WO2021229138A1 - External threat protection system - Google Patents


Info

Publication number
WO2021229138A1
Authority
WO
WIPO (PCT)
Prior art keywords
information element
protection
design principle
database
design
Prior art date
Application number
PCT/FI2020/050330
Other languages
French (fr)
Inventor
Jarmo KORHONEN
Leena KAPPINEN
Elizaveta VAINONEN
Original Assignee
Fortum Oyj
Priority date
Filing date
Publication date
Application filed by Fortum Oyj
Priority to PCT/FI2020/050330
Publication of WO2021229138A1


Classifications

    • G PHYSICS
    • G21 NUCLEAR PHYSICS; NUCLEAR ENGINEERING
    • G21D NUCLEAR POWER PLANT
    • G21D 3/00 Control of nuclear power plant
    • G21D 3/001 Computer implemented control
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 9/00 Safety arrangements
    • G05B 9/02 Safety arrangements electric
    • G PHYSICS
    • G21 NUCLEAR PHYSICS; NUCLEAR ENGINEERING
    • G21D NUCLEAR POWER PLANT
    • G21D 3/00 Control of nuclear power plant
    • G21D 3/04 Safety arrangements
    • G21D 3/06 Safety arrangements responsive to faults within the plant
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E 30/00 Energy generation of nuclear origin

Definitions

  • the present invention relates to the field of ensuring, enhancing and maintaining safety in safety critical systems.
  • Safety critical systems such as, for example, nuclear power stations and civilian aircraft are designed to safety standards.
  • Safety standards may be set by national or international regulators, standard-setting bodies or certification agencies, for example.
  • Safety standards may be defined for industries as a whole, for system classes or for individual systems, for example. Even in the absence of formal safety standards, equipment in a system may be designed with safety rules when this is seen as desirable, for example to protect biodiversity.
  • A fission reactor, for example, must be designed and constructed in a way that enables operators to control its functioning and protect it from external hazards. Such controlling may comprise, if necessary, causing the reactor to transition to a managed idle state when instructed.
  • Such an idle state may comprise a state where fission reactions are subcritical and decay heat is removed from the reactor core to prevent its overheating, which might otherwise damage the core of the reactor, potentially leading to release of radionuclides.
  • a flight computer of an aircraft may be made redundant, wherein an aircraft may be furnished with a plurality of flight computers, each individually being capable of controlling the flight.
  • redundancy is a safety condition, or design principle, associated with the flight computer equipment.
  • Should one of the flight computers develop a fault, another one of the flight computers may assume the task of controlling the flight, the faulty flight computer being set to an inactive state.
  • Safe operation of safety critical systems includes operation in an environment which may pose external hazards to the operation of the safety critical system, such as a nuclear power station.
  • a method of implementing a safety critical system external threat protection system comprising defining, in a computerized database, a digital design comprising a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle, associating, in the computerized database, in the digital design, the protection category information element with at least one architecture definition information element of the digital design, associating, in the computerized database, in the digital design, each of the at least one architecture definition information element with at least one system-level information element of the digital design, and verifying, in the computerized database, that the external threat protection system described by the digital design is compliant with the at least one design principle.
  • a method comprising recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element, at least one architecture definition information element and at least one system-level information element, and verifying that the digital design is compliant with at least one design principle, wherein the protection category information element is associated with at least one functional requirement and the at least one design principle.
  • a computerized safety critical system external threat protection system comprising a memory configured to store a digital design comprising a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list, the technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards, and an equipment database configured to store at least one equipment information element, and at least one processor configured to, responsive to receipt in the computerized safety critical system external threat protection system of a failure notification concerning a first equipment information element, determine, using the database, a set comprising each technical design principle associated with each protection category information element associated, via database relations, with the first equipment information element, and to identify,
  • the computerized safety critical system external threat protection system may be configured to automatically perform, in accordance with the technical constraint(s), at least partly, the action compensating, at least partly, effects of the failure.
  • the action may comprise, for example, activation of a reserve unit selected based on the technical constraint(s).
  • a non-transitory computer readable medium having stored thereon a set of computer readable instructions that, when executed by at least one processor, cause a computerized safety critical system external threat protection system to at least store a digital design comprising a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list, the technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards, and an equipment database configured to store at least one equipment information element, determine, responsive to receipt in the computerized safety critical system external threat protection monitoring system, of a failure notification concerning a first equipment information element, using the database, a set comprising each technical design principle
  • At least some embodiments of the present invention find application in protecting nuclear power generation hardware from external threats.
  • FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the present invention
  • FIGURE 2 illustrates an example database hierarchy in accordance with at least some embodiments of the present invention
  • FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention
  • FIGURE 4 illustrates an example database structure in accordance with at least some embodiments of the present invention
  • FIGURE 5 is a first flow chart of a first method in accordance with at least some embodiments of the present invention.
  • FIGURE 6 is a second flow chart of a second method in accordance with at least some embodiments of the present invention.
  • FIGURE 7 illustrates example design verification in accordance with at least some embodiments of the present invention.
  • FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the present invention.
  • the system of FIGURE 1 is a system for protecting a nuclear power station operating a fission-based reactor from external threats, although in other embodiments of the invention, other kinds of systems or installations may be protected from external threats.
  • the system of FIGURE 1 comprises building 100, which houses reactor 110. Building 100 is arranged to draw water for cooling from source 300, which may comprise an ocean, lake, river or other stable source of cooling water, for example. Source 300 may present a flooding risk, which is an example of an external threat.
  • the system of FIGURE 1 further comprises building 200, which houses systems not housed in building 100.
  • a nuclear power station external threat protection system may comprise a large number of systems, a subset of which is illustrated in FIGURE 1 to serve the purpose of illustrating the principles underlying the present invention.
  • Systems comprised in a safety critical system may embody at least one design principle, such as for example a safety-related design principle. Examples of design principles include redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification.
  • System 120A, which may comprise, for example, an internet firewall system, has a redundant system 120B.
  • Systems 120A and 120B are similar and enabled to perform a similar task. Either one, system 120A or system 120B, may alone be capable of performing the task.
  • Systems 120A and 120B may be configured to operate on the same, or similar, principles of action. In general, where a similar redundant system or equipment is provided for a given system or equipment, this system or equipment is said to embody redundancy.
  • A system embodying redundancy is more dependable than a system without redundancy, as a redundancy-embodying system can continue operation in case one system develops a fault: the faulty system, for example system 120A, may be switched off and the task assigned to the redundant system, for example system 120B.
  • System 130A which may comprise, for example, a flooding protection safety system, has a physical backup diversity system 130B.
  • system 130A and system 130B are enabled to perform a similar task. Either one, system 130A or system 130B, may alone be capable of performing its task.
  • Systems 130A and 130B are configured to operate on different principles of action. Since systems 130A and 130B are configured to operate using different principles of action, they are less likely to fail at the same time as a response to an unusual operating condition. For example where these systems comprise safety systems, they may be based on different physical processes having the same overall functional specifications. In other words, designs may be developed independently for system 130A and system 130B.
  • Such independent development may comprise using different design teams, different subcontractors, different materials and/or different principles of action, for example.
  • If system 130A encounters an error in a certain unusual operating condition of the nuclear power station of FIGURE 1, it is unlikely that system 130B encounters an error in the same operating condition. In this case, responsibility can be re-assigned from system 130A to system 130B, to obtain uninterrupted and secure operation of the external threat protection system.
  • In general, where a system or equipment embodies diversity, this system or equipment may be seen to comprise more than one subsystem, the subsystems or equipment being configured to operate on different principles and each being capable of performing the task of the system or equipment.
  • system may generally be used to refer to an equipment, system, architecture or installation.
  • System 140A, which may comprise, for example, a control system, has a diversity system 140B.
  • System 140A and system 140B are enabled to perform a similar task. Either system 140A or system 140B may alone be capable of performing its task.
  • System 140B, which may operate based on the same or a different principle as system 140A, is housed in building 200 while system 140A is housed in building 100. That the systems are housed in different buildings, or more generally separate from each other, means the systems embody a separation design principle.
  • Situating the systems separately from each other increases the dependability of the aggregate system comprising system 140A and system 140B, since a problem affecting, say, building 200 may leave building 100 and the systems housed therein unaffected.
  • systems may be separated electrically and/or functionally.
  • the intent in separation overall is to avoid failures from progressing from a system to its back-up system, or from one protection category to another protection category.
  • Electrical separation may be accomplished by either not connecting the separated systems to each other electrically, or by suitably filtering electrical connections arranged between the systems. Examples of suitable filtering include over-voltage protection, current protection and fibre-optic filters.
  • A system embodying the design principle isolation may comprise a system wherein the system, including equipment comprised in the system, is isolated from its surroundings. For example, being disposed inside a containment vessel and/or hardened building provides isolation. Isolation may be defined in various ways, for example as the ability to withstand the impact of a passenger aircraft and/or the ability to operate in a denial-of-service, DoS, cyberattack environment.
  • A cyberattack may be prevented by not connecting certain systems to the public Internet; for example, a control room of an external threat protection system may be isolated from the public Internet.
  • a quality level may comprise that a system embodying that design principle meets a standardized quality level.
  • a reliability level, a seismic qualification level and an environmental condition qualification are examples of design principles that may be embodied by systems comprised in safety critical systems.
  • a protection category which may comprise a database structure, such as an information element, which comprises or is associated with both the functional requirement and at least one design principle.
  • the protection category may be associated with hierarchically lower levels of a computerized digital design in such a way that the design principles associated with the protection category are embodied by the aggregate system that performs the functional requirement associated with the protection category.
  • the functional requirement associated with the protection category may be referred to simply as the functional requirement of the protection category.
  • a protection category information element does not define structure but is associated, directly or indirectly, with information elements of the digital design which do define structure. Examples of information element types that define structure include an architecture definition information element, a system-level information element and an equipment information element.
  • a computerized database may be employed.
  • database system it is herein meant a physical system configured to store a database, by which it is in turn meant an organized storage or assembly of information elements, which may be interrelated within the database system via associations and/or database relations.
  • The database system may use a suitable system, such as for example a computer system, and suitable magnetic, solid-state, holographic or other kind of memory.
  • Such a database is illustrated in FIGURE 1 as database 150.
  • functional requirements and design principles may take the form of information elements. The information elements together may form a digital design.
  • database 150 information elements may be arranged in a hierarchical structure which is illustrated in FIGURE 2.
  • FIGURE 2 illustrates an example database hierarchy in accordance with at least some embodiments of the present invention.
  • the example database hierarchy of FIGURE 2 involves a database hierarchy of a nuclear power station external threat protection system.
  • At the top level are disposed, optionally, external threat protection safety design requirements 210. These requirements may be derived from and/or be based on regulatory requirements, codes and/or standards.
  • In some embodiments, requirements 210 are absent from the database, for example where their content is taken into account, implicitly or explicitly, in other layers.
  • the requirements of requirement layer 210 may be associated with, or comprised in, protection categories in layer 220, which corresponds to the level of the entire nuclear power station external threat protection system, for example.
  • Layer 220 may be termed the plant layer.
  • Each protection category may be associated with at least one design principle and at least one functional requirement, as described above.
  • each protection category may, in some embodiments, be associated with one and only one functional requirement and at least one design principle.
  • Protection categories included in the example of FIGURE 2 are protection categories 220A, 220B and 220C. In the database, protection categories may be present as protection category information elements.
  • protection categories comprise protection for normal operations functions, protection for preventive functions, protection for essential functions and protection for severe accident management functions.
  • Protection for normal operations comprises functional entities, which in at least some embodiments enable redundancy, aiming to defend against the threats jeopardizing systems meant for normal operations.
  • Protection for preventive functions comprises functional entities, which in at least some embodiments enable separation and prevention of single fault failure, aiming to defend against the threats jeopardizing preventive functions.
  • Protection for essential functions comprises functional entities, which in at least some embodiments enable separation and diversity and prevention of single fault failure, aiming to defend against threats jeopardizing essential functions.
  • These functional entities may additionally or alternatively comprise systems designed to prevent anticipated transients, which are predictable error conditions falling short of accidents.
  • Protection for severe accident management functions comprises functional entities, which in at least some embodiments enable separation and diversity and prevention of single fault failure, aiming to defend against threats that can potentially jeopardise systems designed to manage severe accidents.
  • Layer 230 may comprise architecture definition information elements, at least some such information elements being associated with at least one protection category information element on level 220.
  • the architecture definition information elements may comprise indications as to the way in which the architecture therein defined contributes to embodiment of the design principles associated with associated protection categories. In other words, the architecture definition information elements may comprise information as to how the design principles of the higher-level protection categories are implemented in the architecture level.
  • Architecture definition information elements included in the example of FIGURE 2 are architecture definition information elements 230A, 230B and 230C.
  • Examples of architectures include functional architecture, hazard layout architecture, information security architecture, physical security architecture, control room architecture and hazard human factor architecture.
  • Hazard layout architecture may describe the application of protection engineering principles.
  • Information security architecture may describe strategies to prevent cybersecurity attacks, such as denial-of-service attacks and hacking.
  • Control room architecture may describe how the control room is arranged to control functioning of the protection system, and hazard human factor architecture may describe the application of human factor engineering to prevent unintentional errors.
  • System layer 240 may comprise system-level information elements, each such information element being associated with at least one architecture definition information element on level 230.
  • The system-level information elements may comprise indications as to the way in which the systems therein defined contribute to embodiment of the design principles associated with associated protection categories, wherein protection categories are associated with system-level information elements via architecture definition information elements on architecture level 230.
  • System-level information elements included in the example of FIGURE 2 are system-level information elements 240A, 240B, 240C and 240D.
  • the protection categories are directly associated, via database relations, with system-level information elements and the digital design does not comprise a separate architecture layer with architecture definition information elements.
  • Examples of systems of an external threat protection system include protection systems which may be active functions like initiating alarms due to a fire or a security breach, or passive systems such as fire resistant walls or implemented one way- only data communication.
  • Equipment layer 250 may comprise equipment-level information elements, each such information element being associated with at least one system-level information element on level 240.
  • The equipment-level information elements may comprise indications as to the way in which the equipment therein defined contributes to embodiment of the design principles associated with associated protection categories, wherein protection categories are associated with equipment-level information elements via system-level information elements on system layer 240 and, optionally, architecture definition information elements on architecture level 230.
  • Equipment-level information elements are illustrated in FIGURE 2 collectively as elements 250A.
  • regulatory requirements may be assigned to individual systems or pieces of equipment. Such system-level or equipment-level regulatory requirements may be recorded in system-level or equipment-level information elements and used as additional constraints in implementing methods in accordance with the present invention.
  • For example, installing a new RISC computer to replace an older computer may enable removal of a further computer from the plant, the diversity role of the further computer thereafter being performed by the new computer.
  • the further computer may be comprised in a different system or architecture, and it may be associated with a different protection category than the old computer the new RISC computer replaces, for example.
  • the equipment information element of the piece of equipment which is replaced may describe how the new piece of equipment needs to operate.
  • the new equipment need not be a like-for-like replacement, which might be difficult in case a long time has elapsed since the equipment to be replaced was manufactured.
  • The technical requirements for the replacement equipment may be less stringent than those of the original equipment which is being replaced with the new equipment.
  • Running the database system as described above may at least in part automate such design considerations of the safety critical system.
  • With each equipment-level information element storing, or being associated with, information describing each role the described equipment performs in the external threat protection system, a user may interact with the database system to identify whether replacing the piece of equipment with a new piece of equipment enables a simplification in the overall system, or whether characteristics of the new piece of equipment necessitate a further modification to the overall system to maintain the design principles of the protection categories.
  • a further modification may be necessary where, for example, the new piece of equipment is unable to perform a role the previous piece of equipment performed, for example as a redundancy or diversity element to a further piece of equipment, which may be comprised in a different system or architecture.
  • design principles are associated with protection categories to enable smart plant management and selection of replacement pieces of equipment in such a way that the plant overall may be simplified.
  • a simplified plant provides the technical effect that running it consumes less energy, for example.
  • the database system enables a fuller understanding of fault conditions, since the database system identifies the roles each piece of equipment registered therein performs. Therefore, when a piece of equipment develops a fault, it can be identified, using the database system, which other systems have less redundancy, or suffer a drawback with respect to another design principle, as a consequence of the fault. At least one constraint of a correction action may then be presented to users. For example, the correcting action must provide diversity for an equipment in another system of the overall external threat protection system, and redundancy for an equipment in yet another system of the overall external threat protection system.
  • An access control function belonging to the protection category protection for essential functions may have a requirement N+1, which means that one fault must be tolerated without losing the function.
  • The function therefore has to have two methods of controlling access, for example a PIN code and a fingerprint, or two PIN codes.
  • the protection category does not yet define specific solutions.
  • the function is, in this example, allocated to protection zone 1. That means that on the perimeter of this zone the two methods of controlling the access have to be implemented.
  • First and second systems may be allocated to the protection zone 1.
  • both of those systems have to have equipment that realizes two methods of controlling the access.
  • Requirements assigned to a protection category may be linked to the protection category, function, zone, system and equipment allowing transparency of design and simplifying modifications during operation.
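The digital design described above (protection category, architecture, system and equipment layers, as in FIGURES 2 and 4) and the two operations the text describes on it, verifying that the design embodies each protection category's design principles and, on a failure notification, determining which principles are lost and therefore constrain the compensating action, as a small in-memory model. This is an added example, not the patent's own code or any Fortum system: the dataclass names, the rule used to decide whether a pool of equipment embodies each design principle, the `replaced` substitution used for the equipment-replacement question discussed above, and the sample plant (loosely following FIGURE 1) are all assumptions made here. The N+1 access control requirement above corresponds to the redundancy rule in this model.

```python
"""Toy model of the digital design described above: protection category ->
architecture -> system -> equipment, with the design-principle verification and
the failure-notification analysis the text describes. Added example, not the
patent's own code; element names, per-principle rules and the sample plant are
constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Equipment:
    """Equipment-level information element (leaf of the hierarchy)."""
    id: str
    principle_of_action: str  # physical process the unit relies on
    location: str             # building or zone, used for separation
    isolated: bool = False    # hardened / not connected to public networks


@dataclass(frozen=True)
class System:
    id: str
    equipment: tuple          # Equipment elements; one unit may serve several systems


@dataclass(frozen=True)
class Architecture:
    id: str
    systems: tuple


@dataclass(frozen=True)
class ProtectionCategory:
    """Carries the functional requirement and design principles; defines no structure."""
    id: str
    functional_requirement: str
    design_principles: frozenset
    architectures: tuple


def category_equipment(cat, failed=frozenset(), replaced=None):
    """Equipment reachable from the category through the layers, skipping
    failed ids and substituting replacement units where requested."""
    replaced = replaced or {}
    return [replaced.get(e.id, e) for a in cat.architectures
            for s in a.systems for e in s.equipment if e.id not in failed]


def embodies(principle, equipment):
    """Assumed rule for whether a pool of equipment embodies a design principle."""
    if principle == "redundancy":   # at least two units can perform the task
        return len(equipment) >= 2
    if principle == "diversity":    # units rely on different principles of action
        return len({e.principle_of_action for e in equipment}) >= 2
    if principle == "separation":   # units are not co-located
        return len({e.location for e in equipment}) >= 2
    if principle == "isolation":    # every unit is isolated from its surroundings
        return bool(equipment) and all(e.isolated for e in equipment)
    raise ValueError(f"unknown design principle {principle!r}")


def verify_design(design, failed=frozenset(), replaced=None):
    """Category id -> sorted list of design principles the design does NOT embody."""
    return {c.id: sorted(p for p in c.design_principles
                         if not embodies(p, category_equipment(c, failed, replaced)))
            for c in design}


def failure_impact(design, failed_id):
    """Failure notification handling: category id -> design principles that held
    before the failure and are lost after it, i.e. the constraints on a
    compensating action (empty dict if no category is affected)."""
    before, after = verify_design(design), verify_design(design, frozenset({failed_id}))
    lost = {cid: sorted(set(after[cid]) - set(before[cid])) for cid in after}
    return {cid: p for cid, p in lost.items() if p}


# Constructed sample plant, loosely following Figure 1 (not the patent's data).
fw_a = Equipment("120A", "packet-filter", "building-100")
fw_b = Equipment("120B", "packet-filter", "building-100")
pump_a = Equipment("130A", "hydraulic", "building-100")
pump_b = Equipment("130B", "electric", "building-200")
ctrl_a = Equipment("140A", "plc", "building-100", isolated=True)
ctrl_b = Equipment("140B", "plc", "building-200", isolated=False)

DESIGN = (
    ProtectionCategory("normal-operations", "cybersecurity", frozenset({"redundancy"}),
        (Architecture("information-security", (System("120", (fw_a, fw_b)),)),)),
    ProtectionCategory("essential-functions", "flooding and fire protection",
        frozenset({"redundancy", "diversity", "separation"}),
        (Architecture("hazard-layout", (System("130", (pump_a, pump_b)),)),)),
    ProtectionCategory("severe-accident-management", "airplane crash",
        frozenset({"separation", "isolation"}),
        (Architecture("physical-security", (System("140", (ctrl_a, ctrl_b)),)),)),
)

if __name__ == "__main__":
    print(verify_design(DESIGN))           # 140B is not isolated: isolation violated
    print(failure_impact(DESIGN, "130A"))  # 130A down: diversity, redundancy, separation lost
    new_pump = Equipment("130A", "electric", "building-100")  # candidate replacement unit
    print(verify_design(DESIGN, replaced={"130A": new_pump}))  # category would lose diversity
```

The output of `failure_impact` is the constraint set the text describes: once 130A fails, a compensating action for the essential-functions category must restore redundancy, diversity and separation at the same time, so a reserve unit must differ from 130B in both principle of action and location. The `replaced` path covers the other use discussed above, checking before installation whether a candidate replacement keeps every design principle of the categories it serves; here a second electric pump in building 100 would preserve redundancy and separation but not diversity. Note that because isolation is evaluated over the remaining pool, losing a non-isolated unit can make a category look compliant on isolation while it loses separation, which is why the function reports deltas rather than the raw verification result.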
  • FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention.
  • Illustrated is device 300, which may comprise, for example, a device such as database system 150 of FIGURE 1.
  • Comprised in device 300 is processor 310, which may comprise, for example, a single- or multi-core processor wherein a single-core processor comprises one processing core and a multi-core processor comprises more than one processing core.
  • Processor 310 may comprise a Xeon or Opteron processor, for example.
  • Processor 310 may comprise more than one processor.
  • A processing core may comprise, for example, a Cortex-A8 processing core manufactured by ARM Holdings or a Ryzen processing core produced by Advanced Micro Devices Corporation.
  • Processor 310 may comprise at least one application-specific integrated circuit, ASIC. Processor 310 may comprise at least one field-programmable gate array, FPGA. Processor 310 may be means for performing method steps in device 300. Processor 310 may be configured, at least in part by computer instructions, to perform actions.
  • Device 300 may comprise memory 320.
  • Memory 320 may comprise random-access memory and/or permanent memory.
  • Memory 320 may comprise at least one RAM chip.
  • Memory 320 may comprise magnetic, optical and/or holographic memory, for example.
  • Memory 320 may be configured to store information elements of a database system, for example.
  • Memory 320 may be at least in part accessible to processor 310.
  • Memory 320 may be means for storing information.
  • Memory 320 may comprise computer instructions that processor 310 is configured to execute. When computer instructions configured to cause processor 310 to perform certain actions are stored in memory 320, and device 300 overall is configured to run under the direction of processor 310 using computer instructions from memory 320, processor 310 and/or its at least one processing core may be considered to be configured to perform said certain actions.
  • Memory 320 may be at least in part comprised in processor 310.
  • Memory 320 may be at least in part external to device 300 but accessible to device 300.
  • Device 300 may comprise a transmitter 330.
  • Device 300 may comprise a receiver 340.
  • Transmitter 330 and receiver 340 may be configured to transmit and receive, respectively, information in accordance with at least one communication standard.
  • Transmitter 330 may comprise more than one transmitter.
  • Receiver 340 may comprise more than one receiver.
  • Transmitter 330 and/or receiver 340 may be configured to operate in accordance with wireless local area network, WLAN, Ethernet and/or worldwide interoperability for microwave access, WiMAX, standards, for example.
  • Device 300 may comprise user interface, UI, 360.
  • UI 360 may comprise at least one of a display, a keyboard and a touchscreen.
  • a user may be able to operate device 300 via UI 360, for example to interact with a database system comprised in, or controlled by, device 300.
  • Device 300 may comprise or be arranged to accept a user identity module 370.
  • User identity module 370 may comprise, for example, a secure element.
  • a user identity module 370 may comprise cryptographic information usable to verify the identity of a user of device 300 and/or to facilitate encryption and decryption of database contents.
  • Processor 310 may be furnished with a transmitter arranged to output information from processor 310, via electrical leads internal to device 300, to other devices comprised in device 300.
  • Such a transmitter may comprise a serial bus transmitter arranged to, for example, output information via at least one electrical lead to memory 320 for storage therein.
  • Alternatively, the transmitter may comprise a parallel bus transmitter.
  • Processor 310 may comprise a receiver arranged to receive information in processor 310, via electrical leads internal to device 300, from other devices comprised in device 300.
  • Such a receiver may comprise a serial bus receiver arranged to, for example, receive information via at least one electrical lead from receiver 340 for processing in processor 310.
  • Alternatively, the receiver may comprise a parallel bus receiver.
  • Processor 310, memory 320, transmitter 330, receiver 340, UI 360 and/or user identity module 370 may be interconnected by electrical leads internal to device 300 in a multitude of different ways.
  • For example, each of the aforementioned devices may be separately connected to a master bus internal to device 300, to allow the devices to exchange information.
  • This is only one example; depending on the embodiment, various ways of interconnecting at least two of the aforementioned devices may be selected without departing from the scope of the present invention.
  • FIGURE 4 illustrates an example database structure in accordance with at least some embodiments of the present invention.
  • Layer 410 corresponds in terms of FIGURE 2 to the protection category layer, storing protection category information elements.
  • Optional layer 420 corresponds in terms of FIGURE 2 to the architecture layer, storing architecture definition information elements.
  • Layer 430 corresponds in terms of FIGURE 2 to the system layer, storing system-level information elements.
  • Layer 440 corresponds in terms of FIGURE 2 to the equipment layer, storing equipment-level information elements.
  • A database relation layer may be disposed between layer 410 and layer 420, between layer 420 and layer 430, and/or between layer 430 and layer 440.
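As an added illustration of the FIGURE 4 layering (example code written for this page, not code from the patent or from its assignee), the following Python lays out the four layers and the relation layers between adjacent layers as SQLite tables, then answers two questions the later embodiments depend on: which design principles are reachable from one equipment information element through the database relations, and which elements have not yet been associated with the next layer down. All table and column names and every sample row are assumptions of this example.

```python
import sqlite3

# Added example, not code from the patent or its assignee. The FIGURE 4 layers
# (410 protection category, 420 architecture, 430 system, 440 equipment) become
# one table each, with a relation table between each pair of adjacent layers.
# Table and column names and all sample rows are assumptions.

SCHEMA = """
CREATE TABLE protection_category (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE functional_requirement (
    category_id TEXT NOT NULL REFERENCES protection_category(id),
    requirement TEXT NOT NULL);
CREATE TABLE design_principle (
    category_id TEXT NOT NULL REFERENCES protection_category(id),
    principle TEXT NOT NULL);
CREATE TABLE architecture (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE plant_system (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE equipment (id TEXT PRIMARY KEY, name TEXT NOT NULL);
-- relation layers between layers 410/420, 420/430 and 430/440
CREATE TABLE category_architecture (
    category_id TEXT NOT NULL REFERENCES protection_category(id),
    architecture_id TEXT NOT NULL REFERENCES architecture(id));
CREATE TABLE architecture_system (
    architecture_id TEXT NOT NULL REFERENCES architecture(id),
    system_id TEXT NOT NULL REFERENCES plant_system(id));
CREATE TABLE system_equipment (
    system_id TEXT NOT NULL REFERENCES plant_system(id),
    equipment_id TEXT NOT NULL REFERENCES equipment(id));
"""

# Constructed sample design, modelled on the pump example in the description:
# one pump reachable from two protection categories, plus one system that has
# not yet been linked to any equipment.
SAMPLE_ROWS = """
INSERT INTO protection_category VALUES ('PEF', 'protection for essential functions');
INSERT INTO protection_category VALUES ('PNO', 'protection for normal operation functions');
INSERT INTO functional_requirement VALUES ('PEF', 'flooding and fire protection');
INSERT INTO functional_requirement VALUES ('PNO', 'flooding and fire protection');
INSERT INTO design_principle VALUES ('PEF', 'redundancy'), ('PEF', 'diversity');
INSERT INTO design_principle VALUES ('PNO', 'redundancy'), ('PNO', 'diversity'), ('PNO', 'separation');
INSERT INTO architecture VALUES ('ARCH-PHYS', 'physical protection architecture');
INSERT INTO plant_system VALUES ('SYS-COOL', 'cooling water supply'), ('SYS-VENT', 'ventilation');
INSERT INTO equipment VALUES ('pump-1', 'cooling water pump 1'), ('pump-2', 'cooling water pump 2');
INSERT INTO category_architecture VALUES ('PEF', 'ARCH-PHYS'), ('PNO', 'ARCH-PHYS');
INSERT INTO architecture_system VALUES ('ARCH-PHYS', 'SYS-COOL'), ('ARCH-PHYS', 'SYS-VENT');
INSERT INTO system_equipment VALUES ('SYS-COOL', 'pump-1'), ('SYS-COOL', 'pump-2');
"""


def open_design():
    """Return an in-memory database holding the sample digital design."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def principles_for_equipment(conn, equipment_id):
    """Design principles of every protection category reachable from one
    equipment element by walking the three relation layers upwards."""
    rows = conn.execute("""
        SELECT DISTINCT dp.principle
        FROM system_equipment se
        JOIN architecture_system asy ON asy.system_id = se.system_id
        JOIN category_architecture ca ON ca.architecture_id = asy.architecture_id
        JOIN design_principle dp ON dp.category_id = ca.category_id
        WHERE se.equipment_id = ?""", (equipment_id,))
    return {r[0] for r in rows}


def unlinked_elements(conn):
    """Elements with no association to the next layer down, i.e. places where
    the associating phases (category to architecture, architecture to system,
    system to equipment) are still incomplete."""
    rows = conn.execute("""
        SELECT 'protection_category', id FROM protection_category
         WHERE id NOT IN (SELECT category_id FROM category_architecture)
        UNION ALL
        SELECT 'architecture', id FROM architecture
         WHERE id NOT IN (SELECT architecture_id FROM architecture_system)
        UNION ALL
        SELECT 'system', id FROM plant_system
         WHERE id NOT IN (SELECT system_id FROM system_equipment)""")
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = open_design()
    print(principles_for_equipment(db, "pump-1"))  # {'redundancy', 'diversity', 'separation'}
    print(unlinked_elements(db))                   # [('system', 'SYS-VENT')]
```

The second query is the kind of integrity check a practitioner runs before verification: an element with no downward relation cannot contribute to any design principle, so it is either incomplete design work or an orphan left behind by a change.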
  • FIGURE 5 is a first flow chart of a first method of implementing a nuclear power station external threat protection system in accordance with at least some embodiments of the present invention.
  • The phases of the illustrated method may be performed in database 150 of FIGURE 1 or on device 300 of FIGURE 3, for example.
  • Phase 510 comprises defining, in a computerized database, a digital design comprising a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle. More than one protection category may be defined.
  • Optional phase 520 comprises associating, in the computerized database, in the digital design, the or each protection category information element with at least one architecture definition information element of the digital design.
  • Phase 530 comprises associating, in the computerized database, in the digital design, each of the at least one architecture definition information element with at least one system-level information element of the digital design. Where phase 520 is absent, the at least one system-level information element of the digital design is associated with the protection category information element(s).
  • Phase 540 comprises verifying, in the computerized database, that the external threat protection system described by the digital design is compliant with the at least one design principle.
  • FIGURE 6 is a second flow chart of a second method in accordance with at least some embodiments of the present invention. The phases of the illustrated method may be performed in database 150 of FIGURE 1 or on device 300 of FIGURE 3, for example.
  • Phase 610 comprises recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element, at least one architecture definition information element and at least one system-level information element.
  • Phase 620 comprises verifying the digital design is compliant with at least one design principle.
  • Phase 630 specifies that the protection category information element is associated with at least one functional requirement and at least one design principle.
  • A method may comprise defining a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle, associating the protection category information element with at least one architecture definition information element, associating each of the at least one architecture definition information element with at least one system-level information element, and verifying that the system described by the at least one architecture definition information element and associated system-level information elements is compliant with the at least one design principle.
  • The method may be performed using a database system, for example.
  • The associating phases comprised in the method may comprise defining information element association properties in the database system.
  • The verifying may comprise running a verification algorithm on the information elements comprised in the database system.
  • The verifying may comprise checking that, for each design principle, the architecture, systems and pieces of equipment associated with the design principle together embody the design principle.
  • The verifying does not, in some embodiments, require that each information element directly or indirectly associated with the design principle embodies the design principle.
  • Where the design principle comprises redundancy, not all pieces of equipment directly or indirectly associated with a protection category associated with redundancy need be made redundant in the sense of installing duplicate pieces of the equipment; rather, the function defined by the associated information elements as a whole is redundant.
  • The safety critical system may comprise systems or pieces of equipment that do not need redundancy or diversity, for example.
  • The information elements describing these pieces of equipment may comprise information indicating the way in which the design principle is implemented with respect to the functions of these pieces of equipment.
  • The database system stores sequence information elements, each sequence information element describing a sequence of actions, each sequence information element being associated with a triggering event and each sequence information element being associated with a protection category information element.
  • The sequence may control the consequences of the occurrence of the event.
  • An event may comprise a point failure in a system or an interruption in communication apparatus function, and the sequence of actions may comprise a pre-planned response to the threat whereby the consequences of the threat are controlled.
  • FIGURE 7 illustrates example design verification in accordance with at least some embodiments of the present invention.
  • The left-most prong corresponds to the design of architectures and external threat protection systems.
  • The middle prong corresponds to risk analysis of the protection system as designed.
  • The right-most prong corresponds to risk analysis of a completed, built safety critical system external threat protection system.
  • Unit 710 is a hazard protection design, which leads to a preliminary plant level risk analysis 710A in the as-designed phase. A corresponding final plant level risk analysis 710B is conducted in the as-built phase.
  • Unit 720 is a protection functional architecture, which may form a basis for other architectures. Protection functional architecture 720 may be divided, for example, into information security protection functional architecture and other protection functional architectures. Protection functional architecture 720 leads to a preliminary security risk analysis 720A in the as-designed phase and a final security risk analysis 720B in the as-built phase. The hazard protection design 710 and the protection functional architecture 720 reflect plant-level risk analysis specifications and security function risk specifications, respectively.
  • Unit 730 is an information security architecture. Information security architecture 730 leads to an as-designed architecture risk analysis 730A in the as-designed phase and to an as-built architecture risk analysis 730B in the as-built phase.
  • Unit 740 is a physical protection architecture.
  • Physical protection architecture 740 leads to an as-designed architecture risk analysis 740A in the as-designed phase and an as-built architecture risk analysis 740B in the as-built phase.
  • Unit 750 is a human factor protection architecture, which leads to an as-designed architecture risk analysis 750A in the as-designed phase and an as-built architecture risk analysis 750B in the as-built phase.
  • Information security architecture 730, physical protection architecture 740 and human factor protection architecture 740 are examples of architecture level risk specifications.
  • System level risk analysis design 760 is developed into system-specific risk analysis 760A in the as-designed phase and system-specific risk analysis 760B in the as-built phase.
  • Unit 770 denotes an equipment level design, which leads to an equipment-level risk analysis 770B as designed, and an equipment-level risk analysis 770B as built.
  • The database system comprising protection category information elements, architecture definition information elements, system-level information elements and equipment-level information elements enables verifying that the design correctly embodies the design principles associated with the protection category information elements.
  • DBT1 to DBT3 are design basis threat classes.
  • DET1 is a design basis extension threat class.
  • SAT is a severe accident threat, which is associated with the protection category protection for severe accident management functions of the external threat protection system.
  • Protection category PNO is associated with no design principle (no redundancy).
  • Protection category PPF is associated with the design principles redundancy N+1 and separation.
  • Protection category PEF is associated with the design principles redundancy N+1, separation and diversity against PPF and PSF.
  • Protection category PSF is associated with the design principles redundancy N+1, separation and diversity against all other protection categories.
  • Where more than one design principle, safety class or quality requirement applies to a piece of equipment, the more stringent design principle, safety class or quality requirement may be arranged to prevail concerning the function of the piece of equipment. For example, diversity may be seen as more stringent than redundancy, since in addition to another unit, an additional requirement of a different operating principle is assigned to the units. As another example, where differing environmental safety requirements apply, the more stringent requirement may be arranged to prevail.
  • a computerized monitoring system is provided, wherein the computerized monitoring system is configured to receive, from the external threat protection system, failure notifications.
  • Each failure notification may relate to a failure of an item of equipment, for example one represented by an equipment information element, a system-level information element and/or an architecture information element in a database arranged in accordance with the principles of the present invention.
  • The failure notifications may be automatically generated by sensors arranged to monitor how equipment comprised in the nuclear power station or aircraft performs, for example.
  • The computerized monitoring system may be configured to, responsive to a failure notification, determine, using a database such as one described above, an effect of the failure on how a design principle is complied with.
  • A design principle may comprise at least one of the following: redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification. For example, where an item of equipment fails, and the failed equipment played a role in providing for a design principle with respect to another item of equipment, a visual or other kind of indication may be provided in a user interface, the indication conveying that the design principle is not sufficiently provided for as it relates to the other item of equipment.
  • The computerized monitoring system may determine the redundancy effect of the failure of the first equipment, using the protection category associated with the functional requirement and the at least one design principle to determine the systems and/or equipment the redundancy of which is affected by the failure.
  • An indication may be provided of a reduced redundancy level, and the systems and/or pieces of equipment that the reduced redundancy level affects.
  • The reduced redundancy level is a technical characteristic of the external threat protection system and the equipment comprised therein.
  • The first equipment corresponds in the database to a corresponding first equipment information element.
  • The computerized monitoring system may be configured to determine a set comprising each design principle associated with each protection category information element associated, via database relations, with the first equipment information element, and to identify, based on each design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification.
  • A technical constraint of an action may comprise that the action must provide redundancy or diversity for a function of a further piece of equipment.
  • For example, where the first equipment is a pump, a sensor comprised in the pump may provide a failure notification to the computerized monitoring system. Responsive to the failure notification, the computerized monitoring system may determine that an equipment information element in the database corresponding to the pump is associated, via database relations, with the protection category information elements corresponding to the protection categories protection for essential functions and protection for normal operation functions.
  • In this example, protection category protection for essential functions is associated with the design principles redundancy and diversity.
  • Protection category protection for normal operation functions is associated with the design principles redundancy, diversity and separation.
  • The set of design principles thus comprises redundancy, diversity and separation.
  • The computerized monitoring system may further be configured to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure associated with the failure notification.
  • In this example, compensating actions would be constrained with respect to equipment unit count to meet the design principle redundancy, equipment principle of action to meet the design principle diversity, and equipment location to meet the design principle separation.
  • The technical constraint, or an indication thereof, may be provided to users of the external threat protection system, for example via a user interface.
  • In some embodiments, the computerized monitoring system is configured to automatically perform, at least partly, the action in accordance with the technical constraint(s).
  • The action may comprise, for example, activation of a reserve unit selected based on the technical constraint(s).
  • The computerized monitoring system is configured to provide information concerning the operational status of the external threat protection system, and deviations from a nominal operational status that result from the failure.
  • A technical effect provided by the computerized monitoring system and associated database lies in enabling a reaction to the actually relevant aspects of a piece of equipment that has developed a failure.
  • As an alternative approach, a decision tree may be employed, for example.
  • However, a decision tree in the case of an external threat protection system is very difficult to maintain due to the highly complex nature of such a system.
  • Further, a decision tree typically does not provide information on the aspects of a failed piece of equipment that are actually of significance; rather, a decision tree simply informs concerning the actions needed to replace the failed equipment with an identical one.
  • The constraints described herein enable reacting to a failure in a way that addresses the technical situation, rather than requiring simple duplication of an original design and like-for-like replacement of a failed piece of equipment.
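The following added example (written for this page; it is not the patent's or the assignee's code) brings together the method of phases 510 to 540, the function-level verification explained earlier (a design principle must be embodied by the elements associated with a protection category as a whole, not by every piece of equipment individually), and the monitoring response just described: on a failure notification it collects the design principles of every protection category the failed equipment is related to, derives the technical constraint each places on a compensating action, and picks the reserve unit whose activation satisfies all of them. The class and attribute names, the reading of "N+1" redundancy as at least two active units, the constraint wording and the sample pump data are assumptions of this example.

```python
from dataclasses import dataclass

# Added example, not the patent's own code. Models the digital design as plain
# objects and implements function-level verification plus the failure response.
# Attribute names, the N=1 reading of "N+1" and the sample data are assumptions.


@dataclass
class Equipment:
    eid: str
    principle_of_action: str   # e.g. "electric motor" / "diesel engine"
    location: str              # e.g. "building 100" / "building 200"
    active: bool = True        # False: reserve unit, or a unit taken out after a failure


@dataclass
class Function:
    """A system-level information element: one function and the units providing it."""
    name: str
    units: list


@dataclass
class ProtectionCategory:
    name: str
    requirements: set          # functional requirements, e.g. {"flooding and fire protection"}
    principles: set            # design principles, e.g. {"redundancy", "diversity"}
    functions: list            # system-level elements associated with the category


def embodies(principle, units):
    """Do the active units, taken together, embody the design principle?"""
    act = [u for u in units if u.active]
    if principle == "redundancy":
        return len(act) >= 2                                    # N+1 with N=1 (assumption)
    if principle == "diversity":
        return len({u.principle_of_action for u in act}) >= 2   # two principles of action
    if principle == "separation":
        return len({u.location for u in act}) >= 2             # two locations
    raise ValueError(f"no verification rule for design principle {principle!r}")


def verify(design):
    """Phase 540: (category, function, principle) triples that are not complied with."""
    return [(c.name, f.name, p)
            for c in design for f in c.functions for p in sorted(c.principles)
            if not embodies(p, f.units)]


def set_active(design, eid, state):
    for c in design:
        for f in c.functions:
            for u in f.units:
                if u.eid == eid:
                    u.active = state


# Technical constraint each design principle places on a compensating action
CONSTRAINT = {"redundancy": "equipment unit count",
              "diversity": "equipment principle of action",
              "separation": "equipment location"}


def on_failure(design, eid):
    """Monitoring step for a failure notification concerning equipment `eid`."""
    set_active(design, eid, False)
    related = [c for c in design if any(u.eid == eid for f in c.functions for u in f.units)]
    principles = set().union(*(c.principles for c in related))
    # Reserve units whose activation would make every related category compliant again
    units = {u.eid: u for c in related for f in c.functions for u in f.units}
    candidates = []
    for u in units.values():
        if u.active or u.eid == eid:
            continue
        u.active = True
        if not verify(related):
            candidates.append(u.eid)
        u.active = False
    return {"design_principles": principles,
            "constraints": {p: CONSTRAINT[p] for p in principles},
            "degraded": verify(related),          # basis for the reduced-redundancy indication
            "reserve_candidates": sorted(candidates)}


def sample_design():
    """Constructed sample modelled on the pump example in the description."""
    cooling = Function("cooling water supply", [
        Equipment("pump-1", "electric motor", "building 100"),
        Equipment("pump-2", "diesel engine", "building 200"),
        Equipment("pump-3", "electric motor", "building 100", active=False),
        Equipment("pump-4", "diesel engine", "building 200", active=False),
    ])
    pef = ProtectionCategory("protection for essential functions",
                             {"flooding and fire protection"},
                             {"redundancy", "diversity"}, [cooling])
    pno = ProtectionCategory("protection for normal operation functions",
                             {"flooding and fire protection"},
                             {"redundancy", "diversity", "separation"}, [cooling])
    return [pef, pno]


if __name__ == "__main__":
    design = sample_design()
    print(verify(design))                 # []: the as-designed state complies
    report = on_failure(design, "pump-1")
    print(report["constraints"])
    print(report["reserve_candidates"])   # ['pump-3']; pump-4 would leave one principle of action and one location
```

Note what the constraints do to the choice of reserve unit: after pump-1 fails, the only active unit is the diesel pump in building 200, so a like-for-like swap to pump-4 (also diesel, also building 200) would restore the unit count but leave diversity and separation unmet, whereas pump-3 restores all three. That is the difference between reacting to the technical situation and replacing the failed unit with an identical one.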

Abstract

According to an example embodiment of the present invention, there is provided a method of implementing a safety critical system external threat protection system, comprising defining, in a computerized database, a digital design comprising a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle, associating, in the computerized database, in the digital design, the protection category information element with at least one architecture definition information element of the digital design, associating, in the computerized database, in the digital design, each of the at least one architecture definition information element with at least one system-level information element of the digital design, and verifying, in the computerized database, that the external threat protection system described by the digital design is compliant with the at least one design principle.

Description

EXTERNAL THREAT PROTECTION SYSTEM
FIELD OF INVENTION
[0001] The present invention relates to the field of ensuring, enhancing and maintaining safety in safety critical systems.
BACKGROUND OF INVENTION
[0002] Safety critical systems, such as, for example, nuclear power stations and civilian aircraft are designed to safety standards. Safety standards may be set by national or international regulators, standard-setting bodies or certification agencies, for example. Safety standards may be defined for industries as a whole, for system classes or for individual systems, for example. Even in the absence of formal safety standards, equipment in a system may be designed with safety rules when this is seen as desirable, for example to protect biodiversity.
[0003] A fission reactor, for example, must be designed and constructed in a way that enables operators to control its functioning and protect it from external hazards. Such controlling may comprise, if necessary, causing the reactor to transition to a managed idle state when instructed. Such an idle state may comprise a state where fission reactions are subcritical and decay heat is removed from the reactor core to prevent its overheating, which might otherwise damage the core of the reactor, potentially leading to release of radionuclides.
[0004] To obtain safe operability in safety-critical systems, components comprised in such systems may be associated with safety conditions. For example, a flight computer of an aircraft may be made redundant, wherein an aircraft may be furnished with a plurality of flight computers, each individually being capable of controlling the flight. In this case, redundancy is a safety condition, or design principle, associated with the flight computer equipment. In case of a fault condition in one of the flight computers, another one of the flight computers may assume the task of controlling the flight, the faulty flight computer being set to an inactive state.
[0005] Safe operation of safety critical systems includes operation in an environment which may pose external hazards to the operation of the safety critical system, such as a nuclear power station.
SUMMARY OF THE INVENTION
[0006] The invention is defined by the features of the independent claims. Some specific embodiments are defined in the dependent claims.
[0007] According to a first aspect of the present invention, there is provided a method of implementing a safety critical system external threat protection system, comprising defining, in a computerized database, a digital design comprising a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle, associating, in the computerized database, in the digital design, the protection category information element with at least one architecture definition information element of the digital design, associating, in the computerized database, in the digital design, each of the at least one architecture definition information element with at least one system-level information element of the digital design, and verifying, in the computerized database, that the external threat protection system described by the digital design is compliant with the at least one design principle.
[0008] According to a second aspect of the present invention, there is provided a method, comprising recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element, at least one architecture definition information element and at least one system-level information element, and verifying the digital design is compliant with at least one design principle, wherein the protection category information element is associated with at least one functional requirement and at least one design principle.
[0009] According to a third aspect of the present invention, there is provided a computerized safety critical system external threat protection system, comprising a memory configured to store a digital design comprising a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list, the technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards, and an equipment database configured to store at least one equipment information element, and at least one processor configured to, responsive to receipt in the computerized safety critical system external threat protection system of a failure notification concerning a first equipment information element, determine, using the database, a set comprising each technical design principle associated with each protection category information element associated, via database relations, with the first equipment information element, and to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification, wherein the at least one processor is configured to control a transmitter to output the technical constraint of the action to a user interface of the computerized safety critical system external threat protection system. The computerized safety critical system external threat protection system may be configured to automatically perform, in accordance with the technical constraint(s), at least partly, the action compensating, at least partly, effects of the failure. The action may comprise, for example, activation of a reserve unit selected based on the technical constraint(s).
[0010] According to a fourth aspect of the present invention, there is provided a non-transitory computer readable medium having stored thereon a set of computer readable instructions that, when executed by at least one processor, cause a computerized safety critical system external threat protection system to at least store a digital design comprising a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list, the technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards, and an equipment database configured to store at least one equipment information element, determine, responsive to receipt in the computerized safety critical system external threat protection monitoring system, of a failure notification concerning a first equipment information element, using the database, a set comprising each technical design principle associated with each protection category information element associated, via database relations, with the first equipment information element, and to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification, wherein the technical constraint of the action is output to a user interface of the computerized safety critical system external threat protection system. The set of computer readable instructions may further be configured to cause automatic performing of the action, in accordance with the technical constraint(s), at least partly.
Industrial Applicability
[0011] At least some embodiments of the present invention find application in protecting nuclear power generation hardware from external threats.
BRIEF DESCRIPTION OF THE DRAWINGS
[0012] FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the present invention;
[0013] FIGURE 2 illustrates an example database hierarchy in accordance with at least some embodiments of the present invention;
[0014] FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention;
[0015] FIGURE 4 illustrates an example database structure in accordance with at least some embodiments of the present invention;
[0016] FIGURE 5 is a first flow chart of a first method in accordance with at least some embodiments of the present invention;
[0017] FIGURE 6 is a second flow chart of a second method in accordance with at least some embodiments of the present invention, and
[0018] FIGURE 7 illustrates example design verification in accordance with at least some embodiments of the present invention.
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
[0019] By assigning design principles to functional requirements, more efficient implementation and maintenance of safety critical systems, such as station external threat protection systems, may be obtained. Where design principles, such as redundancy or diversity, are assigned to individual equipment rather than higher-level functional requirements, over-implementation or degradation of a safety level may occur and/or refitting existing safety critical systems may be more constrained by equipment-specific requirements. By assigning design principles to functional protection categories rather than individual equipment, more flexible implementation of the safety critical systems is enabled. While discussed herein primarily in terms of a nuclear power station, the principles of the present disclosure are applicable more broadly in safety critical systems with external threat protection systems, which include, for example, nuclear power stations, nuclear laboratories, biohazard laboratories and aircraft.
[0020] FIGURE 1 illustrates an example system capable of supporting at least some embodiments of the present invention. The system of FIGURE 1 is a system for protecting a nuclear power station operating a fission-based reactor from external threats, although in other embodiments of the invention, other kinds of systems or installations may be protected from external threats. The system of FIGURE 1 comprises building 100, which houses reactor 110. Building 100 is arranged to draw water for cooling from source 300, which may comprise an ocean, lake, river or other stable source of cooling water, for example. Source 300 may present a flooding risk, which is an example of an external threat. The system of FIGURE 1 further comprises building 200, which houses systems not housed in building 100.
[0021] A nuclear power station external threat protection system may comprise a large number of systems, a subset of which is illustrated in FIGURE 1 to serve the purpose of illustrating the principles underlying the present invention. Systems comprised in a safety critical system may embody at least one design principle, such as for example a safety-related design principle. Examples of design principles include redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification.
[0022] System 120A, which may comprise, for example, an internet firewall system, has a redundant system 120B. In other words, system 120A and system 120B are similar and enabled to perform a similar task. Either one, system 120A or system 120B, may alone be capable of performing the task. Systems 120A and 120B may be configured to operate on the same, or similar, principles of action. In general, where a similar redundant system or equipment is provided for a given system or equipment, this system or equipment is said to embody redundancy. A system embodying redundancy is more dependable than a system without redundancy, as a redundancy-embodying system can continue operation in case one system develops a fault, since the faulty system, for example system 120A, may be switched off and the task may be assigned to the redundant system, for example system 120B.
[0023] System 130A, which may comprise, for example, a flooding protection safety system, has a physical backup diversity system 130B. In other words, system 130A and system 130B are enabled to perform a similar task. Either one, system 130A or system 130B, may alone be capable of performing its task. Systems 130A and 130B are configured to operate on different principles of action. Since systems 130A and 130B are configured to operate using different principles of action, they are less likely to fail at the same time as a response to an unusual operating condition. For example, where these systems comprise safety systems, they may be based on different physical processes having the same overall functional specifications. In other words, designs may be developed independently for system 130A and system 130B. Such independent development may comprise using different design teams, different subcontractors, different materials and/or different principles of action, for example. As a consequence, if system 130A encounters an error in a certain unusual operating condition of the nuclear power station of FIGURE 1, it is unlikely that system 130B encounters an error in the same operating condition. In this case, responsibility can be re-assigned from system 130A to system 130B, to obtain uninterrupted and secure operation of the external threat protection system.
[0024] In general, where a system or equipment embodies diversity this system or equipment may be seen to comprise more than one subsystem, the subsystems or equipment being configured to operate on different principles and each being capable of performing the task of the system or equipment. Herein the term “system” may generally be used to refer to an equipment, system, architecture or installation.
[0025] System 140A, which may comprise, for example, a control system, has a diversity system 140B. System 140A and system 140B are enabled to perform a similar task. Either system 140A or system 140B may alone be capable of performing its task. System 140B, which may operate based on a same or a different principle as system 140A, is housed in building 200 while system 140A is housed in building 100. That the systems are housed in different buildings, or more generally separate from each other, means the systems embody a separation design principle. Situating the systems separately from each other increases the dependability of the aggregate system comprising system 140A and system 140B, since a problem affecting, say, building 200 may leave building 100 and systems housed therein unaffected. Additionally or alternatively to physical separation, systems may be separated electrically and/or functionally. The intent in separation overall is to avoid failures from progressing from a system to its back-up system, or from one protection category to another protection category. Electrical separation, for example, may be accomplished by either not connecting the separated systems to each other electrically, or by suitably filtering electrical connections arranged between the systems. Examples of suitable filtering include over-voltage protection, current protection and fibre-optic filters.
[0026] Where system 140A and system 140B are based on the same, or a similar, operating principle, the system comprising system 140A and system 140B may be considered to embody separation and redundancy. Where system 140A and system 140B are based on different operating principles, the system comprising system 140A and system 140B may be considered to embody separation and diversity.
[0027] A system embodying the design principle isolation may comprise a system wherein the system, including equipment comprised in the system, is isolated from its surroundings. For example, being disposed inside a containment vessel and/or hardened building provides isolation. Isolation may be defined in various ways, for example, ability to withstand an impact of a passenger aircraft and/or ability to operate in a denial-of-service, DoS, cyberattack environment. A cyberattack may be prevented by not connecting certain systems to the public Internet; for example, a control room of an external threat protection system may be isolated from the public Internet. Among further design principles, a quality level design principle may require that a system embodying it meets a standardized quality level. Further, a reliability level, a seismic qualification level and an environmental condition qualification are examples of design principles that may be embodied by systems comprised in safety critical systems.
[0028] When designing, maintaining, operating or refitting a safety critical system, it may be advantageous to associate design principles with functional requirements. This association may take place in a protection category, which may comprise a database structure, such as an information element, which comprises or is associated with both the functional requirement and at least one design principle. The protection category may be associated with hierarchically lower levels of a computerized digital design in such a way that the design principles associated with the protection category are embodied by the aggregate system that performs the functional requirement associated with the protection category. The functional requirement associated with the protection category may be referred to simply as the functional requirement of the protection category. At least in some embodiments, a protection category information element does not define structure but is associated, directly or indirectly, with information elements of the digital design which do define structure. Examples of information element types that define structure include an architecture definition information element, a system-level information element and an equipment information element.
[0029] When a design principle is associated with a protection category, implementing systems to perform the functional requirement of the protection category becomes more flexible, allowing more intelligent implementation that may result in a simpler and safer system. Requiring that each system and equipment in the system performing the functional requirement separately comply with the design principle is a more restrictive model, where equipment may be duplicated excessively. For example, where an equipment, such as for example a pump, is comprised in a system that performs a functional requirement of a protection category, it may be assigned another role in a system that performs a functional requirement of another protection category. The pump, for example, may embody diversity with respect to more than one system or protection category. In general, a system or equipment may embody a design principle with respect to more than one architecture and/or protection category.
[0030] In a complex system such as a nuclear power station external threat protection system, the number of systems and equipment may be large. To enable use of protection categories and associated design principles, a computerized database may be employed. By database system it is herein meant a physical system configured to store a database, by which it is in turn meant an organized storage or assembly of information elements, which may be interrelated within the database system via associations and/or database relations. The database system may use a suitable system, such as for example a computer system, and suitable magnetic, solid-state, holographic or other kind of memory. Such a database is illustrated in FIGURE 1 as database 150. In the database, functional requirements and design principles may take the form of information elements. The information elements together may form a digital design.
[0031] In database 150, information elements may be arranged in a hierarchical structure which is illustrated in FIGURE 2.
[0032] FIGURE 2 illustrates an example database hierarchy in accordance with at least some embodiments of the present invention. The example database hierarchy of FIGURE 2 involves a database hierarchy of a nuclear power station external threat protection system. At the top level are disposed, optionally, external threat protection safety design requirements 210. These requirements may be derived from and/or be based on regulatory requirements, codes and/or standards. In some embodiments, nuclear safety design requirements 210 are absent from the database, for example where their content is taken into account, implicitly or explicitly, in other layers.
[0033] The requirements of requirement layer 210 may be associated with, or comprised in, protection categories in layer 220, which corresponds to the level of the entire nuclear power station external threat protection system, for example. Layer 220 may be termed the plant layer. Each protection category may be associated with at least one design principle and at least one functional requirement, as described above. In detail, each protection category may, in some embodiments, be associated with one and only one functional requirement and at least one design principle. Protection categories included in the example of FIGURE 2 are protection categories 220A, 220B and 220C. In the database, protection categories may be present as protection category information elements.
[0034] Examples of protection categories comprise protection for normal operations functions, protection for preventive functions, protection for essential functions and protection for severe accident management functions.
[0035] Protection for normal operations comprises functional entities, which in at least some embodiments enable redundancy, aiming to defend against the threats jeopardizing systems meant for normal operations.
[0036] Protection for preventive functions comprises functional entities, which in at least some embodiments enable separation and prevention of single fault failure, aiming to defend against the threats jeopardizing preventive functions.
[0037] Protection for essential functions comprises functional entities, which in at least some embodiments enable separation and diversity and prevention of single fault failure, aiming to defend against threats jeopardizing essential functions. These functional entities may additionally or alternatively comprise systems designed to prevent anticipated transients, which are predictable error conditions falling short of accidents.
[0038] Protection for severe accident management functions comprises functional entities, which in at least some embodiments enable separation and diversity and prevention of single fault failure, aiming to defend against threats that can potentially jeopardise systems designed to manage severe accidents.
[0039] Under plant layer 220 is disposed architecture layer 230. Layer 230 may comprise architecture definition information elements, at least some such information elements being associated with at least one protection category information element on level 220. The architecture definition information elements may comprise indications as to the way in which the architecture therein defined contributes to embodiment of the design principles associated with associated protection categories. In other words, the architecture definition information elements may comprise information as to how the design principles of the higher-level protection categories are implemented in the architecture level. Architecture definition information elements included in the example of FIGURE 2 are architecture definition information elements 230A, 230B and 230C.
[0040] Examples of architectures include functional architecture, hazard layout architecture, information security architecture, physical security architecture, control room architecture and hazard human factor architecture. Hazard layout architecture may describe the application of protection engineering principles. Information security architecture may describe strategies to prevent cybersecurity attacks, such as denial-of-service attacks and hacking. Control room architecture may describe how the control room is arranged to control functioning of the protection system, and hazard human factor architecture may describe the application of human factor engineering to prevent unintentional errors.
[0041] Under architecture layer 230 is disposed system layer 240. System layer 240 may comprise system-level information elements, each such information element being associated with at least one architecture definition information element on level 230. The system-level information elements may comprise indications as to the way in which the systems therein defined contribute to embodiment of the design principles associated with associated protection categories, wherein protection categories are associated with system-level information elements via architecture definition information elements on architecture level 230. System-level information elements included in the example of FIGURE 2 are system-level information elements 240A, 240B, 240C and 240D. In some embodiments, the protection categories are directly associated, via database relations, with system-level information elements and the digital design does not comprise a separate architecture layer with architecture definition information elements.
[0042] Examples of systems of an external threat protection system include protection systems which may be active functions, like initiating alarms due to a fire or a security breach, or passive systems, such as fire resistant walls or implemented one-way-only data communication.
[0043] Under system layer 240 is disposed equipment layer 250. Equipment layer 250 may comprise equipment-level information elements, each such information element being associated with at least one system-level information element on level 240. The equipment-level information elements may comprise indications as to the way in which the equipment therein defined contributes to embodiment of the design principles associated with associated protection categories, wherein protection categories are associated with equipment-level information elements via system-level information elements on system layer 240 and, optionally, architecture definition information elements on architecture level 230. Equipment-level information elements are illustrated in FIGURE 2 collectively as elements 250A.
[0044] In some embodiments, regulatory requirements may be assigned to individual systems or pieces of equipment. Such system-level or equipment-level regulatory requirements may be recorded in system-level or equipment-level information elements and used as additional constraints in implementing methods in accordance with the present invention.
[0045] Using the hierarchical database system described above, it can be determined which pieces of equipment in the plant contribute to which plant-level functional requirements and design principles. As a consequence, when a piece of equipment is replaced with a new type of equipment, it can be assessed what the implications are for the plant overall in terms of design principles of the external threat protection system. For example, where a computer is replaced with a new kind of computer, say a computer based on a complex instruction set computing, CISC, processor is replaced with a computer based on a reduced instruction set computing, RISC, processor, the new computer may be able to perform as a diversity computer to an already present CISC computer in the external threat protection system. In this case, installing the RISC computer to replace an older computer may enable removal of a further computer from the plant, the diversity role of the further computer being thereafter performed by the new computer. The further computer may be comprised in a different system or architecture, and it may be associated with a different protection category than the old computer the new RISC computer replaces, for example.
[0046] In general, the equipment information element of the piece of equipment which is replaced may describe how the new piece of equipment needs to operate. Thus the new equipment need not be a like-for-like replacement, which might be difficult in case a long time has elapsed since the equipment to be replaced was manufactured. Furthermore, when other equipment in the protection system has in the meantime been replaced with potentially more capable devices, the technical requirements for the replacement equipment may be less stringent than those of the original equipment which is being replaced with the new equipment. An advantage of a digital design is its iterative updating, when information elements are updated. This achieves the technical benefit of avoiding over-construction of the protection system.
[0047] Running the database system as described above may at least in part automate such design considerations of the safety critical system. Since each equipment-level information element stores, or is associated with, information describing each role the described equipment performs in the external threat protection system, a user may interact with the database system to identify whether replacing the piece of equipment with a new piece of equipment enables a simplification in the overall system, or whether characteristics of the new piece of equipment necessitate a further modification to the overall system to maintain the design principles of the protection categories.
[0048] A further modification may be necessary where, for example, the new piece of equipment is unable to perform a role the previous piece of equipment performed, for example as a redundancy or diversity element to a further piece of equipment, which may be comprised in a different system or architecture. Thus instead of assigning requirements to individual pieces of equipment, design principles are associated with protection categories to enable smart plant management and selection of replacement pieces of equipment in such a way that the plant overall may be simplified. A simplified plant provides the technical effect that running it consumes less energy, for example.
[0049] Similarly, using the database system enables a fuller understanding of fault conditions, since the database system identifies the roles each piece of equipment registered therein performs. Therefore, when a piece of equipment develops a fault, it can be identified, using the database system, which other systems have less redundancy, or suffer a drawback with respect to another design principle, as a consequence of the fault. At least one constraint of a corrective action may then be presented to users. For example, the corrective action must provide diversity for an equipment in another system of the overall external threat protection system, and redundancy for an equipment in yet another system of the overall external threat protection system.
[0050] For example, an access control function belonging to protection category protection for essential functions may have a requirement N+1, which means that one fault must be tolerated without losing the function. Thus, the function has to have two methods of controlling the access, for example a PIN code and a fingerprint, or two PIN codes. The protection category does not yet define specific solutions. The function is, in this example, allocated to protection zone 1. That means that on the perimeter of this zone the two methods of controlling the access have to be implemented. First and second systems may be allocated to protection zone 1. Thus, both of those systems have to have equipment that realizes two methods of controlling the access. In some embodiments, if a user has identified himself to either of those systems, the other one is available for use without a further access control method. Requirements assigned to a protection category may be linked to the protection category, function, zone, system and equipment, allowing transparency of design and simplifying modifications during operation.
[0051] FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention. Illustrated is device 300, which may comprise, for example, a device such as database system 150 of FIGURE 1. Comprised in device 300 is processor 310, which may comprise, for example, a single- or multi-core processor wherein a single-core processor comprises one processing core and a multi-core processor comprises more than one processing core. Processor 310 may comprise a Xeon or Opteron processor, for example. Processor 310 may comprise more than one processor. A processing core may comprise, for example, a Cortex-A8 processing core manufactured by ARM Holdings or a Ryzen processing core produced by Advanced Micro Devices Corporation. Processor 310 may comprise at least one application-specific integrated circuit, ASIC. Processor 310 may comprise at least one field-programmable gate array, FPGA. Processor 310 may be means for performing method steps in device 300. Processor 310 may be configured, at least in part by computer instructions, to perform actions.
[0052] Device 300 may comprise memory 320. Memory 320 may comprise random-access memory and/or permanent memory. Memory 320 may comprise at least one RAM chip. Memory 320 may comprise magnetic, optical and/or holographic memory, for example. Memory 320 may be configured to store information elements of a database system, for example. Memory 320 may be at least in part accessible to processor 310. Memory 320 may be means for storing information. Memory 320 may comprise computer instructions that processor 310 is configured to execute. When computer instructions configured to cause processor 310 to perform certain actions are stored in memory 320, and device 300 overall is configured to run under the direction of processor 310 using computer instructions from memory 320, processor 310 and/or its at least one processing core may be considered to be configured to perform said certain actions. Memory 320 may be at least in part comprised in processor 310. Memory 320 may be at least in part external to device 300 but accessible to device 300.
[0053] Device 300 may comprise a transmitter 330. Device 300 may comprise a receiver 340. Transmitter 330 and receiver 340 may be configured to transmit and receive, respectively, information in accordance with at least one communication standard. Transmitter 330 may comprise more than one transmitter. Receiver 340 may comprise more than one receiver. Transmitter 330 and/or receiver 340 may be configured to operate in accordance with wireless local area network, WLAN, Ethernet and/or worldwide interoperability for microwave access, WiMAX, standards, for example.
[0054] Device 300 may comprise user interface, UI, 360. UI 360 may comprise at least one of a display, a keyboard and a touchscreen. A user may be able to operate device 300 via UI 360, for example to interact with a database system comprised in, or controlled by, device 300.
[0055] Device 300 may comprise or be arranged to accept a user identity module 370. User identity module 370 may comprise, for example, a secure element. A user identity module 370 may comprise cryptographic information usable to verify the identity of a user of device 300 and/or to facilitate encryption and decryption of database contents.
[0056] Processor 310 may be furnished with a transmitter arranged to output information from processor 310, via electrical leads internal to device 300, to other devices comprised in device 300. Such a transmitter may comprise a serial bus transmitter arranged to, for example, output information via at least one electrical lead to memory 320 for storage therein. Alternatively to a serial bus, the transmitter may comprise a parallel bus transmitter. Likewise processor 310 may comprise a receiver arranged to receive information in processor 310, via electrical leads internal to device 300, from other devices comprised in device 300. Such a receiver may comprise a serial bus receiver arranged to, for example, receive information via at least one electrical lead from receiver 340 for processing in processor 310. Alternatively to a serial bus, the receiver may comprise a parallel bus receiver.
[0057] Processor 310, memory 320, transmitter 330, receiver 340, UI 360 and/or user identity module 370 may be interconnected by electrical leads internal to device 300 in a multitude of different ways. For example, each of the aforementioned devices may be separately connected to a master bus internal to device 300, to allow for the devices to exchange information. However, as the skilled person will appreciate, this is only one example and depending on the embodiment various ways of interconnecting at least two of the aforementioned devices may be selected without departing from the scope of the present invention.
[0058] FIGURE 4 illustrates an example database structure in accordance with at least some embodiments of the present invention. Layer 410 corresponds in terms of FIGURE 2 to the protection category layer, storing protection category information elements. Optional layer 420 corresponds in terms of FIGURE 2 to the architecture layer, storing architecture definition information elements. Layer 430 corresponds in terms of FIGURE 2 to the system layer, storing system-level information elements. Finally, layer 440 corresponds in terms of FIGURE 2 to the equipment layer, storing equipment-level information elements. A database relation layer may be disposed between layer 410 and layer 420, between layer 420 and layer 430, and/or between layer 430 and layer 440.
[0059] FIGURE 5 is a first flow chart of a first method of implementing a nuclear power station external threat protection system in accordance with at least some embodiments of the present invention. The phases of the illustrated method may be performed in database 150 of FIGURE 1 or on device 300 of FIGURE 3, for example.
[0060] Phase 510 comprises defining, in a computerized database, a digital design comprising a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle. More than one protection category may be defined. Optional phase 520 comprises associating, in the computerized database, in the digital design, the or each protection category information element with at least one architecture definition information element of the digital design. Phase 530 comprises associating, in the computerized database, in the digital design, each of the at least one architecture definition information element with at least one system-level information element of the digital design. Where phase 520 is absent, the at least one system-level information element of the digital design is associated with the protection category information element(s). Finally, phase 540 comprises verifying, in the computerized database, that the external threat protection system described by the digital design is compliant with the at least one design principle.
[0061] FIGURE 6 is a second flow chart of a second method in accordance with at least some embodiments of the present invention. The phases of the illustrated method may be performed in database 150 of FIGURE 1 or on device 300 of FIGURE 3, for example.
[0062] Phase 610 comprises recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element, at least one architecture definition information element and at least one system-level information element. Phase 620 comprises verifying that the digital design is compliant with at least one design principle. Phase 630 specifies that the protection category information element is associated with at least one functional requirement and the at least one design principle.
[0063] In general, there is provided a method, comprising defining a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle, associating the protection category information element with at least one architecture definition information element, associating each of the at least one architecture definition information element with at least one system-level information element, and verifying the system described by the at least one architecture definition information element and associated system-level information elements is compliant with the at least one design principle. The method may be performed using a database system, for example. The associating phases comprised in the method may comprise defining information element association properties in the database system. The verifying may comprise running a verification algorithm on the information elements comprised in the database system.
[0064] The verifying may comprise checking that for each design principle, the architecture, systems and pieces of equipment associated with the design principle together embody the design principle. The verifying does not, in some embodiments, require that each information element directly or indirectly associated with the design principle embodies the design principle. For example, where the design principle comprises redundancy, not all pieces of equipment directly or indirectly associated with a protection category associated with redundancy need be made redundant in the sense of installing duplicate pieces of the equipment. In these embodiments, it suffices that the function defined by the associated information elements as a whole is redundant. In other words, should any individual piece of equipment comprised in this function fail, its purpose may be served by another piece of equipment which need not be identical to it, and need not be comprised in the system or protection category in question. The safety critical system may comprise systems or pieces of equipment that do not need redundancy or diversity, for example. The information elements describing these pieces of equipment may comprise information indicating the way in which the design principle is implemented with respect to the functions of these pieces of equipment.
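The aggregate-level verification described in [0063]-[0064], together with the fault-impact and replacement assessments of [0045]-[0050], as an added Python model (not code from the patent or from Fortum). It assumes a toy hierarchy of protection category, architecture, system and equipment elements with hypothetical field names, and interprets redundancy N+1 as "at least two performers remain", diversity as "at least two principles of action" and separation as "at least two locations", all checked over the set of performers as a whole rather than per piece of equipment.

```python
import copy
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Design principle names as used on the page.
REDUNDANCY = "redundancy N+1"   # one fault tolerated without losing the function
SEPARATION = "separation"       # performers housed in different locations
DIVERSITY = "diversity"         # performers based on different principles of action


@dataclass
class Equipment:
    """Equipment-level information element (hypothetical fields)."""
    eq_id: str
    principle_of_action: str   # e.g. "pin_code", "fingerprint"
    location: str              # building or zone, used for separation
    roles: Set[str]            # functions this item can perform


@dataclass
class System:
    """System-level information element."""
    sys_id: str
    equipment: List[Equipment]


@dataclass
class Architecture:
    """Architecture definition information element (optional layer)."""
    arch_id: str
    systems: List[System]


@dataclass
class ProtectionCategory:
    """Protection category: one functional requirement plus design principles."""
    pc_id: str
    functional_requirement: str
    design_principles: Set[str]
    architectures: List[Architecture]


def performers(pc: ProtectionCategory, failed: FrozenSet[str] = frozenset()) -> List[Equipment]:
    """Equipment indirectly associated with pc (via architecture and system) that can
    perform its functional requirement and has not failed."""
    return [eq for arch in pc.architectures for sys in arch.systems for eq in sys.equipment
            if pc.functional_requirement in eq.roles and eq.eq_id not in failed]


def embodies(pc: ProtectionCategory, principle: str, failed: FrozenSet[str] = frozenset()) -> bool:
    """Check a principle at the aggregate level: the set of performers as a whole must
    embody it; no individual piece of equipment has to be duplicated."""
    items = performers(pc, failed)
    if principle == REDUNDANCY:
        return len(items) >= 2
    if principle == DIVERSITY:
        return len({e.principle_of_action for e in items}) >= 2
    if principle == SEPARATION:
        return len({e.location for e in items}) >= 2
    raise ValueError(f"unknown design principle: {principle}")


def verify(design: List[ProtectionCategory], failed: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Verification phase: per protection category, the design principles NOT embodied."""
    return {pc.pc_id: [p for p in sorted(pc.design_principles) if not embodies(pc, p, failed)]
            for pc in design}


def fault_impact(design: List[ProtectionCategory], failed_eq_id: str) -> Dict[str, List[str]]:
    """Principles each protection category loses when one piece of equipment develops a fault."""
    before, after = verify(design), verify(design, frozenset({failed_eq_id}))
    return {pc_id: [p for p in after[pc_id] if p not in before[pc_id]] for pc_id in after}


def assess_replacement(design: List[ProtectionCategory], old_eq_id: str,
                       new_eq: Equipment) -> Dict[str, List[str]]:
    """Swap one piece of equipment in every system that holds it and re-verify a copy
    of the design; a non-empty list means a further modification is needed."""
    design = copy.deepcopy(design)
    for pc in design:
        for arch in pc.architectures:
            for sys in arch.systems:
                sys.equipment = [new_eq if eq.eq_id == old_eq_id else eq for eq in sys.equipment]
    return verify(design)


def example_design() -> List[ProtectionCategory]:
    """Constructed sample: the page's N+1 access control function in protection zone 1,
    served by two systems; PEF carries redundancy, separation and diversity."""
    pin_pad_1 = Equipment("pin_pad_1", "pin_code", "building_100", {"access_control"})
    pin_pad_2 = Equipment("pin_pad_2", "pin_code", "building_100", {"access_control"})
    fp_reader_1 = Equipment("fp_reader_1", "fingerprint", "building_200", {"access_control"})
    zone1 = Architecture("physical_security", [
        System("access_system_1", [pin_pad_1, pin_pad_2]),
        System("access_system_2", [fp_reader_1]),
    ])
    return [ProtectionCategory("PEF", "access_control", {REDUNDANCY, SEPARATION, DIVERSITY}, [zone1])]


if __name__ == "__main__":
    d = example_design()
    print("as designed:", verify(d))                      # {'PEF': []}
    print("fp_reader_1 fails:", fault_impact(d, "fp_reader_1"))
    print("replace with PIN pad:", assess_replacement(
        d, "fp_reader_1", Equipment("pin_pad_3", "pin_code", "building_200", {"access_control"})))
```

Losing the fingerprint reader keeps the function redundant (two PIN pads remain) but drops diversity and separation, and replacing it with a third PIN pad restores separation only, which is the "further modification needed" case of [0048].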
[0065] In at least some embodiments, the database system stores sequence information elements, each sequence information element describing a sequence of actions, each sequence information element being associated with a triggering event and each sequence information element being associated with a protection category information element. The sequence may control the consequences of the occurrence of the event. For example, an event may comprise a point failure in a system or an interruption in communication apparatus function, and the sequence of actions may comprise a pre-planned response to the threat whereby the consequences of the threat are controlled.
[0066] FIGURE 7 illustrates example design verification in accordance with at least some embodiments of the present invention. Of the W-shaped FIGURE 7, the left-most prong corresponds to architectures and external threat protection systems' design, the middle prong corresponds to risk analysis of the protection system as designed, and finally the right-most prong corresponds to risk analysis of the completed, as-built external threat protection system of the safety critical system.
[0067] Unit 710 is a hazard protection design, which leads to a preliminary plant level risk analysis 710A in the as-designed phase. A corresponding final plant level risk analysis 710B is conducted in the as-built phase.
[0068] Unit 720 is a protection functional architecture, which may form a basis for other architectures. Protection functional architecture 720 may be divided, for example, into information security protection functional architecture and other protection functional architectures. Protection functional architecture 720 leads to a preliminary security risk analysis 720A in the as-designed phase and a final security risk analysis 720B in the as-built phase. The hazard protection design 710 and the protection functional architecture 720 reflect plant-level risk analysis specifications and security function risk specifications, respectively.
[0069] Unit 730 is an information security architecture. Information security architecture 730 leads to an as-designed architecture risk analysis 730A in the as-designed phase and to an as-built architecture risk analysis 730B in the as-built phase.
[0070] Unit 740 is a physical protection architecture. Physical protection architecture 740 leads to an as-designed architecture risk analysis 740A in the as-designed phase and an as-built architecture risk analysis 740B in the as-built phase.
[0071] Unit 750 is a human factor protection architecture, which leads to an as- designed architecture risk analysis 750 A in the as-designed phase and an as-built architecture risk analysis 750B in the as-built phase. Information security architecture 730, physical protection architecture 740 and human factor protection architecture 740 are examples of architecture level risk specifications.
[0072] System level risk analysis design 760 is developed into system-specific risk analysis 760 A in the as-designed phase and system- specific risk analysis 760B in the as- built phase.
[0073] Unit 770 denotes an equipment level design, which leads to an equipment-level risk analysis 770B as designed, and an equipment-level risk analysis 770B as built. Overall, the database system comprising protection category information elements, architecture definition information elements, system-level information elements and equipment-level information elements enables verifying that the design correctly embodies the design principles associated with the protection category information elements.
[0074] In the following table, allocation of protection categories to threat classes is laid out in accordance with at least some embodiments. DBT1 - DBT3 are design basis threat classes, DET1 is a design basis extension threat class and SAT is a severe accident threat, which is associated with the protection category protection for severe accident management functions of the external threat protection system. In this example, protection category PNO is associated with no design principle, i.e. no redundancy. Protection category PPF is associated with the design principles redundancy N+1 and separation. Protection category PEF is associated with the design principles redundancy N+1, separation and diversity against PPF and PSF. Protection category PSF is associated with the design principles redundancy N+1, separation and diversity against all other protection categories.
[Table: allocation of protection categories PNO, PPF, PEF and PSF to threat classes DBT1 - DBT3, DET1 and SAT; the table image is not reproduced in this extraction.]
[0075] At least in some embodiments, where a piece of equipment is associated with two protection categories having different design principles, the more stringent design principle, safety class or quality requirement may be arranged to prevail concerning the function of the piece of equipment. For example, diversity may be seen as more stringent than redundancy, since in addition to another unit, an additional requirement of a different operating principle is assigned to the units. As another example, where differing environmental safety requirements apply, the more stringent requirement may be arranged to prevail.
[0076] In some embodiments of the invention, a computerized monitoring system is provided, wherein the computerized monitoring system is configured to receive, from the external threat protection system, failure notifications. Each failure notification may relate to a failure of an item of equipment, for example one represented by an equipment information element, a system-level information element and/or an architecture information element in a database arranged in accordance with the principles of the present invention. The failure notifications may be automatically generated from sensors arranged to monitor how equipment comprised in the nuclear power station or aircraft performs, for example.
[0077] The computerized monitoring system may be configured to, responsive to a failure notification, determine, using a database such as one described above, an effect of the failure on how a design principle is complied with. A design principle may comprise at least one of the following: redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification. For example, where an item of equipment fails, and the failed equipment played a role in providing for a design principle with respect to another item of equipment, a visual or other kind of indication may be provided, in a user interface, the indication conveying that the design principle is not sufficiently provided for as it relates to the other item of equipment.
[0078] Thus, for example, where a first equipment fails and the first equipment provided, prior to the failure, at least partly, redundancy for a second equipment, the computerized monitoring system may determine the redundancy effect of the failure of the first equipment, using the protection category associated with the functional requirement and the at least one design principle to determine the systems and/or equipment the redundancy of which is affected by the failure. An indication may be provided of a reduced redundancy level, and the systems and/or pieces of equipment that the reduced redundancy level affects. The reduced redundancy level is a technical characteristic of the external threat protection system and the equipment comprised therein.
[0079] The first equipment corresponds in the database to a corresponding first equipment information element. Where the first equipment information element is associated, via database relations, with more than one protection category information element in the database, the computerized monitoring system may be configured to determine a set comprising each design principle associated with each protection category information element associated, via database relations, with the first equipment information element, and to identify, based on each design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification. For example, a technical constraint of an action may comprise that the action must provide redundancy or diversity for a function of a further equipment.
[0080] Thus, for example, where a pump in an external threat protection system develops a failure, a sensor comprised in the pump may provide a failure notification to the computerized monitoring system. Responsive to the failure notification, the computerized monitoring system may determine that an equipment information element in the database corresponding to the pump is associated, via database relations, with the protection category information elements corresponding to the protection categories protection for essential functions and protection for normal operation functions. In this example, protection category protection for essential functions is associated with design principles redundancy and diversity, and protection category protection for normal operation functions is associated with design principles redundancy, diversity and separation. Thus, the set of design principles comprises redundancy, diversity and separation.
[0081] The computerized monitoring system may further be configured to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure associated with the failure notification. In the example above, compensating actions would be constrained with respect to equipment unit count to meet the design principle redundancy, equipment principle of action to meet the design principle diversity, and equipment location to meet the design principle separation. The technical constraint, or an indication thereof, may be provided to users of the external threat protection system, for example via a user interface. In some embodiments, the computerized monitoring system is configured to automatically perform, at least partly, the action in accordance with the technical constraint(s). The action may comprise, for example, activation of a reserve unit selected based on the technical constraint(s).
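As an added illustration, not code from the patent or from Fortum, the following Python sketch models the database relations described in [0073] and [0080], the as-designed verification of [0073] and [0074], and the failure handling of [0077] to [0081] in one place. The equipment records, the mapping of protection categories to design principles (taken from the example values in [0080]), the N+1 threshold of two working units, and the simplified checks for separation (distinct locations) and diversity (at least two principles of action) are all assumptions of this example.

```python
"""Toy model of the database-backed design verification and failure handling.

Added example; not the patent's own code. Sample plant data, the N+1 threshold and
the simplified separation/diversity checks are assumptions of this illustration.
"""
from dataclasses import dataclass, field

# Design principles named in [0077] and in claims 14 and 16.
REDUNDANCY, DIVERSITY, SEPARATION, ISOLATION = (
    "redundancy", "diversity", "separation", "isolation")

# Constraint each design principle places on a compensating action (claims 17-20).
CONSTRAINT_OF = {
    REDUNDANCY: "unit count",
    DIVERSITY: "principle of action",
    SEPARATION: "location",
    ISOLATION: "physical separation",
}

# Protection category information elements -> design principles, using the
# values of the worked example in [0080] (constructed sample data).
PROTECTION_CATEGORIES = {
    "PEF": {REDUNDANCY, DIVERSITY},              # protection for essential functions
    "PNO": {REDUNDANCY, DIVERSITY, SEPARATION},  # protection for normal operation functions
}


@dataclass
class Equipment:
    """Equipment information element carrying the attributes the principles are checked against."""
    name: str
    function: str             # functional requirement the unit serves
    location: str             # compared by the separation check
    principle_of_action: str  # compared by the diversity check
    categories: set = field(default_factory=set)  # related protection categories
    failed: bool = False


def design_principles_for(unit: Equipment) -> set:
    """Union of design principles over every protection category related to the unit ([0080])."""
    principles = set()
    for category in unit.categories:
        principles |= PROTECTION_CATEGORIES[category]
    return principles


def constraints_for(principles: set) -> dict:
    """Technical constraints a compensating action must satisfy ([0081], claims 17-20)."""
    return {p: CONSTRAINT_OF[p] for p in sorted(principles)}


def verify_design(units: list, function: str, n_plus_one: int = 2) -> list:
    """Check that the working units serving `function` still embody the design principles
    required by their protection categories; returns a list of violation messages ([0073])."""
    serving = [u for u in units if u.function == function]
    working = [u for u in serving if not u.failed]
    # The requirement follows from the design, so failed units still contribute to it.
    required = set().union(*(design_principles_for(u) for u in serving))
    violations = []
    if REDUNDANCY in required and len(working) < n_plus_one:
        violations.append(f"{function}: redundancy N+1 not met ({len(working)} working unit(s))")
    if SEPARATION in required and len({u.location for u in working}) < len(working):
        violations.append(f"{function}: separation violated, units share a location")
    if DIVERSITY in required and len({u.principle_of_action for u in working}) < 2:
        violations.append(f"{function}: diversity violated, single principle of action")
    return violations


def handle_failure(units: list, failed_name: str) -> dict:
    """Respond to a failure notification ([0077]-[0081]): mark the unit failed, collect the
    design principles it is bound to, derive the action constraints, and report the peers
    whose redundancy the failure reduces together with the resulting design deviations."""
    failed = next(u for u in units if u.name == failed_name)
    failed.failed = True
    principles = design_principles_for(failed)
    peers = [u.name for u in units
             if u.function == failed.function and u is not failed and not u.failed]
    return {
        "failed": failed.name,
        "design_principles": sorted(principles),
        "constraints": constraints_for(principles),
        "redundancy_affected": peers,
        "remaining_units": len(peers),
        "violations": verify_design(units, failed.function),
    }


def sample_plant() -> list:
    """Constructed sample data: two pumps providing one emergency cooling function."""
    return [
        Equipment("pump-A", "emergency cooling", "building 1", "electric motor", {"PEF", "PNO"}),
        Equipment("pump-B", "emergency cooling", "building 2", "diesel engine", {"PEF"}),
    ]


if __name__ == "__main__":
    plant = sample_plant()
    print("as-designed violations:", verify_design(plant, "emergency cooling"))
    print("after failure of pump-A:", handle_failure(plant, "pump-A"))
```

The as-designed check passes for the sample plant, and the failure of pump-A yields the design principle set {diversity, redundancy, separation} of [0080], the constraints on unit count, principle of action and location of [0081], pump-B as the unit whose redundancy is reduced, and violations of redundancy N+1 and diversity that a reserve unit chosen under those constraints would have to remove.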
[0082] Thus in accordance with the invention, personnel are enabled to become aware of which aspects of a failed piece of equipment are relevant for safe operation of the external threat protection system, for example. Expressed in other words, the computerized monitoring system is configured to provide information concerning the operational status of the external threat protection system, and deviations from a nominal operational status that result from the failure.
[0083] A technical effect provided by the computerized monitoring system and associated database lies in enabling reaction to the actually relevant aspects of an equipment that has developed a failure. In prior systems, a decision tree may be employed, for example. However, a decision tree in the case of an external threat protection system is very difficult to maintain due to the highly complex nature of such a system. Furthermore, a decision tree does not typically provide information on the actual aspects of a failed equipment that are of significance; rather, a decision tree simply informs concerning actions needed to replace the failed equipment with an identical one. The constraints described herein, on the other hand, enable reacting to a failure in a way that addresses the technical situation, rather than requiring simple duplication of an original design and like-for-like replacement of a failed piece of equipment.
[0084] It is to be understood that the embodiments of the invention disclosed are not limited to the particular structures, process steps, or materials disclosed herein, but are extended to equivalents thereof as would be recognized by those ordinarily skilled in the relevant arts. It should also be understood that terminology employed herein is used for the purpose of describing particular embodiments only and is not intended to be limiting.
[0085] Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment.
[0086] As used herein, a plurality of items, structural elements, compositional elements, and/or materials may be presented in a common list for convenience. However, these lists should be construed as though each member of the list is individually identified as a separate and unique member. Thus, no individual member of such list should be construed as a de facto equivalent of any other member of the same list solely based on their presentation in a common group without indications to the contrary. In addition, various embodiments and example of the present invention may be referred to herein along with alternatives for the various components thereof. It is understood that such embodiments, examples, and alternatives are not to be construed as de facto equivalents of one another, but are to be considered as separate and autonomous representations of the present invention.
[0087] Furthermore, described features, structures, or characteristics may be combined in any suitable or technically feasible manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of lengths, widths, shapes, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention can be practiced without one or more of the specific details, or with other methods, components, materials, etc. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
[0088] While the foregoing examples are illustrative of the principles of the present invention in one or more particular applications, it will be apparent to those of ordinary skill in the art that numerous modifications in form, usage and details of implementation can be made without the exercise of inventive faculty, and without departing from the principles and concepts of the invention. Accordingly, it is not intended that the invention be limited, except as by the claims set forth below.

Claims
1. A method of implementing a safety critical system external threat protection system, comprising: defining, in a computerized database, a digital design comprising a protection category information element, the protection category information element being associated with at least one functional requirement and at least one design principle; associating, in the computerized database, in the digital design, the protection category information element with at least one architecture definition information element of the digital design; associating, in the computerized database, in the digital design, each of the at least one architecture definition information element with at least one system-level information element of the digital design, and verifying, in the computerized database, that the external threat protection system described by the digital design is compliant with the at least one design principle.
2. The method according to claim 1, wherein each system-level information element is associated with at least one equipment information element.
3. The method according to claim 1 or 2, further comprising defining a second protection category information element, and associating the second protection category information element with at least one architecture definition information element.
4. The method according to any of claims 1 - 3, wherein at least one of the at least one architecture definition information element is comprised in the following list: hazard layout architecture, information security architecture, physical security architecture and hazard human factor architecture.
5. The method according to any of claims 1 - 4, wherein at least one of the at least one system-level information element is comprised in the following list: active function protection system information elements and passive protection system information elements.
6. The method according to any of claims 1 - 7, further comprising modifying at least one of the protection category information element, the architecture definition information element and the at least one system-level information element responsive to the verification indicating the external threat protection system described by the digital design is not compliant with the at least one design principle.
7. The method according to any of claims 1 - 6, further comprising at least one of building the external threat protection system described by the digital design and operating the external threat protection system described by the digital design to protect the safety critical system from external threats.
8. A method, comprising: recording a first change in an information element in a digital design stored in a computerized database, the digital design comprising a protection category information element, at least one architecture definition information element and at least one system-level information element, and verifying the digital design is compliant with at least one design principle, wherein the protection category information element is associated with at least one functional requirement and at the least one design principle.
9. The method according to claim 8, wherein the database further comprises at least one equipment information element.
10. The method according to claim 8 or 9, wherein the protection category information element is associated, in the digital design, with the at least one architecture definition information element and each of the at least one architecture definition information element is associated with at least one of the at least one system-level information element.
11. The method according to any of claims 8 - 10, wherein, responsive to the verification indicating the system does not comply with the at least one design principle, the method comprises recording a second change in the database system and performing a second verification as to whether the system complies with the at least one design principle after the second change.
12. The method according to claim 11, wherein the second change does not modify the same information element as the first change.
13. The method according to any of claims 8 - 12, wherein at least one of the at least one architecture definition information element is comprised in the following list: hazard layout architecture, information security architecture, physical security architecture and hazard human factor architecture.
14. A method according to any of claims 1 - 13, wherein the at least one design principle comprises at least one of the following: redundancy, diversity, separation, isolation, quality level, reliability level, seismic qualification and environmental condition qualification.
15. A method according to any of claims 1 - 14, wherein the at least one functional requirement is comprised in the following list: flooding and fire protection, airplane crash, cybersecurity, and natural hazards e.g. earthquakes.
16. A computerized safety critical system external threat protection system, comprising: a memory configured to store a digital design comprising a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list, the technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards, and an equipment database configured to store at least one equipment information element, and at least one processor configured to, responsive to receipt in the computerized safety critical system external threat protection system of a failure notification concerning a first equipment information element, determine, using the database, a set comprising each technical design principle associated with each protection category information element associated, via database relations, with the first equipment information element, and to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification, wherein the at least one processor is configured to control a transmitter to output the technical constraint of the action to a user interface of the computerized safety critical system external threat protection system.
17. The computerized safety critical system external threat protection system of claim 16, wherein the at least one processor is configured to determine a constraint of increased unit count responsive to the set comprising the technical design principle redundancy.
18. The computerized safety critical system external threat protection system of any of claims 16 - 17, wherein the at least one processor is configured to determine a constraint of principle of action responsive to the set comprising the technical design principle diversity.
19. The computerized safety critical system external threat protection system of any of claims 16 - 18, wherein the at least one processor is configured to determine a constraint of location responsive to the set comprising the technical design principle separation.
20. The computerized safety critical system external threat protection system of any of claims 16 - 19, wherein the at least one processor is configured to determine a constraint of physical separation responsive to the set comprising the technical design principle isolation.
21. The computerized safety critical system external threat protection system of any of claims 16 - 19, wherein in the digital design, the first equipment information element is associated, via database relations, with more than one protection category to ensure a design principle is respected in implementing technical functional requirements of the more than one protection category.
22. A non-transitory computer readable medium having stored thereon a set of computer readable instructions that, when executed by at least one processor, cause a computerized safety critical system external threat protection system to at least: store a digital design comprising a protection category database configured to store a plurality of protection category information elements comprising a protection for normal operation functions category and a protection for essential functions category, each protection category information element being associated with at least one technical functional requirement and at least one technical design principle, each technical design principle being comprised in a technical design principle list, the technical design principle list comprising redundancy, diversity, separation and isolation, each functional requirement being comprised in a functional requirement list, the functional requirement list comprising flooding and fire protection, airplane crash, cybersecurity, and natural hazards, and an equipment database configured to store at least one equipment information element, determine, responsive to receipt in the computerized safety critical system external threat protection monitoring system of a failure notification concerning a first equipment information element, using the database, a set comprising each technical design principle associated with each protection category information element associated, via database relations, with the first equipment information element, and to identify, based on each technical design principle comprised in the set, a technical constraint of an action compensating, at least partly, effects of the failure identified in the failure notification, wherein the technical constraint of the action is output to a user interface of the computerized safety critical system external threat protection system.
Application Number Priority Date Filing Date Title
PCT/FI2020/050330 WO2021229138A1 (en) 2020-05-15 2020-05-15 External threat protection system

Publication Number Publication Date
WO2021229138A1 2021-11-18

Family ID=78525371

Country Status: WO (1) WO2021229138A1 (en)
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4632802A (en) * 1982-09-16 1986-12-30 Combustion Engineering, Inc. Nuclear plant safety evaluation system
EP2667270A1 (en) * 2011-01-20 2013-11-27 Mitsubishi Heavy Industries, Ltd. Plant safety design assistance device and plant monitoring and maintenance assistance device
WO2016120532A1 (en) * 2015-01-30 2016-08-04 Fortum Oyj Safety critical system
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20935574; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20935574; Country of ref document: EP; Kind code of ref document: A1)