
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 61, NO. 2, APRIL 2014 921

Design Verification of Instrumentation and Control Systems of Nuclear Power Plants

Lalit Kumar Singh, Gopika Vinod, and A. K. Tripathi

Abstract—Instrumentation and Control systems are the nervous system of a nuclear power plant. They monitor all facets of the plant's health and help respond with the care and adjustments needed, thus ensuring the goals of efficient power production and safety. Due to the safety significance of I&C, it becomes increasingly important to have a design verification methodology which ensures that I&C systems are fully functional. The strategy discussed models the system for design verification using a Petri net, converts it into a Markov chain and solves the resulting linear system mathematically. It also exploits the best attribute of the created Markov model. The approach has been validated on seven sets of operational profile data of the reactor control system of seven Nuclear Power Plants.

Index Terms—Instrumentation and Control, Markov chain, Nuclear Power Plant, Petri Net.

ACRONYMS

MC Markov Chain

CBS Computer Based System

NPP Nuclear Power Plant

DCC Digital Control Computer

RRS Reactor Regulating System

ACL Adjuster Control Logic

ChPU Channel Processing Unit

DU Display Unit

RTD Resistance Temperature Detector

AERB Atomic Energy Regulatory Board

NOTATION

Probability of transition from state i to j

Transition rate from state i to state j

Probability that a component is in state i

Manuscript received December 01, 2013; revised February 07, 2014; accepted February 07, 2014. Date of publication March 20, 2014; date of current version April 10, 2014.

L. K. Singh is with the Department of Atomic Energy, NPCIL, R&D-Electronics Systems, Government of India, Varanasi, Uttar Pradesh 221005, India (e-mail: [email protected]).

G. Vinod is with the Department of Atomic Energy, Reactor Safety Division, Bhabha Atomic Research Centre, Government of India, Maharashtra 400094, India (e-mail: [email protected]).

A. K. Tripathi is with the Department of Computer Engineering, IIT (BHU), Varanasi 221005, India (e-mail: [email protected]).

Digital Object Identifier 10.1109/TNS.2014.2305656

1 The singular & plural of an acronym are always spelled the same.

Estimated Reliability of ACL module using MC

Actual Reliability of ACL module using operational profile

Estimated Unreliability of ACL module using MC

Actual Unreliability of ACL module using operational profile

I. INTRODUCTION

NPP contains at least a control system, whose functions are performed by DCC that can adjust reactor power to produce the desired amount of electricity [1]–[6]. Considering the importance of the NPP control system, it must be designed to meet high reliability requirements, as specified by the AERB guidelines of the respective country.

The research work in this paper focuses on the improvement of the existing approach to give a reliable prediction of the design metrics of the control system of an NPP. Moreover, this can be applied to all kinds of systems, of all domains, provided it is possible to design or model them. We have taken a small module of RRS, known as ACL, as a case study.

Section II discusses the existing approaches that can be improved for estimating the design metrics of safety related, safety critical and information systems of NPP. Section III gives a complete case study of RRS and its failure impact; we describe the ACL module of RRS in detail. In Section IV, we describe our generic framework for estimating the design metrics of a computer based system along with its application on ACL. In Section V, we validate our approach on the 7 sets of operational profile data of ACL, collected from 7 atomic power stations. Section VI concludes this paper.

II. RELATED WORK

A reliability prediction approach for component based software architecture has been proposed by Reussner [9]. But this approach is like a black box approach, is based on Markov chain and UML, and can predict software reliability. Also, the transition probabilities between the states of the Markov chain have been assumed.

Gokhale and Trivedi [10] also propose a methodology for software reliability prediction based on MC by assuming the transition probabilities between the states of the MC.

Another approach for reliability prediction has been proposed by Cheung [11], which is based on a Hidden Markov Chain. This approach uses five sources from system experts. This paper also lacks the method to compute the transition probabilities between

0018-9499 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


the states of the Markov chain. They state that the transition probabilities can be obtained by assembling and deploying the components and executing the expected usage profile against them. However, for this, software practitioners need to set up the whole system during architecture design, which is often neither desired nor possible.

Recent approaches by Sharma et al. [12] and Wang et al. [13] extend Cheung's work to support different architectural styles and combined performance and reliability analysis. However, they rely on testing data or the software architect's intuition to determine the transition probabilities.

Sato and Trivedi [14] combine a system model and a resource availability model but assume fixed transition probabilities among services.

F. Brosch et al. [15] devised an approach based on the Palladio Component Model which automatically gets transformed into a formal MC. They state that they compute , the probability of success on condition that the system is in state , without giving any computational evidence. Moreover, their basis to estimate the transition probabilities is MTTF and MTTR, which cannot be determined during the architectural or design phase.

Gokhale et al. [16] again tried to address this issue to some extent using a Bayesian approach, but they define a posterior distribution of the random variable to find the transition probabilities based on a priori knowledge, which is also an analytical approach.

Goseva-Popstojanova et al. [17] proposed the method of moments to calculate the sensitivity of a system's reliability to component reliabilities and transition probabilities analytically. Indika et al. [18] proposed a method to evaluate reliability based on the architecture. They try to compute the transition probabilities in the MC from the expected number of visits to a communication link. But the uncertainty associated with this approach lies in quantizing the parameters which are required to compute the estimate of the number of visits.

Some approaches [19] also quote that the usage profile should be used to find the transition probabilities of the system, but this is not a generic solution, as the same software may have a different usage profile if it is installed at different locations.

All of the above methods have taken an analytical approach to quantify the sensitivity, where the applicability is limited to analytically solvable models. However, these analytical sensitivity analysis methods are hard to generalize.

III. A CASE STUDY

A. Reactor Regulating System

A nuclear chain reaction in the NPP is controlled by RRS, which is a CBS. RRS is a process system that is continuously active in the normal control of reactor power. The reactor regulating system allows the reactor power to be reduced to about 60 percent of full power and operation continued indefinitely at that level, or to be quickly reduced to zero power and then restarted within 35 minutes (which is the xenon override time) [5]. To maintain reactor power at the desired set point, RRS adjusts the reactivity control devices. The reactivity devices include (i) liquid zones, (ii) control absorbers and (iii) adjusters. RRS monitors the power level over the full operating range. RRS contains several modules, known as logic blocks. Each logic block is implemented as a program; some are shown only for convenience and do not necessarily imply separate, self-contained programs. All the functions of RRS are achieved by these logic blocks. The functions of RRS are given in detail in [5]. The failure of RRS increases the reactor power, which is an indicator of an uncontrolled nuclear fission reaction; this will invoke the safety systems and there will be loss of one safety boundary. Subsequently, the failure of the safety systems [5] may lead to core melting (fuel failure), due to which radioactivity may get released to the public. All the major nuclear disasters [20] of Level 7 on the International Nuclear Scale Event have happened due to core melting. Hence the reliability requirements of RRS are very high, which is .

Fig. 1. Architecture of Reactor Regulating System.

B. Architecture of RRS

The architecture of RRS is two-tier, as shown in Fig. 1. There are three triplicated ChPU, and two LANs and two DUs for redundancy purposes. The triplicated ChPU gets data from triplicated field sensors in the form of voltage or current or RTD. ChPU works on 3 by 2 logic, which means that if any parameter in one ChPU deviates by  from the rest of the two, the deviated value gets replaced by the value that is in the other two ChPUs. All ChPU communicate to both the DU, through dual redundant LANs, for monitoring and actuation of reactivity devices. The field sensors are required to know the dynamics of the RRS parameters, like the position of reactivity devices. Monitoring is required to know the status of the RRS parameters. Apart from monitoring, DU sends commands to ChPU for alarm generation, in case any critical parameter deviates from the normal operating limit, or to actuate the reactivity controlling devices.

ChPU is a real time system; the software has been developed on the real time operating system VxWorks, using the C language, and burned on EPROM (Motorola 80280) using RT-20. DU, a non-real time system used for monitoring and sending commands (to ChPU), is developed on the Linux platform, using QT libraries.

C. Adjuster control logic Module of RRS

This is one of the modules/programs/blocks of RRS. It incorporates the 'in drive', 'out drive' and 'end stop' logics for adjuster rods. The commands for 'drive in' or 'drive out' are initiated by the control room operator. DU sends the command to ChPU to drive the rod, following which ChPU reconfirms with the DU. After getting reconfirmation from DU, ChPU starts driving the rod by creating the logic and by opening the clutch. It also reads the position of the rod along with the time stamping. All the status related messages are communicated to DU. Each command received from DU is executed by ChPU, and in response to it ChPU sends the acknowledgement back to the DU. If any acknowledgement message gets missed, there is a communication error. Further, if there is a mismatch between the given (command) and actual position of the rod, DU generates an alarm in the alarm window of the GUI as well as annunciating the alarm in the control room. The operators are required to take the necessary action on alarm annunciation. For communication between ChPU and DU, the following communication protocol has been implemented (Section III-c1).

Fig. 2. Transition Probability prediction framework.

Protocol: The communication protocol between the communication modules of ChPU and DU is given below:

ChPU waits for an acknowledgement after a single transmission of a message. The packet is retransmitted up to a maximum number of 5 transmissions if the timer expires or a negative acknowledgement comes after the acknowledgement time value of 2 seconds. For the retransmission mechanism, ChPU has a retry count which represents the number of transmissions for a specific packet send. In DU there is a state variable sR which stores the sequence number of the packet to be received. This is used to detect duplicate packets, to avoid duplicate status and alarm messages. After the receive variable lifetime timer of 2 seconds expires, associated with the receive lifetime value ( ), sR is destroyed or reset. ChPU has a variable sS to store the sequence number of the packet to be transmitted or of the outstanding transmission. sS is used to relate a received acknowledgement to the outstanding transmission and to allow DU to detect duplicate frames. The moment the transmit variable lifetime timer expires, sS is reset. The following algorithm has been developed:

1) Whenever ChPU sends a new packet, the value of count is set to 1.

2) ChPU waits for acknowledgement for T1 after sending the packet.

3) If ChPU receives the acknowledgement before 2 seconds, the packet send is successful and sS is set to 0/1 (complement).

4) If  and the acknowledgement has not been received, ChPU retransmits the packet and sets ; else ChPU terminates the send process unsuccessfully, in which case sS does not change.

5) If 2 seconds have elapsed after the last data send, sS is destroyed.

6) At the initial stage ,  is the source place, in which a token can enter at any time.  and  are sink places, in which the token exits immediately.
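The ChPU/DU exchange described in the steps above, as an added simulation that is not code from the paper: a scripted lossy link exercises the retry count (at most 5 transmissions), the 2 s acknowledgement timer, the sS/sR sequence bits and the lifetime reset. The message texts, the Channel class and the ChPU/DU class layout are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ACK_TIMEOUT_S = 2.0        # T1: time ChPU waits for an acknowledgement
MAX_TRANSMISSIONS = 5      # first send plus up to four retransmissions
VARIABLE_LIFETIME_S = 2.0  # sS / sR are destroyed after this idle time

@dataclass
class Packet:
    seq: int       # sequence bit copied from the sender's sS
    payload: str   # constructed status text, e.g. a rod position message
    attempt: int   # retry count value when this copy was sent

@dataclass
class DisplayUnit:
    """DU side: sR holds the sequence bit expected next, to drop duplicates."""
    sR: Optional[int] = None
    last_rx_time: float = 0.0
    delivered: List[str] = field(default_factory=list)

    def receive(self, pkt: Packet, now: float) -> int:
        # receive-lifetime timer expired: sR is destroyed/reset
        if self.sR is not None and now - self.last_rx_time > VARIABLE_LIFETIME_S:
            self.sR = None
        self.last_rx_time = now
        if self.sR is None:
            self.sR = pkt.seq                   # first packet of an exchange sets sR
        if pkt.seq == self.sR:
            self.delivered.append(pkt.payload)  # new packet: deliver exactly once
            self.sR ^= 1                        # expect the complement next
        # a duplicate (seq != sR) is not delivered again but is still acknowledged
        return pkt.seq                          # ack carries the sequence bit

@dataclass
class Channel:
    """Scripted lossy link (assumption): lose_data[i] / lose_ack[i] say whether
    the i-th transmission over the link loses the data or the acknowledgement."""
    lose_data: List[bool]
    lose_ack: List[bool]
    sent: int = 0

    def deliver(self, pkt: Packet, du: DisplayUnit, now: float) -> Optional[int]:
        i, self.sent = self.sent, self.sent + 1
        if i < len(self.lose_data) and self.lose_data[i]:
            return None                         # data never reaches DU
        ack = du.receive(pkt, now)
        if i < len(self.lose_ack) and self.lose_ack[i]:
            return None                         # ack lost: ChPU will resend a duplicate
        return ack

@dataclass
class ChannelProcessingUnit:
    """ChPU side: sS sequence bit, retry count and the acknowledgement timer."""
    sS: int = 0
    last_tx_time: float = 0.0
    log: List[str] = field(default_factory=list)

    def send(self, payload: str, du: DisplayUnit, link: Channel, now: float) -> bool:
        """Steps 1-5 of the protocol for one packet; True on success."""
        if now - self.last_tx_time > VARIABLE_LIFETIME_S:
            self.sS = 0                         # step 5: sS destroyed after 2 s idle
        count = 1                               # step 1
        while True:
            pkt = Packet(self.sS, payload, count)
            self.log.append(f"t={now:.1f}s ChPU->DU data seq={pkt.seq} attempt={count}")
            ack = link.deliver(pkt, du, now)
            self.last_tx_time = now
            if ack is not None:                 # step 3: ack arrived before T1
                self.log.append(f"t={now:.1f}s DU->ChPU ack seq={ack}")
                self.sS ^= 1                    # complement sS for the next packet
                return True
            now += ACK_TIMEOUT_S                # step 2: timer expired
            self.log.append(f"t={now:.1f}s ChPU ack timer expired (attempt {count})")
            if count < MAX_TRANSMISSIONS:
                count += 1                      # step 4: retransmit, count = count + 1
            else:
                self.log.append("ChPU send failed: communication error")
                return False                    # sS unchanged on failure

def run_scenarios() -> dict:
    """Three constructed runs: clean exchange; ack lost (duplicate suppressed at
    DU); every copy lost (ChPU gives up after 5 transmissions, sS unchanged)."""
    du1, chpu1 = DisplayUnit(), ChannelProcessingUnit()
    ok1 = chpu1.send("DRIVE_IN_ACCEPTED", du1, Channel([], []), now=10.0)
    du2, chpu2 = DisplayUnit(), ChannelProcessingUnit()
    ok2 = chpu2.send("ROD_POSITION=42", du2, Channel([False, False], [True, False]), now=20.0)
    du3, chpu3 = DisplayUnit(), ChannelProcessingUnit()
    ok3 = chpu3.send("END_STOP", du3, Channel([True] * 5, []), now=30.0)
    return {
        "clean": (ok1, du1.delivered, chpu1.sS),
        "lost_ack": (ok2, du2.delivered, chpu2.sS),
        "link_down": (ok3, du3.delivered, chpu3.sS, len(chpu3.log)),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The second scenario is the one the text calls out: the duplicate retransmission is acknowledged but the status message reaches the DU application only once, so no duplicate alarm is raised.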

TABLE I
EU PLACES AND TRANSITIONS

IV. THE PROPOSED METHOD FOR DESIGN VERIFICATION WITH ITS APPLICATION

We extend and improve the existing approaches to propose a framework to estimate the design metrics, in order to judge the system's suitability to fulfill the requirements specified by the AERB. We use it for the various systems of NPP. We choose a stochastic process because of the many abstractions, like the internal architecture of the operating system, hardware, etc., on which the system performance depends. Our framework contains six phases, as shown in Fig. 2. Each phase is described as follows.

A. Phase 1: Petri net model creation

Based on the communication protocol of ACL, we generate a Petri net model of EU and DU communication. The details of the places and transitions of EU are given in Table I. The methods to create a Petri net model can be found in many papers [21]. The created Petri net model is shown in Fig. 3.


Fig. 3. SPN of Embedded Unit.

TABLE II
CHPU TRANSITIONS WITH DELAY

B. Phase 2: Model Parameter assignment

We use the tool TimeNET [22], [23] for SPN creation. We assign delays to the transitions according to the tolerance limits given in the specification of the system, as listed in Table II.

, , ,  represent events that are supposed to occur within 1 millisecond, so we set that value. As per the specification of the system, the waiting time for the acknowledgement must not be more than 2 seconds, so we associate a delay of 2 seconds with .

The long-time behavior of this SPN can be studied by so-called stationary or steady-state evaluation, the method of which has been described by many authors. TimeNET gives the throughput, as shown in Table III.

C. Phase 3: Reachability Graph creation

The creation of the reachability graph is explained in many papers [21]. Table IV shows the markings of the SPN of EU with their types. The full reachability graph is shown in Fig. 4.

TABLE III
THROUGHPUT OF THE TRANSITIONS

For the sake of convenience, we map the throughput in the following sequence:

(1)

D. Phase 4: Markov Chain creation

The MC of the SPN shown in Fig. 3 is given in Fig. 5 and can be obtained from the reachability graph of the Petri net.


TABLE IV
MARKINGS OF EU GSPN MODEL

Fig. 4. Reachability graph.

The transition rate matrix Q is given in equation (4). The rates for a given state should sum to zero, yielding the diagonal elements to be

(2)

E. Phase 5: Transition Probability computation

The transition probability of the MC created from the SPN can be computed with the help of the transition rate matrix Q. Since a transition rate represents the transition from one state to another per unit time, if we take the ratio of the transition rate (of going from state i to state j) to the sum of all transition rates out of state i, excluding transitions to itself, we get the transition probability from one state to the other ( ).

Fig. 5. Markov chain creation.

Clearly, if it transits to itself infinitely, it will not be ergodic, and in this case  will be zero, i.e.

(3)

[Equation (4) is displayed on the next page.]

From this, the transition probability matrix P can be written as:

The transition probability matrix is given in equation (5) on thenext page.

F. Phase 6: Design metrics estimation

After estimating the transition probabilities between the states of the MC, we estimate the design metrics. Design metrics and their severity are specific to the domain of the project. NPP systems must be designed such that they are able to fulfill the reliability and performance requirements as per the guidelines of the AERB. Reliability of an NPP system means the failure free operation of the NPP system up to a given period of time under certain conditions. Performance of an NPP system means how much time the NPP system takes to perform a function. For the purpose of safety, control systems and other monitoring systems of NPP have strict reliability requirements, while safety systems of NPP have strict reliability and performance requirements. We describe the method to estimate them as follows. RRS does not have stringent performance requirements, and hence performance is not estimated for ACL.


A) 4.6.1 Reliability Estimation: There are only two failure states in the created MC , the rest of the states are behavioral states. Let  be the probability that a component is in state i at time t. When the component executes for a very long time ( ), these probabilities converge and lead to a stationary distribution. The proof is given in [25].

(6)

Also,

(7)

(8)

These are linear equations and can be solved by standard numerical techniques [26]. Hence

(9)

So, from equation (8), we get equation (10). Solving equation (10) [on the next page], we get the following linear equations

(i)

(ii)

(iii)

(iv)

(v)

(vi)

(vii)

(viii)

(4)

(5)


(ix)

(x)

Also, using equation (7),

(xi)

Solving the above 11 equations (i to xi), we get; ; ; ;

; ; ;.

P is like a sparse matrix; hence its storage and computation time can be greatly reduced. So, using equation (6), we get

Hence the reliability of the communication module, using equation (9), is given by:

Rewriting the reliability,

Performance estimation: We can estimate the performance of a system if we know the time spent in each state when control reaches it. The time spent in any state is known as the sojourn time. For each state , the amount of time spent in that state in a given visit is an exponentially distributed random variable with parameter . In the case where the state is absorbing, i.e., where the state never transits, we define  to be equal to zero. In this section, we derive the holding times from the transition rate matrix. Let us define . Fix a state . If , the state never transits and hence for all times t, we have

(12)

Thus we conclude that if , then  for all states j. We now consider the more interesting case where . Let us make the approximation that in a small time , the chain will make at most one jump; this approximation is not valid if  is large, but is asymptotically valid as . First consider a state ; we have:

(13)

The approximation we used is that if the chain goes from  to  in time , then the chain must make one jump in the interval , and when it makes this jump it must go to state j. Similarly, for :

(14)

(10)


TABLE V
COMMAND MESSAGES AND ACKNOWLEDGEMENT MESSAGES OF ACL

Fig. 6. Reliability Computation framework.

Combining this with our analysis for the case where , we find:

(15)

From these equations and the above, we perceive that given the transition rate matrix, we can compute the transition probability matrix and the holding times. Thus the transition rate matrix contains the same modeling information as the holding time chain specification.
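Phases 5 and 6 and the sojourn-time derivation above, worked as an added Python example (not the paper's code): build Q with row sums of zero (equation (2)), derive P from the rates (equation (3)), solve for the stationary distribution (equations (6) to (8)), take reliability as one minus the mass on the failure states, and read the mean holding times as 1/(-q_ii). The 5-state rate table is constructed for illustration; it is not the ACL matrix of equation (4), and the reliability formula is an assumption since equation (9) is not reproduced on the page.

```python
from fractions import Fraction
from typing import List, Sequence

Matrix = List[List[Fraction]]

def complete_diagonal(rates: Sequence[Sequence[int]]) -> Matrix:
    """Build Q from off-diagonal rates: q_ii = -sum_{j != i} q_ij, so every
    row sums to zero (equation (2))."""
    q = [[Fraction(x) for x in row] for row in rates]
    for i, row in enumerate(q):
        row[i] = -sum(x for j, x in enumerate(row) if j != i)
    return q

def transition_probabilities(q: Matrix) -> Matrix:
    """Embedded chain: P_ij = q_ij / sum_{k != i} q_ik and P_ii = 0 (equation (3)).
    A state with no outgoing rate never transits, so it keeps P_ii = 1 (cf. (12))."""
    n = len(q)
    p = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        out = -q[i][i]
        if out == 0:
            p[i][i] = Fraction(1)
            continue
        for j in range(n):
            if j != i:
                p[i][j] = q[i][j] / out
    return p

def stationary_distribution(p: Matrix) -> List[Fraction]:
    """Solve pi = pi P with sum(pi) = 1 (equations (6) to (8)) exactly by
    Gauss-Jordan elimination; one redundant balance equation is replaced by
    the normalisation row."""
    n = len(p)
    a = [[p[i][j] - (1 if i == j else 0) for i in range(n)] for j in range(n)]
    b = [Fraction(0)] * n
    a[n - 1], b[n - 1] = [Fraction(1)] * n, Fraction(1)
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col] != 0)
        a[col], a[piv], b[col], b[piv] = a[piv], a[col], b[piv], b[col]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
                b[r] -= f * b[col]
    return [b[i] / a[i][i] for i in range(n)]

def reliability(pi: Sequence[Fraction], failure_states: Sequence[int]) -> Fraction:
    """Phase 6 (assumed form): R = 1 - probability mass of the failure states."""
    return 1 - sum(pi[s] for s in failure_states)

def mean_sojourn_times(q: Matrix) -> list:
    """Mean holding time per state: 1/(-q_ii); infinite for an absorbing state."""
    return [float("inf") if q[i][i] == 0 else 1 / (-q[i][i]) for i in range(len(q))]

# Constructed 5-state rate table for an ACL-style exchange (rates per second);
# not the matrix of equation (4). States: 0 IDLE, 1 WAIT_ACK, 2 ACKED,
# 3 TIMEOUT_RETRY, 4 COMM_FAIL (the failure state).
EXAMPLE_RATES = [
    [0, 1000, 0, 0, 0],   # IDLE: command issued within ~1 ms
    [0, 0, 90, 10, 0],    # WAIT_ACK: ack within ~10 ms, or timer expiry
    [1000, 0, 0, 0, 0],   # ACKED: back to idle
    [0, 80, 0, 0, 20],    # TIMEOUT_RETRY: retransmit, or give up
    [1000, 0, 0, 0, 0],   # COMM_FAIL: reset to idle after the alarm
]
FAILURE_STATES = [4]

def analyse(rates=EXAMPLE_RATES, failure_states=FAILURE_STATES):
    """Run Phases 5 and 6 on a rate table; returns (P, pi, R, sojourn times)."""
    q = complete_diagonal(rates)
    p = transition_probabilities(q)
    pi = stationary_distribution(p)
    return p, pi, reliability(pi, failure_states), mean_sojourn_times(q)

if __name__ == "__main__":
    p, pi, r, holding = analyse()
    print("stationary distribution:", [str(x) for x in pi])
    print("reliability R =", r, "=", float(r))
    print("mean sojourn times (s):", holding)
```

Exact fractions are used so that the check against hand-solved balance equations, as in the (i) to (xi) system above, does not depend on floating-point rounding.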

V. DESIGN VALIDATION

We validate the correctness of the estimated design metrics of ACL, i.e. reliability, by comparing it with the computed reliability based on operational data of two years. We use the Ramamoorthy and Bastani model [27]. We present the method by proposing a framework containing four phases, given in Fig. 6. These phases are illustrated as under:

A. Phase 1: Data Collection

DU maintains the record of every analog and digital data for up to 3 years. This RRS architecture is running in 7 units, namely (i) Tarapur Atomic Power Station-3 (TAPS-3), (ii) Tarapur Atomic Power Station-4 (TAPS-4), (iii) Rajasthan Atomic Power Station-5 (RAPS-5), (iv) Rajasthan Atomic Power Station-6 (RAPS-6), (v) Kaiga Generating Station-3 (KGS-3), (vi) Kaiga Generating Station (KGS-4) and (vii) Rajasthan Atomic Power Station-3 (RAPS-3). We were able to collect all the records of 720 days, with the permission of the shift charge engineer of the respective stations, from all the 7 units. The

TABLE VI
OPERATIONAL PROFILE DATA

operational profile data of Tarapur Atomic Power Plant-3 is given in Table VI.

B. Phase 2: Data analysis

Every command initiated by the operator and its response from the ChPU is recorded with the time stamp, to know whether the operation was successful or unsuccessful. This is also very important for performing analysis in case of any fault, failure or event. The time stamping is done by the ChPU. There are message codes for each message which is sent by ChPU, and the actual message is generated by DU. For acknowledgement purposes a different message code is sent by DU to EU. Every data item is time stamped by ChPU in the format "dd/mm/yyyy hr:min:sec:msec". The command messages and acknowledgement messages of ACL are given in Table V. Let  number of runs in 1 .


C. Phase 3: Reliability Computation

We use the Ramamoorthy and Bastani model [27] for reliability computation, which represents the reliability as under:

(16)

where
;
 , of the testing process relative to the operational distribution;
For operational data, we can assume . Hence the reliability equation becomes

(17)

Hence, the reliability of the ACL module of RRS based on the operational profile is given by

(18)

In the case of safety systems, the performance requirements can also be validated by computing the performance using the operational profile and comparing it with the estimated performance in Section IV-f2. We did it for shut down system-2 and got good results.

D. Phase 4: Reliability comparison

In this phase, we validate the reliability requirements by comparing the estimated value (equation (11)) and the actual value (equation (18)). Correct validation of the reliability also validates the predicted transition probability, which was an issue in the existing approaches as discussed in Section II.

(19)

We get magnificent results, as the difference is negligible. We investigated the results and came to the following noticeable facts to justify this small difference.

1) We have shown the reliability figure using the operational profile of two years. The reason is that we have installed a new version of this software in all units of NPP and collected data from the time at which it started in the operational phase. As we can see, when the elapsed time is very long, reliability may get slightly better because errors get stabilized.

TABLE VII
ACCURACY OF PREDICTED UNRELIABILITY FIGURE OF ACL MODULE FOR GIVEN SEVEN STATIONS

2) In this case there will be a definite, very slight increment in the reliability figure .

3) Error in parameter assignment in Section IV-B.

Interestingly, the unreliability figure is of more interest, especially if we deal with the safety critical or safety related systems of NPP. The predicted unreliability figure we got from our approach is given by

(20)

The unreliability figure, based on the operational profile, can be computed as

(21)

Hence, the difference between the predicted and actual unreliability is given by:

(22)

We get an accuracy of 89.73% between the predicted and actual (based on operational profile) unreliability figures, which is quite rewarding. Similarly, we compute the  for the rest of the 6 atomic power stations and compare it with the predicted reliability. The accuracy of the predicted versus actual unreliability figure of the ACL module of RRS for all the 7 stations is given in Table VII.

VI. CONCLUSION

In this paper we proposed an approach for design verification of I&C systems of NPP. From the literature survey, we found the potential approaches, based on MC, that can be modified to be used for design verification. The design metrics are based on transition probability. In Section II, we infer that in the existing approaches the authors have either assumed the transition probabilities on the basis of some coarse knowledge or computed them using analytical methods which do not give accurate values. Some authors have computed them using the operational profile, but that is possible only after deployment of the system and hence it is not an early prediction. Our framework addresses the existing limitations and is described in Section IV. We also applied this framework on the ACL module of RRS. Further, we also illustrated the technique to compute the sojourn time, which helps in estimating the performance metrics. We have validated our approach on the seven different sets of operational profile data of NPP in Section V, using the Ramamoorthy and Bastani model. We also drew some noteworthy facts explaining the small difference in the predicted and computed reliability figures.

Our evaluation results indicate that our framework provides meaningful estimation of design metrics. The estimation of design metrics for a small module will lead to the estimation of design metrics of the whole system, to take early preventive action. Our on-going research is to extend our approach in diversified directions that include defining new constructs for modeling and analysis of fault tolerant systems of NPP and a method to analyze them for estimating the design metrics.

REFERENCES

[1] Deterministic Safety Analysis for NPP, IAEA SSG-2, Austria, 2009.

[2] Core Knowledge on Instrumentation and Control Systems in NPP, IAEA NP-T-3.12, Austria, 2011.

[3] Software for Computer Based Systems Important to Safety in Nuclear Power Plants, IAEA NS-G-1.1, Austria, 2000.

[4] Implementing Digital I&C Systems in the Modernization of NPP, IAEA Nuclear Energy Series NP-T-1.4, Austria, 2009.

[5] Instrumentation and Control Systems Important to Safety in Nuclear Power Plant, IAEA No. NS-G-1.3, Austria, 2002.

[6] The Role of I&C Systems in Power Uprating Projects in NPP, IAEA Nuclear Energy Series NP-T-1.3, Austria, 2008.

[7] "Integration of analog and digital instrumentation and control systems in hybrid control rooms," IAEA Nuclear Energy Series NP-T-3.10, Austria, 2010.

[8] Preparing and Conducting Review Missions of I&C Systems in Nuclear Power Plants, IAEA TECDOC 1662, Austria, 2011.

[9] R. H. Reussner et al., "Reliability prediction for component based software architectures," J. Syst. Softw., vol. 66, pp. 241–252, 2003.

[10] S. Gokhale, W. E. Wong, K. S. Trivedi, and J. R. Horgan, "An analytic approach to architecture-based software reliability prediction," in Proc. Int. Performance and Dependability Symp., Durham, NC, USA, Sep. 1998, pp. 13–22.

[11] L. Cheung et al., "Early prediction of software component reliability," in Proc. ICSE, Leipzig, Germany, 2008, pp. 111–120.

[12] V. Sharma and K. Trivedi, "Quantifying software performance, reliability and security: An architecture-based approach," J. Syst. Softw., vol. 80, pp. 493–509, Aug. 2007.

[13] W.-L. Wang, D. Pan, and M.-H. Chen, "Architecture-based software reliability modeling," J. Syst. Softw., vol. 79, no. 1, pp. 132–146, Jan. 2006.

[14] N. Sato and K. S. Trivedi, "Accurate and efficient stochastic reliability analysis of composite services using their compact Markov reward model representations," in Proc. IEEE Int. Conf. Services Computing, IEEE Computer Soc., 2007, pp. 114–121.

[15] F. Brosch, H. Koziolek, B. Buhnova, and R. Reussner, "Parameterized reliability prediction for component-based software architectures," in Proc. 6th Int. Conf. Quality of Software Architectures, ser. LNCS, vol. 6093, Springer, 2010, pp. 36–51.

[16] L. Fiondella and S. Gokhale, "Importance measures for modular software with uncertain parameters," Softw. Test., Verif. Rel., vol. 20, no. 1, pp. 63–85, Mar. 2010.

[17] K. Goseva-Popstojanova and S. Kamavaram, "Software reliability estimation under uncertainty: Generalization of the method of moments," in Proc. IEEE Symp. High Assurance Systems Engineering, 2004, pp. 209–218.

[18] I. Meedeniya, I. Moser, A. Aleti, and L. Grunske, "Architecture-based reliability evaluation under uncertainty," in Proc. 7th Int. Conf. Quality of Software Architectures, New York, NY, USA, ACM, 2011, pp. 85–94.

[19] H. Koziolek and F. Brosch, "Parameter dependencies for component reliability specifications," in Proc. 6th Int. Workshop FESCA, ser. ENTCS, vol. 253, Elsevier, 2009, pp. 23–38.

[20] [Online]. Available: http://en.wikipedia.org/wiki/Lists_of_nuclear_disasters_and_radioactive_incidents

[21] T. Murata, "Petri nets: Properties, analysis and applications," Proc. IEEE, vol. 77, pp. 541–580, 1989.

[22] C. Kelling, "TimeNET-Sim: A parallel simulator for stochastic Petri nets," in Proc. 28th Annu. IEEE Simulation Symp., Apr. 1995, pp. 250–258.

[23] C. Kelling, "TimeNET: Evaluation tool for non-Markovian stochastic Petri nets," in Proc. IEEE Int. Computer Performance and Dependability Symp., 1996, p. 62.

[24] J. D. Musa, "Operational profiles in software-reliability engineering," IEEE Softw., vol. 10, no. 2, pp. 14–32, 1993.

[25] [Online]. Available: http://www.dis.uniroma1.it/~leon/didattica/webir/pagerank.pdf

[26] W. Stewart, Numerical Solution of Markov Chains. New York, NY, USA: CRC, 1991.

[27] C. V. Ramamoorthy and F. B. Bastani, "Software reliability: Status and perspectives," IEEE Trans. Softw. Eng., vol. SE-8, no. 4, pp. 354–371, Jul. 1982.