
Digital Instrumentation and Control Systems in Nuclear Power Plants


DOCUMENT INFORMATION

Basic information

Title: Digital Instrumentation and Control Systems in Nuclear Power Plants
Authors: Douglas M. Chapin, Joanne Bechta Dugan, Donald A. Brand, James R. Curtiss, Larry Damon, Michael DeWalt, John D. Gannon, Robert L. Goble, David J. Hill, Peter E. Katz, Nancy G. Leveson, Christine M. Mitchell, Carmelo Rodriguez, James D. White
Institution: University of Virginia
Field: Nuclear Power Plants
Type: Final Report
Year of publication: 1997
City: Washington
Pages: 127
Size: 15.35 MB


Content

Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety

Board on Energy and Environmental Systems

Commission on Engineering and Technical Systems

National Research Council

NATIONAL ACADEMY PRESS
Washington, D.C. 1997

NATIONAL ACADEMY PRESS, 2101 Constitution Avenue, NW, Washington, D.C. 20418

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

This report and the study on which it is based were supported by a contract from the U.S. Nuclear Regulatory Commission.

Limited copies of this report are available from: Board on Energy and Environmental Systems, 2101 Constitution Avenue, NW, Washington, DC 20418. Additional copies are available for sale from: National Academy Press, 2101 Constitution Avenue, NW, Washington, DC 20055; 1-800-624-6242 or 202-334-3313 (in the Washington Metropolitan Area).

Copyright 1997 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America.

COMMITTEE ON APPLICATION OF DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS TO NUCLEAR POWER PLANT OPERATIONS AND SAFETY

DOUGLAS M. CHAPIN (chair), MPR Associates, Alexandria, Virginia
JOANNE BECHTA DUGAN, University of Virginia, Charlottesville
DONALD A. BRAND, NAE, Pacific Gas and Electric Company (retired), Novato, California
JAMES R. CURTISS, Winston and Strawn, Washington, D.C. (from October 1995)
D. LARRY DAMON, Bechtel Research and Development, San Francisco, California
MICHAEL DeWALT, Federal Aviation Administration, Seattle, Washington (from October 1995)
JOHN D. GANNON, University of Maryland, College Park
ROBERT L. GOBLE, Clark University, Worcester, Massachusetts
DAVID J. HILL, Argonne National Laboratory, Argonne, Illinois
PETER E. KATZ, Calvert Cliffs Nuclear Power Plant, Lusby, Maryland
NANCY G. LEVESON, University of Washington, Seattle
CHRISTINE M. MITCHELL, Georgia Institute of Technology, Atlanta
CARMELO RODRIGUEZ, General Atomics Company, San Diego, California
JAMES D. WHITE, Oak Ridge National Laboratory, Oak Ridge, Tennessee

Project Staff

TRACY D. WILSON, study director, Board on Energy and Environmental Systems (BEES)
SUSANNA F. CLARENDON, senior project assistant, BEES (from May 1996)
THERON FEIST, project assistant, BEES (until June 1995)
HELEN JOHNSON, administrative associate, BEES (until July 1995)
WENDY LEWALLEN, senior project assistant, BEES (1995 to May 1996)
MAHADEVAN MANI, associate executive director, Commission on Engineering and Technical Systems (from January 1996)
JAMES J. ZUCCHETTO, director, BEES (from January 1996)

BOARD ON ENERGY AND ENVIRONMENTAL SYSTEMS

ROBERT L. HIRSCH (chair), Energy Technology Collaborative, Inc., Washington, D.C.
RICHARD MESERVE (vice chair), Covington and Burling, Washington, D.C.
JAN BEYEA, Consultant, New York, New York
E. GAIL de PLANQUE, NAE, Consultant, Potomac, Maryland
LINDA C. DOLAN, Lockheed Martin Electronics and Missiles, Orlando, Florida
WILLIAM FULKERSON, University of Tennessee, Knoxville
JACQUES GANSLER, TASC, Inc., Arlington, Virginia
ROY S. GORDON, NAS, Harvard University, Cambridge, Massachusetts
FRANCOIS E. HEUZE, Lawrence Livermore National Laboratory, Livermore, California
LAWRENCE T. PAPAY, NAE, Bechtel Group, Inc., San Francisco, California
RUTH A. RECK, Argonne National Laboratory, Argonne, Illinois
JOEL SPIRA, NAE, Lutron Electronics Co., Inc., Coopersburg, Pennsylvania
JAMES LEE SWEENEY, Stanford University, Stanford, California
IRVIN L. WHITE, UTECH, Inc., Fairfax, Virginia

Former Members Active during Reporting Period

H.M. (HUB) HUBBARD (chair), Pacific International Center for High Technology Research (retired), Honolulu, Hawaii
ROBERT D. BANKS, World Resources Institute, Washington, D.C.
ALLEN J. BARD, NAS, University of Texas, Austin
DAVID E. DANIEL, University of Texas, Austin

Liaison Members from the Commission on Engineering and Technical Systems

RICHARD A. CONWAY, NAE, Union Carbide Corporation, South Charleston, West Virginia
JERRY SCHUBEL, New England Aquarium, Boston, Massachusetts

Staff

JAMES J. ZUCCHETTO, director (since January 1996)
SUSANNA F. CLARENDON, administrative assistant
WENDY LEWALLEN, senior project assistant (until May 1996)
JILL WILSON, senior program officer
TRACY D. WILSON, senior program officer

Preface

The nuclear industry and the staff of the U.S. Nuclear Regulatory Commission (USNRC) have worked for several years on how best to safely introduce digital instrumentation and control systems into nuclear power plants. But together they have failed to reach consensus. This lack of consensus led the USNRC to request the National Research Council, through its Board on Energy and Environmental Systems of the Commission on Engineering and Technical Systems, to conduct the study whose results are reported here. The National Research Council's Computer Science and Telecommunications Board and the Council's Division on Education, Labor, and Human Performance provided additional technical support.

The Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety (see Appendix A) was appointed by the National Research Council on December 20, 199, to examine the use of digital instrumentation and control systems in nuclear power plants. This work was to be conducted in two phases. The final report summarizes the work of both Phase 1 and Phase 2.

In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under normal, transient, and accident conditions. In response to this charge the committee identified eight key issues associated with the use of digital instrumentation and control (I&C) systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues. The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of the technical infrastructure. The committee recognizes that these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee considers that developing consensus on these key issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

In Phase 2 of the study the committee was charged to identify criteria for review and acceptance of digital instrumentation and control technology in both retrofitted reactors and new reactors of advanced design; to characterize and evaluate alternative approaches to the certification or licensing of this technology; and, where sufficient scientific basis exists, to recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital instrumentation and control technology, including means for identifying and addressing new issues that may result from future development of this technology. Where insufficient basis exists to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information. In carrying out its Phase 2 charge, the committee limited its work to those issues identified in Phase 1. Further, the reader should not form too great an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to evaluate, test, license, and/or certify proposed systems and upgrades. Rather, the results of the committee's effort are presented in the form of conclusions and recommendations related to each key issue and primarily addressed to the USNRC for their consideration and use for setting licensing criteria and guidelines for digital I&C applications in nuclear power plants. The report discusses the difficult and complex nature of the key issues and directions for developing a consensus assessment of digital technology. The committee provided criteria where it was possible to do so but focused primarily on (a) process, both in developing guidelines and in the shorter-term acceptance of new technology; (b) identifying promising approaches for further actions by the USNRC beyond the committee's report; (c) suggestions for avoiding dead ends; and (d) mechanisms for improving communication and strengthening technical infrastructure at the USNRC.

To carry out its work the committee held a number of meetings, including site visits to several power plant sites and simulators (see Appendix B). The committee also held detailed discussions with members of the staff of the U.S. Nuclear Regulatory Commission, the Nuclear Safety Research Review Committee, the Advisory Committee on Reactor Safeguards, members of the U.S. and foreign nuclear industries, and representatives from other safety-critical industries, who provided a wealth of perspectives and information on digital instrumentation and control technology and its regulation. The committee is grateful to the many individuals who provided technical information and insights on this topic during briefings and discussions.

The chairman is also particularly grateful to the members of this committee who worked diligently and effectively on a very demanding schedule to meet a very difficult charge and produce this work. Special commendation and thanks are also extended to Tracy Wilson of the staff of the National Research Council, who was a pillar of strength and whose never-failing energy and focus greatly facilitated the work of the committee.

Douglas M. Chapin, Committee Chair

Contents

Nuclear Power Plant Instrumentation and Control Systems
Transition from Analog to Digital Instrumentation and Control Systems
Challenges to the Introduction of Digital Instrumentation and Control Systems
Response of the U.S. Nuclear Regulatory Commission and Nuclear Industry to the Challenges
This Study
Developing the Key Issues (Phase 1)
Addressing the Key Issues (Phase 2)

Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans
Developments in the U.S. Nuclear Industry
Developments in the Foreign Nuclear Industry
Developments in Other Safety-Critical Industries

Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans
Developments in the U.S. Nuclear Industry
Developments in the Foreign Nuclear Industry
Developments in Other Safety-Critical Industries
Conclusions and Recommendations

5 COMMON-MODE SOFTWARE FAILURE POTENTIAL
Introduction and Background
Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans
Developments in the Foreign Nuclear Industry
Developments in Other Safety-Critical Industries
U.S. Nuclear Regulatory Commission Research Activities

SAFETY AND RELIABILITY ASSESSMENT METHODS
Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans
Developments in the U.S. Nuclear Industry
Developments in the Foreign Nuclear Industry
Developments in Other Safety-Critical Industries

7 HUMAN FACTORS AND HUMAN-MACHINE INTERFACES
Introduction
Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans
Developments in the U.S. Nuclear Industry
Developments in the Foreign Nuclear Industry
Developments in Other Safety-Critical Industries

Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans
Developments in the U.S. Nuclear Industry
Developments in the Foreign Nuclear Industry
Developments in Other Safety-Critical Industries
Conclusions and Recommendations

Introduction
Regulatory Framework for Evaluating Digital Upgrades
Overview of Nuclear Applications of Digital Technology
Regulatory Response
Approaches to Regulation in Other Countries
Research and Plans
Analysis
Conclusions and Recommendations

10 ADEQUACY OF TECHNICAL INFRASTRUCTURE
Introduction
Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans
Developments in the U.S. Nuclear Industry
Developments in the Foreign Nuclear Industry
Developments in Other Safety-Critical Industries

APPENDIXES
A Biographical Sketches of Committee Members
C U.S. Nuclear Regulatory Commission Licensing of Digital Instrumentation and Control Technology
D Development of the Final List of Issues


List of Tables and Figures

ABB: Asea Brown Boveri
ABWR: advanced boiling water reactor
ACRS: Advisory Committee on Reactor Safeguards
ANS: American Nuclear Society
ANSI: American National Standards Institute
APWR: advanced pressurized water reactor
ASIC: application-specific integrated circuit
ATWS: anticipated transient without scram
BEES: Board on Energy and Environmental Systems
CETS: Commission on Engineering and Technical Systems
EPRI: Electric Power Research Institute
EPS: emergency power system
ESFAS: engineered safety features actuation system
FPGA: field programmable gate array
FSAR: final safety analysis report
I&C: instrumentation and control
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronics Engineers
INPO: Institute for Nuclear Power Operations
ISA: International Society for Measurement and Control
NEI: Nuclear Energy Institute
NRR: Office of Nuclear Reactor Regulation (USNRC)
NSRRC: Nuclear Safety Research Review Committee
NUSMG: Nuclear Utility Software Management Group
PLC: programmable logic controller
PRA: probabilistic risk assessment
PSA: probabilistic safety assessment
RES: Office of Nuclear Regulatory Research (USNRC)
RFI: radiofrequency interference
RPS: reactor protection system
SAR: safety analysis report
SRP: Standard Review Plan
USNRC: U.S. Nuclear Regulatory Commission
USQ: unreviewed safety question

Executive Summary

INTRODUCTION

Nuclear power plants rely on instrumentation and control (I&C) systems for monitoring, control, and protection. During their extensive service history, analog I&C systems have performed their intended monitoring and control functions satisfactorily. Although there have been some design problems, such as inaccurate design specifications and susceptibility to certain environmental conditions, the primary concern with the extended use of analog systems is the effects of aging (e.g., mechanical failures, environmental degradation) and obsolescence. The industrial base has largely moved to digital-based systems, and vendors are gradually discontinuing support and stocking of needed analog spare parts. The reason for the transition to digital I&C systems lies in their important advantages over existing analog systems. Digital electronics are essentially free of the drift that afflicts analog electronics, so they maintain their calibration better. They have improved system performance in terms of accuracy and computational capabilities. They have higher data handling and storage capacities, so operating conditions can be more fully measured and displayed. Properly designed, they can be easier to use and more flexible in application. Indeed, digital systems have the potential for improved capabilities (e.g., fault tolerance, self-testing, signal validation, process system diagnostics) that could form the basis for entirely new approaches to achieve the required reliability. Because of such potential advantages and because of the general shift to digital systems and waning vendor support for analog systems, the U.S. nuclear power industry expects substantial

In essence, the problem is to develop a systematic regulatory review and approval methodology for digital I&C systems that allows obtaining the safety and reliability benefits available from this technology while avoiding the introduction of offsetting safety problems. The transition from analog to digital I&C systems in nuclear power plants is not straightforward; one must carefully account for the ways in which digital I&C implementations are different and frame regulations that reflect those differences.

Response of the U.S. Nuclear Regulatory Commission to the Challenges

The USNRC has reviewed a number of analog-to-digital "retrofits" in nuclear power plant I&C systems and is in the process of reviewing designs of advanced plants. However, the review process has largely been customized for each application because of the lack of agreed-upon applicable criteria. In addition, advisory committees, including the Advisory Committee on Reactor Safeguards (ACRS) and the Nuclear Safety Research Review Committee (NSRRC), have expressed concern that the USNRC may be lagging behind in its understanding of digital I&C systems and have urged the development of a framework to guide the regulation of digital I&C technology. To address technical concerns, and in hopes of developing a wide consensus across the USNRC and the nuclear industry for a regulatory program, the USNRC held a workshop in September 1993. While a useful forum, the workshop did not lead to a consensus, and the USNRC requested the assistance of the National Research Council.

THIS STUDY

Committee's Task

The National Research Council was asked by the USNRC to conduct a study, including a workshop, on application of digital I&C technology to commercial nuclear power plant operations. The National Research Council accordingly appointed a committee (hereafter the committee) to carry out the study, which was conducted in two phases. In Phase 1 the committee was charged to define the important safety and reliability issues that arise from the introduction of digital I&C technology in nuclear power plant operations, including operations under steady-state, transient, and accident operating conditions. In response to this charge, the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants.

In Phase 2 of the study, the committee was charged to identify criteria for review and acceptance of digital I&C technology in both retrofitted reactors and new reactors of advanced design; to characterize and evaluate alternative approaches to the certification or licensing of this technology; and, where sufficient scientific basis exists, to recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital I&C technology, including means for identifying and addressing new issues that may result from future development of this technology. In areas lacking sufficient scientific basis to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information. In carrying out its Phase 2 charge, the committee limited its work to those issues identified in Phase 1. The issues were chosen because they were difficult and controversial. Further, the committee recognized that by law the responsibility for setting licensing criteria and guidelines for digital I&C applications to nuclear plants rests with the USNRC. Thus, the reader should not form too great an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to evaluate, test, license, and/or certify proposed systems or upgrades. Rather, the results of the study are presented in the form of conclusions and recommendations related to each issue and primarily addressed to the USNRC for their consideration and use. In the committee's view there is substantial further work to be accomplished. The committee expects the USNRC and the nuclear industry to extend the work of criteria development beyond where this Phase 2 report leaves it. To guide further work, the committee's report offers findings and recommendations in four broad categories: (a) current practice that is essentially satisfactory or requires some fine tuning; (b) points of weakness in the USNRC's approach; (c) issues that merit further study and research before satisfactory regulatory criteria can be developed; and (d) criteria and guidelines that are unreasonable to expect in the near term.

KEY ISSUES

Digital instrumentation and control systems for nuclear power plants have technological characteristics (equipment, response time, input and output range, and accuracy) very similar to those of digital instrumentation and control systems for other safety-critical applications such as chemical plants and aircraft. What distinguishes digital I&C applications in nuclear power plants from other digital applications is the need to establish very high levels of reliability and safety under a wide range of conditions. Because of the potentially far greater consequences of accidents in nuclear power plants, the I&C systems must be relied upon to reduce the likelihood of even low-probability events. The USNRC has developed a regulatory process with the goal of achieving those high levels of reliability and thus assuring public safety. This process is subject to public scrutiny.

Developing the Key Issues (Phase 1)

In Phase 1 of the study, the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. In the committee's view, these issues need to be addressed, and a working consensus needs to be established regarding these issues among designers, operators, and those responsible for

maintenance of such systems, and regulators in the nuclear industry. The process the committee followed to identify these issues is discussed in the Phase 1 report and is only briefly summarized here. In essence, the committee considered the impact of digital I&C systems against a set of standard regulatory approaches to assessing and ensuring safety (defense-in-depth, safety margins, environmental qualification, quality assurance, and failure invulnerability). From this analysis the committee identified a number of questions and issues. After extensive deliberations the committee selected eight key issues. The eight issues can be separated into six technical issues and two strategic issues. The technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of the technical infrastructure (for using digital technology in nuclear plants). The committee recognizes that these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee reaffirms its judgment, initially formed during Phase 1, that developing consensus on these eight issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

Analyzing the Key Issues (Phase 2)

In conducting Phase 2 of its study the committee employed a systematic process, which is reflected in the structure of most of the chapters in this report. The committee reviewed a large number of documents made available by the USNRC and a variety of other sources. The committee also interviewed selected personnel from the USNRC, from the two advisory committees discussed above (ACRS, NSRRC), from the nuclear industry, and from other industries using digital systems in safety-critical applications. The committee also sought the views of individuals from academia and research organizations. In addition, the committee visited control room simulators, a nuclear plant, and a fossil-fueled power plant with extensive digital I&C systems. The committee also had frequent and detailed internal discussions, face to face and via paper and electronic communications. The committee also brought to bear a wide range of experience in and knowledge of the field.

Carrying Out the Charge

The committee took seriously the charge that it identify criteria for review and acceptance of digital I&C technology and that it recommend guidelines for regulation and certification. In carrying out its charge, the committee recognized that:

+ In order to develop useful guidance, only a limited number of issues could be dealt with in the relatively brief duration of the study.
+ General high-level criteria would not be particularly useful. Further, since the nuclear power industry is heavily regulated in the public interest, and legally the USNRC's responsibility, the final licensing criteria should be forged in a detailed interaction among the regulators, the industry, and the public.
+ The committee has a wide range of expertise and experience in digital systems and nuclear power plants, but it is not a surrogate for this interaction among the stakeholders. Here, the committee could serve by clearly delineating and defining issues and providing guidance for resolving these issues rather than developing specific licensing criteria.

The committee worked on these issues. These eight issues address two major intertwined themes associated with the use of digital instrumentation and control in nuclear power plants. These are:

1. Dealing with the specific characteristics of digital I&C technology as applied to nuclear power plants.
2. Dealing with a technology that is more advanced than the one widely in use in the existing nuclear power plants. This technology is rapidly advancing at a rate and in directions largely uncontrolled by the nuclear industry, but at the same time it is likely to have a significant impact on the operation and regulation of the nuclear industry.

The technical issues the committee focused on in this report are primarily related to digital technology itself (Theme 1), while the strategic issues that follow are primarily related to the process of adopting advanced technology (Theme 2). The committee concentrated on reviewing the current approaches being taken by the nuclear industry and its regulators toward dealing with the selected key issues. The committee also tried to learn from the experience of the international nuclear industry, as well as to gather and evaluate information about how other safety-critical industries and their regulators dealt with these issues. Also, through the technical expertise and knowledge of its various members, the committee explored work done by the digital systems community at large, including both research activities and

As the committee worked through the issues it discovered there is a major impediment to progress. This is the communication barrier that exists among the key technical communities and individuals involved. The basic reason for the communication difficulty is apparent. Work is simultaneously going on in many areas, each with its own terminology, research focus, and agenda. Unfortunately, though many of these areas use common terms, these terms often have different meanings to different groups, resulting in either lack of communication or very difficult communication. This is particularly troublesome for the nuclear power industry and its regulators, who are not dominant in this technology and must try to synthesize information and experience from a variety of sources and apply it in power plants where safety hazards must be dealt with in a rigorous way, under public scrutiny. In Chapter 11 the committee discusses this communication problem in more detail and provides suggestions for a way forward. Making substantial progress in this area should have a multiplier effect, as it eases the resolution of many specific technical and strategic issues.

Overall, while there are important steps that remain to be taken by the USNRC and industry as addressed in this report, the committee found no insurmountable barriers to the use of digital instrumentation and control technology in nuclear power plants. The committee also believes that a forward-looking regulatory process with good and continuing regulator and industry communication and interaction will help. All participants must recognize that crisp, hard-edged criteria are particularly difficult to come by in this rapidly moving area, and good practices and engineering judgment will continue to be needed and relied upon.

For the key technical issues (systems aspects of digital I&C technology, software quality assurance, common-mode software failure potential, safety and reliability assessment methods, human factors and human-machine interfaces, and dedication of commercial off-the-shelf hardware and software), the committee provides specific recommendations and conclusions which include a number of specific criteria. These are listed in each chapter (see Chapters 3 through 8). But recognizing the difficulty of defining specific criteria, and the need for the nuclear technology stakeholders, particularly the USNRC, to make the final decisions, the committee focused on (a) providing process guidance both in developing guidelines and in the short-term acceptance of the new technology; (b) identifying promising approaches to developing criteria and suggestions for avoiding dead ends; and (c) mechanisms for improving communication and strengthening technical infrastructure.

For the key strategic issues (the case-by-case licensing procedure and adequacy of the technical infrastructure), the committee:

+ Emphasizes guidance to implement a generically applicable framework for regulation that follows current USNRC practice and draws a distinction between major and minor safety modifications. The committee also provides guidance for the evolution and updating of this regulatory framework (see Chapter 9).
+ Assesses technical infrastructure and suggests specific research that is needed to upgrade the current USNRC technical infrastructure so that it will support the needed regulatory program and the USNRC's research needs. The committee also suggests several improvements to the technical infrastructure to improve and maintain technical capabilities in this rapidly moving, technically challenging area.

The results of this process are set forth below, where the committee introduces each of the key issues (first the technical, then the strategic) with an "issue statement" developed during Phase 1 of the study. Following each issue statement are the conclusions and recommendations formulated by the committee during Phase 2 of the study.

TECHNICAL ISSUES

Systems Aspects of Digital Instrumentation and Control Technology

Issue Statement. Along with opportunities and benefits, digital I&C systems introduce potential new failure modes that can affect operations and margins of safety. Therefore, digital I&C systems require rigorous evaluation of the systems aspects of their design and implementation. What methods are needed to address this concern? How can the experience and best practices of the various technical communities involved in applying digital I&C technologies be best integrated and applied to nuclear power plants? What process can be put in place to update the methods and the experience base as new digital I&C technologies and equipment are introduced in the future?

Conclusion 1. Concerted efforts are warranted by the USNRC and the nuclear industry to deal with the systems aspects of digital I&C in nuclear power plants.

Conclusion 2. The lack of actual design and implementation of large I&C systems for U.S. nuclear power plants limits the ability to use learning from experience as a basis for improving how the nuclear industry and the USNRC deal with systems aspects.

Conclusion 3. The USNRC's intent to upgrade the regulatory guidance in the systems aspects of digital I&C applications in nuclear power plants is entirely supported by the committee's observations about systems aspects.

Conclusion 4. Existing regulatory guidance lacks the specificity needed to be effective, and the revision should address this shortcoming.

Recommendation 1. The USNRC should make a trial application of the proposed regulatory guidance documents on systems aspects to foreign nuclear plant digital systems, both existing and in progress. In particular, this review should focus on assessing whether or not the revised guidance documents have the necessary level of specificity to adequately address the systems aspects of nuclear plant digital I&C implementations.

Recommendation 2. The USNRC should identify and review systems aspects guidance documents provided in other industries, such as chemical processing and aerospace, where large-scale digital I&C systems are used. The focus of this review would be to compare the other guidance documents with those being developed by the USNRC, paying due attention to common problems and application-specific differences.

Recommendation 3. To obtain practical experience, the USNRC should foster staff personnel exchanges, on a reciprocal basis, with other agencies involved in regulating or overseeing large safety-critical digital I&C systems.

Recommendation 4. The USNRC should require continuing professional training for appropriate staff in technologies particularly germane to systems aspects, such as fault tolerance and distributed systems.

Software Quality Assurance

Issue Statement. The use of software is a principal difference between digital and analog I&C systems. Quality of software is measured in terms of its ability to perform its intended functions. This, in turn, is traced to software specifications and compliance with these specifications. Neither of the classic approaches of (a) controlling the software development process or (b) verifying the end product appears to be fully satisfactory in assuring adequate quality of software, particularly for use with safety-critical systems. How can the USNRC and the nuclear industry define a generally accepted, technically sound solution to specifying, producing, and controlling software needed in digital I&C systems?

Conclusion 1. Software quality assurance procedures typically monitor process compliance rather than product quality. In particular, there are no generally accepted evaluation criteria for safety-related software; rather, standards and guidelines help repeat best practices. Because most software qualities related to system safety, e.g., maintainability, correctness, and security, cannot be measured directly, it must be assumed that a relationship exists between measurable variables and the qualities to be ensured. To deal with this limitation, care must be taken to validate such models, using past development activities, and to assure that the measurements being made are appropriate and accurate in assessing the desired software qualities.

Conclusion 2. Prior operating experience with particular software does not necessarily ensure reliability or safety in operation in a new application. Additional reviews, analysis, or testing by a utility or third-party dedicator may be necessary to reach an adequate level of assurance.

Conclusion 3. Testing must not be the sole quality assurance technique. In general, it is not feasible to assess software correctness through exhaustive testing for most real, practical I&C systems.

Conclusion 4. USNRC staff reviews of the verification and validation process used during software development seem adequate.

Conclusion 5. Exposing software flaws, demonstrating reliable behavior of software, and finding unintended functionality and flaws in requirements are different concepts and should be addressed by a combination of techniques, including:

• Systematic inspections of software and planned testing with representative inputs from different parts of the system's domain can help determine if flaws exist in the software.

• Functional tests can be chosen to expose errors in normal and boundary cases, and some measure of test coverage can be reported to the staff.

• Testing based on large numbers of inputs selected from the operational profiles of a program can be used to assess the likelihood that software will fail under specific operating conditions.

• Requirements inspections can be an effective method for detecting software defects, provided requirements are reviewed by several experienced people who did not participate in their construction. The effectiveness of these reviews also depends on the quality of the requirements.

• A system-level hazard analysis can identify states that, combined with environmental conditions, can lead to accidents. The analysis should extend into software components to ensure that software does not contribute to system hazards.

Conclusion 6. The USNRC research programs related to software quality assurance appear to be skewed toward investigating code-level issues, e.g., coding in different languages to achieve diversity and program slicing to identify threads containing common code.

Conclusion 7. Rigorous configuration management must be used to assure that changes are made as designed and implemented and that relationships between different software artifacts are maintained.

DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS IN NUCLEAR POWER PLANTS

Conclusion 8. Software is not more testable simply because the design has been implemented on a chip. Use of any technology requiring equivalent design effort to software requires commensurate quality assurance. For example, this conclusion applies to ASICs (application-specific integrated circuits), PLCs (programmable logic controllers), and FPGAs (field programmable gate arrays). However, the committee notes that these technologies may be useful in addressing some configuration management problems.

Recommendation 1. Currently the USNRC's path is to develop regulatory guides to endorse a variety of industry standards. The USNRC should develop (with possible exceptions) its own guidelines for software quality assurance that focus on acceptance criteria rather than prescriptive solutions. The draft regulatory guide, Software in Protection and Control Systems, by Canada's Atomic Energy Control Board is an example of this type of approach. The USNRC guidelines should be subjected to a broad-based external peer review process involving (a) the nuclear industry, (b) other safety-critical industries, and (c) both the commercial and academic software communities.

Recommendation 2. Systems requirements should be written in a language with precise meaning so that general properties like consistency and completeness as well as application-specific properties can be analyzed. Cognizant personnel such as plant engineers, regulators, system architects, and software developers should be able to understand the language.

Recommendation 3. USNRC research in the software quality assurance area should be balanced in emphasis between early phases of the software life cycle and code-level issues. Experience shows that the early phases contribute more frequently to the generation of software errors.

Recommendation 4. The USNRC should require a commensurate quality assurance process for ASICs, PLCs, and other similar technologies.

Common-Mode Software Failure Potential

Issue Statement. Digital technology introduces a possibility that common-mode software failures may cause redundant safety systems to fail in such a way that there is loss of safety function. Various procedures have been developed and evolved for evaluating common-mode failure potential in analog devices. Do these same procedures apply to computers and software, or are different approaches to ensuring reliability needed? What does software diversity mean? Can it be achieved and assessed and, if so, how? Do techniques exist for assessing common-cause failure and common-mode failure when computers are involved? What are the implications of common-mode software failure for the licensing process and the use of component diversity? Are redundancy and diversity the most effective way to achieve reliability for digital systems?

Conclusion 1. The USNRC position of assuming that common-mode software failure could occur is credible, conforms to engineering practice, and should be retained.

Conclusion 2. The USNRC position with respect to diversity, as stated in the draft branch technical position, Digital Instrumentation and Control Systems in Advanced Plants, and its counterpart for existing plants, is appropriate.

Conclusion 3. The USNRC guidelines on assessing whether adequate diversity exists need to be reconsidered. With respect to these guidelines: (a) The committee agrees that providing digital systems (components) that perform different functions is a potentially effective means of achieving diversity. Analysis of software functional diversity, showing that independence is maintained at the system level and that no new failure modes have been introduced by the use of digital technology, is no different from that for upgrades or designs that include analog instrumentation. (b) The committee considers that the use of different hardware or real-time operating systems is potentially effective in achieving diversity, provided functional diversity has been demonstrated. With regard to real-time operating systems, this applies only to operating systems developed by different companies or shown to be functionally diverse. (c) The committee does not agree that use of different programming languages, different design approaches meeting the same functional requirements, different design teams, or different vendors' equipment used to perform the same function is likely to be effective in achieving diversity. Thus, none of these methods is proof of independence of failures. Conversely, neither is the presence of these proof of dependence of failures.

Conclusion 4. There appears to be no generally applicable, effective way to evaluate diversity between two pieces of software performing the same function. Superficial (surface, syntactic) differences do not imply failure independence, nor does the use of different algorithms to achieve the same functions. Therefore, funding research on ways to evaluate design diversity does not appear to be a reasonable use of USNRC research funds.

Conclusion 5. Although many in the software community believe that there are more cost-effective techniques for achieving high software reliability than redundancy and diversity, there is no agreement as to what these alternatives may be. The most promising of these appear to be the extension of standard safety analysis and design techniques to software and the use of formal (mathematical) analysis.

Conclusion 6. The use of self-checking to detect hardware failures and some types of software errors is effective and should be incorporated. However, care must be taken to assure that the self-checking features themselves do not intro-

Recommendation 1. The USNRC should retain its position of assuming that common-mode software failure is credible.

Recommendation 2. The USNRC should maintain its basic position regarding the need for diversity in digital I&C systems as stated in the draft branch technical position, Digital Instrumentation and Control Systems in Advanced Plants (see Chapter 5), and its counterpart for existing plants.

EXECUTIVE SUMMARY

Recommendation 3. The USNRC should revise its guidelines on assessing whether adequate diversity exists. The USNRC should not place reliance on different programming languages, different design approaches meeting the same functional requirements, different design teams, or different vendors' equipment ("nameplate diversity"). Rather, the USNRC should emphasize potentially more robust techniques such as the use of functional diversity, different hardware, and different real-time operating systems.

Recommendation 4. The USNRC should reconsider the use of research funding to try to establish diversity between two pieces of software performing the same function. This does not appear to be possible. Specifically, it appears the USNRC funding of the Unravel tool is based on the use of this tool for this purpose and, as such, is unlikely to be useful.

Safety and Reliability Assessment Methods

Issue Statement. Effective, efficient methods to assess the safety and reliability of digital I&C systems in nuclear power plants are needed. These methods are needed to help avoid potentially unsafe or unreliable applications and to aid in identifying and accepting safety-enhancing and reliability-enhancing applications. What methods should be used for making these safety and reliability assessments of digital I&C systems?

Conclusion 1. Deterministic assessment methodologies, including design basis accident analysis, hazard analysis, and other formal analysis procedures, are applicable to digital systems.

Conclusion 2. There is controversy within the software engineering community as to whether an accurate failure probability can be assessed for software or even whether software fails randomly (see Chapter 6). However, the committee agreed that software failure probability can be used for the purposes of performing probabilistic risk assessment (PRA) in order to determine the relative influence of digital system failure on the overall system. Explicitly including software failures in a PRA for a nuclear power plant is preferable to the alternative of ignoring software failures.

Conclusion 3. The assignment of probabilities of failure for software (and more generally for digital systems) is not substantially different from the handling of many of the probabilities for rare events. A good software quality assurance methodology is a prerequisite to providing a basis for the generation of bounded estimates for software failure probabilities. Within the PRA, uncertainty and sensitivity analysis can help the analyst assure that the results are not unduly dependent on parameters that are uncertain. As in other PRA computations, bounded estimates for software failure probabilities can be obtained by processes that include valid random testing and expert judgment.

Conclusion 4. Probabilistic analysis is theoretically applicable in the same manner to commercial off-the-shelf (COTS) equipment, but the practical application may be difficult. The difficulty arises when attempting to use field experience to assess failure probability in that the experience may or may not be equivalent. For programmable devices the software failure probability may be unique for each application. However, results of rigorous tests may still be applicable to bounding the failure probability, as with custom systems. A long history of successful field experience may be useful in eliciting expert judgment.
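The bounded-estimate and sensitivity ideas in Conclusions 2 and 3 above, together with the operational-profile testing of Conclusion 5 under Software Quality Assurance, as an added example that is not the committee's own method or data: it bounds a program's per-demand failure probability from random tests drawn from its operational profile, then shows how a common-mode software term dominates a 2-out-of-4 redundant channel set when it is included in the model rather than ignored. All test counts and probabilities are constructed for illustration.

```python
"""Added example (not from the report): bounded software failure probability
from operational-profile testing, fed into a small PRA-style model of a
redundant digital channel set that carries a common-mode software term.
All numeric inputs are constructed for illustration."""
from math import comb
from typing import Dict, List


def binomial_cdf(n: int, k: int, p: float) -> float:
    """P(at most k failures in n independent demands, per-demand prob p)."""
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k + 1))


def software_failure_bound(n_tests: int, failures: int, confidence: float) -> float:
    """Upper confidence bound on a program's per-demand failure probability,
    given `failures` failures in `n_tests` demands drawn at random from its
    operational profile (the statistical testing the report describes).
    This is the one-sided Clopper-Pearson bound; with zero failures it
    reduces to 1 - (1 - confidence) ** (1 / n_tests)."""
    if not 0 <= failures <= n_tests or not 0.0 < confidence < 1.0:
        raise ValueError("need 0 <= failures <= n_tests and 0 < confidence < 1")
    if failures == 0:
        return 1.0 - (1.0 - confidence) ** (1.0 / n_tests)
    if failures == n_tests:
        return 1.0
    # binomial_cdf(n, k, p) decreases in p; bisect for cdf == 1 - confidence.
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if binomial_cdf(n_tests, failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


def system_failure_prob(n_channels: int, k_needed: int, q_channel: float,
                        p_common: float) -> float:
    """Failure-on-demand probability of a k-out-of-n channel set.

    q_channel: independent per-channel failure probability.
    p_common:  probability that a common-mode fault (e.g. identical software
               running in every channel) fails all channels together.
    The set fails if the common-mode fault occurs or, if it does not, if
    fewer than k_needed channels survive their independent failures."""
    min_failed = n_channels - k_needed + 1
    independent = sum(comb(n_channels, i) * q_channel**i
                      * (1.0 - q_channel) ** (n_channels - i)
                      for i in range(min_failed, n_channels + 1))
    return p_common + (1.0 - p_common) * independent


def common_mode_sensitivity(n_channels: int, k_needed: int, q_channel: float,
                            p_common_values: List[float]) -> Dict[float, float]:
    """Sensitivity scan over assumed common-mode software failure
    probabilities; include 0.0 to see the 'ignore software failures'
    alternative the report argues against."""
    return {p: system_failure_prob(n_channels, k_needed, q_channel, p)
            for p in p_common_values}


if __name__ == "__main__":
    # Constructed scenario: 4600 failure-free random demands, 99 % confidence.
    p_sw = software_failure_bound(4600, 0, 0.99)   # about 1.0e-3
    q_hw = 1e-3  # constructed independent channel failure probability
    scan = common_mode_sensitivity(4, 2, q_hw, [0.0, 1e-6, 1e-4, p_sw])
    print(f"software failure bound: {p_sw:.2e}")
    for p, total in scan.items():
        share = 0.0 if total == 0.0 else p / total
        print(f"p_common={p:.1e}  P(set fails)={total:.2e}  "
              f"common-mode share={share:.3f}")
```

With the constructed numbers the independent 2-out-of-4 term is about 4e-9, so a common-mode term of 1e-4 raises the set's failure probability by more than four orders of magnitude, which is why the scan over p_common, not the hardware term, drives the result.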

Recommendation 1. The USNRC should require that the relative influence of software failure on system reliability be included in PRAs for systems that include digital components.

Recommendation 2. The USNRC should strive to develop methods for estimating the failure probabilities of digital systems, including COTS, for use in probabilistic risk assessment. These methods should include acceptance criteria, guidelines and limitations for use, and any needed rationale and justification.

Recommendation 3. The USNRC and industry should evaluate the capabilities and develop sufficient levels of expertise to understand the requirements for gaining confidence in digital implementations of system functions and the limitations of quantitative assessment.

Recommendation 4. The USNRC should consider support of programs that are aimed at developing advanced techniques for analysis of digital systems that might be used to increase confidence and reduce uncertainty in quantitative

Human Factors and Human-Machine Interfaces

Issue Statement. At this time, there does not seem to be an agreed-upon effective methodology for designers, owner-operators, maintainers, and regulators to assess the overall impact of computer-based human-machine interfaces on human performance in nuclear power plants. What methodology and approach should be used to assure proper consideration of human factors and human-machine interfaces?

Conclusion 1. Digital technology offers the potential to enhance the human-machine interface and thus overall operator performance. Human factors and human-machine interfaces are well enough understood that they do not represent a major barrier to the use of digital I&C systems in nuclear power plants.

Conclusion 2. The methodology and approach adopted by the USNRC for reviewing human factors and human-machine interfaces provides an initial and acceptable first step in review. Existing USNRC procedures for both the design product and process are consistent with those of other industries. The guidelines are based on those available in the literature or developed by specific industries. The methodology for reviewing the design process is based on sound system engineering principles consistent with the validation and verification of effective human factors.

Conclusion 3. Adequate design must go beyond guidelines. The discussion in NUREG-0711 on advanced technology and human performance and the design principles set out in Appendix A of NUREG-0700 Rev. 1 provide a framework in which the nuclear industry can specify, prototype, and empirically evaluate a proposed design. Demonstration that a design adheres to general principles of good human-system integration and takes into account known characteristics of human performance provides a viable framework in which implementation of somewhat intangible, but important, concepts can be assessed.

Conclusion 4. There is a wide range in the type and magnitude of the digital upgrades that can be made to safety and safety-related systems. It is important for the magnitude of the human factors review and evaluation to be commensurate with the magnitude of the change. Any change, however, that affects what information the operator sees or the system's response to a control input must be empirically evaluated to ensure that the new design does not compromise human-system interaction effectiveness.

Conclusion 5. The USNRC is not sufficiently active in the public human factors forum. For example, proposed human factors procedures and policies or sponsored research such as NUREG-0700 Rev. 1 are not regularly presented and reviewed by the more general national and international human factors communities, including such organizations as the U.S. Human Factors and Ergonomics Society, the Institute of Electrical and Electronics Engineers (IEEE) Society on Systems, Man, and Cybernetics, and the Association for Computing Machinery Special Interest Group on Computer-Human Interaction. European nuclear human factors researchers have used nuclear power plant human factors research to further better understanding of human performance issues in both nuclear power plants and other safety-critical industries. Other safety-critical U.S. industries, such as space, aviation, and defense, participate actively, benefiting from the review and experience of others.

Recommendation 1. The USNRC should continue to use, where appropriate, review guidelines for both the design product and process. Care should be taken to update these guidelines as knowledge and conventional wisdom evolve in both nuclear and nonnuclear applications.

Recommendation 2. The USNRC should assure that its reviews are not limited to guidelines or checklists. Designs should be assessed with respect to (a) the operator models that underlie them, (b) the way in which the designs address classic human-system interaction design problems, and (c) performance evaluations. Moreover, evaluations must include representative tasks, actual system dynamics, and real operators.

Recommendation 4. Complementing Recommendation 2, although human factors review should be undertaken systematically in a performance-based manner with realistic conditions and operators, the magnitude and range of the review should be commensurate with the nature and magnitude of the digital change.

Recommendation 5. The USNRC and the nuclear industry at large should regularly participate in the public forum. As noted in NUREG-0711, advanced human interface technologies potentially introduce many new and as yet unresolved human factors issues. It is critical that the USNRC stay abreast of current research and best practices in other industries and contribute findings from its own applications to the research and practitioner communities at large—for both review and education. (See also the Technical Infrastructure chapter for additional discussion.)

Recommendation 6. The USNRC should encourage researchers with the Halden Reactor Project to actively participate in the international research forum to both share their results and learn from the efforts of others.

Recommendation 7. As funds are available, the USNRC's Office of Nuclear Regulatory Research should support research exploring higher-level attributes of human-system integration, control, and automation. Such research should include exploration, specifically for nuclear power plant applications, of design methods such as operator models for more effectively specifying a design. Moreover, extensive field studies should be conducted to identify nuclear-specific technology problems and to compare and contrast the experiences in nuclear applications with those of other safety-critical industries. Such research will aid in the identification of recurring deficiencies and potentially link them to proposed solutions.

Recommendation 8. Complementing its own research projects, the USNRC should consider coordinating a facility, perhaps with the U.S. Department of Energy, at which U.S. nuclear industries can prototype and empirically evaluate proposed designs. Inexpensive workstation technologies permit the development of high-fidelity workstation-based simulators of significant portions of control rooms. Other industries make extensive use of workstation-based part-task simulators (e.g., aviation); results are found to apply quite well to the systems as a whole.

Dedication of Commercial Off-the-Shelf Hardware and Software

Issue Statement. What methods should be adopted for use by the regulators and the licensees to evaluate and accept the use of commercial off-the-shelf digital I&C systems in safety applications in nuclear power plants?

Conclusion 1. Use of COTS hardware and software is an attractive possibility for the nuclear industry to use, provided that a technically adequate dedication process can be formulated and that this process does not negate the cost advantages of COTS.

Conclusion 2. The recently developed draft guideline of the Electric Power Research Institute (EPRI) working group, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, appears to have potential as the basis for reaching industry and USNRC consensus on the COTS issue. In view of this possibility, the committee notes that the guideline and the follow-on "second-tier" guidance should assure that the necessary and sufficient attributes of digital I&C applications are defined for both hardware and software. Once these attributes are well defined, various acceptable methods of assessing the quality of the attributes can be more readily ascertained and used, and the requisite experience gained. As an example of the type of approach appropriate, the committee considers that the EPRI working group and the USNRC staff should consider the FAA's DO-178B guide for Software Considerations in Airborne Systems and Equipment Certification.

Conclusion 3. Software quality assurance, analysis, and testing issues are equally relevant to COTS. The committee's conclusions in Chapters 4 and 6, respectively, on these issues should be considered. Dedication processes for COTS should also prove relevant in cases where earlier software is reused among similar nuclear applications.

Conclusion 4. The USNRC involvement in the EPRI, Nuclear Utility Software Management Group (NUSMG), IEEE, and International Society for Measurement and Control (ISA) working groups is very useful and should assist the USNRC in developing appropriate guidance to address the COTS issue.

Conclusion 5. The approach to COTS must apply criteria and verification activities commensurate with the safety significance and complexity of a specific application. For example, the level of verification applied to a simpler, limited-scope application should be less than that applied to large replacements of reactor protection systems.

Recommendation 1. The USNRC staff should assure that their involvement in the EPRI, NUSMG, IEEE, and ISA working groups means that USNRC concerns and positions are being addressed, so that any standards or guidance developed by these groups can be quickly accepted and endorsed by the USNRC.

Recommendation 2. The USNRC should establish what research is needed to support USNRC acceptance of COTS in safety applications in nuclear plants. This research should then be incorporated into the overall research plan.

Recommendation 3. The USNRC regulatory guidance on the use of COTS should recognize and be based on the principle that criteria and verification activities are to be commensurate with the safety significance and complexity of the specific application.

STRATEGIC ISSUES

Case-by-Case Licensing Process

Issue Statement. What changes should be considered in the regulatory process to provide more efficient and effective regulation of digital I&C systems in nuclear power plants? How can sufficient flexibility be incorporated to address the rapidly changing nature of the digital I&C technology and better match the time response of the regulatory process to the technology it controls? How can the regulatory process be made more efficient while maintaining technical integrity?

Conclusion 1. As a general observation, the role of the regulator in overseeing the implementation of digital upgrades can be a valuable and important one. Particularly in an area such as digital I&C systems, where the state of the art evolves rapidly and where first-of-a-kind nuclear applications are contemplated, the oversight role of the regulator can bring valuable insight to the implementation of such upgrades. Indeed, the committee found several specific examples of this happening.

Conclusion 2. Nevertheless, the committee found that the regulatory response to the development and implementation of digital I&C upgrades in nuclear plants has proceeded in a manner that resulted in some degree of confusion and uncertainty within the licensee community with regard to the applicable regulatory requirements and the procedural framework for implementing such upgrades. This uncertainty and the resultant incremental cost have been a major contributor to the reluctance on the part of utilities in proceeding with digital upgrades.

Conclusion 3. The lack of generically applicable regulatory requirements for digital upgrades has resulted in a case-by-case approach that has contributed to the confusion and uncertainty. This approach to reviews may have been necessary in the early phase of the transition to digital systems. But the USNRC now has a sufficient body of experience with safety-related digital upgrades gained over recent years, supplemented by the extensive experience in other countries and other industries, to enable the agency to establish a more generically applicable regulatory regime that would govern the review and approval of such upgrades.

Conclusion 4. The process established in 10 CFR 50.59, wherein the agency has defined those circumstances where a licensee may make a modification without prior USNRC review and approval, is fundamentally sound, necessary, and consistent with the USNRC's responsibility to protect the public health and safety. In particular, it recognizes the practical necessity for licensees to make facility modifications consistent with their facility licensing basis without the need for prior USNRC review and approval. Moreover, the process appropriately reflects the gradation of significance in changes that might be made in a nuclear plant and the USNRC's attendant role based upon these gradations. In this regard, the committee strongly believes that it is important for the USNRC to distinguish between digital upgrades that are significant (i.e., pose unreviewed safety questions) and those that are not, and to tailor the scope and depth of the regulatory review in a manner that is commensurate with this gradation.

Conclusion 5. The committee believes that defining all safety-related digital upgrades as resulting in an unreviewed safety question, as stated in the USNRC's draft generic letter of August 1992, is contrary to both the letter and spirit of 10 CFR 50.59.

Conclusion 6. The agency has no formal process for cataloguing determinations made under 10 CFR 50.59 with regard to digital upgrades and the bases for these determinations. Such information would assist both the USNRC and licensees in determining whether particular upgrades pose unreviewed safety questions.

Conclusion 7. Early interaction between a utility applicant and the USNRC can be extremely helpful in identifying and fleshing out important issues. Where this proactive interaction has occurred, the committee found that the subsequent regulatory review was more efficient and focused, minimizing resources that would otherwise be required on the part of both the utility and the USNRC.

Recommendation 1. The USNRC should place a high priority on its effort to develop a generally applicable framework for the review and evaluation of digital I&C upgrades for operating reactors.

Recommendation 2. In view of the rapid evolution of digital technology, a process should be established to ensure that the regulatory framework is updated to stay abreast of such developments. To ensure that this framework takes into account the best practices in other safety-critical industries, external and public review is highly desirable.

academia. These groups would be tasked and managed on a project basis to investigate and resolve unreviewed matters of possible safety significance that arise in the development and use of digital systems.

Recommendation 4. In developing its regulatory requirements, the USNRC should ensure that where issues arise that are unique to digital systems, they are treated appropriately. On the other hand, where issues arise with regard to digital upgrades that are no different from issues posed for analog systems, such issues should be treated consistently. The opportunity (or obligation) for the USNRC to review and approve digital upgrades should not be seen as an opportunity to impose new requirements on existing licensees unless the issue is unique to the application proposed.

Recommendation 5. In view of the substantial benefits of early interaction with individual utilities considering digital upgrades, as well as the benefits of working closely with industry groups and other interested members of the public in the development of standards and guidelines, the USNRC should undertake proactive efforts to interact early and often with individual utilities and with industry groups and other interested members of the public. In addition, it would be of benefit for the USNRC to be familiar with the broader evolving applications of digital I&C systems in both nuclear and nonnuclear applications. This, in turn, will provide a foundation for a cooperative working relationship.

Recommendation 6. The USNRC should revisit the "systems level" issue addressed in Generic Letter 95-02 and EPRI Report TR-102348 to ensure that this position is consistent with the historic interpretation of 10 CFR 50.59. The committee strongly endorses maintaining and formalizing the distinction between major and minor safety system upgrades containing digital technologies.

Recommendation 7. The USNRC should establish a process for cataloguing 50.59 evaluations of digital upgrades at some centralized site, so that in the future licensees considering such upgrades can review and consider determinations regarding when a particular modification has passed a 50.59 evaluation or has been found to result in an unreviewed safety question.

‘Adequacy of Technical infrastructure Issue Statement Docs the USNRC need to make changes 1G saling, asin, and seat program Lo supp is regulation of digital L&C technology in aiclear power plants? If s0, what is the appropriate program forthe PSNR? How shuld this moger bệ sượctrel so tt là

Trang 25

EXECUTIVE SeMMARY

snaitains it efletivenets inthe face of rapidly coving and

‘developing techoolony and generally declining budeets?

(Conctuson 1 The USNRC shou make changes int staff

ing training, and research progam to support is epuation

of digital IAC technology in mclee power planes, Specific

recomendations are provided belo

‘Concusion 2 The sue of adequate techicalinfasractre

js applicable not ony othe USNR but also to the nuclear

fndusty a a whole Many ofthe commite'secomends

Hos forte USNRC have pull appicatons tothe cleat

CConetason 3 The USNR mast ancy that he reps:

tory technical infastracture wil continue tobe challenged

by advancing digital &C teehnlogy, The focus ofthe nea

tem licensing effort wil be on digital upgrades an cet

ation ofthe advanced plans The USNR wl ave to con

tinue to expand is technial infrastructure a se of digital

technology expands and it sophistication increases

‘Conclusion 4 Tere are problems inherent in the historical

proces for developing tandnds and fndotry guidelines,

Parcualy those appli to te eapdly advancing digital

technology Pending development of sltemate approaches,

aly involvement bythe USNR in developing standards

Sd industry pdelines wil foster mor timely aay

‘of regulary uidance and aeceptaceeriria

Conclusion 5. A strategic plan is needed for the USNRC research program on digital I&C applications. The current research program is a disjointed collection of studies lacking an underlying strategy and in some specific cases pursuing topics of questionable worth. The staff structure of the USNRC, which separates the staff of the Office of Nuclear Reactor Regulation (NRR) from the staff of the Office of Nuclear Regulatory Research (RES) and mandates that the RES staff respond to NRR "user needs," may be an obstacle to development of a coherent plan that balances near-term regulatory decision making and long-term research into problems on the horizon. Periodic outside review of the USNRC research program could help assure that the right issues are being addressed and could also lead to areas of collaborative research. The committee is aware of and notes favorably the impact of the existing Nuclear Safety Research Review Committee. However, a more formal, outside review would be useful. Perhaps this could be done on an exchange basis with other agencies to reduce resource demands.

Recommendation 1. Despite difficulties posed by declining budget and staffing levels in the face of rapidly moving technology and significant interest by industry, the USNRC must explore ways to improve the efficiency of the review process with existing staff and resources.

Recommendation 2. The USNRC should define a set of minimal and continuing training needs for existing and recruited staff. Particular attention should be paid to software quality assurance experts. Once defined, the USNRC training program should be subjected to appropriate external review. Certification of USNRC expertise levels is one option the USNRC may wish to consider.

Recommendation 3. Consistent with Conclusion 5 above, the USNRC should develop a strategic plan for the research program conducted by the RES and NRR offices. The plan should emphasize strategic means of leveraging available resources to accomplish long-term anticipatory research needs and should include short-term regulatory needs as well as a statement of research objectives. It should reach out more effectively to relevant technical communities (e.g., by the establishment of research simulators for human factors research), to the Electric Power Research Institute, to the Department of Energy, to foreign nuclear organizations, and to other safety-critical industries dealing with digital I&C issues. In making this recommendation, the committee recognizes that the Halden Reactor Project provides an example of such cooperative research. But much of the Halden work cannot be published widely and therefore lacks the benefit of rigorous peer review.

Recommendation 4. Because research in the digital I&C area may require longer time frames than that of single fiscal years, the USNRC should give consideration to planning and arranging funding on a multiyear basis.

Recommendation 5. Consistent with Conclusion 4 above, the USNRC should consider ways to accelerate preparation and updating of needed standards and guidance documents. In particular, the USNRC should consider using chartered task groups (see the Recommendation pertaining to the standards-setting process).

CONCLUDING STATEMENT

The committee has presented what it believes to be a pragmatic approach for meeting the challenge. One key obstacle is overcoming impediments to communication. There are a number of ways to address the communication difficulty. Some are already being pursued; some need to be initiated. The committee particularly emphasizes the following needs:

• the need for clear communication of the regulatory concerns and the appropriate acceptance criteria that are valid at any point in time
• the need for the nuclear power industry and the USNRC to be more proactive in the relevant technical communities
• the need for the nuclear power industry and its regulators to strengthen their technical infrastructure in digital I&C
• the need to formally address the communication problem in a systematic way
• the need to tune up the regulatory mechanisms that are employed when an advanced technology, like digital I&C, has temporarily outpaced the regulations

Turning to technical issues more specifically related to digital technology, the committee emphasizes the following:

• The use of digital I&C technology does not obviate the standard methods for safety assessment of nuclear power plants.
• Digital I&C systems (and digital systems in general) should not be addressed only in terms of hardware or software.
• Most practical digital I&C systems cannot be exhaustively tested and therefore cannot be shown to be free from any and all errors.

In summary, the committee notes that digital instrumentation and control is state-of-the-art technology and is widely used both inside and outside the nuclear industry. Digital I&C systems offer powerful capabilities that can, however, affect nuclear power plant safety; therefore, digital systems should be treated carefully, particularly in safety-related applications. It appears the USNRC and the nuclear power industry are moving forward with the procedures, processes, and technical infrastructure needed to assure continued safe operation of the plants. The committee has suggested several improvements.


Introduction

NUCLEAR POWER PLANT INSTRUMENTATION AND CONTROL SYSTEMS

Role of Instrumentation and Control in Nuclear Power Plants

Nuclear power plants rely on instrumentation and control (I&C) systems for monitoring, control, and protection. The grouping of I&C systems according to these three types of functions (monitoring, control, and protection) is discussed in some detail below. There is, however, another division of I&C systems into two categories called within the nuclear industry "nonsafety" and "safety." The nonsafety systems are used by the operators to monitor and control the normal operation of the plant, including startup and shutdown, and to mitigate and prevent plant operational transients. These nonsafety systems are backed up by a set of independent (noninteracting), redundant safety systems that are designed to take automatic action to prevent and mitigate accident conditions if the operators and the nonsafety systems fail to maintain the plant within normal operating conditions. Thus, to some extent (but not entirely), nonsafety systems coincide with monitoring and control systems, and safety systems with protection systems. This is discussed further below.

The two categories of systems, safety and nonsafety, are thought of as being consistent with and part of the defense-in-depth approach to safety. The distinction between them is important since essentially only the safety systems are "credited" (i.e., relied upon by the industry and the U.S. Nuclear Regulatory Commission [USNRC] as a basis for making judgments about safety) in the formal safety analysis of the plant. The safety systems are thus of particular concern in the USNRC's licensing procedures, whereas very few of the nonsafety systems fall under the same rigorous regulatory control. Before proceeding to further discussion of safety systems, however, it is in order to describe the three types of I&C systems in nuclear power plants.

Types of Instrumentation and Control Systems

In a nuclear power plant the I&C systems, irrespective of whether they use analog or digital technology, are generally grouped into three types: plant monitoring and display systems, plant control systems, and plant protection and mitigation systems.

Plant Monitoring and Display Systems

Plant monitoring and display systems monitor plant variables and provide data to other I&C systems and to the plant operators for use in controlling the operation of the plant. Typical examples include systems that monitor and display the status of the fire protection system, fluid temperatures, and pressures. These systems also normally provide visual and audible alarms at various control stations, particularly the main control room, that notify operators of particular values requiring action by the operator to avert a potential or actual problem or emergency. Usually there are formal procedures the operators follow when such an alarm or notification occurs, with the alarm setpoint and required response time coordinated to give the operator adequate time to take action. Typically the response times are on the order of tens of minutes. If inadequate time exists, an automated response is provided.

Plant Control Systems

Plant control systems are used to control all the normal operations of the plant. They are used in startup, power operations, shutdowns, and plant upsets. Regarded by plant owners as the primary controls for their expensive and complex plants, they are fully engineered, they are robust, and they usually have considerable redundancy (see below) to prevent single failures or anticipated events from escalating to plant shutdowns, trips, or accidents endangering plant equipment, personnel, and the public. Typical examples include feedwater and steam control systems, turbine generator controls, and the myriad of systems used to control the many circuit breakers, pumps, and valves throughout the plant.

Plant Protection and Mitigation Systems

Plant protection and mitigation systems are an additional, separate layer of systems that monitor the plant variables. If they detect that the above-described plant monitoring and control systems have not kept the plant within a predefined set of conditions, they take action automatically to rapidly shut down the plant ("trip" and "scram" are terms that accurately convey the nature of the response) and start any other needed systems to mitigate the detected problem and place the plant in a safe state. These protection and mitigation systems have a number of important characteristics. (a) They are physically separate systems that generally do not share hardware and software with the plant operating and control systems. (Some limited amounts of equipment, such as sensors, may be shared provided safety qualification requirements are met.) This extends to and includes the equipment itself and needed auxiliary systems such as heating, ventilation, and air conditioning; electrical or hydraulic power supplies; and cooling water systems. (b) They are environmentally qualified for the harshest anticipated operating and accident conditions, including highly unusual events such as large earthquakes and tornadoes. (c) When called upon to act, they go to completion of their intended function. (d) The protection and mitigation systems do not control or modulate the operation of the systems they act on. They shut down the reactor, trip the turbine generator, start needed cooling water systems, and go to preset operating conditions that are safe for the plant to maintain for extended periods. In addition, (e) they are designed to be single-failure proof. That is, no single failure at the component or system level, no failure internal to the protection and mitigation systems in addition to the initiating event failure and any direct consequence, and no single personnel error can prevent them from successfully operating. As a result they use redundancy. That is, there are typically multiple, separate, parallel sets of equipment and systems to carry out the same function. In the I&C system in particular, this redundancy is usually provided by having four parallel channels that actuate the systems if needed. The four parallel channels are fed to a logic system that requires any two valid signals to cause actuation. This logic assures that no single failure will prevent or cause the drastic actions taken by these systems. It also allows complete (sensor-to-actuation) testing of one channel at a time while the plant is at power without causing or inhibiting the protection and mitigation function.
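The four-channel, two-out-of-four coincidence logic described above (and restated under "Applications to Nuclear Plants" below, where one failed channel is taken out of service and the logic becomes two-out-of-three), shown as an added example that is not part of the committee's report: a small Python model of the voter, the bypass used to test or repair one channel while the plant is at power, an exhaustive enumeration of single-channel failures to confirm that none can either cause or block actuation, and the diverse-parameter defense the report goes on to describe (a loss-of-flow event sensed independently by outlet temperature and by pressure). Channel names, setpoints and readings are constructed for illustration and are not real plant values.

```python
"""Added example: 2oo4 protection-channel voting with bypass, single-failure
enumeration, and diverse-parameter actuation. All channel names, setpoints and
readings below are constructed for illustration, not taken from any plant."""
from itertools import product


def vote(demands, bypassed=frozenset(), m=2):
    """Coincidence voter: actuate when at least m channels that are NOT bypassed
    demand a trip. With four channels and m=2 this is 2oo4; placing one channel
    in bypass leaves three in service and the same rule becomes 2oo3."""
    in_service = [demand for ch, demand in demands.items() if ch not in bypassed]
    return sum(in_service) >= m


def single_failure_cases(n=4, m=2, bypassed=frozenset()):
    """Enumerate every single-channel failure (stuck demanding a trip, or stuck
    normal) and report, per case, whether it alone causes a spurious actuation
    and whether it blocks actuation when every healthy channel sees a real demand."""
    channels = [f"ch{i}" for i in range(n)]
    cases = {}
    for failed, mode in product(channels, ("stuck_trip", "stuck_normal")):
        stuck = mode == "stuck_trip"
        quiet = {ch: (stuck if ch == failed else False) for ch in channels}  # no process demand
        real = {ch: (stuck if ch == failed else True) for ch in channels}    # genuine demand
        cases[(failed, mode)] = {
            "spurious": vote(quiet, bypassed, m),
            "blocked": not vote(real, bypassed, m),
        }
    return cases


def is_single_failure_proof(n=4, m=2, bypassed=frozenset()):
    """True when no single channel failure can either cause or prevent actuation."""
    return not any(c["spurious"] or c["blocked"]
                   for c in single_failure_cases(n, m, bypassed).values())


def channel_demands(readings, setpoint):
    """Per-channel bistable: a channel demands a trip when its reading exceeds
    the setpoint (setpoints in this example are constructed, not real values)."""
    return {ch: value > setpoint for ch, value in readings.items()}


def diverse_trip(parameter_readings, setpoints, bypassed=frozenset(), m=2):
    """Actuate if the voter for ANY of several diverse parameters trips, so a
    common-mode fault that disables every channel of one parameter leaves the
    other parameter's channels to act."""
    per_param = {p: vote(channel_demands(r, setpoints[p]), bypassed, m)
                 for p, r in parameter_readings.items()}
    return any(per_param.values()), per_param


def loss_of_flow_demo():
    """Constructed loss-of-flow scenario: the four outlet-temperature channels
    share a hypothetical software fault that freezes them at a normal value,
    while the independently sensed pressure channels see the transient."""
    setpoints = {"outlet_temperature": 600.0, "pressure": 16.0}  # constructed
    readings = {
        "outlet_temperature": {f"ch{i}": 580.0 for i in range(4)},  # frozen: common-mode fault
        "pressure": {"ch0": 16.4, "ch1": 16.5, "ch2": 15.9, "ch3": 16.6},  # ch2 lags, 3 of 4 trip
    }
    return diverse_trip(readings, setpoints)


if __name__ == "__main__":
    print("2oo4 single-failure proof:", is_single_failure_proof(4, 2))
    print("2oo3 with ch0 bypassed:   ", is_single_failure_proof(4, 2, frozenset({"ch0"})))
    print("1oo4 (spurious trips?):   ", is_single_failure_proof(4, 1))
    print("4oo4 (blocked trips?):    ", is_single_failure_proof(4, 4))
    # End-to-end test of one channel: inject a trip on the bypassed channel only.
    injected = {"ch0": True, "ch1": False, "ch2": False, "ch3": False}
    print("injected test signal actuates?", vote(injected, bypassed={"ch0"}))
    print("loss of flow with frozen temperature channels:", loss_of_flow_demo())
```

Running the script shows why the report's choice of two-out-of-four is the interesting one: a one-out-of-four rule is defeated by any single channel stuck high (spurious trip), a four-out-of-four rule by any single channel stuck low (blocked trip), while 2oo4 survives every enumerated single failure both with all channels in service and with one channel bypassed for test. The injected test signal on the bypassed channel never reaches the actuation output, which is what allows sensor-to-actuation testing at power.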

In addition to being single-failure proof, (f) the protection and mitigation systems have other features to enhance their reliability and increase their effectiveness against hazards. For example, two reactor shutdown mechanisms are provided: insertion of control rods and injection of soluble neutron poison. Also, for any given accident, two or more different actuation signals will be generated and sent to the protection and mitigation systems. (For example, a loss-of-flow accident through the reactor will be detected by a high reactor outlet temperature and a high pressure signal.) This type of redundancy provides protection against general classes of common-mode failures, that is, failures in which a single error or problem disables multiple independent safety functions. (Redundancy is discussed further in Chapter 5.)

It is important to note that the requirements of nuclear plant I&C systems, including the protection and mitigation systems, are well within the capabilities of current I&C technology, analog or digital. In terms of response time and accuracy (for example), the nuclear plant I&C requirements are relatively modest.

Safety Systems

The USNRC's safety evaluation of nuclear power plants primarily addresses the protection and mitigation systems. The monitoring and control systems are usually not given credit (see the brief discussion of "credited" above) in the hazard and safety analyses of the plants. However, upsets or failures in the monitoring and control systems are usually considered the initiating events for the protection and mitigation systems, and as a result the USNRC can impose requirements on the monitoring and control systems as well. The monitoring and control systems are also analyzed explicitly in the probabilistic risk assessment (PRA) of each plant to assess how well the plant does in comparison to the USNRC safety goals for nuclear plants. In general, however, the USNRC and the licensing applicant define a set of "safety systems" for each plant, largely comprised of the protection and mitigation systems. It is these safety systems that are subject to the most rigorous licensing and regulatory controls. This is an important distinction because a substantial effort is required to design, qualify, install, test, and maintain these safety systems, and commercial off-the-shelf equipment usually does not meet the requirements. As an indicator, the cost of nuclear plant "safety-grade" systems and equipment can be 10 times that of the equivalent commercial-quality equipment. Although this report covers applications of digital I&C systems in nuclear power plants that include all three types (the plant monitoring systems, the plant control systems, and the plant protection and mitigation systems), insofar as the USNRC, the sponsor of this study, is primarily concerned with the "safety-grade" subset of these systems, this report emphasizes this subset.


Operating Conditions for Instrumentation and Control Systems

Nuclear power plant design includes specific consideration of a variety of plant operating conditions. Steady-state, transient, and accident conditions are covered by the regulatory requirements; these requirements define the conditions and the criteria by which the transients and accidents must be analyzed. These analyses, in turn, specify operational requirements the plant equipment and systems must satisfy. For the I&C systems these specifications include both instrument characteristics (such as input and output range, response time, and accuracy) and the environmental conditions (e.g., temperature, humidity, radiation effects, power supply fluctuations) under which the I&C equipment is required to operate.

Except for the sensors, I&C systems have been specially placed in protected areas so that the environmental conditions they are exposed to are generally rather mild, akin to an "office environment." But the I&C systems must also operate in the plant environment under the conditions that lead to a transient or accident and that develop in the plant as a transient or accident progresses. Because accident conditions typically create a wider and harsher range of operating environments, and because I&C equipment and systems must survive and function in such environments, the equipment and systems must be qualified, usually by test. In general, this harsher operating environment exists only at the sensors and in parts of the signal transmission network; the other components are in relatively well-protected (shielded) rooms and benign environments. Most sensors currently employ analog technology. If digital sensors are used, they will have to be designed and tested to show they can withstand these harsher environments.

During their extensive service history, analog I&C systems have performed their intended monitoring and control functions satisfactorily. Although there have been some design problems, such as inaccurate design specifications and susceptibility to certain environmental conditions, the primary concern with the extended use of analog systems is the effects of aging, e.g., mechanical failures, environmental degradation, and obsolescence. The industrial base has largely moved to digital-based systems, and vendors are gradually discontinuing support and stocking of needed analog spare parts.

Some uses of digital technology in U.S. nuclear power plants go back more than two decades. These early applications were limited but included safety-related applications such as core protection calculators. In the early 1980s the electronics industry began rapidly shifting to microprocessor-based digital technology. Early implementations of this technology in nuclear plants were successful in reducing unintended plant shutdowns (trips) and maintenance burdens. This success spurred increased interest in digital I&C and provided a training ground for gaining proficiency and confidence in using digital equipment. At the same time, a number of vendors of instrumentation and control began to reduce their support of the analog equipment, which in turn gave additional practical impetus to the use of digital systems. The nuclear industry has not been alone. Many other safety-critical industries extensively utilize digital systems. These include aviation and space, chemical, petroleum refining, railway, defense, and medical applications. These industries face safety issues similar to those faced by the nuclear industry.

The reason for the transition to digital I&C systems lies in their important advantages over existing analog systems. Digital electronics are essentially free of the drift that afflicts analog electronics, so they maintain their calibration better. They have improved system performance in terms of accuracy and computational capabilities. They have higher data handling and storage capacities, so operating conditions can be more fully measured and displayed. Properly designed, they can be easier to use and more flexible in application. They are more widely available. Indeed, digital systems have the potential for improved capabilities (e.g., fault tolerance, self-testing, signal validation, process system diagnostics) that could form the basis for entirely new approaches to achieving the required reliability. Because of such potential advantages, and because of the general shift to digital systems and waning vendor support for analog systems, the U.S. nuclear power industry expects substantial replacement of existing, aging analog systems with digital I&C technology. For the same reasons, designs for advanced nuclear power plants rely exclusively on digital I&C systems.

In summary, the experience of other safety-critical industries and the increasing age and obsolescence of the existing analog systems suggest that the increasing use of digital I&C technology is inevitable in nuclear power plants. Digital I&C technology is expected to enhance the safety and performance of nuclear power plants by offering process control improvements, such as reduced instrument

calibration requirements and improved plant condition monitoring displays (see, e.g., Gill et al., 1994).

[Figure 1-1: Illustration of nuclear plant I&C systems. Labels recoverable from the figure: operations, maintenance, and management data processing (technical and business performance; maintenance and outage planning; spare parts inventory); engineering data processing; operator workstation.]

Applications to Nuclear Plants

Figure 1-1 illustrates a modern digital I&C system as applied to a nuclear power plant. Blocks on the left represent the distributed control systems. These are the systems that are used to regulate plant conditions during startup, power operation, and shutdown. They are responsible for maintaining plant systems and components within their operating ranges, and they normally operate in a regulating mode. Note that Figure 1-1 shows redundant data buses in these control systems. These data buses are used to transmit the large amounts of information typically handled in a large generating station. The use of data buses reduces and simplifies plant wiring and consequently reduces the requirement for managing and maintaining wiring configuration. Redundancy and separation (including different routing) provide for increased data bus reliability. In this design, dedicated control modules are associated with the control of individual processes such as feedwater control. Real-time control functions are executed in these dedicated modules.

Blocks on the right of Figure 1-1 represent the independent protection (safety) systems. They are responsible for detecting system failures and isolating or shutting down failed systems to protect the plant investment and the public health. This type of system normally uses multiple channels in a voting scheme to trigger the isolation or shutdown action. A typical voting scheme uses a two-out-of-four logic according to which, if one of the four channels fails, the failed channel may be taken out of service for repair while still leaving the remaining channels to take action using two-out-of-three logic. Thus, the system is single-failure proof. The use of two channels to trigger an action provides protection against unnecessary spurious trips. Figure 1-1 also shows point-to-point data links in the


protection systems, which provide for more deterministic and predictable data communications for the fewer data points that are normally needed and handled in safety systems. Notice also the independent manual inputs bypassing all microprocessor-based signal processing.

Virtually all of the 109 nuclear power plant units in operation today have digital I&C components. Some of these were part of the original design, for example, digital radiation monitoring equipment and diesel generator sequencers. The earliest implementations used solid-state logic operating at higher and relatively stiffer voltage levels than those of today's microprocessor-based designs. Moreover, these earlier systems did not employ the signal concentration of multiplexed microprocessor systems. Modern systems also employ faster clock speeds, larger memories, and expanded word lengths that have allowed new developments in the software area as well. This evolution has led to heightened interest by the USNRC.

More recently, many plants have retrofitted some I&C components and systems with modern digital technology (ACRS, 1993). Although many of these retrofits have been relatively small-scale, one-for-one replacements for such components as recorders, meters, and displays, in recent years some relatively large-scale microprocessor-based system-level retrofits have been made (Palo Verde Nuclear Generating Station, 1993; Prairie Island Nuclear Generating Plant, 1993; Turkey Point Plant, 1990; USNRC, 1993a; USNRC, 1993b). These include:

• reactor protection systems at Northeast Utilities Company's Haddam Neck plant; Tennessee Valley Authority's Sequoyah plant; Commonwealth Edison Company's Zion plant, Unit 2; and Pacific Gas and Electric Company's Diablo Canyon plant
• digital upgrades at Arizona Public Service Company's Palo Verde plant, Units 2 and 3
• load sequencers in the emergency power system at Florida Power and Light Company's Turkey Point plant, Units 3 and 4
• station blackout/electrical safeguards upgrades at Northern States Power Company's Prairie Island plant, Units 1 and 2

‘Applications in Advanced U.S Plants

In the United States, the advanced reactor designs being developed incorporate all-digital systems intended to utilize and exploit the new technology. They also feature enhanced human-machine interfaces such as more versatile displays with integrated process information (ACRS, 1993). These features, along with the other features of advanced plants, are intended to make the advanced plants simpler and safer. Certification of these designs has been sought (under the provisions of 10 CFR Part 52).

LICENSING OF INSTRUMENTATION AND CONTROL SYSTEMS

Design Guidance

Licensing of any systems for use in nuclear power plants is governed by formal documented criteria. These criteria are stated in the General Design Criteria (GDC) (Title 10 CFR Part 50, Appendix A, 1995), which are part of federal law. The GDC are written for I&C systems at a very general level. The GDC were written early in the development of commercial nuclear power, before digital equipment, advanced materials, or modern fire-fighting systems such as Halon were used in nuclear plants. The GDC requirements are nevertheless very important in guiding the design of digital systems in nuclear power plants. Examples of requirements from the GDC of particular interest for this report are contained in an appendix to this report.

In order to make the requirements more specific and useful on a day-to-day basis, the USNRC provides extensive supplemental guidance in a variety of forms (see Table 1-1). For example, numerous regulatory guides have been issued that describe interpretations of the regulations acceptable to the USNRC staff. These "reg guides" are not mandatory, but if they are followed by the licensing applicant they provide a basis upon which the applicant's proposal will be accepted. Other regulatory guidance is provided by endorsement of a wide variety of industry standards and through the promulgation of branch technical positions, which are technical positions issued by various branches (offices) of the USNRC regulatory staff. Much of this guidance is conveniently summarized in the Standard Review Plan (USNRC, 1981). The Standard Review Plan provides detailed guidance to the USNRC reviewers as to what is needed from the licensee to assess the adequacy of a proposed design; it also defines a satisfactory method of complying with the licensing requirements. The guidance provided by the regulatory guides, branch technical positions, and industry standards is still more detailed. A major revision of the Standard Review Plan is currently in progress to adapt it and the associated regulatory guides, branch technical positions, and USNRC endorsements of industry standards to digital I&C systems. Note that most of all these documents have to do with high-level guidance, which is generally accepted and applied. For example, nuclear plants, including the digital I&C systems, are routinely required to undergo extensive hazards analysis as part of the licensing process. The regulators expect, and the industry provides, formal systematic reviews of the hardware and software using formal requirements specifications and independent reviews. It is not at this high level that additional criteria or guidance is needed. The difficulties arise in trying to implement this high-level guidance at the working level and in trying to establish working consensus in particular areas. Consider, for example, common-mode software failure. USNRC regulations require that this problem be addressed, and if a potential common-mode failure concern is detected, then it must be dealt with. The exact methodology by which potential common-mode failures must be dealt with is not straightforward, and there is considerable controversy over what may be appropriate.

Quality Assurance

There are basic requirements for quality assurance. Within the context of these requirements, quality is demonstrated by meeting the Quality Assurance Criteria for nuclear power plants (Title 10 CFR Part 50, Appendix B, 1995) and the related subsidiary industry standards, including those for environmental qualification. These basic requirements are supplemented by more specific regulatory guidance that was originally based on analog equipment but is being revised to specifically address digital equipment in the revision process described above (see Table 1-1).

Modifications and Upgrades

Another important aspect of any system modification and replacement of existing equipment is 10 CFR 50.59 (see Appendix E), which also applies to I&C systems. The point of this regulation is to define the circumstances under which the licensee may, without prior USNRC approval, make changes and conduct experiments and tests that are not specifically provided for in the facility license. Since virtually all U.S. nuclear plants have original analog equipment, 10 CFR 50.59 is of particular interest if a licensee is contemplating a digital modification or upgrade. If the criteria for making changes without prior regulatory approval defined under 10 CFR 50.59 are not satisfied, a formal change to the license is needed under another part of the federal code, 10 CFR 50.90. The process required to formally change the license under 10 CFR 50.90 is more difficult procedurally, is more costly, and requires a longer schedule. Cost and schedule become increasingly important as utility companies face the pressure of increasing economic competition and as proposed investments such as digital upgrades and modifications face stringent economic tests such as rapid return on investment.

The conditions an upgrade or modification must meet to be carried out under 10 CFR 50.59 are, first, that it must satisfy the design and operating conditions formally documented in the technical specifications for the license. Second, the change must not result in an "unreviewed safety question" (USQ). The criteria for determining whether a USQ exists are stated in 10 CFR 50.59(a)(2) (see Appendix E). To avoid a USQ the change must not allow (a) an increased probability of occurrence or consequences of an accident or malfunction of equipment important to safety previously evaluated in the licensing basis (safety analysis report); (b) possible creation of an accident or malfunction of a different type than previously evaluated in the licensing basis; or (c) a reduced margin of safety as defined in the licensing basis for any technical specification.

USNRC regulatory treatment of upgrades or modifications to nuclear power plants under 10 CFR 50.59 is summarized in Appendix C.

CHALLENGES TO THE INTRODUCTION OF DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS

Successful introduction of digital I&C systems into U.S. nuclear power plants faces several challenges. These challenges have several related sources.

Uncertainty Inherent in Introduction of New Technology. There is some uncertainty inherent in the introduction of any new technology. According to Kletz (1993), "all changes and all new technologies introduce hazards as well as benefits." In a safety-critical industry like nuclear power, the users, designers, and regulators must proceed on the basis of choosing and implementing digital modifications so that the current high level of industrial and public safety is at least maintained and preferably increased. The challenge is to take advantage of the performance and safety enhancements potentially available from the use of digital technology without introducing offsetting potential hazards. Further, the design, assessment, and regulatory approach to these new digital systems must also provide some means of assessing the relative gains in safety.

Shift of Existing Technology Base from Analog Experience. Much of the experience with U.S. nuclear plant design and operation has evolved primarily within the context of analog technology, as has the regulatory framework. Hence, in addition to coping with uncertainties arising from digital technology itself, its use may require changes or additions to the underlying technical infrastructure and regulatory framework.

Technical Problems Arising from Some Applications of Digital I&C in Nuclear Power Plants. The introduction into plants of digital systems has not been trouble free. For example, on the basis of recent plant experience with several digital I&C retrofits, the USNRC has identified the following potential problem areas with digital I&C systems:

• common-mode failure in software
• commercial dedication of hardware and software
• possible lack of on-site plant experience with the new technology and systems
• configuration management
• increased complexity leading to possible programming errors and incorrect outputs
• lack of standard software tools
• environmental sensitivity (electromagnetic or radio frequency interference, temperature, power supply)
• effects on plant margin of safety

Similar problems have also occurred in other applications in other industries (Leveson, 1995).

Difficult, Time Consuming, and Customized Licensing Approach. Licensing of digital technology has presented a particular challenge for the USNRC. Because the regulatory approach has evolved with no explicit consideration of digital technology, and because the response time to develop new regulatory bases and documentation is slow compared with the pace of change in I&C systems, the regulatory process has been strained. As a result, the licensing process to date for regulatory review and approval of new digital I&C systems and modifications to existing systems has been difficult, time consuming, and largely customized for each application. Many utilities therefore seek to make changes that can be carried out under 10 CFR 50.59 without prior regulatory approval. (See below for discussion of recent USNRC efforts to improve the digital I&C licensing process.)

Lack of Consensus between the USNRC and the Nuclear Industry on Issues Underlying Evaluation and Adoption of Digital I&C Technology and Means to Obtain Satisfactory Resolution. In order to deal effectively with these challenges, an effective consensus needs to exist. This will allow the benefits of the new technology to be fully exploited while assuring that safety and public confidence are maintained. However, the industry and regulators have limited experience with this somewhat new technology and have had difficulty in reaching such a consensus. It is important to note that the lack of consensus is not an objection to the use of digital systems per se. Rather, much of the controversy revolves around specific issues, e.g., the potential for common-mode failures, and the lack of consensus on these specific issues tends to cloud whether or not the overall advantages of using digital I&C in nuclear power plants outweigh the disadvantages. This is made more difficult by the fact that the U.S. commercial nuclear power industry is heavily regulated. The rules for design and evaluation are subject to legal scrutiny and interpretation, with severe penalties for violations and very real possibilities for litigation. Further, there are large amounts of capital investment at stake. Hence, delays in resolving issues, if translated into delays in allowing a nuclear power plant to operate, can cost up to hundreds of thousands of dollars per day. As a result, the definition of licensing criteria must follow systematic study and evaluation and sound synthesis of differing technical viewpoints. It is a process not to be undertaken lightly.

[Activities of the U.S Nuclear Regulatory ‘Commission

The USNRC has reviewed a number of retrofits of plant I&C systems from analog to digital. It has also begun reviewing designs of advanced plants (USNRC, 1994b). However, the review process for both retrofits and advanced plant designs has been customized for each application. This, in turn, has provoked criticism of the USNRC for failing to adopt generically applicable standards. In an effort intended to address this criticism, the USNRC has under way a process to revise the guidelines governing reviews of I&C systems, with a view to adapting them for digital I&C technology (Wermiel, 1996). The process is due to be completed in 1997. In the interim, the USNRC has provided case-by-case approvals in specific plants, sought suggestions from its advisory committees for taking broad action, held a workshop seeking consensus on a regulatory program, and conducted research linking regulatory decision making to the context of I&C technology. A brief account follows. (A more detailed discussion appears in Appendix C.)

Small digital I&C upgrades have been routinely accepted; large retrofits have also been made, but the review process has been more difficult. These reviews have taken place at a number of nuclear power plants (see, e.g., USNRC, 1993a). Reviews of designs for advanced plants are also in progress. For example, final design approval of the System 80+ advanced plant design has been completed (USNRC, 1994a).

The USNRC and its staff receive advice from a number of advisory committees. The Advisory Committee on Reactor Safeguards (ACRS), established by Congress in 1957, provides advice to the USNRC on safety aspects of current and planned nuclear facilities and on the adequacy of safety standards. It has a subcommittee that examines the use of computers in nuclear power plant operations. The USNRC's Office of Nuclear Regulatory Research conducts a research program to assist the organization's regulatory decision making. This program includes areas of focus relevant to the problem of evaluating and regulating digital I&C technology in nuclear power plants. The Nuclear Safety Research Review Committee (NSRRC) is a 12-member group of experts who advise the USNRC's Office of Nuclear Regulatory Research on the quality and management of its research program.

The ACRS and NSRRC have both expressed concern that the USNRC staff may be lagging behind the nuclear industry, in both the United States and foreign countries, in its understanding of the application of digital I&C systems. These committees have also urged the development of an overarching framework to guide USNRC regulation of new digital I&C technology (see, e.g., ACRS, 1992a, 1993). The ACRS examined digital I&C technology and identified several concerns (ACRS, 1993), including:

+ the lack of a coherent and effective review plan, including acceptance criteria, for digital I&C technology
+ the need for criteria in the areas of software specification, software development, software verification and validation, and the software environment

The NSRRC (1992) has expressed concerns that partially overlap with those of the ACRS, such as:

+ the need to develop criteria for such issues as hardware reliability, software verification and validation, environmental effects (e.g., electromagnetic interference), common-mode failure, configuration management, and systems integration
+ the need for an overarching strategy to guide regulatory development and the certification process for the technology

The USNRC held a workshop on a regulatory program for digital I&C in September 1993 (USNRC, 1993b).

Activities of the Nuclear Power Industry

The nuclear power industry has been actively addressing the introduction of digital I&C technology into nuclear power plants. Under the auspices of the Electric Power Research Institute (EPRI), the industry has developed guidelines for streamlined licensing of digital I&C upgrades (EPRI, 1993). Those guidelines have recently been partly endorsed by the USNRC, subject to specific clarifications (USNRC, 1995). Recent attempts at further clarification suggest that the USNRC staff position continues to evolve (see Chapter 9 of this report). The industry has also prepared a "Utility Requirements Document" for advanced plant designs (EPRI, 1992a, 1992b). Chapter 10 of this document provides guidance for designing the digital I&C systems and associated human-machine interfaces for the next generation of nuclear power plants. The document requires the use of fully integrated digital I&C technology. An extensive USNRC review of this document (USNRC, 1994b) did not resolve basic issues inherent in digital I&C technology implementation. However, the USNRC review did produce a set of agreed-upon high-level criteria for advanced plant designs, as well as defining the process the USNRC would use to complete its review and approval of these designs. The USNRC did accept digital technology for all the I&C systems of the advanced nuclear plants. However, for the advanced plants, the detailed issues that are being addressed in existing plants have yet to be addressed.

Other industry efforts include those of the nuclear steam supply system vendors, each of which has an ongoing program for developing digital I&C systems, both for retrofits and upgrades in existing plants and for future plants.

Developments Overseas

There is worldwide interest in digital I&C technology for nuclear power plants. For example, there is already significant application of digital I&C technology to nuclear power plants in Canada, Japan, and Western Europe (ACRS, 1992b; White, 1994). The Canadians have extensive operating experience with digital systems. Digital systems were first implemented 25 years ago because they were better suited to provide online control of their natural uranium-fueled, heavy water-moderated ("CANDU") plants, specifically to monitor and control the power level and xenon oscillations. The British have adopted digital-based systems throughout their latest plant, Sizewell B, and these have operated without incident during the first six months of plant operation (Nucleonics Week, 1995). The French have proceeded by gradually and systematically expanding the use of digital systems in each subsequent generation of their highly standardized plants. The latest design is completely digital-based and is implemented in the N4 series, the first of which is located at the Chooz-B site (Nucleonics Week, 1995). In Japan, digital systems have been implemented in several existing plants, including Ohi 3, which started commercial operation in 1992. The most recent plant to go into operation in Japan, the ABWR located at the Kashiwazaki site, is a digital-based design.

In addition, the United States, through both the Department of Energy and the USNRC, participates in international collaborative programs such as the Halden Reactor Project of the Organization for Economic Cooperation and Development.

Standards Development

A number of standards, USNRC regulations and regulatory guides (see, for example, USNRC, 1981), and USNRC publications exist to guide licensing of the current analog I&C systems. Since they were developed for analog systems, they can be difficult to apply and interpret for digital I&C systems. Nevertheless, pending the extensive revision of the USNRC's applicable documentation, which is currently under way, these documents have been used for reviewing digital I&C systems.

Standards developed for digital I&C systems in nuclear power plants exist. These include International Electrotechnical Commission (IEC) Standard 880, Software for Computers in the Safety Systems of Nuclear Power Plants (1986), and IEC Standard 987, Programmed Digital Computers Important to Safety for Nuclear Power Plants (1989), and, in the United States, IEEE 7-4.3.2, Application Criteria for Programmable Digital Computer Systems in Nuclear Power Generating Stations (1993), promulgated by the Institute of Electrical and Electronics Engineers. While not yet formally endorsed by the USNRC, this standard has been employed in the safety evaluation of digital I&C retrofits in nuclear power plants.

THIS STUDY

Committee's Task

The National Research Council was asked by the USNRC to conduct a study (including a workshop) on the application of digital I&C technology to commercial nuclear power plant operations. The National Research Council appointed a committee (hereafter "the committee") to carry out the study. In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under steady-state, transient, and accident operating conditions (NRC, 1995). In response to this charge, the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues. The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing procedure and adequacy of the technical infrastructure. The committee recognizes that these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee believes that developing consensus on these key issues will be a major step forward and will accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants. These issues were presented in the Phase 1 report. Both the USNRC (represented by the staff of the Office of Nuclear Regulatory Research and the Office of Nuclear Reactor Regulation) and the Advisory Committee on Reactor Safeguards expressed agreement that these were important issues and that work by the committee in Phase 2 in helping to arrive at a satisfactory resolution of these issues would be very useful.

DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS IN NUCLEAR POWER PLANTS

In Phase 2 of the study, the committee was charged to identify criteria for review and acceptance of digital I&C technology in both retrofitted reactors and new reactors of advanced design; to characterize and evaluate alternative approaches to the certification or licensing of this technology; and, if the scientific basis existed, to recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital I&C technology, including means for identifying and addressing new issues that may result from future development of this technology. In areas where an insufficient scientific basis exists to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information.

In carrying out its Phase 2 charge, the committee limited its work to the eight issues identified in Phase 1. The issues were chosen because they were difficult and controversial. Further, the committee recognized that, by law, the responsibility for setting licensing criteria and guidelines for digital I&C application in nuclear plants rests with the USNRC. Thus, the reader should not form too great an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to assess, test, license, and certify proposed systems or upgrades. Rather, the results of the study are presented not in the form of simple generic criteria statements (at a high level of abstraction) but in the form of conclusions and recommendations related to each issue and primarily addressed to the USNRC for its consideration and use. In the committee's view, there is substantial further work to be accomplished. The committee expects the USNRC and the nuclear industry to extend the work of criteria development beyond where this Phase 2 report leaves it.

To guide further work on the eight key issues studied, the committee's report offers findings and recommendations in four broad categories: (1) current practice (of the USNRC and the U.S. commercial nuclear industry) that is essentially satisfactory or requires some fine tuning, (2) points of weakness in the USNRC's approach, (3) issues that merit further study and research before satisfactory regulatory criteria can be developed, and (4) criteria and guidelines that are unreasonable to expect in the near future.

Conduct of the Study

In conducting its study, the committee reviewed a large number of documents made available by the USNRC and a variety of other sources. The committee also interviewed relevant personnel from the USNRC, from the two advisory committees discussed above (ACRS, NSRRC), from the nuclear industry, and from other industries using digital systems in safety-critical applications. The committee also sought the views of individuals from academia and research organizations. In addition, the committee visited control room simulators, a nuclear plant, and a fossil-fueled power plant with extensive digital I&C systems (see Appendix B). The committee also had frequent and detailed internal discussions, both face-to-face and via paper and electronic communications. The committee also brought to bear a wide range of experience in and knowledge of the field (see Appendix A).

Carrying Out the Charge

The committee took seriously the charge that it identify criteria for review and acceptance of digital I&C technology and that it recommend guidelines for regulation and certification. In carrying out its charge, the committee recognized that:

+ In order to develop useful guidance, only a limited number of issues could be dealt with in the relatively brief duration of the study.
+ General, high-level criteria would not be particularly useful.
+ The final criteria are legally the USNRC's responsibility. Further, since the nuclear power industry is heavily regulated in the public interest, the licensing criteria should be forged in a detailed interaction among the regulators, the industry, and the public.
+ The committee has a wide range of expertise and experience in digital systems and nuclear power plants, but it is not a surrogate for this interaction among the stakeholders. Hence, the committee could serve best by clearly delineating and defining issues and providing guidance for resolving these issues rather than by developing specific licensing criteria.

Accordingly, the committee selected eight issues for study and worked on those issues. These eight issues address the two major intertwined themes associated with the use of digital instrumentation and control in nuclear power plants. These are:

1. Dealing with the specific characteristics of digital I&C technology as applied to nuclear power plants.
2. Dealing with technology that is more advanced than that widely in use in existing nuclear power plants. This technology is advancing rapidly, at a rate and in directions largely uncontrolled by the nuclear industry, but it is at the same time likely to have a significant impact on the operation and regulation of the nuclear industry.

The technical issues of this report are primarily related to digital technology itself (Theme 1), while the strategic issues are primarily related to the process of adopting advanced technology (Theme 2). The committee concentrated on reviewing the current approaches being taken by the nuclear industry and its regulators toward dealing with the selected key issues. The committee also tried to learn from the experience of the international nuclear industry as well as to gather information about how other safety-critical industries and their regulators deal with these issues. Also, through the technical expertise and knowledge of its various members, the committee explored work done by the digital systems community at large, including both research and academic work.

As the committee worked through the issues, it discovered that there is a major impediment to progress: the communication barriers that exist among the key technical communities and individuals involved. The basic reason for the communication difficulty is apparent. Work is simultaneously going on in many areas, each with its own technology, research focus, and agenda. Unfortunately, though many of these areas use common terms, the terms often have different meanings to different groups, resulting in either a lack of communication or very difficult communication. This is particularly troublesome for the nuclear power industry and its regulators, who are not dominant in this technology and must try to synthesize information and experience from a variety of sources and apply it in power plants where safety hazards must be dealt with in a rigorous way under public scrutiny. In Chapter 11 the committee discusses this communication problem in more detail and provides suggestions for a way forward. Making substantial progress in this area should have a multiplicative effect in assisting the resolution of many specific technical and strategic issues.

Overall, while there are important steps that remain to be taken by the USNRC and industry, as addressed in this report, the committee found no insurmountable barriers to the use of digital instrumentation and control technology in nuclear power plants. The committee also believes that a forward-looking regulatory process, with good and continuing regulator and industry communication and interaction, will help. All participants must recognize that crisp, hard-edged criteria are particularly difficult to come by in this rapidly moving area, and that good practices and engineering judgment will continue to be needed and relied upon.

For the six technical issues (systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software), the committee provides specific conclusions and recommendations, which include a number of specific criteria. These are listed in each chapter (see Chapters 3 through 8). But, recognizing the difficulty of defining specific criteria and the need for the nuclear technology stakeholders, particularly the USNRC, to make the final decisions, the committee focused on (a) providing process guidance, both in developing guidelines and in the short-term acceptance of the new technology, (b) identifying promising approaches to developing criteria and suggestions for avoiding dead ends, and (c) mechanisms for improving communication and strengthening the technical infrastructure.

For the two strategic issues (the case-by-case licensing procedure and adequacy of the technical infrastructure), the committee:

+ Emphasizes guidance to implement a generically applicable framework for regulation that follows current USNRC practice and which, in particular, draws a distinction between major and minor safety modifications. The committee also provides guidance for the evaluation and updating of this regulatory framework (see Chapter 9).
+ Identifies the need to upgrade the current USNRC technical infrastructure and suggests specific research activities that will support the needed regulatory program and the USNRC's research needs. The committee also suggests several improvements to the technical infrastructure to improve and maintain in-house capabilities in this rapidly moving, technically challenging area.

The specific recommendations made by the committee thus offer guidance toward implementing and maintaining the currency of a generically applicable framework for regulation that follows current USNRC practice and draws a distinction between major and minor safety modifications. The committee supports this program and makes a number of suggestions for specific research activities that will support improving USNRC capabilities for addressing these issues.

Contents of This Report

This report contains 11 chapters and six short appendices. Chapter 1 (this chapter) briefly discusses the scope, basis, and context for the study. Chapter 1 also discusses the use of digital I&C systems in nuclear plants in some detail so that the reader has the necessary background to follow the more detailed discussions and evaluations in the remainder of the report. Chapter 2 briefly describes how the original issues were derived and places the specific issues in overall context, explaining their interrelationships and the relative priorities assigned to them by the committee. Chapters 3 through 10 discuss each of the individual issues in turn. The issue discussions in these chapters include the committee's conclusions and recommendations regarding each issue. Chapter 11 presents an overview and summary of the committee's findings. Appendices A through F provide useful information too detailed to include in the body of the report.

REFERENCES



2

Key Issues

Digital instrumentation and control systems for nuclear power plants have very similar technological characteristics (the equipment, response time, input and output ranges, and accuracy) to digital instrumentation and control systems for other safety-critical applications such as chemical plants and aircraft. What distinguishes digital I&C (instrumentation and control) applications in nuclear power plants from other digital I&C applications is the need to establish very high levels of reliability under a wide range of conditions. Because of the potentially far greater consequences of an accident in nuclear power plants, the I&C systems must be relied upon to reduce the likelihood of very low probability events. The U.S. Nuclear Regulatory Commission (USNRC) has developed a regulatory process with the goal of achieving these high levels of reliability and thus assuring public safety. This process is subject to public scrutiny.

DEVELOPING THE KEY ISSUES (PHASE 1)

In Phase 1 of the study, the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. In the committee's view, these issues need to be addressed, and a working consensus needs to be established regarding them among designers, operators and managers, and regulators in the nuclear industry. The process the committee followed to identify these issues in Phase 1 is discussed in the Phase 1 report (NRC, 1995) and is only briefly summarized here. In essence, the committee considered the impact of digital I&C systems against a set of standard regulatory approaches to assessing and ensuring safety (defense-in-depth, safety margins, environmental qualification, requisite quality assurance, and similar criteria). From this analysis the committee identified a number of questions, issues, and facets of issues (see Appendix D). After a number of deliberations, the committee winnowed the list down to eight key issues.

The eight issues separate into six technical issues and two strategic issues. The six technical issues are systems aspects of digital I&C technology, software quality assurance, common-mode software failure potential, safety and reliability assessment methods, human factors and human-machine interfaces, and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of the technical infrastructure (i.e., training, staffing, research plan). The committee recognizes that these are not the only issues and topics of concern and debate in this area (see Appendix D). Nevertheless, the committee reaffirms the judgment, initially formed during Phase 1, that developing a consensus on these eight issues will be a major step forward and will accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

At the end of Phase 1, it became clear to the committee that the software-related issues and the regulatory process would be particularly challenging aspects of the study. Accordingly, the committee strengthened its capability by adding to its numbers two experts in these areas (see Appendix A).

ADDRESSING THE KEY ISSUES (PHASE 2)

In Phase 1, the committee largely operated as a single group. In approaching Phase 2, the committee recognized that in-depth study of each issue would be needed to provide a firm foundation for developing specific conclusions and recommendations. The committee accordingly formed a subgroup associated with each area. These subgroups, each led by a member of the committee particularly knowledgeable in that area, were charged with studying the issues in detail, developing topic papers, identifying and reviewing key reference documents, and arranging for presentations by those active in the field to the full committee. However, the committee recognized that several issues had close interrelations, requiring that the committee also work as an integrated body to achieve a balanced perspective and forge committee consensus. Thus, each issue received significant attention from the entire committee.


PRESENTING THE KEY ISSUES

The issues are discussed individually in Chapters 3 through 10 of this report. The committee has maintained the separation between technical issues and strategic issues in the Phase 2 report, even though, as work proceeded in Phase 2, it became increasingly apparent that the technical issues and the strategic issues are highly intertwined. The technical issue discussions (Chapters 3 through 8) generally focus on the technical basis of the issue and on how pertinent technical knowledge (or the lack thereof) affects how the issue is addressed in U.S. nuclear plants, in foreign plants, and in other industries and by their regulators. For each issue the committee reaches conclusions and provides recommendations. Discussion of the two strategic issues (Chapters 9 and 10) focuses on the licensing process and on a key underlying area, the way in which the USNRC has developed and continues to develop its technical infrastructure (staffing, training, research plan) in the digital I&C area. In Phase 1 the committee became convinced that even if the six technical issues were resolved and no controversy or lack of consensus existed, these strategic issues would still need to be carefully considered and addressed. Concern with these two strategic issues reflects the recognition that rapidly moving and evolving technologies present special difficulty for an industry and its regulators when licensing and regulatory processes generally move more slowly than the technology they are intended to regulate.

Because the issues are highly interrelated and relatively general, the committee debated their relative importance and their order of presentation, which warrants the following brief discussion of their arrangement in this report. The committee chose to present the technical issues first to provide a basis and context for the strategic issues presented later. Of all the technical issues, systems aspects of digital I&C technology is presented first (in Chapter 3) because it is a broad issue that encompasses many others. Next (in Chapters 4, 5, and 6) the committee has chosen to present the three issues primarily related to software. Software is a major difference between analog and digital I&C applications, and its use raises some concerns. Software is a foreign artifact and, because of its nature, there is difficulty in showing definitively that it has no critical errors. Software is also more amenable to the addition of features and enhancements (so-called "creeping complexity") not needed for its basic function, whereby the system becomes more difficult to understand. As the most general of the three software issues, software quality assurance is discussed first (Chapter 4). The issue of software common-mode failures is discussed next (Chapter 5). Common-mode failure in software is closely related to software quality assurance but warrants discussion as a separate topic because of its significance to safety-critical digital applications, with their emphasis on defense-in-depth, redundancy, and diversity: identical copies of one program share the same latent defects, so redundant channels running that program can fail together. The final issue discussed in the primarily software-related group is safety and reliability assessment methods (Chapter 6).

The committee then turns to the issue of human factors and the human-machine interface (Chapter 7), an issue important in both analog and digital systems. Digital I&C technology has the potential to greatly improve the human factors and human-machine interfaces, so that the combination of the human operator and the computer could provide greatly improved process control and enhanced safety. There are, however, unique design challenges that digital technology presents.

The last technical issue discussed is dedication and use of commercial off-the-shelf (COTS) digital I&C systems and equipment in nuclear power plants (Chapter 8). This topic is important because much of the existing I&C equipment in nuclear power plants is becoming obsolete and vendor support is waning. The nuclear plant market is relatively small, and COTS offers a potentially cost-effective way to address this problem. Other industries have reached the same conclusion and are reportedly finding some success (Leva, 1996). This is a relatively new area for nuclear plants, particularly in safety system applications, but there is considerable industry and regulatory involvement.

Finally, the committee turns to the two strategic issues, case-by-case licensing and adequacy of the technical infrastructure (discussed in Chapters 9 and 10). Both the Advisory Committee on Reactor Safeguards and the Nuclear Safety Research Review Committee share the committee's view that successful resolution of these issues is a necessary prerequisite to successfully applying digital I&C systems to nuclear power plants.
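The discussion of common-mode software failure above contrasts redundancy with diversity. The following Python example, added here and not part of the report, makes that contrast concrete: three identical channels that share one latent scaling defect agree on the wrong answer, so a two-out-of-three vote ratifies the missed trip, while a second train built from a diverse implementation restores protection. The trip setpoint, both channel implementations, the 16-bit wrap defect, and the sample pressures are all assumptions constructed for the illustration, not taken from any plant or vendor design.

```python
"""Illustration of why channel redundancy alone does not defend against a
common-mode software defect, and why a diverse train does.  Added example;
all values and implementations are constructed for illustration."""
from __future__ import annotations

from typing import Callable

SETPOINT_PSI = 2400.0  # hypothetical reactor-trip setpoint on primary pressure


def channel_a(pressure_psi: float) -> bool:
    """Hypothetical implementation A: converts pressure to a raw count at
    0.1 psi per count and compares counts.  It carries a constructed latent
    defect: the count is silently truncated to 16 bits, so any pressure at or
    above 6553.6 psi wraps to a small count and the trip demand is lost."""
    count = int(round(pressure_psi * 10)) & 0xFFFF  # defect: silent 16-bit wrap
    return count > int(SETPOINT_PSI * 10)


def channel_b(pressure_psi: float) -> bool:
    """Hypothetical diverse implementation B: compares in engineering units,
    so it shares neither A's scaling logic nor A's defect."""
    return pressure_psi > SETPOINT_PSI


Channel = Callable[[float], bool]


def vote_2oo3(votes: list[bool]) -> bool:
    """Two-out-of-three majority voting, as used within one protection train."""
    if len(votes) != 3:
        raise ValueError("2oo3 voter needs exactly three channel votes")
    return sum(votes) >= 2


def train_trip(channels: list[Channel], pressure_psi: float,
               stuck: dict[int, bool] | None = None) -> bool:
    """Evaluate one three-channel train.  `stuck` forces individual channel
    outputs, modelling independent hardware faults (a channel stuck low/high)."""
    stuck = stuck or {}
    votes = [stuck.get(i, ch(pressure_psi)) for i, ch in enumerate(channels)]
    return vote_2oo3(votes)


# Three identical copies of A: redundancy without diversity.
IDENTICAL_TRAIN: list[Channel] = [channel_a, channel_a, channel_a]
# A second train built from the diverse implementation.
DIVERSE_TRAIN: list[Channel] = [channel_b, channel_b, channel_b]


def plant_trip(pressure_psi: float, stuck_a: dict[int, bool] | None = None,
               stuck_b: dict[int, bool] | None = None) -> bool:
    """Defense-in-depth arrangement: one-out-of-two between two trains that
    each vote 2oo3 internally.  Either train can trip the plant."""
    return (train_trip(IDENTICAL_TRAIN, pressure_psi, stuck_a)
            or train_trip(DIVERSE_TRAIN, pressure_psi, stuck_b))


def should_trip(pressure_psi: float) -> bool:
    """Ground truth against which channel behaviour is judged."""
    return pressure_psi > SETPOINT_PSI


def missed_trips(trip_fn: Callable[[float], bool], pressures: list[float]) -> list[float]:
    """Pressures at which a trip is required but `trip_fn` fails to demand one."""
    return [p for p in pressures if should_trip(p) and not trip_fn(p)]


if __name__ == "__main__":
    # Constructed sample pressures: normal, above setpoint, and the band in
    # which implementation A's wrap defect is exposed.
    sample = [2000.0, 2450.0, 3000.0, 6600.0, 7000.0]
    # Independent hardware fault: one channel stuck low is outvoted by the
    # other two, so redundancy does its job.
    print("identical train, channel 0 stuck low at 2450 psi:",
          train_trip(IDENTICAL_TRAIN, 2450.0, {0: False}))
    # Common-mode software defect: all three identical channels agree on the
    # wrong answer, and the 2oo3 vote ratifies it.
    print("identical train misses:",
          missed_trips(lambda p: train_trip(IDENTICAL_TRAIN, p), sample))
    # The diverse second train restores the trip.
    print("diverse two-train plant misses:", missed_trips(plant_trip, sample))
```

The point of the stuck-channel case is that 2oo3 voting is an answer to independent hardware faults, which is what it was designed for in analog systems; it says nothing about a defect every copy of the software shares. Only the second, diversely implemented train removes the missed trips, and it does so by not sharing A's logic, not by adding more copies of it.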

REFERENCES
