Use of STPA in digital instrumentation and control systems of nuclear power plants

Nuclear power plant operators increasingly face the task of replacing their instrumentation and control (I&C) systems with modern systems to ensure their availability, reliability and safety in the future as well. Replacement of these systems typically features simultaneous transition from primarily analog systems to software-based, digital systems. The "System Theoretic Process Analysis" (STPA) risk analysis method specifically investigates risks which are generated by functional interaction between the control units present in the system as well as risks caused by component failure [Le11]. As a result, STPA is suitable for analysis of software-based and dynamic systems for which it is indeed typical that system failures occur without actual component failure. Modern digital I&C systems belong to this category of systems. In collaboration with swissnuclear and a Swiss nuclear power plant, the STPA method was adapted and amended to enable it to be used in digital I&C systems. Conclusion: STPA is one of several methods which can be used for analysis of nuclear power plant systems. Optimum benefit is generated when the various methods can be combined in suitable fashion. The adapted and amended process of the STPA method was thus designed to allow interfaces to other methods to be realized and, for example, to enable the causes of hazards which have already been established during the course of fault tree analyses to be incorporated in STPA