APPENDIX C
U.S. Nuclear Regulatory Commission Licensing of Digital Instrumentation and Control Technology

In the regulation of digital instrumentation and control (I&C) technology, the U.S. Nuclear Regulatory Commission (USNRC) has considered both retrofits to existing, operating plants and implementation of digital I&C technology in new plants of advanced design.

OPERATING PLANTS

The USNRC has approved a number of retrofits of digital I&C systems in existing nuclear power plants. These retrofits have ranged from small-scale replacements of individual components to full reactor protection system upgrades.

The first replacement of a full reactor protection system was at Connecticut Yankee's Haddam Neck station in 1991. The Haddam Neck upgrade was followed by retrofits at the Sequoyah, Zion, Diablo Canyon, and D.C. Cook nuclear power plants.

In its safety evaluations of these upgrades, the USNRC concluded that the application of programmable digital devices in redundant nuclear safety systems introduces the possibility of common-mode software failure: because redundant channels typically run identical software, a single software defect can cause every channel to fail at the same time and in the same way, which could jeopardize the redundancy and independence features of the plant protection system (as discussed in General Design Criterion 22, Regulatory Guide 1.75, and IEEE-STD-279).

The concern about common-mode software failure led the USNRC to conclude that all future digital upgrades would involve an "unreviewed safety question" (USQ) as defined by 10 CFR 50.59. A determination that an upgrade involves a USQ mandates a formal plant license amendment under 10 CFR 50.90. These license amendments typically entail a prolonged, customized review process and public hearings for each upgrade. The additional time and expense inherent in the customized review process has created substantial disincentives for utilities to pursue digital I&C upgrades.

To make its position clear to all licensees, the USNRC distributed a draft generic letter outlining why such upgrades presented a USQ and thus could not proceed without prior approval. However, the nuclear industry does not consider most digital I&C upgrades to involve a USQ. In an attempt to resolve the disagreement, the nuclear industry developed guidelines (EPRI, 1993) in coordination with the USNRC staff. While the USNRC has endorsed these industry guidelines, it has offered clarifications that appear to leave the situation unresolved (USNRC, 1995).

NEW PLANTS

The USNRC is reviewing a number of advanced nuclear power plant designs. These designs include the General Electric (GE) Advanced Boiling Water Reactor (General Electric, 1994), the GE Simplified Boiling Water Reactor, the Westinghouse AP600, and the Asea Brown Boveri (ABB) Combustion Engineering System 80+ (Combustion Engineering, 1993). The I&C systems in these advanced plant designs are all-digital systems designed to take full advantage of the new technology.

The light-water reactor designs follow the guidelines of the nuclear industry's Advanced Light Water Reactor Utility Requirements Document (EPRI, 1992). The USNRC has evaluated these guidelines (USNRC, 1994) but did not fully resolve many of the issues involved in the application of digital I&C technology.

The USNRC has issued a final design approval on two advanced plant designs (Combustion Engineering, 1993; General Electric, 1994) under a new regulatory review process. Certification of these two plant designs is proceeding. In advanced plants, the USNRC design review covers only the design process, since the actual plant hardware (and, in the case of digital I&C systems, the software) is not yet available for review. Therefore, the USNRC may have continuing difficulty in the final certification of advanced designs unless the issues surrounding certification of digital I&C technology are resolved.



STANDARDS DEVELOPMENT

The USNRC has worked with the nuclear industry and professional societies in continuing to develop standards for digital I&C applications in nuclear power plants. Several USNRC guidelines are in place (USNRC, 1981, 1991), and other standards and guides have been developed (such as ANSI/IEEE-ANS 7.4.3.2, ANSI/IEEE-Std-1012-1986, ASME NQA 2A-1990, and Regulatory Guide 1.152). The USNRC has continued to develop additional guidance such as draft "Branch Technical Positions" and other documents (see, e.g., USNRC, 1994, 1995; Wermiel, 1995). In addition, the USNRC has conducted a series of meetings with its advisory groups (see, e.g., ACRS, 1992a, 1992b; NSRRC, 1992), solicited research papers (see, e.g., NRC, 1988), and organized workshops (USNRC, 1993a). The USNRC's Office of Nuclear Regulatory Research also supports research in several areas relevant to the present problem of evaluating and regulating digital I&C technology. However, these efforts have not yet provided the necessary answers.

RECENT DEVELOPMENTS

Recent USNRC positions (Mauck, 1995) indicate the USNRC's willingness to clarify its requirements and define acceptable standards. The USNRC will still require demonstration of defense-in-depth as described in NUREG-0493, but it will also tolerate disablement of a safety function by a common-mode failure if a diverse set of equipment not subject to the same failure can perform the same safety function. Moreover, in demonstrating such diversity, the USNRC will allow credit for digital- or analog-based nonsafety systems and for operator actions. In recent licensing positions (USNRC, 1993b), the USNRC further indicated its acceptance of adequate software reliability based on prior audits of a supplier's verification and validation program.

Still, in spite of substantial effort by the USNRC and the industry, a sufficiently definitive set of generic guidelines does not exist, and the docketed case-by-case method of prior approval remains necessary. For this reason, the USNRC's efforts are continuing (Wermiel, 1995), and the USNRC, in cooperation with the Advisory Committee on Reactor Safeguards, is responsible for the study being performed under the auspices of the National Research Council (ACRS, 1994).

REFERENCES

ACRS (Advisory Committee on Reactor Safeguards to the U.S. Nuclear Regulatory Commission). 1992a. Digital Instrumentation and Control System Reliability. Letter to I. Selin, Chairman, USNRC, September 16, 1992.

ACRS. 1992b. Minutes of ACRS Subcommittee Meeting on Computers in Nuclear Power Plant Operations: Special International Meeting, September 22, 1992.

ACRS. 1994. Proposed National Academy of Sciences/National Research Council Study and Workshop on Digital Instrumentation and Control Systems. Letter to I. Selin, Chairman, USNRC, July 14, 1994.

Combustion Engineering. 1993. The Certified Design Material (ITAAC) for the System 80+ Standard Plant from ABB Combustion Engineering, Inc., Section 2.5, Instrumentation and Control. Windsor, Conn.: Combustion Engineering.

EPRI (Electric Power Research Institute). 1992. Advanced Light Water Reactor Utility Requirements Document. EPRI NP-6780-L, Vol. 2 (ALWR Evolutionary Plant) and Vol. 3 (ALWR Passive Plant), Ch. 10: Man-Machine Interface Systems. Palo Alto, Calif.: EPRI.

EPRI. 1993. Guideline on Licensing Digital Upgrades. EPRI TR-102348. Palo Alto, Calif.: EPRI.

General Electric. 1994. Advanced Boiling Water Reactor Final Safety Evaluation Review. Ch. 18: Human Factors Engineering. San Jose, Calif.: General Electric.

Mauck, J. 1995. Regulating Digital Upgrades. Presentation to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., January 31.

NRC (National Research Council). 1988. Human Factors Research and Nuclear Safety. Committee on Human Factors, National Research Council. Washington, D.C.: National Academy Press.

NSRRC (Nuclear Safety Research Review Committee). 1992. Summary of April 29, 1992, Meeting. Letter to E. Beckjord, USNRC, dated November 16, 1992.

USNRC (U.S. Nuclear Regulatory Commission). 1981. USNRC Standard Review Plan (SRP), NUREG-0800, Section 7.1, Instrumentation and Controls. Other sections applicable to instrumentation and control technology include: 3.10, Seismic and Dynamic Qualification of Mechanical and Electrical Equipment; 3.11, Environmental Qualification of Mechanical and Electrical Equipment; 4.4, Thermal and Hydraulic Design; 7.2, Reactor Trip System; 7.3, Engineered Safety Features Systems; 7.4, Safe Shutdown Systems; 7.5, Information Systems Important to Safety; 7.6, Interlock Systems Important to Safety; 7.7, Control Systems; 8.1, Electric Power; 8.2, Offsite Power System; 8.3.1, A-C Power Systems (Onsite); 8.3.2, D-C Power Systems (Onsite); 15.0, Review of Anticipated Operational Occurrences and Postulated Accidents; 15.1.5, Steam System Piping Failures Inside and Outside of Containment. Washington, D.C.: USNRC.

USNRC. 1991. Digital Computer Systems for Advanced Light Water Reactors. USNRC SECY-91-292. Washington, D.C.: USNRC.

USNRC. 1993a. Proceedings of the Digital Systems Reliability and Nuclear Safety Workshop, September 13-14, 1993, Rockville, Md. NUREG/CP-0136, NIST SP 500-216. Washington, D.C.: U.S. Government Printing Office.

USNRC. 1993b. Safety Evaluation Report by the Office of Nuclear Reactor Regulation Related to Amendment No. 84 to Facility Operating License No. DPR-80 and Amendment No. 83 to Facility Operating License No. DPR-82: Eagle 21 Reactor Protection System Modification with Bypass Manifold Elimination: Diablo Canyon Power Plant. Docket Nos. 50-275 and 50-323, October 7, 1993. Washington, D.C.: USNRC.

USNRC. 1994. NRC Review of Electric Power Research Institute Advanced Light Water Reactor Utility Requirements Document. NUREG-1242, Vol. 3, Parts 1-2. Washington, D.C.: USNRC.

USNRC. 1995. Use of NUMARC/EPRI Report TR-102348, Guideline on Licensing Digital Upgrades, in Determining the Acceptability of Performing Analog-to-Digital Replacements Under 10 CFR 50.59. NRC Generic Letter 95-02. Washington, D.C.: USNRC.

Wermiel, J. 1995. Update of Instrumentation and Control Systems Section of the Standard Review Plan, NUREG-0800. Presentation to the Advisory Committee on Reactor Safeguards to the U.S. Nuclear Regulatory Commission, Rockville, Md., April 7.