A patient undergoing radiation therapy for cancer wants to be sure that the radiation being delivered is just the amount prescribed and no more. Nuclear power plants must have systems installed to ensure that radiation leaks and accidents do not occur. Today, controlling these protection systems flawlessly depends upon computer software, which occasionally contains unforeseen "bugs." Software bugs on your computer at home are annoying, but at a nuclear power plant or during radiation therapy they can be life-threatening. At Lawrence Livermore, Gary Johnson's Computer Safety and Reliability Group--part of the Fission Energy and Systems Safety Program--has been working with the Nuclear Regulatory Commission for several years to avoid software problems in safety systems at nuclear power plants. Livermore brings to this job decades of systems engineering experience as well as a regulatory perspective from years of working with the NRC and other regulators. Johnson's group and the NRC developed software and computer system design guidance that the NRC uses to evaluate the design of safety-critical systems for U.S. plant retrofits. Overseas, where new nuclear power plants are being built, regulators and designers are using this state-of-the-art guidance to help assure plant safety. For the last few years, representatives from Hungary, the Czech Republic, Ukraine, Korea, Taiwan, and Japan have been calling upon Johnson and his group for assistance in setting criteria for their nuclear power plant control systems. This software design guidance is also applicable to other computer-controlled systems that could endanger human life if they are poorly designed--medical radiation machines, aircraft flight control systems, and railroad signals, for example.
When Software Fails
Engineering Reliable Software
Many kinds of diversity are possible. Although there is little scientific basis for determining which kinds of diversity are best or how much diversity is enough, experience has shown that an effective combination of protections is the use of different hardware and software acting on different measurements to initiate different protective actions. Based on that experience, the NRC's Standard Review Plan requires that at least two independent systems, incorporating multiple types of diversity, protect against each worst-case scenario.
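The review principle above can be turned into a mechanical design check: for every postulated worst-case event, confirm that at least two responding protection channels exist and that some pair of them differs in at least two diversity attributes (hardware, software, measurement, protective action). The following is an added example written for this page, not code from Livermore or the NRC; the channel names, event names and the "two of four attributes" threshold are constructed assumptions, chosen only to illustrate the check.

```python
"""Diversity coverage check for a set of protection channels (illustrative)."""
from dataclasses import dataclass

# Diversity attributes considered by the check. The threshold of how many
# must differ is an assumption of this example, not an NRC criterion.
DIVERSITY_ATTRIBUTES = ("hardware", "software", "measurement", "action")


@dataclass(frozen=True)
class Channel:
    name: str
    hardware: str       # hardware platform the channel runs on
    software: str       # software implementation (or "none" for hardwired logic)
    measurement: str    # process variable the channel senses
    action: str         # protective action the channel initiates
    events: frozenset   # postulated initiating events the channel responds to


def diversity_between(a: Channel, b: Channel) -> set:
    """Return the set of attributes on which two channels differ."""
    return {attr for attr in DIVERSITY_ATTRIBUTES if getattr(a, attr) != getattr(b, attr)}


def diverse_pairs(channels, event, min_diverse=2):
    """All pairs of channels responding to `event` that differ in >= min_diverse attributes."""
    responders = [c for c in channels if event in c.events]
    pairs = []
    for i, a in enumerate(responders):
        for b in responders[i + 1:]:
            diff = diversity_between(a, b)
            if len(diff) >= min_diverse:
                pairs.append((a.name, b.name, frozenset(diff)))
    return pairs


def check_coverage(channels, events, min_diverse=2):
    """Map each event to None (covered) or a string describing the shortfall."""
    report = {}
    for ev in events:
        responders = [c for c in channels if ev in c.events]
        if len(responders) < 2:
            report[ev] = f"only {len(responders)} channel(s) respond"
        elif not diverse_pairs(channels, ev, min_diverse):
            report[ev] = "no pair of responding channels is sufficiently diverse"
        else:
            report[ev] = None
    return report


# Constructed sample design (hypothetical plant; names are placeholders).
SAMPLE_EVENTS = ("overpower", "loss of coolant flow", "loss of coolant accident")
SAMPLE_CHANNELS = (
    Channel("RPS-A", "vendor-X PLC", "trip-logic-v1", "neutron flux",
            "reactor trip", frozenset({"overpower", "loss of coolant flow"})),
    Channel("RPS-B", "vendor-Y PLC", "trip-logic-v2", "coolant temperature",
            "reactor trip", frozenset({"overpower", "loss of coolant flow"})),
    Channel("ATWS-relay", "hardwired relay", "none", "pressurizer pressure",
            "turbine trip and auxiliary feedwater", frozenset({"overpower"})),
    # Only one channel responds to a LOCA in this constructed design: a gap.
    Channel("CNMT-ISO", "vendor-X PLC", "isolation-logic-v1", "containment pressure",
            "containment isolation", frozenset({"loss of coolant accident"})),
)

# A weaker variant: RPS-B on the same hardware and software as RPS-A, so the
# two channels share a common-mode software fault and differ only in measurement.
WEAK_CHANNELS = (
    SAMPLE_CHANNELS[0],
    Channel("RPS-B", "vendor-X PLC", "trip-logic-v1", "coolant temperature",
            "reactor trip", frozenset({"overpower", "loss of coolant flow"})),
)


def report_lines(channels, events, min_diverse=2):
    """Human-readable summary, one line per event."""
    return [f"{ev}: {'OK' if msg is None else 'SHORTFALL - ' + msg}"
            for ev, msg in check_coverage(channels, events, min_diverse).items()]


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_CHANNELS, SAMPLE_EVENTS)))
    print("--- weak design ---")
    print("\n".join(report_lines(WEAK_CHANNELS, ("loss of coolant flow",))))
```

Running the script flags the loss-of-coolant-accident case in the constructed design (one responder) and, in the weak variant, the two reactor-trip channels that share hardware and software. The check deliberately treats a shared software implementation as a shared fault source, which is the common-mode failure the diversity requirement is meant to guard against.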
Making the Systems Better
Key Words: instrumentation and control systems, nuclear power plants, safety-critical systems, software engineering.
For further information contact Gary Johnson (925) 423-8834 (johnson27@llnl.gov). Publications from Livermore's Computer Safety and Reliability Center are available at http://nssc.llnl.gov/FESSP/CSRC/refs.html.