Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants

control actions and feedback paths. For example, the control structure may represent an aircraft flight crew as a single controller with high-level control actions like execute maneuver and abort maneuver. A complex software system could be represented by a single controller labeled engine controller with basic control actions like increase power and decrease power. Once the analysis has been done for each controller at an abstract level, more detailed control structures can be constructed to analyze lower-level design details. For example, the flight crew might be decomposed into Captain and First Officer with distinct responsibilities and control actions. In this way, each step in the STPA process can be applied in an iterative, top-down fashion to refine the safety constraints as needed. If the hazardous behavior can be eliminated at any point, further refinement may not be necessary. How much refinement is necessary for mitigation measures will be problem specific.