Suitability of Fault Modes and Effects Analysis for Regulatory Assurance of Complex Logic in Digital Instrumentation and Control Systems (NUREG/IA-0254)

On this page:

• Publication Information
• Abstract

Download complete document

• NUREG/IA-0254 (PDF - 2.45 MB)

Publication Information

Manuscript Completed: April 2011
Date Published: June 2011

Prepared by:
Luis Betancourt,² Sushil Birla,² Jean Gassino,¹ Pascal Regnier¹

¹ Institut de Radioprotection et de Sûreté Nucléaire, France
   BP 17-92262 FONTENAY aux roses cedex—France

² U.S. Nuclear Regulatory Commission, USA
   Washington, DC 20555-0001

L. Betancourt, NRC Project Manager

Prepared for:
Division of Engineering
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Prepared as part of:
The agreement on technical exchange and cooperation between the U.S. Nuclear Regulatory Commission and the Institut de Radioprotection et de Sûreté Nucléaire of France in the field of nuclear safety research

Published by:
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Availability Notice

Abstract

The Institut de Radioprotection et de Sûreté Nucléaire (IRSN) and the U.S. Nuclear Regulatory Commission (NRC) jointly investigated and evaluated the suitability of applying fault modes and effects analysis (FMEA), as a technique for identifying faults attributable to Complex Logic in digital instrumentation and controls for safety functions in nuclear power plants. Complex Logic refers to logic in the form of software, or in the form of programmed hardware, for which it is not practicable to ensure the correctness of all behaviors through verification alone. Whereas the term, "failure modes and effects analysis" is used in the context of the overall DI&C system, the corresponding concept for software (and other forms of complex logic) in a DI&C system is "fault modes and effects analysis." When FMEA techniques, which have been used effectively for traditional hardware, are applied to Complex Logic, such extension does not yield a similar benefit to regulatory assurance, because of the fundamental differences in the nature of faults in traditional hardware versus Complex Logic. Whereas hardwired devices (such as electromechanical relays) have only a few predetermined fault modes, the potential fault space in Complex Logic is huge; yet the actual number of faults is an extremely small fraction of the potential fault space. Finding these faults through FMEA is akin to searching for a needle in a haystack. Through analysis and examples of several real-life catastrophes, this report shows that FMEA could not have helped in the discovery of the underlying faults. The report concludes that the contribution of FMEA to regulatory assurance of Complex Logic, especially software, in a nuclear power plant safety system is marginal. Further investigations, not in the scope of the current NRC-IRSN collaborative study, are needed to understand the appropriate roles and combination of FMEA and fault tree analysis and appropriate application constraints for reliable results from such analysis techniques.