Rg. Huget et al., "Ontario Hydro Experience in the Identification and Mitigation of Potential Failures in Safety-Critical Software Systems," IEEE Transactions on Nuclear Science, 42(4), 1995, pp. 987-992
Ontario Hydro has had experience in designing and qualifying safety-critical software used in the reactor shutdown systems of its nuclear generating stations. During software design, an analysis of system-level hazards and potential hardware failure effects provides input to determining what safeguards will be needed. One form of safeguard, called software self-checks, continually monitors the health of the computer on line. The design of self-checks is usually a trade-off between the amount of computing resources required, the software complexity, and the level of safeguarding provided. As part of the software verification activity, a software hazards analysis is performed, which identifies any failure modes that could lead to the software causing an unsafe state, and which recommends changes to mitigate that potential. These recommendations may involve a restructuring of the software to be more resistant to failure, or the introduction of other safeguarding measures. This paper discusses how Ontario Hydro has implemented these aspects of software design and verification in safety-critical software used in reactor shutdown systems.