核能電廠儀控系統數位化後可提供更強大的整體運轉功能，及具有親和力之人機介面，運轉員可藉著電腦系統獲取更多資訊。然而儀控系統數位化時遭遇以下三點問題：(1)軟體共模失效、(2)運轉員與數位儀控系統介面互動過程失誤、與(3)軟體失效之不可偵測性，可能擊潰防禦階層，增加分析多樣性與深度防禦效能困難度。其中第(2)項運轉員與數位儀控系統介面互動影響最大，因為第(1)項與第(3)項對應至多樣性與深度防禦，而最後最重要一層為如何確認運轉員與數位儀控系統介面互動。本研究發展出一套整合性方法論以評估運轉員與數位儀控系統介面互動表現對核能電廠安全影響，並可據以提出改善建議。此整合性方法論包括組件層級的軟體故障樹分析與系統層級之序列樹方法及電廠電腦模擬程式分析方法。軟體故障樹可釐清數位儀控系統內軟體失效過程與肇因，序列樹方法可鑑別設計基準事件中運轉員與各多樣性與深度防禦層級數位儀控系統間之互動關係，電廠電腦模擬程式分析方法可進一步分析運轉員在數位儀控系統失效時可供運用之備用設施與容許手動動作之時間。將本方法論應用於評估數位化核能電廠深度防禦設計之效能，應可提升核能電廠運轉安全。運轉員在操作高度自動化之數位儀控設施時，將可更加信賴核能電廠。

The digitalized Instrumentation and Control (I&C) system of Nuclear power plant can provide more powerful overall operation capability, and user friendly man-machine interface. The operator can obtain more information. However, while I&C system being digitalized, three issues are encountered: 1) software common failure, 2) the interaction failure between operator and digital instrumentation and control system interface, and 3) the non-detestability of software failure. These failures might defeat defense echelons, and make it more difficult to analyze the perfiormance of Diversity and Defense-in-Depth (D3). This research developed an integrated methodology to evaluate nuclear power plant safety effect by interactions between operator and digital I&C system, and then propose improvement recommendations. This integrated methodology includes component level software fault tree, and system level sequence tree method and nuclear power plant computer simulation analysis. Software fault tree can clarify the software failure structure in digital I&C systems. Sequence tree method can identify the interaction process and relationship among operator and I&C systems in each D3 echelon in a design basis event. Nuclear power plant computer simulation analysis method can further analyze the available backup facilities and allowable manual action duration for the operator when the digital I&C fail to function. Applying this methodology to evaluate the performance of digital nuclear power plant D3 design, could promote the nuclear power plant operation safety. The operator would trust the nuclear power plant than before, when operating the highly automatized digital I&C facilities.

[1] NUREG/CR-6430, “Software Safety Hazard Analysis”, 1995
[2] Nancy G. Leveson, L. Denise Pinnel, Sean David Sandys, Shuichi Koga, Jon Damon Reese, “Analyzing Software Specifications for Mode Confusion Potential,” Presented at the Workshop on Human Error and System Development, Glascow, March 1997. (http://sunnyday.mit.edu/papers/glascow.pdf)
[3] IEEE Std 7-4.3.2-2003. "IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations."
[4] Shigenori Makino, “Operating Experience of Digital Safety-Related System of Kashiwazaki-Kariwa Unit No.6 and 7”, Nuclear Energy Agency Committee on the Safety of Nuclear Installations (NEA/CSNI), Reference 1,VOL 2, 2002
[5] William C. Bowman, Glenn H. Archinoff, Vijay M. Raina, David R. Tremaine, and Nancy G. Levesoin, “An Application of Fault Tree Analysis To Safety Critical Software At Ontario Hydro”, Probabilistic Safety Assessment and Management, G. Apostolakis, ed., Elsevier, New York, 1991, pp. 363-368.
[6] R. Reeves, G. Hicks, and B. Karrasch, “A case study of Abnormal Conditions and Events (ACE) analysis”, IEEE Transactions On Nuclear Science, VOL. 42, NO. 4, August 1995.
[7] L. Ristord, C. Esmenjaud “FMEA Performed on the SPINLINE3 Operational System Software as part of The TIHANGE 1 NIS Refurbishment Safety Case”, Nuclear Energy Agency Committee on the Safety of Nuclear Installations (NEA/CSNI), Reference 1,VOL 2, 2002.
[8] SECY 93-087, July 15 1993, “Defense Against Common-Mode Failures in Digital Instrumentation and Control System”, Staff Requirement Memorandum.
[9] NUREG-0493, March, 1979, “A Defense-in-depth and Diversity Assessment of the RESAR-414 Integrated Protection System”.
[10] UCRL-ID-114000, April 1993, “Defense-in-depth and Diversity Assessment of the GE ABWR Instrumentation and Control Systems”.
[11] NUREGCR-6303 (UCRL-ID-119239), December 1994, “Method for Performing Diversity and Defense-in-depth Analyses of Reactor Protection Systems”.
[12] NUREG-0800 "STANDARD REVIEW PLAN (SRP)" Section 7.0. Instrumentation and Controls. Rev. 4, USNRC, Washington, DC. USA, June 1997.
[13] Branch Technical Position HICB-14, Guide on Software Review for Digital Computer-Based Instrumentation and Control System, USNRC, Washington, DC. USA, 1997.
[14] IEEE Std 1228-1994. "IEEE Standard for Software Safety Plans."
[15] IEEE Std 7-4.3.2-1993. "IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations."
[16] 台電公司第四核能發電廠，“進步型沸水式反應器(ABWR)訓練教材”，2002。
[17] Micro-Simulation Technology, “PCTRAN ABWR Personal Computer Transient Analyzer for Advanced Boiling Water Reactor”, Version 4.0.0, May, 2002.
[18] General Electric Company, “LUNGMEN UNITS 1 & 2 Preliminary Safety Analysis Report”, 997.
[19] ANSI/IEEE Std 829-1983. "IEEE Standard for Software Test Documentation."
[20] EPRI Topical Report TR-106439. "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications." Electric Power Research Institute, October 1996.
[21] IEEE Std 1042-1987. "IEEE Guide to Software Configuration Management."
[22] IEEE Std 1074-1995. "IEEE Standard for Developing Software Life Cycle Processes."
[23] IEEE Std 1219-1992. "IEEE Standard for Software Maintenance."
[24] IEEE Std 603-1991. "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
[25] NUREG/CR-6101. "Software Reliability and Safety in Nuclear Reactor Protection Systems." 1993.
[26] Regulatory Guide 1.152. "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants." Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, January 1996.
[27] Branch Technical Position HICB-19, 1997, Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based Instrumentation and Control Systems, USNRC, Washington, DC., USA
[28] SECY 90-016, February 1991, “Evolutionary Light Water Reactor Certification Issues and Their Relationship to Current Regulatory Requirements.”
[29] NUREG-1503, July 1994, “Final Safety Evaluation Report Related to the Certification of the Advanced Boiling Water Reactor Design”, Chapter 7.
[30] 陳玉柱，“核電廠事故分析程式PCTRAN之引進與應用”，碩士論文，國立清華大學工程與系統科學系，2001。
[31] 李敏、洪國鈞，“PCTRAN程式輻射源項說明報告”，國立清華大學工程與系統科學系，2002。
[32] 林芳正，“核能電廠暫態事故分析程式PCTRAN之控制系統模組與熱流理論模式探討”，碩士論文，國立清華大學工程與系統科學系，2003。
[33] 邱茗秀，“核能電廠暫態模擬程式PCTRAN之熱流模式探討及廠外輻射劑量計算能力之建立”，碩士論文，國立清華大學工程與系統科學系，2003。
[34] 楊朝裕，“PCTRAN國聖核能電廠暫態事故模擬分析與研究”，碩士論文，國立清華大學工程與系統科學系，2005。
[35] 鄭源傑，“PCTRAN龍門核能電廠暫態事故模擬分析與驗證”，碩士論文，國立清華大學工程與系統科學系，2005。
[36] 施純寬、邱茗秀、楊朝裕、鄭源傑、陳俊宇、楊偉義、黃揮文，「儀控軟體風險分析發展及應用」委辦計畫94年結案報告，INER-A0854R，民國94年12月
[37] 施純寬、陳俊宇、楊偉義、杜宛慈、黃揮文，「數位儀控系統深度防禦能力模擬研究」委辦計畫95年結案報告，INER-A1225R，民國95年12月
[38] Swu Yih, Huei-Wen Hwang, Yuan-Chang Yu, “Development and Application of Risk Analysis Techniques for Digital I&C Systems”, Nuclear Plant Instrumentation, Control and Human-Machine Interface Technologies NPIC & HMIT 2004, September 19-22, 2004, Columbus, Ohio. INER-2912.
[39] Swu Yih, Lih-Yih Liao, Huei-Wen Hwang, Li-Hsing Wang, Regulatory Bases and Acceptance Criteria for Software Safety Analysis of Digital I&C Systems, Nuclear Plant Instrumentation, Control and Human-Machine Interface Technologies NPIC & HMIT 2004, September 19-22, 2004, Columbus, Ohio. INER-2909.
[40] Yuan-Chang Yu, Yen-Chang Tzeng, Ming-Huei Chen, Hui-Wen Huang, Li-Hsin Wang, Swu Yih, "Simulator Base Approach for Identifying Hazard Induced by Software Flaw", Symposium on Applications of Information Management and Communication Technology 2005( 2005資通技術管理與應用會議), INER-3392, June 27, 2005.
[41] 王立莘、游原昌、易俗、郭成聰、龍宜島、黃揮文，儀控軟體安全分析技術發展，INER-3014，民國93年9月
[42] 王立莘、游原昌、易俗、黃揮文，數位儀控系統安全分析之法規基準與接收準則，INER-3056，民國93年10月
[43] 王立莘、黃揮文、游原昌、易俗，數位儀控系統危險因子分析技術，INER-3371，民國94年7月
[44] 游原昌、黃揮文、王立莘、陳明輝，儀控系統安全分析工作站建置，INER-3495，民國94年9月
[45] 游原昌、陳仲緯、葉宏易、黃揮文、陳明輝，「數位儀控軟體失效模擬測試設備建立」，INER-4204，民國95年9月
[46] 游原昌、郭成聰、黃揮文、陳明輝、易俗、王立莘、王勳和，IEEE-1012 軟體驗證與確認本文 ，INER-A0985R，95年6月
[47] 王勳和、王立莘、游原昌、易俗、黃揮文、陳明輝、郭成聰，IEEE 7-4.3.2 核能發電廠安全系統之數位電腦，INER-A1067R，95年9月
[48] 王立莘、黃揮文、易俗、游原昌、王勳和，IEEE-1228軟體安全分析計畫書本文，INER-A1016R，95年6月
[49] 易俗、陳明輝、黃揮文、王立莘、游原昌、陳仲緯，核電廠儀控系統軟體危險因子分析技術，INER-A1068，95年8月
[50] 王立莘、易俗、游原昌、黃揮文、陳明輝，安全相關數位儀控系統RTIF軟體需求規格安全分析，INER-A1062R，95年9月
[51] 游原昌、易俗、王立莘、陳明輝、黃揮文、陳仲緯，安全相關數位儀控系統RTIF軟體設計規格安全分析，INER-A1047R，95年8月
[52] 黃揮文等，ABWR儀控系統之方塊概念法應用，核研季刊, 第二十五期, 面93-105，INER-1642，民國86年
[53] 黃揮文等，核電廠數位式儀控系統共模失效分析技術及應用現況，INER-T2351，民國86年
[54] 黃揮文等，ABWR 儀控系統深度防禦及多樣性評估技術研究，INER-T2438，民國86年
[55] 黃揮文等，核二廠MMS整廠模式之建立與校驗，核子科學, 第34卷第6期，INER-1640，民國86年12月
[56] 李紹光、黃揮文等，「核一廠模組化模擬系統計畫」第一次期中報告，INER-A0057，民國86年
[57] 李紹光、黃揮文等，「核一廠模組化模擬系統計畫」第二次期中報告，INER-A0068，民國86年
[58] 李紹光、黃揮文等，「核一廠模組化模擬系統計畫」第三次期中報告，INER-A0069，民國87年
[59] 黃揮文，核三廠模擬器熱交換器Handler程式FORTRAN語言改寫測試報告，INER-T2842，90年9月
[60] 黃揮文等，核三廠模擬器即時軟體作業平台測試報告，INER-T2836，90年6月
[61] Hui-Wen Huang, Chunkuan Shih, Swu Yih, Ming-Huei Chen, Jiin-Ming Lin, Model Extension and Improvement for Simulator-based Software Safety Analysis, Nuclear Engineering and Design 237 (2007) 955–971, INER-4538
[62] Hui-Wen Huang, Chunkuan Shih, Swu Yih, Ming-Huei Chen, Jiin-Ming Lin, Software failure events derivation and analysis by frame-based technique, Annals of Nuclear Energy (ANE),編號Manuscript # 1.05.06，95/2/24 完成所內審查，ANE於96/1/10接受論文，Elsevier公司正進行出版作業，編號ANE 1658
[63] Huei-Wen Hwang, Swu Yih, Yen-Chang Tzeng, Yuan-Chang Yu, Development and Application of a Simulation Framework for Investigating Human Computer Interaction Process, 19th Sino-Japanese Seminar on Nuclear Safety (台日核安學術研討會), Taipei, Taiwan, November 29, 2005.
[64] Hui-Wen Huang, Yen-Chang Tzeng, Yuan-Chang Yu, Li-Hsin Wang, Ming-Huei Chen, Swu Yih, Chunkuan Shih, Sheue-Ling Hwang, Development and Application of a Simulation Platform for Analyzing Nuclear I&C Software Safety, The 2005 Taiwan Atomic Energy Forum (台灣原子能論壇), Taoyuan, Taiwan, April 25, 2005.
[65] Hui-Wen Huang, Wei-Yi Yang, Chunkuan Shih, Swu Yih, Digital I&C Failure Events Derivation and Analysis for ABWR, Dependability of Computer Systems 2006 (DepCoS '06), Szklarska Poręba, Poland, 25 - 27 May 2006.
[66] Hui-Wen Huang, Chunkuan Shih, Swu Yih, Yen-Chang Tzeng, Ming-Huei Chen, Digital Instrumentation and Control Failure Events Derivation and Analysis by Frame-Based Technique, ICONE14, Miami, Florida, USA, 18-20 July, 2006.
[67] Hui-Wen Huang, Wan-Tsz Tu, Chunkuan Shih, Swu Yih, Cherng-Tsong Kuo, Ming-Huei Chen, Chun-Yu Chen, Wei-Yi Yang, Development of Evaluation Method for Software Safety Analysis Techniques, 15PBNC, Sydney, 15 - 20 October 2006.
[68] Hui-Wen Huang, Ming-Huei Chen, Chunkuan Shih, Swu Yih, Cherng-Tsong Kuo, Li-Hsin Wang, Yuan-Chang Yu, Chung-Wei Chen, Development of Evaluation Method for Software Hazard Identification Techniques, 5th NPIC&HMIT, Albuquerque, NM, USA, November 12 - 16, 2006.
[69] Hui-Wen Huang, Ming-Huei Chen, Chunkuan Shih, Swu Yih, Evaluation for Software Safety Analysis Techniques, 21st Sino-Japanese Seminar on Nuclear Safety (台日核安學術研討會), Taipei, Taiwan, 4-5 December, 2006.
[70] Hui-Wen Huang, Ming-Huei Chen, Chunkuan Shih, Swu Yih, Hung-Chih Hung, Jiin-Ming Lin, Preliminary Hazard Analysis using Sequence Tree method,15th International Conference on Nuclear Engineering (ICONE 15), April 22-26, 2007, Nagoya, Japan.
[71] Hui-Wen Huang, Chunkuan Shih, Swu Yih, Ming-Huei Chen, Shian-Shing Shyu, Jiin-Ming Lin, Chuan-Chung Chen, Chung-Lin Lee, Li-Hsin Wang, Yuan-Chang Yu, Wei-Yi Yang, Wan-Tsz Tu, System Level Hazard Analysis by Sequence Tree Method, International Symposium on Symbiotic Nuclear Power Systems for 21st Century (ISSNP), Tsuruga, Fukui , Japan, July 9-11, 2007.
[72] 黃揮文、易俗、李朝河、游原昌，數位儀控系統軟體文件審查接受準則，INER-2807R，民國93年7月
[73] 黃揮文、游原昌、易俗、王立莘等，PCTRAN ABWR版本再循環水系統模擬程式改進，INER-2870，民國93年9月
[74] 黃揮文、游原昌、王立莘、易俗、郭成聰，儀控軟體安全分析模擬個案設計，INER-3151，民國93年12月
[75] 黃揮文、陳明輝、王立莘、易俗、游原昌，數位儀控系統軟體失效資料蒐集分析，INER-3255，民國94年4月
[76] 黃揮文、王勳和、陳明輝、易俗、王立莘、游原昌，儀控系統事件過程推演分析技術建立，INER-3255，民國94年10月
[77] 黃揮文、李政達、陳明輝、游原昌，臺灣電力公司核二廠飼水控制系統升級改善工程安全評估報告，INER-A0907R，民國95年1月
[78] 黃揮文、陳明輝、王立莘、游原昌、王勳和，PCTran-ABWR主要控制系統模擬模式建立，INER-3906，民國95年3月
[79] 黃揮文、易俗、王立莘、游原昌、陳仲緯、郭成聰、陳明輝，軟體安全分析技術評估方法之發展，INER-4163，民國95年9月
[80] 黃揮文、郭成聰、陳明輝、易俗、王立莘、游原昌、王勳和，NUREG/CR 6430軟體安全危險因子分析，INER-A1007R，95年7月
[81] 黃揮文、陳明輝、易俗、王立莘、游原昌、陳仲緯，安全相關數位儀控系統RTIF軟體初期危險因子分析，INER-A1029R，95年8月