Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues. Final Report
Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety
Board on Energy and Environmental Systems, Commission on Engineering and Technical Systems, National Research Council
Preface
The nuclear industry and the staff of the U.S. Nuclear Regulatory Commission (USNRC) have worked for several years on how best to safely introduce digital instrumentation and control systems into nuclear power plants. But together they have failed to reach consensus. This lack of consensus led the USNRC to request the National Research Council, through its Board on Energy and Environmental Systems of the Commission on Engineering and Technical Systems, to conduct the study whose results are reported here. The National Research Council's Computer Science and Telecommunications Board and the Council's Division on Education, Labor and Human Performance provided additional technical support. The Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety (see Appendix A) was appointed by the National Research Council on December 20, 199 to examine the use of digital instrumentation and control systems in nuclear power plants. This work was to be conducted in two phases. The final report summarizes the work of both Phase 1 and Phase 2.

In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under normal, transient, and accident conditions. In response to this charge the committee identified eight key issues associated with the use of digital instrumentation and control (I&C) systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues. The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of the technical infrastructure. The committee recognizes that these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee considers that developing consensus on these key issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

In Phase 2 of the study the committee was charged to identify criteria for review and acceptance of digital instrumentation and control technology in both retrofitted reactors and new reactors of advanced design; to characterize and evaluate alternative approaches to the certification or licensing of this technology; and, where sufficient scientific basis exists, to recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital instrumentation and control technology, including means for identifying and addressing new issues that may result from future development of this technology. Where insufficient basis exists to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information. In carrying out its Phase 2 charge, the committee limited its work to those issues identified in Phase 1. Further, the reader should not form too literal an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to assess, test, license and/or certify proposed systems and upgrades. Rather, the results of the committee's effort are presented in the form of conclusions and recommendations related to each key issue and primarily addressed to the USNRC for their consideration and use for setting
for improving communication and strengthening technical infrastructure at the USNRC. To carry out its work the committee held a number of meetings, including site visits to several power plant sites and simulators (see Appendix B). The committee also held detailed discussions with members of the staff of the U.S. Nuclear Regulatory Commission, the Nuclear Safety Research Review Committee, the Advisory Committee on Reactor Safeguards, members of the U.S. and foreign nuclear industries, and representatives from other safety-critical industries, who provided a wealth of perspectives and information on digital instrumentation and control technology and its regulation. The committee is grateful to the many individuals who provided technical information and insights on this topic during briefings and discussions.

The chairman is also particularly grateful to the members of this committee who worked diligently and effectively on a very demanding schedule to meet a very difficult charge and produce this work. Special commendation and thanks are also extended to Tracy Wilson of the staff of the National Research Council, who was a pillar of strength and whose never-failing energy and focus greatly facilitated the work of the committee.
Executive Summary
In essence the problem is to develop a systematic regulatory review and approval methodology for digital I&C systems that allows obtaining the safety and reliability benefits available from this technology while avoiding the introduction of offsetting safety problems. The transition from analog to digital I&C systems in nuclear power plants is not straightforward: one must carefully account for the ways in which digital I&C implementations are different and frame regulations that reflect those differences.
Response of the U.S. Nuclear Regulatory Commission to the Challenges
... process of reviewing designs of advanced plants. However, the review process has largely been customized for each application because of the lack of agreed-upon applicable criteria. In addition, advisory committees, including the Advisory Committee on Reactor Safeguards (ACRS) and the Nuclear Safety Research Review Committee (NSRRC), have expressed concern that the USNRC may be lagging behind in its understanding of digital I&C systems and have urged the development of a framework to guide the regulation of digital I&C technology. To address technical concerns, and in hopes of developing a wide consensus across the USNRC and the nuclear industry for a regulatory program, the USNRC held a workshop in September 1993. While a useful forum, the workshop did not lead to a consensus, and the USNRC requested the assistance of the National Research Council.
THIS STUDY

Committee's Task
The National Research Council was asked by the USNRC to conduct a study, including a workshop, on application of digital I&C technology to commercial nuclear power plant operations. The National Research Council accordingly appointed a committee (hereafter the committee) to carry out the study, which was conducted in two phases. In Phase 1 the committee was charged to define the important safety and reliability issues that arise from the introduction of digital I&C technology in nuclear power plant operations, including operations under steady-state, transient, and accident operating conditions. In response to this charge, the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. In Phase 2 of the study, the committee was charged to identify criteria for review and acceptance of digital I&C technology in both retrofitted reactors and new reactors of advanced design; to characterize and evaluate alternative approaches to the certification or licensing of this technology; and, where sufficient scientific basis exists, to recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital I&C technology, including means for identifying and addressing new issues that may result from future development of this technology. In areas lacking sufficient scientific basis to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information.

In carrying out its Phase 2 charge, the committee limited its work to those issues identified in Phase 1. The issues were chosen because they were difficult and controversial. Further, the committee recognized that by law the responsibility for setting licensing criteria and guidelines for digital I&C applications to nuclear plants rests with the USNRC. Thus, the reader should not form too literal an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to assess, test, license, and/or certify proposed systems or upgrades. Rather, the results of the study are presented in the form of conclusions and recommendations related to each issue and primarily addressed to the USNRC for their consideration and use. In the committee's view there is substantial further work to be accomplished. The committee expects the USNRC and the nuclear industry to extend the work of criteria development beyond where this Phase 2 report leaves it. To guide further work, the committee's report offers findings and recommendations in four broad categories: (a) current practice that is essentially satisfactory or requires some fine tuning, (b) points of weakness in the USNRC's approach, (c) issues that merit further analysis and research before satisfactory regulatory criteria can be developed, and (d) criteria and guidelines that are unreasonable to expect in the near future.
Digital instrumentation and control systems for nuclear power plants have technological characteristics (equipment, response time, input and output range and accuracy) very similar to those of digital instrumentation and control systems for other safety-critical applications such as chemical plants and aircraft. What distinguishes digital I&C applications in nuclear power plants from other digital applications is the need to establish very high levels of reliability and safety under a wide range of conditions. Because of the potentially far greater consequences of accidents in nuclear power plants, the I&C systems must be relied upon to reduce the likelihood of even low-probability events. The USNRC has developed a regulatory process with the goal of achieving those high levels of reliability and thus assuring public safety. This process is subject to public scrutiny.
Developing the Key Issues (Phase 1)
... and maintenance of each element, ... regulators ... the nuclear industry. The process the committee followed to identify these issues is discussed in the Phase 1 report and is only briefly summarized here. In essence, the committee considered the impact of digital I&C systems against a set of standard regulatory approaches to assessing and ensuring safety (defense-in-depth, safety margins, environmental qualification, quality assurance, and failure invulnerability). From this analysis the committee identified a number of questions and issues. After extensive deliberations the committee selected eight key issues. The eight issues can be separated into six technical issues and two strategic issues. The technical issues are: systems aspects of digital I&C technology, software quality assurance, common-mode software failure potential, safety and reliability assessment methods, human factors and human-machine interfaces, and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of the technical infrastructure (for licensing digital systems in nuclear plants). The committee recognizes that these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee reaffirms its judgment, initially formed during Phase 1, that developing consensus on these eight issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.
Analyzing the Key Issues (Phase 2)
In conducting Phase 2 of its study the committee employed a systematic process, which is reflected in the structure of most of the chapters in this report. The committee reviewed a large number of documents made available by the USNRC and a variety of other sources. The committee also interviewed selected personnel from the USNRC, from the two advisory committees discussed above (ACRS, NSRRC), from the nuclear industry and from other industries using digital systems in safety-critical applications. The committee also sought the views of individuals from academia and research organizations. In addition, the committee visited control room simulators and a fossil-fueled power plant with extensive digital I&C systems. The committee also had frequent and detailed internal discussions, both face to face and via paper and electronic communications. The committee also brought to bear a wide range of experience in and knowledge of the field.
Carrying Out the Charge
The committee took seriously the charge to identify criteria for review and acceptance of digital I&C technology and to recommend guidelines for regulation and certification. In carrying out its charge, the committee recognized that

+ In order to develop useful guidance, only a limited number of issues could be dealt with in the relatively brief duration of the study.
+ General high-level criteria would not be particularly useful.
+ The final criteria are legally the USNRC's responsibility. Further, since the nuclear power industry is heavily regulated in the public interest, the licensing criteria should be forged in a detailed interaction among the regulators, the industry and the public.
+ The committee has a wide range of expertise and experience in digital systems and nuclear power plants, but it is not a surrogate for this interaction among the stakeholders. Here, the committee could serve by clearly delineating and defining issues and providing guidance for resolving these issues rather than developing specific licensing criteria.

... and worked on those issues. These eight issues address two major intertwined themes associated with the use of digital instrumentation and control in nuclear power plants. These are:

1. Dealing with the specific characteristics of digital I&C technology as applied to nuclear power plants.
2. Dealing with a technology that is more advanced than the one widely in use in the existing nuclear power plants. This technology is rapidly advancing, at a rate and in directions largely uncontrolled by the nuclear industry, but at the same time is likely to have a significant impact on the operation and regulation of the nuclear industry.
As the committee worked through the issues it discovered there is a major impediment to progress. This is the communication barrier that exists among the key technical communities and individuals involved. The basic reason for the communication difficulty is apparent. Work is simultaneously going on in many areas, each with its own technology, research focus, and agenda. Unfortunately, though many of these areas use common terms, these terms often have different meanings to different groups, resulting in either a lack of communication or very difficult communication. This is particularly troublesome for the nuclear power industry and its regulators, who are not dominant in this technology and must try to synthesize information and experience from a variety of sources and apply it in power plants where safety hazards must be dealt with in a rigorous way, under public scrutiny. In Chapter 11 the committee discusses this communication problem in more detail and provides suggestions for a way forward. Making substantial progress in this area should have a multiplier effect, since it eases the resolution of many specific technical and strategic issues.

Overall, while there are important steps that remain to be taken by the USNRC and industry as addressed in this report, the committee found no insurmountable barriers to the use of digital instrumentation and control technology in nuclear power plants. The committee also believes that a forward-looking regulatory process with good and ongoing regulator and industry communication and interaction will help. All participants must recognize that crisp, hard-edged criteria are particularly difficult to come by in this rapidly moving area, and good practices and engineering judgment will continue to be needed and relied upon. For the key technical issues (systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software) the committee provides specific recommendations and conclusions which include a number of specific criteria. These are listed in each chapter (see Chapters 3 through 8). But recognizing
the difficulty of defining specific criteria, and the need for the nuclear technology stakeholders, particularly the USNRC, to make the final decisions, the committee focused on (a) providing process guidance both in developing guidelines and in the short-term acceptance of the new technology, (b) identifying promising approaches to developing criteria and suggestions for avoiding dead ends, and (c) mechanisms for improving communication and strengthening technical infrastructure. For the key strategic issues (the case-by-case licensing procedure and adequacy of the technical infrastructure) the committee

+ Emphasizes guidance to implement a generically applicable framework for regulation that follows current USNRC practice and draws a distinction between major and minor safety modifications. The committee also provides guidance for the evolution and updating of this regulatory framework (see Chapter 9).
+ Identifies several improvements to the technical infrastructure and suggests specific research areas to upgrade the current USNRC capabilities that will support the needed regulatory program and the USNRC's research needs. The committee also suggests ways to strengthen the technical infrastructure to improve and maintain technical capabilities in this rapidly moving, technically challenging area.

The results of this process are set forth below, where the committee introduces each of the key issues (first the technical, then the strategic) with an "issue statement" developed during Phase 1 of the study. Following each issue statement are the conclusions and recommendations formulated by the committee during Phase 2 of the study.
Systems Aspects of Digital Instrumentation and Control Technology
Issue Statement: Along with opportunities and benefits, digital I&C systems introduce potential new failure modes that can affect operations and margins of safety. Therefore, digital I&C systems require rigorous treatment of the systems aspects of their design and implementation. What methods are needed to address this concern? How can the experience and best practices of the various technical communities involved in applying digital I&C technologies be best integrated and applied to nuclear power plants? What process can be put in place to update the methods and the experience base as new digital I&C technologies and equipment are introduced into the field?
Conclusion 1. Concerted effort is warranted by the USNRC and the nuclear industry to deal with the systems aspects of digital I&C in nuclear power plants.

Conclusion 2. The lack of substantial design and implementation of large digital I&C systems for U.S. nuclear power plants makes it difficult to use learning from experience as a basis for improving how the nuclear industry and the USNRC deal with systems aspects.

Conclusion 3. The USNRC's intent to upgrade the regulatory guidance in the systems aspects of digital I&C applications in nuclear power plants is entirely supported by the committee's observations about systems aspects.

Conclusion 4. Existing regulatory guidance lacks the specificity needed to be effective, and the revision should address this shortcoming.
Recommendation 1. ... existing and in progress. In particular, this review should focus on assessing whether or not the revised guidance documents have the necessary level of specificity to adequately address the systems aspects of nuclear plant digital I&C implementations.

Recommendation 2. The USNRC should identify and review systems aspects guidance documents provided in other industries, such as chemical processing and aerospace, where large-scale digital I&C systems are used. The focus of this review would be to compare the other guidance documents with those being developed by the USNRC, paying due attention to common problems and application-specific differences.

Recommendation 3. To obtain practical experience, the USNRC should form staff personnel exchange programs, on a reciprocal basis, with other agencies involved in regulating or overseeing large safety-critical digital I&C systems.

Recommendation 4. The USNRC should require continuing professional training for appropriate staff in technologies particularly germane to systems aspects, such as fault-tolerant, distributed systems.
Software Quality Assurance
Issue Statement: The use of software is a principal difference between digital and analog I&C systems. Quality of software is measured in terms of its ability to perform its intended functions. This, in turn, is traced to software specifications and compliance with these specifications. Neither of the classic approaches of (a) controlling the software development process or (b) verifying the end product appears to be fully satisfactory in assuring adequate quality of software, particularly for use with safety-critical systems. How can the USNRC and the nuclear industry define a generally accepted, technically sound solution to specifying, producing and controlling software needed in digital I&C systems?
Conclusion 1. Software quality assurance procedures typically monitor process compliance rather than product quality. In particular, there are no generally accepted evaluation criteria for safety-related software; rather, standards and guidelines help repeat best practices. Because the software qualities related to system safety, e.g., maintainability, correctness and security, cannot be measured directly, it must be assumed that a relationship exists between measurable variables and the qualities to be ensured. To deal with this situation care must be taken to validate such models, using past development activities, and to assure that the measurements being made are appropriate and accurate in assessing the desired software qualities.
Conclusion 2. Prior operating experience with particular software does not necessarily ensure reliability or safety of operation in a new application. Additional reviews, analyses, or testing by a utility or third-party dedicator may be necessary to reach an adequate level of assurance.

Conclusion 3. Testing must not be the sole quality assurance technique. In general it is not feasible to assure software correctness through exhaustive testing for most real, practical I&C systems.
Conclusion 4. USNRC staff reviews of the verification and validation process used during software development seem quite thorough.
Conclusion 5. Exposing software flaws, demonstrating reliable behavior of software, and finding unintended functionality and flaws in requirements are different concepts and should be addressed by a combination of techniques, including:

+ Systematic inspections of software and planned testing with representative inputs from different parts of the system's domain can help determine whether flaws exist in the software.
+ Functional tests can be chosen, with measures of test coverage, to expose errors in normal and boundary cases.
+ Testing based on large numbers of inputs randomly selected from the operational profile of a program can be used to assess the likelihood that software will fail under specific operating conditions.
+ Requirements inspections can be an effective method for detecting software defects, provided requirements are reviewed by several experienced people who did not participate in their construction. The effectiveness of these reviews also depends on the quality of the requirements.
+ A system-level hazard analysis can identify states that, combined with environmental conditions, can lead to accidents. The analysis should extend into software components to ensure that software does not contribute to system hazards.

Conclusion 6. The USNRC research programs related to software quality assurance appear to be skewed toward investigating code-level issues, e.g., coding in different languages to achieve diversity and program slicing to identify threads containing common code.

Conclusion 7. Rigorous configuration management must be used to assure that changes are designed and implemented as intended and that relationships between different software artifacts are maintained.
... (field programmable gate arrays). However, the committee believes that these technologies may be useful in addressing some configuration management problems.
Recommendation 1. Currently the USNRC's path is to develop regulatory guides to endorse a variety of industry standards. The USNRC should develop (with possible exceptions) its own guidelines for software quality assurance that focus on acceptance criteria rather than prescriptive solutions. The draft regulatory guide, Software in Protection and Control Systems, by Canada's Atomic Energy Control Board is an example of this type of approach. The USNRC guidelines should be subjected to a broad-based external peer review process including (a) the nuclear industry, (b) other safety-critical industries and (c) both the commercial and academic software communities.
Recommendation 2. Systems requirements should be written in a language with precise meaning so that general properties like consistency and completeness as well as application-specific properties can be analyzed. Cognizant personnel such as plant engineers, regulators, system architects and software developers should be able to understand the language.
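To make the recommendation concrete, the following is an added example (it is not from the report and not a USNRC or industry tool) of the kind of analysis a precisely stated requirements language permits. A handful of trip-logic requirements are written as guarded rules over Boolean plant signals, and the checker enumerates every input combination to find states no requirement covers (incompleteness) and states where two requirements demand different outputs (inconsistency). The signal names, the rules and the trip/hold outputs are all constructed for illustration; the first rule set deliberately contains one gap and one conflict, and the second shows a corrected set that passes.

```python
"""Added example (not from the NRC report): checking a small set of
precisely stated trip-logic requirements for completeness and consistency.

The signal names, the requirements and the trip/hold outputs are all
constructed for illustration and do not come from any plant or standard.
"""
from itertools import product

# Boolean input signals assumed by the constructed example.
SIGNALS = ("pressure_high", "temperature_high", "sensor_fault")

# A requirement is (name, guard, required_output). The guard maps a signal
# to the value it must have; signals not mentioned are "don't care".
# The output is "TRIP" (actuate the safety function) or "HOLD" (do not).
REQUIREMENTS = [
    ("R1", {"pressure_high": True}, "TRIP"),
    ("R2", {"temperature_high": True}, "TRIP"),
    ("R3", {"pressure_high": False, "temperature_high": False,
            "sensor_fault": False}, "HOLD"),
    # R4 says a faulted sensor inhibits the temperature trip; it silently
    # contradicts R2, and no rule covers "all clear but sensor faulted".
    ("R4", {"temperature_high": True, "sensor_fault": True}, "HOLD"),
]

# A corrected version: every guard is disjoint from every guard that demands
# a different output, and the guards together cover the whole input space.
CORRECTED = [
    ("R1", {"pressure_high": True}, "TRIP"),
    ("R2", {"pressure_high": False, "temperature_high": True,
            "sensor_fault": False}, "TRIP"),
    ("R3", {"pressure_high": False, "temperature_high": False,
            "sensor_fault": False}, "HOLD"),
    ("R4", {"pressure_high": False, "temperature_high": True,
            "sensor_fault": True}, "HOLD"),
    ("R5", {"pressure_high": False, "temperature_high": False,
            "sensor_fault": True}, "HOLD"),
]


def applies(guard, state):
    """True when every signal the guard mentions has the required value."""
    return all(state[s] == v for s, v in guard.items())


def analyze(requirements, signals):
    """Enumerate every combination of the Boolean signals and report
    - uncovered: states no requirement applies to (incompleteness)
    - conflicts: states where applicable requirements demand different
      outputs (inconsistency).
    Exhaustive enumeration is adequate for a handful of Boolean signals;
    a larger specification would need a SAT or BDD based checker."""
    uncovered, conflicts = [], []
    for values in product((False, True), repeat=len(signals)):
        state = dict(zip(signals, values))
        matched = [(name, out) for name, guard, out in requirements
                   if applies(guard, state)]
        if not matched:
            uncovered.append(state)
        elif len({out for _, out in matched}) > 1:
            conflicts.append((state, matched))
    return uncovered, conflicts


def report(requirements, signals):
    """Print the findings and return them for programmatic use."""
    uncovered, conflicts = analyze(requirements, signals)
    for state in uncovered:
        print("no requirement covers", state)
    for state, matched in conflicts:
        print("conflict in", state, "between", matched)
    if not uncovered and not conflicts:
        print("requirements are complete and consistent")
    return uncovered, conflicts


if __name__ == "__main__":
    report(REQUIREMENTS, SIGNALS)
    report(CORRECTED, SIGNALS)
```

Running the block reports one uncovered state (all signals normal except the sensor fault) and two conflicting states for the first rule set, and a clean result for the corrected one. The design point is that the checks depend only on the guards being machine-readable; the same table remains readable by a plant engineer or a regulator, which is what the recommendation asks of the language.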
Recommendation 3. USNRC research in the software quality assurance area should be balanced in emphasis between early phases of the software life cycle and code-level issues. Experience shows that the early phases contribute more frequently to the generation of software errors.

Recommendation 4. The USNRC should require a commensurate quality assurance process for ASICs, PLCs, and other similar technologies.
Common-Mode Software Failure Potential
Issue Statement: Digital technology introduces a possibility that common-mode software failures may cause redundant safety systems to fail in such a way that there is loss of safety function. Various procedures have been developed and evolved for evaluating common-mode failure potential in analog devices. Do these same procedures apply to computers and software, or are different approaches to ensuring reliability needed? What does software diversity mean? Can it be achieved and assessed and, if so, how? Do techniques exist for assessing common-cause failure and common-mode failure when computers are involved? What are the implications of common-mode software failure for the licensing process and the use of component diversity? Are redundancy and diversity the most effective way to achieve reliability for digital systems?
Conclusion 1. The USNRC position of assuming that common-mode software failure could occur is credible, conforms to engineering practice and should be retained.
Conclusion 2. The USNRC position with respect to diversity as stated in the draft branch technical position, Digital Instrumentation and Control Systems in Advanced Plants, and its counterpart for existing plants is appropriate.

Conclusion 3. The USNRC guidelines on assessing whether adequate diversity exists need to be reconsidered. With regard to these guidelines: (a) The committee agrees that providing digital systems (components) that perform different functions is a potentially effective means of achieving diversity. Analysis of software functional diversity, showing that independence is maintained at the system level and that no new failure modes have been introduced by the use of digital technology, is no different from that for upgrades or designs that include analog instrumentation. (b) The committee considers that the use of different hardware or real-time operating systems is potentially effective in achieving diversity, provided functional diversity has been demonstrated. With regard to real-time operating systems, this applies only to operating systems developed by different companies or shown to be functionally diverse. (c) The committee does not agree that use of different programming languages, different design approaches meeting the same functional requirements, different design teams, or different vendors' equipment used to perform the same function is likely to be effective in achieving diversity. Thus, none of these methods is a proof of independence of failures. Conversely, neither is the presence of these a proof of dependence of failures.
Conclusion 4. There appears to be no generally applicable, effective way to evaluate diversity between two pieces of software performing the same function. Superficial (syntactic) differences do not imply failure independence, nor does the use of different algorithms to achieve the same functions. Therefore, funding research on how to evaluate design diversity does not appear to be a reasonable use of USNRC research funds.
Conclusion 5. Although many in the software community believe that there are more cost-effective techniques for achieving high software reliability than redundancy and diversity, there is no agreement as to what these alternatives may be. The most promising of these appear to be the extension of standard safety analysis and design techniques to software and the use of formal (mathematical) analysis.

Conclusion 6. The use of self-checking to detect hardware failures and some types of software errors is effective and should be incorporated. However, care must be taken to ensure that the self-checking features themselves do not introduce
Recommendation 1. The USNRC should retain its position of assuming that common-mode software failure is credible.

Recommendation 2. ... Digital Instrumentation and Control Systems in Advanced Plants (see Chapter 5) and its counterpart for existing plants.
Recommendation 3. The USNRC should revise its guidelines on assessing whether adequate diversity exists. The USNRC should not place reliance on different programming languages, different design approaches meeting the same functional requirements, different design teams, or different vendors' equipment ("surrogate diversity"). Rather, the USNRC should emphasize potentially more robust techniques such as the use of functional diversity, different hardware, and different real-time operating systems.
Recommendation 4. The USNRC should reconsider the use of research funding on how to establish diversity between two pieces of software performing the same function. This does not appear to be possible. Specifically, it appears the USNRC funding of the Unravel tool is based on the use of this tool for this purpose and, as such, is unlikely to be useful.
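The conclusions above (common-mode failure is credible; surrogate diversity is no proof of independence; redundancy alone is not the answer) can be seen numerically with a beta-factor common-cause model, the standard PRA device in which a fraction beta of each channel's failure probability is taken to be a shared failure that defeats every identical channel at once. The following is an added example written for this page, not code from the report or from any USNRC analysis; the per-channel failure probability, the beta values and the voting arrangements are constructed inputs. It shows that once beta is non-zero the system result sits on a floor of roughly beta times p that no number of additional identical channels lowers, and that beta is exactly the quantity which different languages or design teams give no way to bound.

```python
"""Added example (not from the NRC report): a beta-factor common-cause model
applied to a k-out-of-n voting digital trip system.

The per-channel failure probability p, the common-cause fractions beta and
the voting arrangements are constructed inputs for illustration only.
"""
from math import comb


def at_least_m_fail(p, m, n):
    """Probability that at least m of n channels fail, when each channel
    fails independently with probability p per demand."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j)
               for j in range(m, n + 1))


def system_fail(p, beta, k=2, n=3):
    """Beta-factor model for a k-out-of-n trip system.

    k of n channels must signal for the trip to occur, so the function is
    lost on demand when n - k + 1 or more channels fail. A fraction beta of
    each channel's failure probability is a common-cause failure (for
    software, the shared flaw every identical channel carries) that fails
    all n channels together; the remaining (1 - beta) * p is independent.
    """
    common = beta * p
    independent = (1 - beta) * p
    lost = at_least_m_fail(independent, n - k + 1, n)
    return common + (1 - common) * lost


def sensitivity(p, betas, k=2, n=3):
    """System failure probability for each beta, as a sensitivity table."""
    return [(beta, system_fail(p, beta, k, n)) for beta in betas]


def extra_channel_benefit(p, beta, k=2):
    """Ratio of 2oo3 to 2oo5 failure probability: how much two more
    identical channels buy at a given beta."""
    return system_fail(p, beta, k, 3) / system_fail(p, beta, k, 5)


if __name__ == "__main__":
    p = 1e-3  # constructed per-channel failure probability per demand
    print("beta    2oo3 fail/demand   floor beta*p   gain from 2 more channels")
    for beta, pf in sensitivity(p, (0.0, 0.01, 0.05, 0.1, 0.2)):
        print(f"{beta:<7} {pf:.3e}         {beta * p:.3e}      "
              f"{extra_channel_benefit(p, beta):.1f}x")
```

With beta set to zero the 2oo3 arrangement fails at about 3p squared and two more channels improve it by five orders of magnitude; with beta at 0.1 both arrangements sit at about 1e-4 and the extra channels gain almost nothing. Functional diversity or different hardware and operating systems act on beta itself, which is why the recommendations direct attention there rather than to surrogate diversity.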
Safety and Reliability Assessment Methods
Issue Statement: Effective, efficient methods to assess the safety and reliability of digital I&C systems in nuclear power plants are needed. These methods are needed to help avoid potentially unsafe or unreliable applications and to aid in identifying and accepting safety-enhancing and reliability-enhancing applications. What methods should be used for making these safety and reliability assessments of digital I&C systems?
Conclusion 1. Deterministic assessment methodologies, including design basis accident analysis, hazard analysis, and other formal analysis procedures, are applicable to digital systems.

Conclusion 2. There is controversy within the software engineering community as to whether an accurate failure probability can be assessed for software, or even whether software fails randomly (see Chapter 6). However, the committee agreed that software failure probability can be used for the purposes of performing probabilistic risk assessment (PRA) in order to determine the relative influence of digital system failure on the overall system. Explicitly including software failures in a PRA for a nuclear power plant is preferable to the alternative of ignoring software failures.
Conclusion 3. The assignment of probabilities of failure for software (and more generally for digital systems) is not substantially different from the handling of many of the probabilities for rare events. A good software quality assurance methodology is a prerequisite to providing a basis for the generation of bounded estimates for software failure probabilities in the PRA. Uncertainty and sensitivity analysis can help the analyst assure that the results are not unduly dependent on parameters that are uncertain. As in other PRA computations, bounded estimates for software failure probabilities can be obtained by processes that include valid random testing and expert judgment.
Conclusion 4. Probabilistic analysis is theoretically applicable in the same manner to commercial off-the-shelf (COTS) equipment, but the practical application may be difficult. The difficulty arises when attempting to use field experience to assess failure probability, in that the experience may or may not be equivalent. For programmable devices the software failure probability may be unique for each application. However, results of rigorous tests may still be applicable to bounding the failure probability, as with custom systems. A long history of successful field experience may be useful in eliciting expert judgment.
Recommendation 1. The USNRC should require that the relative influence of software failure on system reliability be included in PRAs for systems that include digital components.

Recommendation 2. The USNRC should strive to develop methods for estimating the failure probabilities of digital systems, including COTS, for use in probabilistic risk assessment. These methods should include acceptance criteria, guidelines and limitations for use, and any needed rationale and justification.

Recommendation 3. The USNRC and industry should evaluate the capabilities and develop a sufficient level of expertise to understand the requirements for gaining confidence in digital implementations of system functions and the limitations of quantitative assessment.

Recommendation 4. The USNRC should consider support of programs that are aimed at developing advanced techniques for analysis of digital systems that might be used to increase confidence and reduce uncertainty in quantitative
Conclusion 2. The methodology and approach adopted by the USNRC for reviewing human factors and human-machine interfaces provides an initial and acceptable first step in review. Existing USNRC procedures for both the design product and process are consistent with those of other industries. The guidelines are based on those available in the literature or developed by specific industries. The methodology for reviewing the design process is based on sound systems engineering principles consistent with the validation and verification of effective human factors.
Conclusion 3. Adequate design must go beyond guidelines. The discussion in NUREG-0711 on advanced technology and human performance, and the design principles set out in Appendix A of NUREG-0700 Rev. 1, provide a framework in which the nuclear industry can specify, prototype, and evaluate a proposed design. Demonstration that a design adheres to general principles of good human-system integration and takes into account known characteristics of human performance provides a viable framework in which implementation of somewhat intangible, but important, concepts can be assessed.
Conclusion 4. There is a wide range in the type and magnitude of the digital upgrades that can be made to safety and safety-related systems. It is important for the magnitude of the human factors review and evaluation to be commensurate with the magnitude of the change. Any change, however, that affects what information the operator sees or the system's response to a control input must be empirically evaluated to ensure that the new design does not compromise human-system interaction effectiveness.
Conclusion 5. The USNRC is not sufficiently active in the public human factors forum. For example, proposed human factors procedures and policies or sponsored research such as NUREG-0700 Rev. 1 are not regularly presented to and reviewed by the more general national and international human factors communities, including such organizations as the U.S. Human Factors and Ergonomics Society, the Institute of Electrical and Electronics Engineers (IEEE) Society on Systems, Man, and Cybernetics, and the Association for Computing Machinery Special Interest Group on Computer-Human Interaction. European nuclear human factors researchers have used nuclear power plant human factors research to further a better understanding of human performance issues in both nuclear power plants and other safety-critical industries. Other safety-critical U.S. industries, such as space, aviation, and defense, participate actively, benefiting from the review and experience of others.
Recommendation 1. The USNRC should continue to use, where appropriate, review guidelines for both the design product and process. Care should be taken to update these guidelines as knowledge and conventional wisdom evolve in both nuclear and nonnuclear applications.
Recommendation 2. The USNRC should ensure that its reviews are not limited to guidelines or checklists. Designs should be assessed with respect to (a) the operator models that underlie them, (b) the way in which the designs address classic human-system interaction design problems, and (c) performance evaluations. Moreover, evaluations must involve representative tasks, actual system dynamics, and real operators.
Recommendation 3. The USNRC should expand its review criteria to include a catalog or listing of classic human-machine interaction deficiencies that occur in many safety-critical applications. Understanding the problems and proposed solutions in other industries is a cost-effective way to avoid repeating the mistakes of others as digital technology is introduced into safety and safety-related nuclear systems.
Recommendation 4. Complementing Recommendation 2, although human factors review should be undertaken systematically in a performance-based manner with realistic conditions and operators, the magnitude and range of the review should be commensurate with the nature and magnitude of the digital change.
Recommendation 5. The USNRC and the nuclear industry at large should regularly participate in the public forum. As noted in NUREG-0711, advanced human interface technologies potentially introduce many new and as yet unresolved human factors issues. It is critical that the USNRC stay abreast of current research and best practices in other industries and contribute findings from its own applications to the research and practitioner communities at large, for both review and education. (See also the Technical Infrastructure chapter for additional discussion.)
Recommendation 6. The USNRC should encourage researchers with the Halden Reactor Project to actively participate in the international research forum, both to share their results and to learn from the efforts of others.
Recommendation 7. As funds are available, the USNRC's Office of Nuclear Regulatory Research should support research exploring higher-level attributes of human-system integration, control, and automation. Such research should include exploration, specifically for nuclear power plant applications, of design methods such as operator models for more effectively specifying a design. Moreover, extensive field studies should be conducted to identify nuclear-specific technology problems and to compare and contrast the experiences in nuclear applications with those of other safety-critical industries. Such research will document the areas of recurring deficiencies and potentially link them to proposed solutions.
... simulators of significant portions of control rooms. Other industries make extensive use of workstation-based part-task simulators (e.g., aviation); results are found to apply quite well to the systems as a whole.
Dedication of Commercial Off-the-Shelf Hardware and Software
Issue Statement: What methods should be applied and used by the regulators and the licensees to evaluate and accept the use of commercial off-the-shelf digital I&C systems in safety applications in nuclear power plants?
Conclusion 1. Use of COTS hardware and software is an attractive possibility for the nuclear industry, provided that a technically adequate dedication process can be formulated and that this process does not negate the cost advantages of COTS.
Conclusion 2. The recently developed draft guideline of the Electric Power Research Institute (EPRI) working group, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, appears to have potential as the basis for reaching industry and USNRC consensus on the COTS issue. In view of this possibility, the committee notes that the guideline and the follow-on specific guidance should assure that the necessary attributes of a suitable digital I&C application are defined for both hardware and software. Once these attributes are well defined, various acceptable methods of assessing them can be more readily ascertained and used, and the requisite experience gained. As an example of the type of approach that is appropriate, the EPRI working group and the USNRC staff should consider the FAA's DO-178B guideline for civil aircraft software, Software Considerations in Airborne Systems and Equipment Certification.
Conclusion 3. Software quality assurance, analysis, and testing issues are equally relevant to COTS. The committee's conclusions in Chapters 4 and 6, respectively, on these issues should be considered. Dedication processes for COTS should also prove relevant in cases where application software is reused among several plant applications.
Conclusion 4. The USNRC involvement in the EPRI, Nuclear Utilities Software Management Group (NUSMG), IEEE, and International Society for Measurement and Control (ISA) working groups is very beneficial and should assist the USNRC in developing specific guidance to address the COTS issue.
Conclusion 5. The approach to COTS must apply criteria and verification activities commensurate with the safety significance and complexity of a specific application. For example, the level of verification applied to small, isolated element replacements would be less than that applied to larger replacements of reactor protection systems.
Recommendation 1. The USNRC staff should assure that their involvement in the EPRI, NUSMG, IEEE, and ISA working groups means that USNRC concerns and positions are being addressed, so that any standards or guidance developed by these groups can be quickly accepted and endorsed by the USNRC.
Recommendation 2. The USNRC should establish what research is needed to support USNRC acceptance of COTS in safety applications in nuclear plants. This research should then be incorporated into the overall research plan.
Recommendation 3. The USNRC regulatory guidance on the use of COTS should recognize and be based on the principle that criteria and verification activities are to be commensurate with the safety significance and complexity of the specific application.
Case-by-Case Licensing Process
Issue Statement: What changes should be considered in the regulatory process to provide more efficient and effective regulation of digital I&C systems in nuclear power plants? How can sufficient flexibility be incorporated to address the rapidly changing nature of digital I&C technology and better match the time response of the regulatory process to the technology it controls? How can the regulatory process be made more efficient while maintaining technical integrity?
Conclusion 1. As a general observation, the role of the regulator in overseeing the implementation of digital upgrades can be a valuable and important one. Particularly in an area such as digital I&C systems, where the state of the art evolves rapidly and where first-of-a-kind nuclear applications are contemplated, the oversight role of the regulator can bring valuable insight to the implementation of such upgrades. Indeed, the committee found several specific examples of this happening.
Conclusion 2. Nevertheless, the committee found that the regulatory response to the development and implementation of digital I&C upgrades at nuclear plants has proceeded in a manner that has resulted in some degree of confusion and uncertainty within the licensee community with regard to the applicable regulatory requirements and the procedural framework for implementing such upgrades. This uncertainty and the resultant incremental cost have been a major contributor to the reluctance on the part of utilities to proceed with digital upgrades.
Conclusion 3. ... with safety-related digital upgrades gained over recent years, and supplemented by the extensive experience in other industries, to enable the agency to establish a more coherent, generally applicable regulatory regime that would govern the review and approval of such upgrades.
Conclusion 4. The process established in 10 CFR 50.59, wherein the agency has defined those circumstances where a licensee may make a modification without prior USNRC review and approval, is fundamentally sound, necessary, and consistent with the USNRC's responsibility to protect the public health and safety. In particular, it recognizes the practical necessity for licensees to make facility modifications consistent with their facility licensing basis, without the need for prior USNRC review and approval. Moreover, the process appropriately reflects the gradation of significance in changes that might be made in a nuclear plant and the USNRC's attendant role based upon these gradations. In this regard, the committee strongly believes that it is important for the USNRC to distinguish between digital upgrades that are significant (i.e., pose unreviewed safety questions) and those that are not, and to tailor the scope and depth of the regulatory review in a manner that is commensurate with this gradation.
Conclusion 5. The committee believes that defining all safety-related digital upgrades as resulting in an unreviewed safety question, as stated in the USNRC's draft generic letter of August 1992, is contrary to both the letter and the spirit of 10 CFR 50.59.
Conclusion 6. The agency has no formal process for cataloguing determinations made under 10 CFR 50.59 with respect to digital upgrades and the bases for these determinations. Such information would assist both the USNRC and the licensees in determining whether particular upgrades pose unreviewed safety questions.
Conclusion 7. Early interaction between a licensee or applicant and the USNRC can be extremely helpful in identifying and fleshing out important issues. Where this proactive interaction has occurred, the committee found that the subsequent regulatory review was more efficient and focused, minimizing resources that would otherwise be required on the part of both the licensee and the USNRC.
Recommendation 1. The USNRC should place a high priority on its effort to develop a generally applicable framework for the review and evaluation of digital I&C upgrades for operating reactors.
Recommendation 2. In view of the rapid evolution of digital technology, a process should be established to ensure that the regulatory framework is updated to stay abreast of developments. To ensure that this framework takes into account the best practices in other safety-critical industries, external and public review is highly desirable.
Recommendation 3. The USNRC should consider additional ways in which the guideline development process can be accelerated and streamlined. For example, consideration could be given to establishing chartered task groups involving representatives from the USNRC, the industry, and academia. These groups would be tasked and managed on a project basis to investigate and resolve unreviewed issues of possible safety significance that arise in the development and use of digital systems.
Recommendation 4. In developing its regulatory requirements, the USNRC should ensure that where issues arise that are unique to digital systems, they are treated appropriately. On the other hand, where issues arise with regard to digital upgrades that are no different from issues posed by analog systems, such issues should be treated consistently. The opportunity (or obligation) for the USNRC to review and approve digital upgrades should not be seen as an opportunity to impose new requirements on existing licensees unless the issue is unique to the application proposed.
Recommendation 5. In view of the substantial benefits of early interaction with individual licensees considering digital upgrades, as well as the benefit of working closely with industry groups and other interested members of the public in the development of standards and guidelines, the USNRC should undertake proactive efforts to interact early and frequently with individual licensees and with industry groups and other interested members of the public. In addition, it would be of benefit for the USNRC to be familiar with the broader evolving applications of digital I&C systems in both nuclear and nonnuclear applications. This, in turn, will provide a foundation for a cooperative working relationship.
Recommendation 6. The USNRC should revisit the "systems level" issue addressed in Generic Letter 95-02 and EPRI Report TR-102348 to ensure that this position is consistent with the historic interpretation of 10 CFR 50.59. The committee strongly endorses maintaining and formalizing the distinction between major and minor safety system upgrades containing digital technology.
Recommendation 7. The USNRC should establish a process for cataloguing 50.59 evaluations of digital upgrades at some centralized site, so that utilities considering such upgrades can review and consider prior determinations regarding when a particular modification has, in past 50.59 determinations, been found to result in an unreviewed safety question.
Adequacy of Technical Infrastructure
... maintains its effectiveness in the face of rapidly evolving and developing technology and generally declining budgets?
Conclusion 1. The USNRC should make changes in its staffing, training, and research program to support its regulation of digital I&C technology in nuclear power plants. Specific recommendations are provided below.
Conclusion 2. The issue of adequate technical infrastructure is applicable not only to the USNRC but also to the nuclear industry as a whole. Many of the committee's recommendations for the USNRC have parallel applications to the nuclear industry.
Conclusion 3. The USNRC must anticipate that the regulatory technical infrastructure will continue to be challenged by advancing digital I&C technology. The focus of the near-term licensing effort will be on digital upgrades and certification of the advanced plants. The USNRC will have to continue to expand its technical infrastructure as use of digital technology expands and its sophistication increases.
Conclusion 4. There are problems inherent in the historical process for developing standards and industry guidelines, particularly those applied to the rapidly advancing digital technology. Pending development of alternate approaches, early involvement by the USNRC in developing standards and industry guidelines will foster more timely availability of regulatory guidance and acceptance criteria.
Conclusion 5. A strategic plan is needed for the USNRC research program on digital I&C applications. The current research program is a disjointed collection of studies lacking an underlying strategy and, in some specific cases, pursuing topics of questionable worth. The staff structure of the USNRC, which separates the staff of the Office of Nuclear Reactor Regulation (NRR) from the staff of the Office of Nuclear Regulatory Research (RES) and mandates that the RES staff respond to NRR "user needs," may be an obstacle to development of a coherent plan that balances near-term regulatory decision making and long-term research into problems on the horizon. Periodic outside review of the USNRC research program could help assure that the right issues are being addressed and could also lead to areas of collaborative research. The committee is aware of, and notes favorably, the impact of the existing Nuclear Safety Research Review Committee. However, a more formal outside review would be useful. Perhaps this could be done on an exchange basis with other agencies to reduce resource demands.
Recommendation 1. Despite difficulties posed by declining budgets and staffing levels in the face of rapidly moving technology and significant other industry activity, the USNRC must explore ways to improve the efficiency of the review process with existing staff and resources.
Recommendation 2. The USNRC should define a set of minimal and continuing training needs for existing and recruited staff. Particular attention should be paid to software quality assurance experts. Once defined, the USNRC training program should be subjected to appropriate external review. Certification of USNRC expertise levels is one possibility the USNRC may wish to consider.
Recommendation 3. Consistent with Conclusion 5 above, the USNRC should develop a strategic plan for the research program conducted by the RES and NRR offices. The plan should emphasize balancing near-term regulatory needs and long-term anticipatory research needs, and should include alternate means of leveraging available resources to accomplish its research objectives. It should reach out more effectively to relevant technical communities (e.g., by the establishment of research simulators for human factors research), to the Electric Power Research Institute, to the Department of Energy, to foreign nuclear organizations, and to other safety-critical industries dealing with digital I&C issues. In making this recommendation, the committee recognizes that the Halden Reactor Project provides an example of such cooperative research; but much of the Halden work cannot be published widely and therefore lacks the benefit of rigorous peer review.
Recommendation 4. Because research in the digital I&C area may require a longer time frame than that of single fiscal years, the USNRC should give consideration to planning and arranging funding on a multiyear basis.
Recommendation 5. Consistent with Conclusion 4 above, the USNRC should consider ways to accelerate preparation and updating of needed standards and guidance documents. In particular, the USNRC should consider using chartered task groups (see Recommendation 3 pertaining to the case-by-case licensing process).
The committee has presented what it believes to be a pragmatic approach for meeting the challenge. One key obstacle is overcoming impediments to communication. There are a number of ways to address the communication difficulty. Some are already being pursued; some need to be initiated. The committee particularly emphasizes the following:
+ ... of the regulatory concerns and the appropriate acceptance criteria that are valid at any point in time
+ the need to tune up the regulatory mechanisms that are employed when an advanced technology, like digital I&C, has temporarily outpaced the regulations
Turning to those issues more specifically related to digital technology, the committee emphasizes the following:
+ The use of digital I&C technology does not obviate the standard methods for safety assessment of nuclear power plants.
+ Digital I&C systems (and digital systems in general) should not be addressed only in terms of hardware or software.
+ Most practical digital I&C systems cannot be exhaustively tested and therefore cannot be shown to be free from any and all errors.
Introduction
Role of Instrumentation and Control in Nuclear Power Plants
Nuclear power plants rely on instrumentation and control (I&C) systems for monitoring, control, and protection. The grouping of I&C systems according to these three types of functions (monitoring, control, and protection) is discussed in some detail below. There is, however, another division of I&C systems into two categories called within the nuclear industry "nonsafety" and "safety." The nonsafety systems are used by the operators to monitor and control the normal operation of the plant, including startup and shutdown, and to mitigate and prevent plant operational transients. These nonsafety systems are backed up by a set of independent (noninteracting), redundant safety systems that are designed to take automatic action to prevent and mitigate accident conditions if the operators and the nonsafety systems fail to maintain the plant within normal operating conditions. Thus, to some extent (but not entirely), nonsafety systems coincide with monitoring and control systems, and safety systems with protection systems. This is discussed further below.
The two categories of systems, safety and nonsafety, are thought of as being consistent with and part of the defense-in-depth approach to safety. The distinction between them is important since essentially only the safety systems are "credited" (i.e., relied upon by the industry and the U.S. Nuclear Regulatory Commission [USNRC] as a basis for making judgments about safety) in the formal safety analysis of the plant. The safety systems are thus of particular concern in the USNRC's licensing procedures, whereas very few of the nonsafety systems fall under the same rigorous regulatory control. Before proceeding to further discussion of safety systems, however, it is in order to describe the three types of I&C systems in nuclear power plants.
Types of Instrumentation and Control Systems
In a nuclear power plant the I&C systems, irrespective of whether they are analog or digital technology, are generally grouped into three types: plant monitoring and display systems, plant control systems, and plant protection and mitigation systems.
Plant Monitoring and Display Systems
Plant monitoring and display systems monitor plant variables and provide data to other I&C systems and to the plant operators for use in controlling the operation of the plant. Typical examples include systems that monitor and display the status of the fire protection system, fluid temperatures, and pressures. These systems also normally provide visual and audible alarms at various control stations, particularly the main control room, that notify operators of particular values requiring action by the operator to avert early indications of potential or actual problems or emergencies. Usually there are formal procedures the operators follow when such an alarm or notification occurs, with the alarm setpoint and required response time coordinated to give the operator adequate time to take action. Typically the response times are on the order of tens of minutes; if the available time is less, an automated response is provided.
Plant Control Systems
... prevent single failures or anticipated events from escalating to plant shutdowns, trips, or accidents endangering plant equipment, personnel, and the public. Typical examples include feedwater and steam control systems, turbine-generator controls, and the multitude of systems used to control the many circuit breakers, pumps, and valves throughout the plant.
Plant Protection and Mitigation Systems
Plant protection and mitigation systems are an additional, separate layer of systems that monitor the plant variables. If they detect that the above-described plant monitoring and control systems have not kept the plant within a predefined set of conditions, they take action automatically to rapidly shut down the plant ("trip" and "scram" are terms that accurately convey the nature of the response) and start any other needed systems to mitigate the detected problem and place the plant in a safe state. These protection and mitigation systems have a number of important characteristics:
(a) They are physically separate systems that generally do not share hardware and software with the plant operating and control systems. (Some limited amounts of equipment, such as sensors, may be shared provided safety qualification requirements are met.) This extends to and includes the equipment's needed auxiliary systems such as heating, ventilation, and air conditioning; electrical or hydraulic power supplies; and cooling water systems.
(b) They are environmentally qualified for the harshest anticipated operating and accident conditions, including highly unusual events such as large earthquakes and tornadoes.
(c) When called upon to act, they go to completion of their intended function.
(d) The protection and mitigation systems do not control or modulate the operation of the systems they act upon. They shut down the reactor, trip the turbine generator, start needed cooling water systems, and go to preset operating conditions that are safe for the plant to maintain for extended periods.
In addition, (e) they are designed to be single-failure proof. That is, no single failure at the component or system level (i.e., one failure internal to the protection and mitigation systems, in addition to the initiating event failure and any direct consequence) or single operator error can prevent them from successfully operating. As a result, they use redundancy. That is, there are typically multiple, separate, parallel sets of equipment and systems to carry out the same function. In the I&C system in particular, this redundancy is usually provided by having four parallel channels that actuate the systems if needed. The four parallel channels are fed to a logic system that requires any two valid signals to cause actuation. This logic assures that no single failure will prevent or cause the drastic actions taken by these systems. It also allows complete (sensor-to-actuator) testing of one channel at a time while the plant is at power, without causing or inhibiting the protection and mitigation function.
In addition to being single-failure proof, (f) the protection and mitigation systems have other features to enhance their reliability and increase their effectiveness against hazards. For example, two reactor shutdown mechanisms are provided: insertion of control rods and injection of soluble neutron poison. Also, for any given accident, two or more different actuation signals will be generated and sent to the protection and mitigation system. (For example, a loss-of-flow accident through the reactor will be detected by both a high reactor outlet temperature signal and a high pressure signal.) This type of redundancy provides protection against certain classes of common-mode failures, that is, failures in which a single error or problem disables multiple independent safety functions. (Redundancy is discussed further in Chapter 5.) It is important to note that the requirements of nuclear plant I&C systems, including the protection and mitigation systems, are well within the capabilities of current I&C technology, analog or digital. In terms of response time and accuracy (for example), the nuclear plant I&C requirements are relatively modest.
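The following is an added example, not code from the report or from any plant vendor, that models the protection-logic characteristics described in (e) and (f) above: four parallel channels per trip parameter, actuation on any two valid trip votes, one channel bypassable for at-power sensor-to-actuator testing, and diverse parameters that each independently demand a trip. The channel names, setpoints, the high-trip direction, and the convention that a channel in test is excluded from the vote are assumptions made for illustration; it also checks that only one channel is bypassed at a time, since 2-of-4 logic with two channels removed degrades to 2-of-2 and would no longer tolerate a further single failure.

```python
"""Two-out-of-four coincidence voting with diverse trip parameters.

Added example, not from the report. Channel names, setpoints, the high-trip
direction and the "bypass excludes the channel from the vote" convention are
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Channel:
    name: str
    value: float            # value delivered to the logic; a failed sensor still delivers one
    in_test: bool = False   # True while bypassed for sensor-to-actuator testing


@dataclass(frozen=True)
class TripParameter:
    name: str
    setpoint: float         # trip when value > setpoint (high trip, assumed here)
    channels: Sequence[Channel]


def make_channels(values: Sequence[float], test_index: Optional[int] = None) -> List[Channel]:
    """Build a four-channel set; test_index marks the one channel bypassed for testing."""
    return [Channel(f"ch{i + 1}", v, in_test=(i == test_index)) for i, v in enumerate(values)]


def voting_channels(channels: Sequence[Channel]) -> List[Channel]:
    """Channels that take part in the vote. A bypassed channel is excluded.

    Only one channel may be in test at a time: with two excluded, 2-of-4 logic
    degrades to 2-of-2, and a single further failure could then block actuation,
    which violates the single-failure criterion.
    """
    bypassed = [c.name for c in channels if c.in_test]
    if len(bypassed) > 1:
        raise ValueError(f"only one channel may be bypassed for test, found {bypassed}")
    return [c for c in channels if not c.in_test]


def two_out_of_four(param: TripParameter, coincidence: int = 2) -> bool:
    """Actuate when at least `coincidence` non-bypassed channels vote to trip."""
    active = voting_channels(param.channels)
    trip_votes = sum(1 for c in active if c.value > param.setpoint)
    return trip_votes >= coincidence


def protection_demand(params: Sequence[TripParameter]) -> Tuple[bool, Dict[str, bool]]:
    """Diverse actuation: a valid 2-of-4 demand on any one parameter trips the plant."""
    per_param = {p.name: two_out_of_four(p) for p in params}
    return any(per_param.values()), per_param


if __name__ == "__main__":
    # Constructed scenarios: a single failure neither causes nor blocks actuation.
    normal = TripParameter("outlet_temperature", 620.0, make_channels([600, 601, 599, 600]))
    one_failed_high = TripParameter("outlet_temperature", 620.0, make_channels([600, 1000, 599, 600]))
    event_one_failed_low = TripParameter("outlet_temperature", 620.0, make_channels([650, 0, 651, 649]))
    print("normal:", two_out_of_four(normal))                                      # False
    print("one channel failed high:", two_out_of_four(one_failed_high))            # False
    print("event, one channel failed low:", two_out_of_four(event_one_failed_low))  # True
    # Channel 2 under test with an injected high signal: excluded, so no spurious trip;
    # a real event on the other three channels still trips (2-of-3 among them).
    test_injection = TripParameter("outlet_temperature", 620.0,
                                   make_channels([600, 1000, 599, 600], test_index=1))
    event_during_test = TripParameter("outlet_temperature", 620.0,
                                      make_channels([650, 600, 651, 649], test_index=1))
    print("test signal on bypassed channel:", two_out_of_four(test_injection))  # False
    print("event during test:", two_out_of_four(event_during_test))            # True
    # Diverse parameters: a loss of flow is still seen on outlet temperature even if
    # every pressure channel is stuck (a common-mode failure confined to one parameter).
    loss_of_flow = [
        TripParameter("outlet_temperature", 620.0, make_channels([660, 655, 658, 661])),
        TripParameter("pressure", 160.0, make_channels([150, 150, 150, 150])),
    ]
    print("loss of flow:", protection_demand(loss_of_flow))  # (True, {...})
```

The scenarios in the main block walk through the single-failure argument: a channel failed high contributes one vote and cannot reach the two-vote coincidence, a channel failed low still leaves three valid votes, and a test signal injected on the bypassed channel never reaches the vote at all.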
Safety Systems
The USNRC's safety evaluation of nuclear power plants primarily addresses the protection and mitigation systems. The monitoring and control systems are usually not given credit (see the brief discussion of "credit" above) in the hazard and safety analyses of the plants. However, upsets or failures in the monitoring and control systems are usually considered the initiating events for the protection and mitigation systems and, as a result, the USNRC can impose requirements on the monitoring and control systems as well. The monitoring and control systems are also analyzed explicitly in the probabilistic risk assessment (PRA) of each plant to assess how well the plant does in comparison to the USNRC safety goals for nuclear plants. In general, however, the USNRC and the licensing applicant define a set of "safety systems" for each plant, largely comprised of the protection and mitigation systems. It is these safety systems that are subject to the most rigorous licensing and regulatory controls. This is an important distinction because a substantial effort is required to design, qualify, install, test, and ...
Operating Conditions for Instrumentation and Control Systems
Nuclear power plant design includes specific consideration of a variety of plant operating conditions. Steady-state, transient, and accident conditions are covered by the regulatory requirements; these requirements specify the conditions under which, and the criteria by which, the transients and accidents must be analyzed. These analyses, in turn, specify operational requirements the plant equipment and systems must satisfy. For the I&C systems these specifications include both instrument characteristics (such as input and output range, response time, and accuracy) and the environmental conditions (e.g., temperature, humidity, radiation effects, power supply fluctuations) under which the I&C equipment is required to operate.
Except for the sensors, I&C systems have been specially placed in protected areas so that the environmental conditions they are exposed to are generally rather mild, akin to an "office environment." But the I&C systems must also operate in the environments and under the conditions that lead to a transient or accident condition and that develop in the plant as a transient or accident progresses. Because accident conditions typically create a wider and harsher range of operating environments, and because I&C equipment and systems must survive and function in such environments, the equipment and systems must be qualified, usually by test. In general, this harsher operating environment exists only at the sensors and in most of the signal transmission network; the other components are in relatively well protected (shielded) rooms and benign environments. Most sensors currently employ analog technology. If digital sensors are used, they will have to be designed and tested to show they can withstand these harsher environments.
TRANSITION FROM ANALOG TO DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS
Background
During their extensive service history, analog I&C systems have performed their intended monitoring and control functions satisfactorily. Although there have been some design problems (such as inaccurate design specifications and susceptibility to certain environmental conditions), the primary concern with the extended use of analog systems is the effects of aging, e.g., mechanical failures, environmental degradation, and obsolescence. The industrial base has largely moved to digital-based systems, and vendors are gradually discontinuing support and stocking of needed analog spare parts.
Some uses of digital technology in U.S. nuclear power plants go back more than two decades. These early applications were limited but included safety-related applications such as core protection calculators. In the early 1980s the electronics industry began rapidly shifting to microprocessor-based digital technology. Early implementations of this technology in nuclear plants were successful in reducing unintended plant shutdowns (trips) and maintenance burdens. This success spurred increased interest and adoption and provided a training ground for gaining proficiency and confidence in using digital equipment. At the same time, a number of vendors of instrumentation and control began to reduce their support of analog equipment, which in turn gave additional practical impetus to the use of digital systems.
The nuclear industry has not been alone. Many other safety-critical industries extensively utilize digital systems. These include aviation and space, chemical and petroleum processing, railways, defense, and medical applications. These industries face safety issues similar to those faced by the nuclear industry.
The reason for the transition to digital I&C systems lies in their important advantages over existing analog systems. Digital electronics are essentially free of the drift that afflicts analog electronics, so they maintain their calibration better. They have improved system performance in terms of accuracy and computational capabilities. They have higher data handling and storage capacities, so operating conditions can be more fully measured and displayed. Properly designed, they can be easier to use and more flexible in application. They are more widely available. Indeed, digital systems have the potential for improved capabilities (e.g., fault tolerance, self-testing, signal validation, process system diagnostics) that could form the basis for entirely new approaches to achieving the required reliability. Because of such potential advantages, and because of the general shift to digital systems and waning vendor support for analog systems, the U.S. nuclear power industry expects substantial replacement of existing, aging analog systems with digital I&C technology. For the same reasons, designs for advanced nuclear power plants rely exclusively on digital I&C systems.
In summary, the experience of other safety-critical industries and the increasing age and obsolescence of the existing analog systems suggest that the increasing use of digital I&C technology is inevitable in nuclear power plants. Digital I&C technology is expected to enhance the safety and performance of nuclear power plants by offering reliability and control improvements, such as reduced instrument calibration requirements and improved plant condition monitoring displays (see, e.g., Gill et al., 1994).
[FIGURE 1-1 Illustration of nuclear plant I&C systems. Labels recoverable from the figure: engineering data processing; technical and business performance; maintenance and refueling plans; spare parts inventory; redundant communications; operator workstation; control (independent systems); protection (redundant channels).]
Applications to Nuclear Plants
Figure 1-1 illustrates a modern digital I&C system as applied to a nuclear power plant. Blocks on the left represent the distributed control systems. These are the systems that are used to regulate plant conditions during startup, power operation, and shutdown. They are responsible for maintaining plant systems and components within their operating ranges, and they normally operate in a regulating mode. Note that Figure 1-1 shows redundant data buses in these control systems. These data buses are used to handle the large amounts of information typically handled in a large generating station. The use of data buses reduces and simplifies plant wiring and consequently reduces the requirement for managing and maintaining wiring configuration. Redundancy and separation (including different routing) provide for increased data bus reliability. In this ... protection systems, which provide for more deterministic and predictable data communications for the fewer data points that are normally needed and handled in safety systems. Notice also the independent manual inputs bypassing all microprocessor-based equipment.
Virtually all of the 109 nuclear power plant units in operation today have digital I&C components. Some of these were part of the original design, for example, digital radiation monitoring equipment and diesel generator sequencers. The earliest implementations used solid-state logic operating at higher and relatively stiffer voltage levels than those of today's microprocessor-based designs. Moreover, these earlier systems did not employ the signal concentration of multiplexed microprocessor systems. Modern systems also employ faster clock speeds, larger memories, and expanded word lengths that have allowed new developments in the software area as well. This in turn has heightened interest by the USNRC.
More recently, many plants have retrofitted some I&C components and systems with modern digital technology (ACRS, 1993b). Although many of these retrofits have been relatively small-scale, one-for-one replacements for such components as recorders, meters, and displays, in recent years some relatively large-scale, microprocessor-based, system-level retrofits have been made (Palo Verde Nuclear Generating Station, 1993; Prairie Island Nuclear Generating Plant, 1993; Turkey Point Plant, 1990; USNRC, 1993a; USNRC, 1993b). These include:
• reactor protection systems at Northeast Utilities Company's Haddam Neck plant; Tennessee Valley Authority's Sequoyah plant; Commonwealth Edison Company's Zion plant, Unit 2; and Pacific Gas and Electric Company's Diablo Canyon plant
• upgrades at Arizona Public Service Company's Palo Verde plant, Units 2 and 3
• load sequencers in the emergency power system at Florida Power and Light Company's Turkey Point plant, Units 3 and 4
• station blackout/electrical safeguards upgrades at Northern States Power Company's Prairie Island plant, Units 1 and 2
Applications in Advanced U.S. Plants
In the United States, the advanced reactor designs being developed incorporate all-digital systems intended to utilize and exploit the new technology. They also feature enhanced human-machine interfaces, such as more versatile displays with integrated process information (ACRS, 1993). These features, along with the other features of advanced plants, are intended to make the advanced plants simpler and safer. Certification of these designs has been sought (under the provisions of 10 CFR Part 52).

LICENSING OF INSTRUMENTATION AND CONTROL SYSTEMS

Design Guidance
Revision of the Standard Review Plan is currently in progress to apply it and the associated regulatory guides, branch technical positions, and USNRC endorsements of industry standards to digital I&C systems. Note that most of these documents are in the form of existing high-level guidance, which is generally accepted and applied. For example, nuclear plants, including their digital I&C systems, are routinely required to undergo extensive hazards analysis as part of the licensing process. The regulators expect, and the industry provides, formal systematic reviews of the hardware and software using formal requirement specifications and independent reviews. It is not at this high level that additional criteria or guidance is needed. The difficulties arise in trying to implement this high-level guidance at the working level and trying to establish working consensus in particular areas. Consider, for example, common-mode software failure. USNRC regulators require that this problem be addressed, and if a potential common-mode failure concern is detected then it must be dealt with. The exact methodology by which potential common-mode failure must be dealt with is not straightforward, and there is considerable controversy over what may be appropriate.
Quality Assurance
There are basic requirements for quality assurance. Within the context of these requirements, quality is demonstrated by meeting the Quality Assurance Criteria for nuclear power plants (Title 10 CFR Part 50, Appendix B, 1995) and the related subsidiary industry standards, including those concerning environmental qualification. These basic requirements are supplemented by more specific regulatory guidance that was originally based on analog equipment but is being revised to specifically address digital equipment in the same processes described above (see Table 1-1).
Modifications and Upgrades
Another important aspect of any system modification and replacement of existing equipment is 10 CFR 50.59 (see Appendix E), which also applies to I&C systems. The point of this regulation is to define the circumstances under which the licensee may, without prior USNRC approval, make changes and conduct experiments and tests that are not specifically provided for in the facility license. Since virtually all U.S. nuclear plants have original analog equipment, 10 CFR 50.59 is of particular interest to a licensee contemplating a digital modification or upgrade. If the criteria for making a change without prior regulatory approval defined under 10 CFR 50.59 are not met, a formal change to the license is needed under another part of the federal code, 10 CFR 50.90. The process required to formally change the license under 10 CFR 50.90 is a more difficult procedure, is more costly, and requires a longer schedule. Cost and schedule become increasingly important as utility companies face the pressure of increasing economic competition and as proposed investments such as digital upgrades and modifications face stringent economic tests such as rapid return on investment.

The conditions an upgrade or modification must meet to be carried out under 10 CFR 50.59 are, first, that it must satisfy the design and operating conditions formally documented in the technical specifications for the license. Second, the change must not result in an "unreviewed safety question" (USQ). The criteria for determining whether a USQ exists are stated in 10 CFR 50.59(a)(2) (see Appendix E). To avoid a USQ the change must not allow (a) an increased probability of occurrence or consequences of an accident or malfunction of equipment important to safety previously evaluated in the licensing basis (safety analysis report); (b) possible creation of an accident or malfunction of a different type than previously evaluated in the licensing basis; or (c) a reduced margin of safety as defined in the
licensing basis for any technical specification.

USNRC regulatory treatment of upgrades or modifications to nuclear power plants may be summarized as follows:

• If there is a change in technical specifications, the licensee must seek prior USNRC approval via 10 CFR 50.90.
• If the licensee's analysis shows the presence of a USQ per 10 CFR 50.59(a)(2), the licensee must seek prior USNRC approval via 10 CFR 50.90.
• If there is no change in technical specifications and no USQ is uncovered, the licensee can make the change or upgrade without prior USNRC approval via 10 CFR 50.59.
There has been continuing discussion and controversy about exactly how to interpret 10 CFR 50.59 when applied to digital modifications; this is discussed further in this report (see Chapter 9). Nevertheless, many digital retrofits have been made without the creation of a USQ as defined in 10 CFR 50.59 (see Appendix C).

Successful introduction of digital I&C systems into U.S. nuclear power plants faces several challenges. These challenges have several related sources:
The current high level of industrial and public safety must be at least maintained and preferably increased. The challenge is to take advantage of the performance and safety enhancements potentially available from the use of digital technology without introducing offsetting potential hazards. Further, the design, assessment, and regulatory approach for these new digital systems must also provide some means of assessing the relative gains in safety.

Shift of Existing Technology Base from Analog Experience. Much of the experience with U.S. nuclear plant design and operation has evolved primarily within the context of analog technology, as has the regulatory framework. Hence, in addition to coping with uncertainties arising from digital technology itself, its use may require changes or additions to the underlying technical infrastructure and regulatory framework.
Technical Problems Resulting from Some Applications of Digital I&C in Nuclear Power Plants. The introduction into plants of digital systems has not been trouble free. For example, on the basis of recent plant experience with several digital I&C retrofits, the USNRC has identified the following potential problem areas with digital I&C systems (Mauck, 1995):

• common-mode failure in software
• commercial dedication of hardware and software
• possible lack of onsite plant experience with the new technology and systems
• configuration management
• increased complexity leading to possible programming errors and incorrect outputs
• lack of software standards
• environmental sensitivity (electromagnetic or radio-frequency interference, temperature, power supply)
• effects on plant margin of safety

Similar problems have also occurred in other applications in other industries (Leveson, 1995).
Difficult, Time-Consuming, and Customized Licensing Approach. Licensing of digital technology has presented a particular challenge for the USNRC. Because the regulatory approach has evolved with no explicit consideration of digital technology, and because the response to develop a new regulatory basis and documentation is slow, the pace of change in I&C systems has strained the regulatory process. As a result, the licensing process to date for regulatory review and approval of new digital I&C systems and modifications to existing systems has been difficult, time consuming, and largely customized for each application. Many utilities are reluctant to seek a change that could not be carried out under 10 CFR 50.59 and that would require prior regulatory approval. (See below for discussion of recent USNRC activities in the digital I&C licensing process.)
Lack of Consensus between the USNRC and the Nuclear Industry on Issues Underlying Evaluation and Adoption of Digital I&C Technology and Means to Obtain Satisfactory Resolution. In order to deal effectively with these challenges an effective consensus needs to exist. This will allow the benefits of the new technology to be fully exploited while assuring that safety and public confidence are maintained. However, the industry and regulators have limited experience with this somewhat unfamiliar technology and have difficulty in reaching consensus. It is important to note that the lack of consensus is not a lack of consensus about the use of digital systems per se. Rather, much of the controversy revolves around specific issues, e.g., the potential for common-mode failures, and the lack of consensus on these specific issues tends to cloud whether or not the overall advantages of using digital I&C in nuclear power plants outweigh the disadvantages. This is made more difficult by the fact that the U.S. commercial nuclear power industry is heavily regulated. The rules for design and evaluation are subject to legal scrutiny and interpretation, with severe penalties for violations and very real possibilities for litigation. Further, there are large amounts of capital investment at stake. Hence, delays in resolving issues, if translated into delays in allowing a nuclear power plant to operate, can cost up to hundreds of thousands of dollars per day. As a result, the definition of licensing criteria must follow systematic study and evaluation and sound synthesis of differing technical viewpoints. It is a process not to be undertaken lightly.
Activities of the U.S. Nuclear Regulatory Commission

The USNRC has reviewed a number of retrofits of plant I&C systems from analog to digital. It has also begun reviewing designs of advanced plants (USNRC, 1994). However, the review process for both retrofits and advanced plant designs has been customized for each application. This, in turn, has provoked criticism of the USNRC for failing to adopt generically applicable standards. In an effort intended to address this criticism, the USNRC has a process under way to revise the guidelines governing reviews of I&C systems with a view to adapting them for digital I&C technology (Wermiel, 1995). The process is due to be completed in 1997. In the interim the USNRC has provided case-by-case approvals in specific plants, sought suggestions by its advisory committees for taking broad action, held a workshop seeking consensus on a regulatory program, and conducted research linking regulatory decision making to the context of I&C technology. A brief account follows. (A more detailed discussion appears in Appendix C.)

Small digital I&C upgrades have been routinely accepted; large retrofits have also been made, but the review process has been more difficult. These reviews have been applied at a number of nuclear power plants (see, e.g., USNRC, 1993). Reviews of designs for advanced plants are also in progress. For example, final design approval of the System 80+ advanced plant design has been completed (USNRC, 1994).

The USNRC and its staff receive advice from a number of advisory committees. The Advisory Committee on Reactor Safeguards (ACRS), established by Congress in 1957, provides advice to the USNRC on safety aspects of current and planned nuclear facilities and the adequacy of safety standards. It has a subcommittee that examines the use of computers in nuclear power plant operations. The USNRC's Office of Nuclear Regulatory Research conducts a research program to assist the organization's regulatory decision making. This program includes areas of focus relevant to the problem of evaluating and regulating digital I&C technology in nuclear power plants. The Nuclear Safety Research Review Committee (NSRRC) is a 12-member group of experts who advise the USNRC's Office of Nuclear Regulatory Research on the quality and management of its research program.

The ACRS and NSRRC have both expressed concern that the USNRC staff may be lagging behind the nuclear industry, in both the United States and foreign countries, in its understanding of the application of digital I&C systems. These committees have also urged the development of an overarching framework to guide USNRC regulation of new digital I&C technology (see, e.g., ACRS, 1992, 1993). The ACRS examined digital I&C technology and noted several concerns (ACRS, 1993), including:

• the lack of a coherent and effective review plan, including acceptance criteria, for digital I&C technology
• the need to address software specification development, software verification and validation, environmental effects on hardware, diversity as protection against common-mode failure, and prediction of I&C reliability

The NSRRC (1992) has expressed concerns that partially overlap with those of the ACRS, such as:

• the need to develop criteria for such issues as hardware reliability, software verification and validation, environmental effects (e.g., electromagnetic interference), common-mode failure, configuration management, and systems integration
• the need for an overarching strategy to guide regulatory development and the certification process for the new technology
• leading developments in the areas of artificial intelligence, expert systems, neural networks, fuzzy logic, genetic algorithms, and chaos theory

To address technical concerns, and in hopes of developing a wide consensus across the USNRC and the nuclear industry for a regulatory program, the USNRC held a workshop on digital systems reliability and nuclear safety, sponsored by the National Institute of Standards and Technology, in September 1993 (USNRC, 1993).
Activities of the Nuclear Power Industry
This document (USNRC, 1994) did not resolve basic issues bearing on digital I&C technology implementation. However, the USNRC review did produce a set of agreed-upon high-level criteria for advanced plant designs, as well as defining the process the USNRC would use to complete its review and approval of these designs. The USNRC did accept digital technology for all the I&C systems of the advanced nuclear plants. However, for the advanced plants, the detailed issues that are being addressed in existing plants have yet to be addressed.

Other industry efforts include those of the nuclear steam supply system vendors, each of which has an ongoing program for developing digital I&C systems, both for retrofits and upgrades in existing plants and for future plants.

Developments Overseas

There is worldwide interest in digital I&C technology for nuclear power plants. For example, there is already significant application of digital I&C technology to nuclear power plants in Canada, Japan, and Western Europe (ACRS, 1993; White, 1994). The Canadians have extensive operating experience with digital systems. Digital systems were first implemented 25 years ago because they were better suited to provide online control of their natural-uranium-fueled, heavy-water-moderated (CANDU) plants, specifically to monitor and control the power level and xenon oscillations. The British have adopted digital-based systems throughout their latest plant, Sizewell B, and they have operated without incident during the first six months of plant operation (Nucleonics Week, 1995). The French have proceeded by gradually and systematically expanding the use of digital systems in each subsequent generation of their highly standardized plants. The latest design is completely digital based and is implemented in the N4 series, the first of which is located at the Chooz-B site (Nucleonics Week, 1995). In Japan, digital systems have been implemented in several existing plants, including Ohi 3, which started commercial operation in 1992. The most recent plant to go into operation in Japan, the ABWR located at the Kashiwazaki site, is a digital-based design. In addition, the United States, through both the Department of Energy and the USNRC, participates in international collaborative programs such as the Halden Reactor Project of the Organization for Economic Cooperation and Development.
Standards Development
A number of standards, USNRC regulations and regulatory guidelines (see, for example, USNRC, 1981), and USNRC publications exist to guide licensing of the current analog I&C systems. Since they were developed for analog systems, they can be difficult to apply and interpret for digital I&C systems. Nevertheless, pending the extensive revision of the USNRC's applicable documentation, which is currently under way, these documents have been used for reviewing digital I&C systems.

Standards developed for digital I&C systems in nuclear power plants exist. These include International Electrotechnical Commission (IEC) Standard 880, Software for Computers in the Safety Systems of Nuclear Power Plants (1986), and IEC Standard 987, Programmed Digital Computers Important to Safety for Nuclear Power Plants (1989), and, in the United States, IEEE 7-4.3.2, Application Criteria for Programmable Digital Computer Systems in Nuclear Power Generating Stations (1993), promulgated by the Institute of Electrical and Electronics Engineers. While not yet formally endorsed by the USNRC, this standard has been employed in the safety evaluation of digital I&C retrofits in nuclear power plants.
THIS STUDY

Committee's Task
The National Research Council was asked by the USNRC to conduct a study (including a workshop) on the application of digital I&C technology to commercial nuclear power plant operations. The National Research Council appointed a committee (hereafter the committee) to carry out the study in two phases. In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under steady-state, transient, and accident operating conditions (NRC, 1995). In response to this charge the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues. The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing procedure and adequacy of the technical infrastructure. The committee recognizes these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee believes that developing consensus on these key issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants. These issues were presented in the Phase 1 report. Both the USNRC (represented by the staff of the Office of Nuclear Regulatory Research and the Office of Nuclear Reactor Regulation) and the Advisory Committee on Reactor Safeguards expressed agreement that these were important issues and that work by the committee in Phase 2 in helping to arrive at a satisfactory resolution of these issues would be very useful.

In Phase 2 of the study, the committee was charged to identify criteria for review and acceptance of digital I&C technology in both retrofitted reactors and new reactors of advanced design; characterize and evaluate alternative approaches to the certification or licensing of this technology; identify the scientific basis needed; and recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital I&C technology, including means for identifying and addressing new issues that may result from future development of this technology. In areas where an inadequate scientific basis exists to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information.

In carrying out its Phase 2 charge the committee limited its work to the eight issues identified in Phase 1. The issues were chosen because they were difficult and controversial. Further, the committee recognized that, by law, the responsibility for setting licensing criteria and guidelines for digital I&C application in nuclear plants rests with the USNRC. Thus, the reader should not form too great an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to assess, license, and certify proposed systems or upgrades. Rather, the results of the study are presented not in the form of simple generic criteria statements (at a high level of abstraction) but in the form of conclusions and recommendations related to each issue and primarily addressed to the USNRC for its consideration and use. In the committee's view, there is substantial further work to be accomplished. The committee expects the USNRC and the nuclear industry to extend the work of criteria development beyond where this Phase 2 report leaves it.

To guide further work on the eight key issues studied, the committee's report offers findings and recommendations in four broad categories: (1) current practice (in the USNRC and the U.S. commercial nuclear industry) that is essentially satisfactory or requires some fine tuning; (2) points of weakness in the USNRC's approach; (3) issues that merit further study and research before satisfactory regulatory criteria can be developed; and (4) criteria and guidelines that are unreasonable to expect in the near future.
Conduct of the Study
In conducting its study the committee reviewed a large number of documents made available by the USNRC and a variety of other sources. The committee also interviewed selected personnel from the USNRC, from the two advisory committees discussed above (ACRS, NSRRC), from the nuclear industry, and from other industries using digital systems in safety-critical applications. The committee also sought the views of individuals from academia and research organizations. In addition, the committee visited control room simulators, a nuclear plant, and a fossil-fueled power plant with extensive digital I&C systems (see Appendix B). The committee also had frequent and detailed internal discussions, both face-to-face and via paper and electronic communications. The committee also brought to bear a wide range of experience in and knowledge of the field (see Appendix A).
Carrying Out the Charge
The committee took seriously the charge that it identify criteria for review and acceptance of digital I&C technology and that it recommend guidelines for regulation and certification. In carrying out its charge the committee recognized that:

• In order to develop useful guidance, only a limited number of issues could be dealt with in the relatively brief duration of the study.
• General high-level criteria would not be particularly useful.
• The final criteria are legally the USNRC's responsibility. Further, since the nuclear power industry is heavily regulated in the public interest, the licensing criteria should be forged in a detailed interaction among the regulators, the industry, and the public.
• The committee has a wide range of expertise and experience in digital systems and nuclear power plants, but it is not a surrogate for this interaction among the stakeholders. Hence, the committee could best serve by clearly delineating and defining issues and providing guidance for resolving these issues rather than developing specific licensing criteria.

Accordingly, the committee selected eight issues for study and worked on those issues. These eight issues address the two major intertwined themes associated with the use of digital instrumentation and control in nuclear power plants. These are:
The committee also sought valuable information about how other safety-critical industries and their regulators deal with these issues. Also, through the technical expertise and knowledge of its various members, the committee explored work done by the digital systems community at large, including both research and academic work.

As the committee worked through the issues it discovered there is a major impediment to progress. This is the communication barriers that exist among the key technical communities and individuals involved. The basic reason for the communication difficulty is apparent: work is simultaneously going on in many areas, each with its own technology, research focus, and agenda. Unfortunately, though many of these areas use common terms, these terms often have different meanings to different groups, resulting in either a lack of communication or very difficult communication. This is particularly troublesome for the nuclear power industry and its regulators, who are not dominant in this technology and must try to synthesize information and experience from a variety of sources and apply it in power plants where safety hazards must be dealt with in a rigorous way under public scrutiny. In Chapter 11 the committee discusses this communication problem in more detail and provides suggestions for a way forward. Making substantial progress in this area should have a multiplicative effect to speed the resolution of many specific technical and strategic issues.

Overall, while there are important steps that remain to be taken by the USNRC and industry, as addressed in this report, the committee found no insurmountable barriers to the use of digital instrumentation and control technology in nuclear power plants. The committee also believes that a forward-looking regulatory process, with good and continuing regulator and industry communication and interaction, will help. All participants must recognize that crisp, hard-edged criteria are particularly difficult to come by in this rapidly moving area, and good practices and engineering judgment will continue to be needed and relied upon.
For the six technical issues (systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software) the committee provides specific conclusions and recommendations, which include a number of specific criteria. These are listed in each chapter (see Chapters 3 through 8). But recognizing the difficulty of defining specific criteria, and the need for the nuclear technology stakeholders, particularly the USNRC, to make the final decisions, the committee focused on (a) providing process guidance, both in developing guidelines and in the short-term acceptance of the new technology; (b) identifying promising approaches to developing criteria and suggestions for avoiding dead ends; and (c) mechanisms for improving communication and strengthening the technical infrastructure.

For the two strategic issues (the case-by-case licensing procedure and adequacy of the technical infrastructure) the committee:

• Emphasizes guidance to implement a generically applicable framework for regulation that follows current USNRC practice and which in particular draws distinctions between major and minor safety modifications. The committee also provides guidance for the evaluation and updating of this regulatory framework (see Chapter 9).
• Identifies the need to upgrade the current USNRC technical infrastructure and suggests specific research activities that will support the needed regulatory program and the USNRC's research needs. The committee also suggests several improvements to the technical infrastructure to improve and maintain knowledge and capabilities in this rapidly moving, technically challenging area.

The specific recommendations made by the committee thus offer guidance toward implementing and maintaining the currency of a generically applicable framework for regulation that follows current USNRC practice and draws distinctions between major and minor safety modifications. The committee supports this program and makes a number of suggestions for improving USNRC capabilities for addressing these issues, including specific research activities that will support it.
Key Issues
Digital instrumentation and control systems for nuclear power plants have very similar technological characteristics (e.g., the equipment, response time, input and output range, and accuracy) to digital instrumentation and control systems for other safety-critical applications such as chemical plants and aircraft. What distinguishes digital I&C (instrumentation and control) applications in nuclear power plants from other digital I&C applications is the need to establish very high levels of reliability under a wide range of conditions. Because of the potentially far greater consequences of an accident in nuclear power plants, the I&C systems must be relied upon to reduce the likelihood of even low-probability events. The U.S. Nuclear Regulatory Commission (USNRC) has developed a regulatory process with the goal of achieving these high levels of reliability and thus assuring public safety. This process is subject to public scrutiny.
DEVELOPING THE KEY ISSUES (PHASE 1)

In Phase 1 of the study, the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. In the committee's view, these issues need to be addressed and a working consensus needs to be established regarding these issues among designers, operators and managers, and regulators in the nuclear industry. The process the committee followed to identify these issues in Phase 1 is discussed in the Phase 1 report (NRC, 1995) and is only briefly summarized here. In essence the committee considered the impact of digital I&C systems against a set of standard regulatory approaches to assessing and ensuring safety (defense-in-depth, safety margins, environmental qualification, and requisite quality assurance). From this analysis the committee identified a number of questions, issues, and facets of issues (see Appendix D). After a number of deliberations the committee winnowed the list down to eight key issues. The eight issues separate into six technical issues and two strategic issues. The six technical issues are systems aspects of digital I&C technology, software quality assurance, common-mode software failure potential, safety and reliability assessment methods, human factors and human-machine interfaces, and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of technical infrastructure (e.g., training, staffing, research plan). The committee recognizes that these are not the only issues and topics of concern and debate in this area (see Appendix D). Nevertheless, the committee's judgment, initially formed during Phase 1, is that developing a consensus on these eight issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

At the end of Phase 1 it became clear to the committee that the software-related issues and the regulating process would be particularly challenging aspects of the study. Accordingly, the committee strengthened its capability by adding to its numbers two experts in these areas (see Appendix A).
The issues are discussed individually in Chapters 3 through 10 of this report. The committee has maintained the separation between technical issues and strategic issues in the Phase 2 report, even though, as work proceeded in Phase 2, it became increasingly apparent that the technical issues and the strategic issues are highly intertwined. The technical issue discussions (Chapters 3 through 8) generally focus on the technical basis of the issue and how pertinent technical knowledge (or the lack thereof) affects how the issue is being resolved in U.S. nuclear plants, foreign plants, and other industries and their regulators. For each issue the committee presents conclusions and provides recommendations. Discussion of the two strategic issues (Chapters 9 and 10) focuses on the licensing process and a key underlying area, the way in which the USNRC has developed and continues to develop its technical infrastructure (staffing, training, research plan) in the digital I&C area. In Phase 1 the committee became convinced that even if the six technical issues were resolved and no controversy or lack of consensus existed, these strategic issues would still need to be carefully considered. Concern with these two strategic issues reflects the recognition that rapidly moving and evolving technologies present special difficulty for an industry and its regulators when licensing and regulatory processes generally move more slowly than the technology they are intended to regulate.
Because the issues are highly interrelated and are relatively general, the committee debated their relative importance and their order of presentation, which warrants the following brief discussion of their arrangement in this report.
The committee chose to present the technical issues first to provide a basis and context for the strategic issues presented later. Of all the technical issues, systems aspects of digital I&C technology is presented first (in Chapter 3) because it is a broad issue that encompasses many others. Next (in Chapters 4, 5, and 6) the committee has chosen to present three issues primarily related to software. Software constitutes a major difference between analog and digital I&C applications, and its use raises some concerns. Software is a design artifact and, because of its nature, there is difficulty in showing definitively that it has no critical errors. Software is also more amenable to the addition of features and enhancements (so-called "creeping complexity") not needed for its basic function, whereby the system becomes more difficult to understand. As the most general of the three software issues, software quality assurance is discussed first (Chapter 4). The issue of software common-mode failures is discussed next (Chapter 5). Common-mode failure in software is closely related to software quality assurance but warrants discussion as a separate topic because of its significance to the safety of nuclear digital applications, with their emphasis on independence, redundancy, and diversity. The final issue discussed in the primarily software-related group is safety and reliability assessment methods (Chapter 6).

The committee then turns to the issue of human factors and the human-machine interface (Chapter 7), which are important in both analog and digital systems. Digital I&C technology has the potential to greatly improve the human factors and human-machine interfaces so that the combination of the human operator and the computer could provide greatly improved process control and enhanced safety. There are, however, unique design challenges that digital I&C technology presents.

The last technical issue discussed is dedication and use of commercial off-the-shelf (COTS) digital I&C systems and equipment in nuclear power plants (Chapter 8). This topic is significant because much of the existing I&C equipment in nuclear power plants is becoming obsolete and vendor support is waning. The nuclear plant market is relatively small, and COTS offers a potentially cost-effective way to address this problem. Other industries have reached the same conclusion and are reportedly finding some success (Leva 1996). This is a relatively new area for nuclear plants, particularly in safety system applications, but there is considerable industry and regulatory involvement.

Finally, the committee turns to the two strategic issues, case-by-case licensing and adequacy of the technical infrastructure (discussed in Chapters 9 and 10). Both the Advisory Committee on Reactor Safeguards and the Nuclear Safety Research Review Committee share the committee's view that successful resolution of these issues is a necessary prerequisite to successfully applying digital I&C systems in nuclear power plants.
