Use of STPA in digital instrumentation and control systems of nuclear power plants

Nuclear power plant operators increasingly face the task of replacing their instrumentation and control systems with modern (digital) systems. In this work the "System Theoretic Process Analysis" (STPA) risk analysis method was adapted and amended to enable it to be used in digital instrumentation and control systems. 1 Background Information Nuclear power plant operators increasingly face the task of replacing their instrumentation and control (I&C) systems with modern systems to ensure their availability, reliability and safety in the future as well. Replacement of these systems typically features simultaneous transition from primarily analog systems to softwarebased, digital systems. The "System Theoretic Process Analysis" (STPA) risk analysis method specifically investigates risks which are generated by functional interaction between the control units present in the system as well as risks caused by component failure [Le11]. As a result, STPA is suitable for analysis of software-based and dynamic systems for which it is indeed typical that system failures occur without actual component failure. Modern digital I&C systems belong to this category of systems. 2 Applying STPA to digital insturmentation and control systems In collaboration with swissnuclear and the Gösgen nuclear power plant, the STPA method was adapted and amended to enable it to be used in digital I&C systems. The actual implementation was demonstrated and discussed on the basis of a case study. Among others, the following aspects formed the focus of the work: Representation of the system as a hierarchical control structure is a basic prerequisite for carrying out STPA analysis. One of the first questions is therefore how a hierarchical