separation.
[0094] The computerized monitoring system may further be configured to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure associated with the failure notification. In the example above, compensating actions would be constrained with respect to equipment unit count to meet the design principle redundancy, equipment principle of action to meet the design principle diversity, and equipment location to meet the design principle separation. The technical constraint, or an indication thereof, may be provided to users of the external threat protection system, for example via a user interface.
[0095] Where the system information element with which the equipment information element corresponding to the pump is associated, via the database relations, has at least one second design principle, at least one second technical constraint may be determined based on that at least one second design principle acting on the system level. A technical effect is thus obtained from the second design principle(s) on the system level: the second design principles need not be specified for each piece of equipment of the system, and over-implementation of the system may be avoided. Equipment comprised in the system may perform tasks with respect to each other, such that the pieces of equipment can embody the second design principle with respect to more than one other piece of equipment of the system, for example. Overall, less equipment is needed and replacement of failed equipment is easier, as a like-for-like replacement is not necessary.
[0096] For example, where a second design principle on the system level comprises system technology induced safety, the corresponding technical constraint, the second technical constraint, may be that the piece of equipment is allowed to run until failure, or is stopped before it develops a failure, depending on a value of the system technology induced safety design principle. Running until failure in an error state provides a longer running time and makes repairs more difficult, while stopping a piece of equipment before failure enables an easier repair, albeit the device is not available for as long a time during an error state. Second design principles may also, or alternatively, comprise redundancy and/or diversity, for example, resulting in the corresponding second technical constraints.
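The monitoring flow of paragraphs [0089] to [0096], together with the design-time verification step of claims 7 and 14, as an added example that is not part of the patent or of any Fortum system. It keeps a small in-memory "digital design" (category elements with their design principles, a system-level element carrying a second design principle, and equipment elements related to categories), verifies a system against the principles it inherits, and on a failure notification derives the principle set, the technical constraints on a compensating action, the second constraint from the system level, and the principles the system no longer meets. The class names, the dict layout, the pass/fail criteria (two units for redundancy, two operating principles for diversity, two locations for separation), the value encoding of the system technology induced safety principle and the sample plant are all constructed assumptions; functional requirements are omitted for brevity.

```python
"""Added example (not from the patent or Fortum): an in-memory 'digital design'
with protection/task categories, system-level elements carrying second design
principles, and equipment, plus the design-time verification of claims 7/14 and
the failure handling of [0089]-[0096]. Names, layout and criteria are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Design principle -> technical constraint on a compensating action, as the
# description maps them ([0094]); functional requirements are omitted here.
CONSTRAINT_OF = {
    "redundancy": "unit count",
    "diversity": "principle of action",
    "separation": "location",
    "isolation": "physical separation",
}

@dataclass
class SystemElement:                   # system-level information element
    categories: List[str]              # associated protection/task category names
    second_principles: Dict[str, str]  # second design principle -> its value
    equipment: List[str] = field(default_factory=list)

@dataclass
class Equipment:                       # equipment information element
    categories: List[str]              # protection/task categories it relates to
    system: str                        # controlling system-level element
    operating_principle: str
    location: str
    failed: bool = False

@dataclass
class Design:
    categories: Dict[str, Set[str]]    # category name -> its design principles
    systems: Dict[str, SystemElement]
    equipment: Dict[str, Equipment]

def principle_set(design: Design, names: List[str]) -> Set[str]:
    """Union of the design principles of the named category elements."""
    found: Set[str] = set()
    for name in names:
        found |= design.categories[name]
    return found

def verify_system(design: Design, system_name: str) -> List[str]:
    """Design-time verification: the required principles that the system's
    working equipment does not satisfy. Assumed criteria: redundancy needs >= 2
    units, diversity >= 2 operating principles, separation >= 2 locations."""
    system = design.systems[system_name]
    units = [design.equipment[e] for e in system.equipment
             if not design.equipment[e].failed]
    required = principle_set(design, system.categories)
    violations = []
    if "redundancy" in required and len(units) < 2:
        violations.append("redundancy")
    if "diversity" in required and len({u.operating_principle for u in units}) < 2:
        violations.append("diversity")
    if "separation" in required and len({u.location for u in units}) < 2:
        violations.append("separation")
    return violations

def handle_failure(design: Design, failed: str) -> dict:
    """Failure notification: gather the principles of every category related to
    the failed equipment, map them to constraints on the compensating action,
    add the second constraint(s) of the controlling system-level element, and
    re-verify that system so the reduced redundancy level is reported."""
    unit = design.equipment[failed]
    unit.failed = True
    principles = principle_set(design, unit.categories)
    constraints = sorted(CONSTRAINT_OF[p] for p in principles if p in CONSTRAINT_OF)
    system = design.systems[unit.system]
    second = []
    for principle, value in system.second_principles.items():
        if principle == "system technology induced safety":
            # the principle's value decides run-until-failure vs stop-before-failure
            second.append("run until failure" if value == "run" else "stop before failure")
        elif principle in CONSTRAINT_OF:
            second.append(CONSTRAINT_OF[principle])
    return {"principles": principles, "constraints": constraints,
            "second_constraints": second,
            "no_longer_met": verify_system(design, unit.system)}

def build_sample_design() -> Design:
    """Constructed sample plant: two diverse, separated pumps in one system."""
    categories = {
        "protection for essential functions": {"redundancy", "diversity"},
        "protection for normal operation functions": {"redundancy", "diversity", "separation"},
        "preventive safety function": {"redundancy"},
    }
    systems = {"essential cooling": SystemElement(
        ["protection for essential functions", "preventive safety function"],
        {"system technology induced safety": "stop"}, ["pump P1", "pump P2"])}
    pump_cats = ["protection for essential functions",
                 "protection for normal operation functions"]
    equipment = {
        "pump P1": Equipment(pump_cats, "essential cooling", "electric motor", "room A"),
        "pump P2": Equipment(pump_cats, "essential cooling", "diesel driven", "room B"),
    }
    return Design(categories, systems, equipment)

if __name__ == "__main__":
    design = build_sample_design()
    print("design-time violations:", verify_system(design, "essential cooling"))
    print(handle_failure(design, "pump P1"))
```

With the sample plant, verification passes before the failure; after pump P1 fails the handler reports the principle set {redundancy, diversity, separation} from the pump's two protection categories, the constraints "unit count", "principle of action" and "location" on the compensating action, the system-level second constraint "stop before failure", and that the cooling system now meets neither redundancy nor diversity, which is the reduced redundancy level that paragraph [0091] says should be indicated to users.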
[0097] Thus in accordance with the invention, personnel are enabled to become aware of which aspects of a failed piece of equipment are relevant for safe operation of the external threat protection system, for example. Expressed in other words, the computerized monitoring system is configured to provide information concerning the operational status of the external threat protection system, and deviations from a nominal operational status that result from the failure.
[0098] A technical effect provided by the computerized monitoring system and associated database lies in enabling reaction to the actually relevant aspects of an equipment that has developed a failure. In prior systems, a decision tree may be employed, for example. However, a decision tree in the case of an external threat protection system is very difficult to maintain due to the highly complex nature of such a system. Furthermore, a decision tree does typically not provide information on the actual aspects of a failed equipment that are of significance; rather, a decision tree simply informs concerning actions needed to replace the failed equipment with an identical one. The technical constraints described herein, on the other hand, enable reacting to a failure in a way that addresses the technical situation, rather than requiring simple duplication of an original design and like-for-like replacement of a failed piece of equipment.
[0099] It is to be understood that the embodiments of the invention disclosed are not limited to the particular structures, process steps, or materials disclosed herein, but are extended to equivalents thereof as would be recognized by those ordinarily skilled in the relevant arts. It should also be understood that terminology employed herein is used for the purpose of describing particular embodiments only and is not intended to be limiting.
[00100] Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment.
[00101] As used herein, a plurality of items, structural elements, compositional elements, and/or materials may be presented in a common list for convenience. However, these lists should be construed as though each member of the list is individually identified as a separate and unique member. Thus, no individual member of such list should be construed as a de facto equivalent of any other member of the same list solely based on their presentation in a common group without indications to the contrary. In addition, various embodiments and examples of the present invention may be referred to herein along with alternatives for the various components thereof. It is understood that such embodiments, examples, and alternatives are not to be construed as de facto equivalents of one another, but are to be considered as separate and autonomous representations of the present invention.
[00102] Furthermore, described features, structures, or characteristics may be combined in any suitable or technically feasible manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of lengths, widths, shapes, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention can be practiced without one or more of the specific details, or with other methods, components, materials, etc. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
[00103] While the foregoing examples are illustrative of the principles of the present invention in one or more particular applications, it will be apparent to those of ordinary skill in the art that numerous modifications in form, usage and details of implementation can be made without the exercise of inventive faculty, and without departing from the principles and concepts of the invention. Accordingly, it is not intended that the invention be limited, except as by the claims set forth below.

Claims

1. A computerized safety critical system, comprising:
- a memory configured to store a digital design comprising:
a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards;
a task category database comprising a plurality of task category information elements comprising at least two of preventive safety function, reactor protection and automatic back-up, each task category information element being associated with at least one technical functional requirement and at least one technical design principle from the technical design principle list;
at least one system-level information element associated, via database relations, with one of the protection category information elements and one of the task category information elements of the digital design, the at least one system-level information element having the design principles of the associated protection category information element and the associated task category information element and at least one second design principle, and
an equipment database configured to store at least one equipment information element, and at least one processor configured to, responsive to receipt in the computerized safety critical system of a failure notification concerning a first equipment information element, determine, using the digital design, a set comprising each technical design principle associated with each protection category information element and task category information element associated, via the database relations, with the first equipment information element, and to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification, and to identify a second technical constraint of the action, based on the at least one second design principle, wherein the at least one processor is configured to control a transmitter to output the technical constraint of the action and the second technical constraint of the action to a user interface of the computerized safety critical system.
2. The computerized safety critical system external threat protection system of claim 1, wherein the at least one processor is configured to determine a constraint of increased unit count responsive to the set comprising the technical design principle redundancy.
3. The computerized safety critical system external threat protection system of any of claims 2 - 3, wherein the at least one processor is configured to determine a constraint of principle of action responsive to the set comprising the technical design principle diversity.
4. The computerized safety critical system external threat protection system of any of claims 1 - 3, wherein the at least one processor is configured to determine a constraint of location responsive to the set comprising the technical design principle separation.
5. The computerized safety critical system external threat protection system of any of claims 1 - 4, wherein the at least one processor is configured to determine a constraint of physical separation responsive to the set comprising the technical design principle isolation.
6. The computerized safety critical system external threat protection system of any of claims 1 - 5, wherein in the digital design, the first equipment information element is associated, via database relations, with more than one protection category to ensure a design principle is respected in implementing technical functional requirements of the more than one protection category.
7. A method of implementing a safety critical system, comprising: defining, in a computerized database, a digital design comprising a protection category information element and a task category information element, the protection category information element and the task category information element each being associated with at least one functional requirement and at least one design principle; associating, in the computerized database, in the digital design, the protection category information element and the task category information element with at least one system-level information element of the digital design, the at least one system-level information element having the design principles of the protection category information element and the task category information element and at least one second design principle, and verifying, in the computerized database, that the safety critical system described by the digital design is compliant with the design principles of the protection category information element and the task category information element, and with the at least one second design principle.
8. The method according to claim 7, wherein each system-level information element is associated with at least one equipment information element.
9. The method according to claim 8 or 9, further comprising defining a second protection category information element and a second task category information element, and associating the second protection category information element and the second task category information element with at least one second system-level information element.
10. The method according to any of claims 7 - 9, wherein at least one of the at least one task category information element is comprised in the following list: preventive safety function, reactor protection and automatic back-up.
11. The method according to any of claims 7 - 10, wherein at least one of the at least one system-level information element is comprised in the following list: active function protection system information elements and passive protection system information elements.
12. The method according to any of claims 7 - 11, further comprising modifying at least one of the protection category information element, the task category information element and the system- level information element responsive to the verification indicating the safety critical system described by the digital design is not compliant with the at least one design principle.
13. The method according to any of claims 7 - 12, further comprising at least one of building the safety critical system described by the digital design and operating the safety critical system described by the digital design to protect the safety critical system from external threats.
14. A method, comprising: recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element and a task category information element, wherein the protection category information element and the task category information element are each associated with at least one functional requirement and at least one design principle, the design comprising in the computerized database the protection category information element and the task category information element associated via database relations with at least one system-level information element of the digital design, the at least one system-level information element having the design principles of the protection category information element and the task category information element and at least one second design principle, and verifying the digital design is compliant with the design principles of the protection category information element and the task category information element, and with the at least one second design principle, after the first change.
15. The method according to claim 14, wherein the database further comprises at least one equipment information element.
16. The method according to claim 14 or 15, further comprising defining a second protection category information element and a second task category information element, and associating the second protection category information element and the second task category information element with at least one second system-level information element.
17. The method according to any of claims 14 - 16, wherein, responsive to the verification indicating the system does not comply with the at least one design principle, the method comprises recording a second change in the database system and performing a second verification as to whether the system complies with the at least one design principle after the second change.
18. The method according to claim 17, wherein the second change does not modify the same information element as the first change.
19. A method according to any of claims 7 - 18, wherein the at least one design principle comprises at least one of the following: redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification.
20. A method according to any of claims 7 - 19, wherein the at least one functional requirement is comprised in the following list: flooding and fire protection, airplane crash, cybersecurity, and natural hazards e.g. earthquakes.
Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI2020/050329 WO2021229137A1 (en) 2020-05-15 2020-05-15 System design model

Publications (1)

Publication Number Publication Date
WO2021229137A1 true WO2021229137A1 (en) 2021-11-18

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023103667A1 (en) * 2021-12-09 2023-06-15 中国核电工程有限公司 Design method for automatic nuclear power plant start-up and shutdown and intelligent monitoring system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140064426A1 (en) * 2006-05-26 2014-03-06 Gregory J. Hess System and method for implementing unified computer-based management of fire safety-related risk and compensatory measures management in nuclear power plants
WO2016120532A1 (en) * 2015-01-30 2016-08-04 Fortum Oyj Safety critical system
US20170046458A1 (en) * 2006-02-14 2017-02-16 Power Analytics Corporation Systems and methods for real-time dc microgrid power analytics for mission-critical power systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20935741; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20935741; Country of ref document: EP; Kind code of ref document: A1)