Use of STPA as a diverse analysis method for optimization and design verification of digital instrumentation and control systems in nuclear power plants

Nuclear power plant operators increasingly face the task of replacing their instrumentation and control (I&C) systems with modern digital systems. This raises the question of safety as the characteristics of the new systems differ from those of the old ones, although they realize the exact same functionality. In the form of a research project and case study, the question about the safety of modern I&C systems was addressed using the risk analysis method Systems-Theoretic Process Analysis (STPA). STPA handles safety as an emergent system property and specifically investigates risks generated by functional interaction between system components. The method does not restrict safety only to component failures, and therefore it seems well suited to address the characteristics of today's I&C systems adequately. The STPA method was adapted and amended. The verification on a case study showed that STPA is very appropriate for the analysis of digital I&C systems, especially as the method takes a more holistic viewpoint than others. It supports the handling of functional redundancies - a very common design pattern in I&C systems - and allows priorities to be set at any point of the analysis. Focus of this research project was put on the methodology and not on the completeness of the findings resulting from the case study.