1 Introduction

NUCLEAR POWER PLANT INSTRUMENTATION AND CONTROL SYSTEMS

Role of Instrumentation and Control in Nuclear Power Plants

Nuclear power plants rely on instrumentation and control (I&C) systems for monitoring, control, and protection. The grouping of I&C systems according to these three types of functions (monitoring, control, and protection) is discussed in some detail below. There is, however, another division of I&C systems into two categories called within the nuclear industry "nonsafety" and "safety." The nonsafety systems are used by the operators to monitor and control the normal operation of the plant, including startup and shutdown, and to mitigate and prevent plant operational transients. These nonsafety systems are backed up by a set of independent (noninteracting), redundant safety systems that are designed to take automatic action to prevent and mitigate accident conditions if the operators and the nonsafety systems fail to maintain the plant within normal operating conditions. Thus to some extent (but not entirely) nonsafety systems coincide with monitoring and control systems, and safety systems with protection systems. This is discussed further below.

The two categories of systems, safety and nonsafety, are thought of as being consistent with and part of the defense-in-depth approach to safety.[1] The distinction between them is important since essentially only the safety systems are "credited" (i.e., relied upon by the utility and the U.S. Nuclear Regulatory Commission [USNRC] as a basis for making judgments about safety) in the formal safety analyses of the plant. The safety systems are thus of particular concern in the USNRC's licensing procedures, whereas very few of the nonsafety systems fall under the same rigorous regulatory control. Before proceeding to further discussion of safety systems, however, it is in order to describe the three types of I&C systems in nuclear power plants.

[1] Defense-in-depth is the conservative design approach that uses multiple, layered systems to provide alternate means of accomplishing different functions related to common goals. This approach provides added protection against natural phenomena and plant operational transients.

Types of Instrumentation and Control Systems

In a nuclear power plant, the I&C systems—irrespective of whether they are analog or digital technology—are generally grouped into three types: plant monitoring and display systems, plant control systems, and plant protection and mitigation systems.

Plant Monitoring and Display Systems

Plant monitoring and display systems monitor plant variables and provide data to other I&C systems and to the plant operators for use in controlling the operation of the plant. Typical examples include systems that monitor and display the status of the fire protection system, fluid temperatures, and pressures. These systems also normally provide visual and audible alarms at various control stations, particularly the main control room, that notify operators of trends or particular values requiring action by the operator to avert an actual problem or emergency. Usually there are formal procedures the operators follow when such an alarm or notification occurs, with the alarm setpoint and required response time coordinated to give the operator adequate time to take action. Typically, the response times are on the order of tens of minutes; if inadequate time exists, an automated response is provided.

Plant Control Systems

Plant control systems are used to control all the normal operations of the plant. They are used in startup, power operations, shutdowns, and plant upsets. Regarded by plant owners as the primary controls for their expensive and complex plants, they are fully engineered, they are robust, and they usually have considerable redundancy (see below) to prevent single failures or anticipated events from escalating into plant shutdowns, trips, or accidents endangering plant equipment, personnel, and the public. Typical examples include feedwater and steam control systems, turbine generator controls, and the myriad of systems used to control the many circuit breakers, pumps, and valves throughout the plant.

Plant Protection and Mitigation Systems

Plant protection and mitigation systems are an additional, separate layer of systems that monitor the plant variables. If they detect that the above-described plant monitoring and control systems have not kept the plant within a predefined set of conditions, they take action automatically to rapidly shut down the plant ("trip" and "scram" are terms that accurately convey the nature of the response) and start any other needed systems to mitigate the detected problem and place the plant in a safe state. These protection and mitigation systems have a number of important characteristics:

(a) They are physically separate systems that generally do not share hardware and software with the plant operating and control systems. (Some limited amounts of equipment such as sensors may be shared provided the equipment meets safety quality requirements.) This extends to and includes needed auxiliary systems such as heating, ventilation, and air conditioning; electrical or hydraulic power supplies; and cooling water systems.

(b) They are environmentally qualified for the harshest anticipated operating/accident conditions, including highly unusual events such as large earthquakes and tornadoes.

(c) When called upon to act, they go to completion of their intended function.

(d) The protection and mitigation systems do not control or modulate the operation of the systems they act upon. They shut down the reactor, trip the turbine generator, start needed cooling water systems, and go to preset operating conditions that are safe for the plant to maintain for extended periods.
(e) In addition, they are designed to be single-failure proof. That is, no single failure at the component or system level (including a failure internal to the protection and mitigation systems in addition to the initiating event or failure and any direct consequence) and no single operator error can prevent them from successfully operating. As a result, they use redundancy. That is, there are typically multiple, separate, parallel sets of equipment and systems to carry out the same function. In the I&C systems in particular, this redundancy is usually provided by having four parallel channels that actuate the systems if needed. The four parallel channels are fed to a logic system that requires any two valid signals to cause actuation. This logic assures that no single failure will prevent or cause the drastic actions taken by these systems. It also allows complete (sensor-to-actuator) testing of one channel at a time while the plant is at power without causing or inhibiting the protection and mitigation function.

(f) In addition to being single-failure proof, the protection and mitigation systems have other features to enhance their reliability and increase their effectiveness against hazards. For example, two reactor shutdown mechanisms are provided—insertion of control rods and injection of a soluble neutron poison. Also, for any given accident, two or more different initiation signals will be generated and sent to the protection and mitigation system. (For example, a loss-of-flow accident through the reactor will be detected by a high reactor outlet temperature and a high pressure signal.) This type of redundancy provides protection against general classes of common-mode failures—failures in which a single error or problem disables multiple, independent safety functions. (Redundancy is discussed further in Chapter 5.)
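The two-out-of-four coincidence logic and the single-failure argument described above (and taken up again in the discussion of Figure 1-1) can be checked exhaustively. The following Python model is an added illustration, not code from the report or any vendor's protection system; the channel states, function names and the treatment of a bypassed channel as simply dropping out of the vote are my own assumptions that follow the report's description. It also goes one step beyond the text by showing what happens to the single-failure properties when two channels are bypassed at once.

```python
"""Two-out-of-four coincidence voting for a protection channel set.

Added illustration, not code from the report. It models the scheme the text
describes: four parallel channels feed a logic that actuates when any two
valid channels demand a trip; with one channel bypassed for test or repair,
the remaining three are voted two-out-of-three. Names and states are
assumptions made for this example.
"""
from itertools import product

# Per-channel states (constructed for this example).
TRIP = "trip"          # channel demands actuation
NO_TRIP = "no_trip"    # channel sees normal conditions
BYPASS = "bypass"      # channel removed from the vote for test or repair


def vote(channels, required=2):
    """Return True when at least `required` non-bypassed channels demand a trip.

    Bypassed channels drop out of the count, so 2-out-of-4 becomes 2-out-of-3
    with one channel bypassed. The threshold of two is fixed; that is what
    keeps a single spurious channel from causing an unnecessary trip.
    """
    valid = [c for c in channels if c != BYPASS]
    if len(valid) < required:
        raise ValueError("too many channels bypassed for a valid vote")
    return sum(1 for c in valid if c == TRIP) >= required


def with_failure(channels, index, stuck_state):
    """Copy of `channels` with channel `index` failed and stuck in `stuck_state`."""
    failed = list(channels)
    failed[index] = stuck_state
    return failed


def single_failure_proof(n_channels=4, bypassed=(), required=2):
    """Exhaustively check the two single-failure properties the report states.

    no_spurious_trip: with the plant normal, no single channel stuck at TRIP
                      causes an actuation.
    no_missed_trip:   with a real demand present, no single channel stuck at
                      NO_TRIP prevents the actuation.
    `bypassed` lists channel indices currently removed for test or repair.
    """
    normal = [BYPASS if i in bypassed else NO_TRIP for i in range(n_channels)]
    demand = [BYPASS if i in bypassed else TRIP for i in range(n_channels)]
    active = [i for i in range(n_channels) if i not in bypassed]
    return {
        "no_spurious_trip": all(
            not vote(with_failure(normal, i, TRIP), required) for i in active),
        "no_missed_trip": all(
            vote(with_failure(demand, i, NO_TRIP), required) for i in active),
    }


def truth_table(n_channels=4, required=2):
    """Map every combination of healthy channel states to the vote outcome."""
    return {states: vote(states, required)
            for states in product((NO_TRIP, TRIP), repeat=n_channels)}


if __name__ == "__main__":
    print("2oo4, all channels in service:", single_failure_proof())
    print("2oo3, channel 0 bypassed for test:", single_failure_proof(bypassed=(0,)))
    print("two channels bypassed at once:", single_failure_proof(bypassed=(0, 1)))
    print("actuating combinations out of 16:", sum(truth_table().values()))
```

With one channel bypassed both properties still hold, which is why a channel can be tested sensor-to-actuator at power; with two bypassed the remaining pair can no longer tolerate a channel stuck untripped, so a real demand could be missed.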
It is important to note that the requirements of nuclear plant I&C systems, including the protection and mitigation systems, are well within the capabilities of current I&C technology—analog or digital. In terms of response time and accuracy (for example), the nuclear plant I&C requirements are relatively modest.

Safety Systems

The USNRC's safety evaluation of nuclear power plants primarily addresses the protection and mitigation systems. The monitoring and control systems are usually not given credit (see brief discussion of "credit" above) in the hazard and safety analyses of the plants. However, upsets or failures in the monitoring and control systems are usually considered the initiating events for the protection and mitigation systems and, as a result, the USNRC can impose requirements on the monitoring and control systems as well. The monitoring and control systems are also analyzed explicitly in the probabilistic risk assessment (PRA) of each plant to assess how well the plant does in comparison to the USNRC safety goals for nuclear plants. In general, however, the USNRC and the licensing applicant define a set of "safety systems" for each plant, largely comprised of the protection and mitigation systems; it is these safety systems that are subject to the most rigorous licensing and regulatory controls. This is an important distinction because a substantial effort is required to design, qualify, install, test, and maintain these safety systems, and commercial off-the-shelf equipment usually does not meet the requirements. As an indicator, costs of nuclear plant "safety-grade" systems and equipment can be 10 times that of the equivalent commercial quality equipment.
Although this report covers applications of digital I&C systems in nuclear power plants that include all three types—the plant monitoring systems, the plant control systems, and the plant protection and mitigation systems—insofar as the USNRC, the sponsor of this study, is primarily concerned with the "safety-grade" subset of these systems, this report emphasizes this subset.
Operating Conditions for Instrumentation and Control Systems

Nuclear power plant design includes specific consideration of a variety of plant operating conditions. Steady-state, transient, and accident conditions are covered by the regulatory requirements; these requirements also control how and by what criteria the transients and accidents must be analyzed. These analyses, in turn, specify operational requirements the plant equipment and systems must satisfy. For the I&C systems, these specifications include both instrument characteristics (such as input and output range, response time, and accuracy) and the environmental conditions (e.g., temperature, humidity, radiation effects, power supply fluctuations) under which the I&C equipment is required to operate. Except for the sensors, I&C systems have been specially placed in protected areas so that the environmental conditions they are exposed to are generally rather mild, akin to an "office environment." But the I&C systems must also function in the environment and under the conditions that lead to a transient or accident condition and that develop in the plant as a transient or accident progresses. Because accident conditions typically create a wider and harsher range of operating environments, and because I&C equipment and systems must survive and function in such environments, the equipment and systems must be qualified, usually by test. In general, this harsher operating environment exists only at the sensors and in most of the signal transmission network; the other components are in relatively well-protected (shielded) rooms and benign environments. Most sensors currently employ analog technology. If digital sensors are used, they will have to be designed and tested to show they can withstand these harsher environments.
TRANSITION FROM ANALOG TO DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS

Background

During their extensive service history, analog I&C systems have performed their intended monitoring and control functions satisfactorily. Although there have been some design problems, such as inaccurate design specifications and susceptibility to certain environmental conditions, the primary concern with the extended use of analog systems is the effects of aging, e.g., mechanical failures, environmental degradation, and obsolescence. The industrial base has largely moved to digital-based systems and vendors are gradually discontinuing support and stocking of needed analog spare parts.

Some uses of digital technology in U.S. nuclear power plants go back more than two decades. These early applications were limited but included safety-related applications such as core protection calculators. In the early 1980s, the electronics industry began rapidly shifting to microprocessor-based digital technology. Early implementations of this technology in nuclear plants were successful in reducing unintended plant shutdowns ("trips") and maintenance burdens. This success fueled increased interest in digital applications and provided a training ground for enhancing proficiency and confidence in using digital equipment. At the same time, a number of vendors of instrumentation and control began to reduce their support of the analog equipment, which in turn gave additional practical impetus to the use of digital systems.

The nuclear industry has not been alone. Many other safety-critical industries extensively utilize digital systems. These include aviation and space, chemical-petroleum processing, railroads, defense, and medical applications. These industries face safety issues similar to those faced by the nuclear industry.

The reason for the transition to digital I&C systems[2] lies in their important advantages over existing analog systems. Digital electronics are essentially free of the drift that afflicts analog electronics, so they maintain their calibration better.[3] They have improved system performance in terms of accuracy and computational capabilities. They have higher data handling and storage capacities, so operating conditions can be more fully measured and displayed. Properly designed, they can be easier to use and more flexible in application. They are more widely available. Indeed, digital systems have the potential for improved capabilities (e.g., fault tolerance, self-testing, signal validation, process system diagnostics) that could form the basis for entirely new approaches to achieve the required reliabilities.

Because of such potential advantages, and because of the general shift to digital systems and waning vendor support for analog systems, the U.S. nuclear power industry expects substantial replacement of existing, aging analog systems with digital I&C technology. For the same reasons, designs for new, advanced nuclear power plants rely exclusively on digital I&C systems.

In summary, the experience of other safety-critical industries and the increasing age and obsolescence of the existing analog systems suggest that the increasing use of digital I&C technology is inevitable in nuclear power plants. Digital I&C technology is expected to enhance the safety and performance of nuclear power plants by offering process control improvements, such as reduced instrument calibration requirements and improved plant condition monitoring displays (see, e.g., Gill et al., 1994).

[2] The committee intentionally avoided partitioning digital systems between hardware and software; rather the committee believes that digital systems are better treated in an integrated manner. Nevertheless, some of the specific topics addressed in the report merited discussion as "hardware" or "software" items.

[3] The reader should note, however, that since most sensors will remain analog-based, drift will not be eliminated, though it will likely be improved, especially if the digital I&C component contains software specifically designed to offset expected sensor drift.

Applications to Nuclear Plants

FIGURE 1-1 Illustration of nuclear plant I&C systems.

Figure 1-1 illustrates a modern digital I&C system applied to a nuclear power plant. Blocks on the left represent the distributed control systems. These are the systems that are used to regulate plant conditions during startup, power operation, and shutdown. They are responsible for maintaining plant systems and components within their operating ranges, and they normally operate in a regulating mode. Notice that Figure 1-1 shows redundant data buses in these control systems. These data buses are used to transport the large amounts of information typically handled in a large generating station. The use of data buses reduces and simplifies plant wiring and consequently reduces the requirements for managing and maintaining wiring configuration. Redundancy and separation (including different routing) provide for increased data bus reliability. In this manner, reliable communications can be provided for the large numbers of information data points. Notice also, however, the lower level blocks on the left of Figure 1-1 dedicated to the control of individual systems (such as feedwater control). Real-time control functions are executed in these dedicated modules.

Blocks on the right of Figure 1-1 represent the independent protection (safety) systems. They are responsible for detecting system failures and isolating or shutting down failed systems to protect the plant investment and the public health. This type of system normally uses multiple channels in a voting scheme to trigger the isolation or shutdown action. A typical voting scheme uses a two-out-of-four logic according to which, if one of the four channels fails, the failed channel may be taken out of service for repairs, while still leaving the remaining channels to take action using two-out-of-three logic.
Thus, the system is single-failure proof. The use of two channels to trigger an action provides protection against unnecessary spurious trips. Figure 1-1 also shows point-to-point data links in the protection systems, which provide for more deterministic and predictable data communications for the fewer data points that are normally needed and handled in safety systems. Notice also the independent manual trips bypassing all microprocessor-based systems.

Virtually all of the 109 nuclear power plant units in operation today have digital I&C components. Some of these were part of the original design, for example, digital radiation monitoring equipment and diesel generator sequencers. The earliest implementations used solid-state logic operating at higher and relatively stiffer voltage levels than those of today's microprocessor-based designs. Moreover, these earlier systems did not employ the signal concentrations of multiplexed microprocessor-based systems. Modern systems also employ faster clock speeds, larger memories, and expanded word lengths that have allowed new developments in the software area as well. This in turn has led to heightened interest by the USNRC. More recently, many plants have retrofitted some I&C components and systems with modern digital technology (ACRS, 1993b). Although many of these retrofits have been relatively small-scale, one-for-one replacements for such components as recorders, meters, and displays, in recent years some relatively large-scale, microprocessor-based, system-level retrofits have been made (Palo Verde Nuclear Generating Station, 1993; Prairie Island Nuclear Generating Plant, 1993; Turkey Point Plant, 1990; USNRC, 1992; USNRC, 1993b).
These include:

- reactor protection systems at Northeast Utilities Company's Haddam Neck plant; Tennessee Valley Authority's Sequoyah plant; Commonwealth Edison Company's Zion plant, Unit 2; and Pacific Gas and Electric Company's Diablo Canyon plant
- anticipated transients without scram systems at Arizona Public Service Company's Palo Verde plant, Units 1, 2, and 3
- load sequencers in the emergency power system at Florida Power and Light Company's Turkey Point plant, Units 3 and 4
- station blackout/electrical safeguards upgrades at Northern States Power Company's Prairie Island plant, Units 1 and 2

Applications in Advanced U.S. Plants

In the United States, the advanced reactor designs being developed incorporate all-digital systems intended to utilize and exploit the new technology. They also feature enhanced human-machine interfaces such as more versatile displays with integrated process information (ACRS, 1991). These features, along with the other features of advanced plants, are intended to make the advanced plants simpler and safer. Certification of these designs has been sought (under the provisions of 10 CFR 50.52).

LICENSING OF INSTRUMENTATION AND CONTROL SYSTEMS

Design Guidance

Licensing of any systems for use in a nuclear power plant is governed by formal, documented criteria. These criteria are stated in the General Design Criteria (GDC) (Title 10 CFR Part 50, Appendix A, 1995), which are part of federal law. The GDC are written for I&C systems at a very general level. The GDC were written early in the development of commercial nuclear power, before digital equipment, advanced materials, or modern fire-fighting systems such as halon were used in nuclear plants. The GDC requirements are nevertheless very important in guiding the design of digital systems in nuclear power plants. Examples of requirements from the GDC of particular interest for this report are contained in Appendix E.
In order to make the requirements more specific and useful on a day-to-day basis, the USNRC provides extensive supplemental guidance in a variety of forms (see Table 1-1). For example, numerous regulatory guides have been issued that describe interpretations of the regulations acceptable to the USNRC staff. These "reg guides" are not mandatory, but if they are followed by the licensing applicant they provide a basis upon which the applicant's proposal will be accepted. Other regulatory guidance is provided by endorsement of a wide variety of industry standards and through the promulgation of branch technical positions, which are technical positions adopted by various branches (offices) of the USNRC regulatory staff. Much of this guidance is conveniently summarized in the Standard Review Plan (USNRC, 1981). The Standard Review Plan provides detailed guidance to the USNRC reviewers as to what is needed from the licensee to assess the adequacy of a proposed design; it also defines a satisfactory method of complying with the licensing requirements. (The guidance provided by the regulatory guides, branch technical positions, and industry standards is still more detailed.) A major revision of the Standard Review Plan is currently in progress to fully adapt it and the associated regulatory guides, branch technical positions, and USNRC endorsements of industry standards to digital I&C systems.

TABLE 1-1 USNRC Design and Quality Assurance Guidance

Criteria and supplemental guidance:

Design guidance
  Generic design criteria (GDC)
  Supplemental guidance (summarized in the Standard Review Plan)
    Regulatory guides
    Branch technical positions
    Generic letters
    Industry standards

Quality assurance
  Generic criteria (10 CFR 50, Appendix B)
  Supplemental guidance
    Industry standards
    Other guidance

Note that as a result of all these documents there is a lot of existing high-level guidance which is generally accepted and applied. For example, nuclear plants, including the digital I&C systems, are routinely required to undergo extensive hazards analyses as part of the licensing process. The regulators expect, and the industry provides, formal systematic reviews of the hardware and software using formal requirement specifications and independent reviews. It is not at this high level that additional criteria or guidance are needed. The difficulty arises in trying to implement this high-level guidance at the working level and trying to establish a working consensus in particular areas. Consider, for example, common-mode software failure. USNRC regulators require that this problem be addressed, and if a potential common-mode failure concern is detected then it must be dealt with. The exact methodology by which potential common-mode failures must be dealt with is not straightforward, and there is considerable controversy over what may be appropriate.

Quality Assurance

There are basic requirements for quality assurance. Within the context of these requirements, quality is demonstrated by meeting the Quality Assurance Criteria for nuclear power plants (Title 10 CFR Part 50, Appendix B, 1995) and the related, subsidiary industrial standards, including those on environmental qualifications. These basic requirements are supplemented by more specific regulatory guidance that was originally based on analog equipment but is being revised to specifically address digital equipment in the revision process described above (see Table 1-1).
Modifications and Upgrades

Another important aspect of any system modifications and replacement of existing equipment is 10 CFR 50.59 (see Appendix E), which also applies to I&C systems. The purpose of this regulation is to define the circumstances under which the licensees may, without prior USNRC approval, make changes and conduct experiments and tests that are not specifically provided for in their facility licenses. Since virtually all U.S. nuclear plants have original analog equipment, 10 CFR 50.59 is of particular interest if a licensee is contemplating a digital modification or upgrade. If the criteria for making a change without prior regulatory approval defined under 10 CFR 50.59 are not satisfied, a formal change to the license is needed under another part of the federal code, 10 CFR 50.90. The process required to formally change the license under 10 CFR 50.90 is more difficult procedurally, is more costly, and requires a longer schedule. Cost and schedule become increasingly important as utility companies feel the pressure of increasing economic competition and as proposed investments such as digital upgrades and modifications face stringent economic tests, such as rapid returns on investment.

The conditions an upgrade or modification must meet to be carried out under 10 CFR 50.59 are, first, that it must adhere to the design and operating conditions formally documented in the technical specifications for the license. Second, the change must not result in an "unreviewed safety question" (USQ). The criteria for determining whether or not a USQ exists are stated in 10 CFR 50.59(a)(2) (see Appendix E).
To avoid a USQ, the change must not allow (a) an increased probability of occurrence or consequences of an accident or malfunction of equipment important to safety as previously evaluated in the licensing basis (safety analysis report); (b) possible creation of an accident or malfunction of a different type than previously evaluated in the licensing basis; or (c) a reduced margin of safety as defined in the licensing basis for any technical specification.

USNRC regulatory treatment of upgrades or modifications to nuclear power plants may be summarized as follows:

- If there is a change in technical specifications, the licensee must seek prior USNRC approval via 10 CFR 50.90.
- If the licensee's analysis shows the presence of a USQ per 10 CFR 50.59(a)(2), the licensee must seek prior USNRC approval via 10 CFR 50.90.
- If there is no change in technical specifications and no USQ is uncovered, the licensee can make the change or upgrade without prior USNRC approval via 10 CFR 50.59.

There has been continuing discussion and controversy as to exactly how to interpret 10 CFR 50.59 when applied to digital modifications; this is discussed further in this report (see Chapter 9). Nevertheless, many digital retrofits have been made without the creation of a USQ as defined in 10 CFR 50.59 (see Appendix C).

CHALLENGES TO THE INTRODUCTION OF DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS

Successful introduction of digital I&C systems into U.S. nuclear power plants faces several challenges. These challenges have several related sources:

Uncertainty Inherent in Introduction of New Technology. There is some uncertainty inherent in the introduction of any new technology. According to Kletz (1995), "all changes and all new technologies introduce hazards as well as benefits." In a safety-critical industry like nuclear power, the users, designers, and regulators must proceed on the basis of choosing and implementing digital modifications so that the current high level of industrial and public safety is at least maintained and preferably increased. The challenge is to take advantage of the performance and safety enhancements potentially available from the use of digital technology without introducing offsetting potential hazards. Further, the design, assessment, and regulatory approach of these new digital systems must also provide some means of assessing the resultant margins of safety.

Shift of Existing Technology Base from Analog Experience. Much of the experience with U.S. nuclear plant design and operation has evolved primarily within the context of analog technology, as has the regulatory framework. Hence, in addition to coping with uncertainties arising from digital technology itself, its use may require changes or additions to the underlying technical infrastructure and regulatory framework.

Technical Problems Identified from Some Applications of Digital I&C in Nuclear Power Plants. The introduction and use of digital systems have not been trouble free. For example, on the basis of recent plant experience with several digital I&C retrofits, the USNRC has identified the following potential problem areas with digital I&C systems (Mauck, 1995):

- common-mode failure in software
- commercial dedication of hardware and software
- possible lack of on-site plant experience with the new technology and systems
- configuration management
- increased complexity leading to possible programming errors and incorrect outputs
- reliability of standard software tools
- environmental sensitivity:[4] electromagnetic or radiofrequency interference, temperature, power quality, grounding, smoke
- effects on plant margin of safety

Similar problems have also occurred in other applications and other industries (Kletz, 1995).

Difficult, Time-Consuming, and Customized Licensing Approach. Licensing of digital technology has presented a particular challenge for the USNRC.
Because the regulatory approach has evolved with limited explicit consideration of digital technology, and because the response time to develop new regulatory bases and documentation is long, the pace of change in I&C systems has strained the regulatory process. As a result, the licensing process to date for regulatory review and approval of new digital I&C systems and modifications to existing systems has been difficult, time-consuming, and largely customized for each application.[5] Many utilities are reluctant to seek a change that could not be carried out under 10 CFR 50.59, that is, without prior regulatory approval. (See below for discussion on recent USNRC activities in the digital I&C licensing process.)

Lack of Consensus (between the USNRC and the Regulated Industry) on Issues Underlying Evaluation and Adoption of Digital I&C Technology and Means to Obtain a Satisfactory Resolution. In order to deal effectively with these challenges, an effective consensus needs to exist. This will allow the benefits of the new technology to be fully exploited while assuring that safety and public confidence are maintained. However, the industry and regulators have less experience with this somewhat unfamiliar technology and have had difficulty in reaching an effective consensus. It is important to note that the lack of consensus is not about the use of digital systems per se. Rather, much of the controversy revolves around specific issues, e.g., the potential for common-mode failures, and the lack of consensus on these specific issues tends to cloud whether or not the overall advantages of using digital I&C in nuclear power plants outweigh the disadvantages. This is made more difficult by the fact that the U.S. commercial nuclear power industry is heavily regulated. The rules for design and evaluation are subject to legal scrutiny and interpretation with severe penalties for violations and very real possibilities for litigation.
Further, there are large amounts of capital investment at stake. Hence, delays in resolving issues, if translated into delays in allowing a nuclear power plant to operate, can cost up to hundreds of thousands of dollars per day. As a result, the definition of licensing criteria must follow systematic study and evaluation and sound synthesis of differing technical viewpoints. It is a process not to be undertaken lightly.

[4] Whether the new digital equipment is in fact more sensitive to environmental challenges than existing analog equipment is controversial.

[5] The actual incremental cost and time required for a digital system upgrade is difficult to define and not well agreed upon. Some utilities have told the committee that they budget six months to a year and, for a major modification, incremental costs of a half-million to several million dollars for the regulatory review process. USNRC staff members have told the committee that they take exception to these values and that they expect much shorter times for future reviews.

RESPONSE OF THE U.S. NUCLEAR REGULATORY COMMISSION AND NUCLEAR INDUSTRY TO THE CHALLENGES

Activities of the U.S. Nuclear Regulatory Commission

The USNRC has reviewed a number of retrofits of plant I&C systems from analog to digital. It has also begun reviewing designs of advanced plants (USNRC, 1991). However, the review process for both retrofits and advanced plant designs has been customized for each application. This, in turn, has provoked criticism of the USNRC for failing to adopt generically applicable standards. In an effort intended to address this criticism, the USNRC has a process under way to systematically review its internal directives and guidelines governing reviews of I&C systems with a view to adapting them for digital I&C technology (Wermiel, 1995). This process is due to be completed in 1997. In the interim, the USNRC has provided case-by-case approvals in specific plants, sought suggestions by its advisory committees for taking broad action, held a workshop seeking consensus on a regulatory program, and conducted research linking regulatory decision making to the context of I&C technology. A brief account follows. (A more detailed discussion appears in Appendix C.)

Small digital I&C upgrades have been routinely accepted; large retrofits have also been made but the review process has been more difficult. These reviews have led to approvals at a number of nuclear power plants (see, e.g., USNRC, 1993b). Reviews of designs for advanced plants are also in progress. For example, a final design approval of the System 80+ advanced plant design has been completed (USNRC, 1994a).

The USNRC and its staff receive advice from a number of advisory committees. The Advisory Committee on Reactor Safeguards (ACRS), established by Congress in 1957, provides advice to the USNRC on safety aspects of current and planned nuclear facilities and the adequacy of safety standards. It has a subcommittee that examines the use of computers in nuclear power plant operations. The USNRC's Office of Nuclear Regulatory Research conducts a research program to support the organization's regulatory decision making. This program includes areas of focus relevant to the problem of evaluating and regulating digital I&C technology in nuclear power plants. The Nuclear Safety Research Review Committee (NSRRC) is a 12-member group of experts who advise the USNRC's Office of Nuclear Regulatory Research on the quality and management of its research program.
The ACRS and NSRRC have both expressed concern that the USNRC staff may be lagging behind the nuclear industry, in both the United States and foreign countries, in their understanding of the application of digital I&C systems. These committees have also urged the development of an overarching framework to guide USNRC regulation of new digital I&C technology (see, e.g., ACRS, 1992a, 1993a). The ACRS examined digital I&C technology and identified several concerns (ACRS, 1994), including:

- the lack of a coherent and effective review plan, including acceptance criteria, for digital I&C technology
- the need to address software specification development, software verification and validation [6], environmental effects on hardware, diversity as protection against common-mode failure [7], and prediction of I&C reliability

The NSRRC (1992) has expressed concerns that partially overlap with those of the ACRS, such as:

- the need to develop criteria for such issues as hardware reliability, software verification and validation, environmental effects (e.g., electromagnetic interference), common-mode failure, configuration management [8], and systems integration
- the need for an overarching strategy to guide regulatory developments and the certification process for the new technology
- the rapid pace of technological changes that affect I&C systems, including developments in the areas of artificial intelligence, expert systems, neural networks, fuzzy logic, genetic algorithms, and chaos theory

To address technical concerns, and in hopes of developing a wide consensus across the USNRC and the nuclear industry for a regulatory program, the USNRC held a workshop on digital systems reliability and nuclear safety, cosponsored by the National Institute of Standards and Technology, in September 1993 (USNRC, 1993a).

[6] The verification and validation process ensures the adequacy of software requirements and specifications, the adequacy of the software development process, and the compliance of the resultant software with the original specifications.

[7] Common-mode failure is the failure of multiple components in the same way. Common-mode failures arise when the assumption of independence of the failures of the components is violated. Common-mode failures are a concern when the failures occur concurrently or at least sequentially in a time frame before the minimum number of channels is recovered.

[8] As defined in ANSI/IEEE Standard 610.12–1990, configuration management is a discipline applying technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a configuration item, control changes to those characteristics, record and report change processing and implementation status, and verify compliance with specified requirements.

Activities of the Nuclear Power Industry

The nuclear power industry has been actively addressing the introduction of digital I&C technology into nuclear power plants. Under the auspices of the Electric Power Research Institute (EPRI), the industry has developed guidelines for streamlined licensing of digital I&C upgrades (EPRI, 1993). These guidelines have recently been partially endorsed by the USNRC, subject to specific clarifications (USNRC, 1995). Recent attempts at further clarifications suggest that the USNRC staff position continues to evolve (see Chapter 9 of this report).

The industry has also prepared a "Utility Requirements Document" for advanced plant designs (EPRI, 1992a, 1992b). Chapter 10 of this document provides guidance for designing the digital I&C systems and associated human-machine interfaces for the next generation of nuclear power plants. The document requires the use of fully integrated digital I&C technology. An extensive USNRC review of this document (USNRC, 1994b) did not resolve basic issues inherent in digital I&C technology implementation. However, the USNRC review did produce a set of agreed-upon high-level criteria for advanced plant designs, as well as defining the process the USNRC would use to complete their review and approval of these designs. The USNRC did accept digital technology for all the I&C systems of the advanced nuclear plants. However, for the advanced plants, the detailed issues that are being addressed in existing plants have yet to be addressed.

Other industry efforts include those of the nuclear steam supply system vendors, each of which has an ongoing program for developing digital I&C systems, both for retrofits and upgrades in existing plants and for future plants.

Developments Overseas

There is worldwide interest in digital I&C technology for nuclear power plants. For example, there is already significant application of digital I&C technology to nuclear power plants in Canada, Japan, and Western Europe (ACRS, 1992b; White, 1994). The Canadians have extensive operating experience with digital systems. Digital systems were first implemented 25 years ago because they were better suited to provide on-line control of their natural uranium-fueled, heavy water-moderated ("CANDU") plants, specifically, to monitor and control the power level and xenon oscillations. The British have adopted digital-based systems throughout their latest plant, Sizewell-B, and they have operated without incident during the first six months of plant operation (Nucleonics Week, 1995). The French have proceeded by gradually and systematically expanding the use of digital systems in each subsequent generation of their highly standardized plants. The latest design is completely digital-based and is implemented in the N4 series, the first of which is located at the Chooz-B site (Nucleonics Week, 1995).
In Japan, digital systems have been implemented in several existing plants, including Ohi 3, which started commercial operation in 1992. The most recent plant to go into operation in Japan, the ABWR located at the Kashiwazaki site, is a digital-based design. In addition, the United States, through both the Department of Energy and the USNRC, participates in international collaborative programs such as the Halden Reactor Project of the Organization for Economic Cooperation and Development.

Standards Development

A number of standards, USNRC regulations and regulatory guidelines (see, for example, USNRC, 1981), and USNRC publications exist to guide licensing of the current analog I&C systems. Since they were developed for analog systems, they can be difficult to apply and interpret for digital I&C systems. Nevertheless, pending the extensive revision of the USNRC's applicable documentation, which is currently under way, these documents have been used for reviewing digital I&C systems.

Standards developed for digital I&C systems in nuclear power plants exist. These include International Electrotechnical Commission (IEC) Standard 880, Software for Computers in the Safety Systems of Nuclear Power Plants (1986); and IEC Standard 987, Programmed Digital Computers Important to Safety for Nuclear Power Plants. A U.S. standard also exists, IEEE 7-4.3.2, Application Criteria for Programmable Digital Computer Systems in Nuclear Power Generating Stations (1993), promulgated by the Institute of Electrical and Electronics Engineers. While not yet formally endorsed by the USNRC, this standard has been employed in the safety evaluation of digital I&C retrofits in nuclear power plants.

THIS STUDY

Committee's Task

The National Research Council was asked by the USNRC to conduct a study (including a workshop) on application of digital I&C technology to commercial nuclear power plant operations.
The National Research Council appointed a committee (hereafter the committee) to carry out the study in two phases. In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under steady-state, transient, and accident operating conditions (NRC, 1995). In response to this charge the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues. The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing procedure and adequacy of the technical infrastructure. The committee recognizes these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee believes that developing consensus on these key issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants. These issues were presented in the Phase 1 report. Both the USNRC (represented by the staff of the Office of Nuclear Regulatory Research and the Office of Nuclear Reactor Regulation) and the Advisory Committee on Reactor Safeguards expressed agreement that these were important issues and that work by the committee in Phase 2 in helping arrive at a satisfactory resolution of these issues would be very useful.

In Phase 2 of the study, the committee was charged to identify criteria for review and acceptance of digital I&C technology in both retrofitted reactors and new reactors of advanced design; characterize and evaluate alternative approaches to the certification or licensing of this technology; and, if sufficient scientific basis existed, recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital I&C technology, including means for identifying and addressing new issues that may result from future development of this technology. In areas where insufficient scientific basis exists to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information.

In carrying out its Phase 2 charge, the committee limited its work to those issues identified in Phase 1. The issues were chosen because they were difficult and controversial. Further, the committee recognized that by law, the responsibility for setting licensing criteria and guidelines for digital I&C applications in nuclear plants rests with the USNRC. Thus, the reader should not form too literal an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to assess, test, license, and/or certify proposed systems or upgrades. Rather, the results of the study are presented not in the form of simple generic criteria statements (i.e., at a high level of elaboration) but in the form of conclusions and recommendations related to each issue and primarily addressed to the USNRC for their consideration and use. In the committee's view, there is substantial further work to be accomplished. The committee expects the USNRC and the nuclear industry to extend the work of criteria development beyond where this Phase 2 report leaves it.
To guide further work on the eight key issues studied, the committee's report offers findings and recommendations in four broad categories: (a) current practice (of the USNRC and the U.S. commercial nuclear industry) that is essentially satisfactory or requires some fine tuning, (b) points of weakness in the USNRC's approach, (c) issues that merit further inquiry and research before satisfactory regulatory criteria can be developed, and (d) criteria and guidelines that are unreasonable to expect in the near future.

Conduct of the Study

In conducting its study, the committee reviewed a large number of documents made available by the USNRC and a variety of other sources. The committee also interviewed selected personnel from the USNRC, from the two advisory committees discussed above (ACRS, NSRRC), from the nuclear industry, and from other industries using digital systems in safety-critical applications. The committee also sought the view of individuals from academia and research organizations. In addition, the committee visited control room simulators, a nuclear plant, and a fossil-fueled power plant with extensive digital I&C systems (see Appendix B). The committee also had frequent and detailed internal discussions, both face-to-face and via paper and electronic communications. The committee also brought to bear a wide range of experience in and knowledge of the field (see Appendix A).

Carrying Out the Charge

The committee took seriously the charge that it identify criteria for review and acceptance of digital I&C technology and that it recommend guidelines for regulation and certification. In carrying out its charge, the committee recognized that:

- In order to develop useful guidance, only a limited number of issues could be dealt with in the relatively brief duration of the study.
- General, high level criteria would not be particularly useful.
- The final criteria are legally the USNRC's responsibility.
Further, since the nuclear power industry is heavily regulated in the public interest, the licensing criteria should be forged in a detailed interaction among the regulators, the industry, and the public. The committee has a wide range of expertise and experience in digital systems and nuclear power plants but it is not a surrogate for this interaction among the stakeholders. Hence, the committee could serve by clearly delineating and defining issues and providing guidance for resolving these issues rather than developing specific licensing criteria.

Accordingly, the committee selected eight issues for study and worked on those issues. These eight issues address the two major intertwined themes associated with the use of digital instrumentation and control in nuclear power plants. These are:

1. Dealing with the specific characteristics of digital I&C technology as applied to nuclear power plants.
2. Dealing with a technology that is more advanced than the one widely in use in existing nuclear power plants. This technology is rapidly advancing at a rate and in directions largely uncontrolled by the nuclear industry but at the same time likely to have a significant impact on the operation and regulation of the nuclear industry.

The technical issues of this report are primarily related to digital technology itself (Theme 1) while the strategic issues are primarily related to the process of adopting advanced technology (Theme 2).

The committee concentrated on reviewing the current approaches being taken by the nuclear industry and its regulators toward dealing with the selected key issues. The committee also tried to learn from the experience of the international nuclear industry as well as gather and evaluate information about how other safety-critical industries and their regulators dealt with these issues. Also, through the technical expertise and knowledge of its various members, the committee explored work done by the digital systems community at large, including both research activities and academic work.

As the committee worked through the issues it discovered there is a major impediment to progress. This is the communication barriers that exist among the key technical communities and individuals involved. The basic reason for the communication difficulty is apparent. Work is simultaneously going on in many areas, each with its own technology, research focus, and agenda. Unfortunately, although many of these areas use common terms, these terms often have different meanings to different groups, resulting in either a lack of communication or very difficult communication. This is particularly troublesome for the nuclear power industry and its regulators, who are not dominant in this technology and must try to synthesize information and experience from a variety of sources and apply it in power plants where safety hazards must be dealt with in a rigorous way, under public scrutiny. In Chapter 11 the committee discusses this communication problem in more detail and provides suggestions for a way forward. Making substantial progress in this area should have a multiplicative effect as it eases the resolution of many specific technical and strategic issues.

Overall, while there are important steps that remain to be taken by the USNRC and industry as addressed in this report, the committee found no insurmountable barriers to the use of digital instrumentation and control technology in nuclear power plants. The committee also believes that a forward-looking regulatory process with good and continuing regulator and industry communication and interaction will help.
All participants must recognize that crisp, hard-edged criteria are particularly difficult to come by in this rapidly moving area and good practices and engineering judgment will continue to be needed and relied upon.

For the key technical issues (systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software) the committee provides specific recommendations and conclusions which include a number of specific criteria. These are listed in each chapter (see Chapters 3 through 8). But recognizing the difficulty of defining specific criteria, and the need for the nuclear technology stakeholders, particularly the USNRC, to make the final decisions, the committee focused on (a) providing process guidance both in developing guidelines and in the short-term acceptance of the new technology; (b) identifying promising approaches to developing criteria and suggestions for avoiding dead-ends; and (c) mechanics for improving communication and strengthening technical infrastructure.

For the key strategic issues (the case-by-case licensing procedure and adequacy of the technical infrastructure) the committee:

- Emphasizes guidance to implement a generically applicable framework for regulation that follows current USNRC practice and which in particular draws a distinction between major and minor safety modifications. The committee also provides guidance for the evaluation and updating of this regulatory framework (see Chapter 9).
- Identifies a need to upgrade the current USNRC technical infrastructure and suggests specific research activities that will support the needed regulatory program and USNRC's research needs.
The committee also suggests several improvements to the technical infrastructure to improve and maintain technical capabilities in this rapidly moving, technically challenging area. The specific recommendations made by the committee thus offer guidance toward implementing and maintaining the currency of a generically applicable framework for regulation that follows current USNRC practice and draws a distinction between major and minor safety modifications. The committee suggests specific research activities that will support this program and makes a number of suggestions for improving USNRC capabilities for addressing these issues.

Contents of This Report

This report contains 11 chapters and six short appendices. Chapter 1 (this chapter) briefly discusses the scope, basis, and context for the study. Chapter 1 also discusses use of digital I&C systems in nuclear plants in some detail so the reader has the necessary background to follow the more detailed discussions and evaluations in the remainder of the report. Chapter 2 briefly describes how the original issues were derived and places the specific issues in overall context, explaining their interrelationships and the relative priorities assigned to them by the committee. Chapters 3 through 10 discuss each of the individual issues in turn. The detailed discussions in these chapters include the committee's conclusions and recommendations regarding each issue. Chapter 11 presents an overview and summary of the committee's findings. Appendices A through F provide useful information too detailed to include in the body of the text.

REFERENCES

ACRS (Advisory Committee on Reactor Safeguards to the U.S. Nuclear Regulatory Commission). 1991. Minutes of ACRS Subcommittee Meeting on Computers in Nuclear Power Plant Operations, February 6, 1991. Washington, D.C.

ACRS. 1992a. Digital Instrumentation and Control System Reliability. Letter to I. Selin, Chairman, USNRC, September 16, 1992. Washington, D.C.

ACRS. 1992b. Minutes of ACRS Subcommittee Meeting on Computers in Nuclear Power Plant Operations: Special International Meeting, September 22, 1992. Washington, D.C.

ACRS. 1993a. Computers in Nuclear Power Plant Operations. Letter to I. Selin, Chairman, USNRC, March 18, 1993. Washington, D.C.

ACRS. 1993b. Minutes of ACRS Subcommittee Meeting on Computers in Nuclear Power Plant Operations: Quantitative Software Assessment and Analog-to-Digital Industry Experience, February 9, 1993. Washington, D.C.

ACRS. 1994. Proposed National Academy of Sciences/National Research Council Study and Workshop on Digital Instrumentation and Control Systems. Letter to I. Selin, Chairman, USNRC, July 14, 1994. Washington, D.C.

EPRI (Electric Power Research Institute). 1992a. Advanced Light Water Reactor Utility Requirements Document. EPRI NP-6780-L. Palo Alto, Calif.: EPRI.

EPRI. 1992b. Advanced Light Water Reactor Utility Requirements Document. EPRI NP-6780-L, Vol. 2 (ALWR Evolutionary Plant) and Vol. 3 (ALWR Passive Plant), Ch. 10: Man-Machine Interface Systems. Palo Alto, Calif.: EPRI.

EPRI. 1993. Guideline on Licensing Digital Upgrades. EPRI TR-102348. Palo Alto, Calif.: EPRI.

Gill, W., D. Harmon, T. Rozek, and S. Wilkosz. 1994. Nuplex 80+ Advanced Control Complex: Enhanced Safety Through Digital Instrumentation and Control. 9th Annual Korean Atomic Industrial Forum and Korean Nuclear Society (KAIF/KNS) Conference, April 6–8, 1994.

Kletz, T. 1995. Computer Control and Human Error. Houston: Gulf Publishing.

Mauck, J. 1995. Regulating Digital Upgrades. Presentation to the Committee on Applications of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., January 31.

NRC (National Research Council). 1995. Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues, Phase 1. Board on Energy and Environmental Systems, National Research Council. Washington, D.C.: National Academy Press.

NSRRC (Nuclear Safety Research Review Committee to the U.S. Nuclear Regulatory Commission). 1992. Summary of April 29, 1992, Meeting. Letter to E. Beckjord, USNRC, November 16, 1992. Washington, D.C.

Nucleonics Week. 1995. Outlook in I&C: Special Report to the Readers of Nucleonics Week, Inside the N.R.C. and Nuclear Fuel. September and October.

Palo Verde Nuclear Generating Station. 1993. NRC Inspection Report 50-528, 50-259, and 50-530/93-07 Related to Amendment to Operating Licenses No. NPF-41, NPF-51, and NPF-74, Implementation Inspection for Anticipated Transients Without Scram (ATWS) Systems: Palo Verde Nuclear Generating Station Units 1, 2, and 3. Dockets Nos. 50-528, 50-529, and 50-530, April 9, 1993. Washington, D.C.

Prairie Island Nuclear Generating Plant. 1993. Supplemental Safety Evaluation by the Office of Nuclear Reactor Regulation: Revision 1 of Design Report for Station Blackout/Electrical Safeguards Upgrade Project, Amendment to Facility Operating License No. DPR-42 and DPR-60: Prairie Island Nuclear Generating Plant, Units 1 and 2. Dockets Nos. 50-282 and 50-306, January 4, 1993. Washington, D.C.

Title 10 CFR (Code of Federal Regulations) Part 50, Appendix A. 1995. General Design Criteria for Nuclear Power Plants.

Title 10 CFR Part 50, Appendix B. 1995. Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

Turkey Point Plant. 1990. Safety Evaluation Report by the Office of Nuclear Reactor Regulation of the Load Sequencers in the Enhanced Power System at Turkey Point Plant, Units 3 and 4, Amendment to Operating Licenses DPR-31 and DRP-41, Dockets Nos. 50-250 and 50-251, November 5, 1990. Washington, D.C.

USNRC (U.S. Nuclear Regulatory Commission). 1981. USNRC Standard Review Plan (SRP), NUREG-0800, section 7.1, Instrumentation and Controls. Other sections applicable to instrumentation and control technology include: 3.10, Seismic and Dynamic Qualification of Mechanical and Electrical Equipment; 3.11, Environmental Qualification of Mechanical and Electrical Equipment; 4.4, Thermal and Hydraulic Design; 7.2, Reactor Trip System; 7.3, Engineered Safety Features Systems; 7.4, Safe Shutdown Systems; 7.5, Information Systems Important to Safety; 7.6, Interlock Systems Important to Safety; 7.7, Control Systems; 8.1, Electric Power; 8.2, Offsite Power System; 8.3.1, A-C Power Systems (Onsite); 8.3.2, D-C Power Systems (Onsite); 15.0, Review of Anticipated Operational Occurrences and Postulated Accidents; 15.1.5, Steam System Piping Failures Inside and Outside of Containment. Washington, D.C.: USNRC.

USNRC. 1991. Digital Computer Systems for Advanced Light Water Reactors. USNRC SECY-91-292. Washington, D.C.: USNRC.

USNRC. 1992. Safety Evaluation Report Related to Amendment No. 127 to Facility Operating License No. DRP-48: Zion Nuclear Power Station, Unit 2. Docket No. 50-304, June 9, 1992. Washington, D.C.: USNRC.

USNRC. 1993a. Proceedings of the Digital Systems Reliability and Nuclear Safety Workshop, U.S. Nuclear Regulatory Commission, September 13–14, 1993, Gaithersburg, Md. NUREG/CP-0136. Washington, D.C.: U.S. Government Printing Office.

USNRC. 1993b. Safety Evaluation Report by the Office of Nuclear Reactor Regulation Related to Amendment No. 84 to Facility Operating License No. DPR-80 and Amendment No. 83 to Facility Operating License No. DPR-82: Eagle 21 Reactor Protection System Modification with Bypass Manifold Elimination: Diablo Canyon Power Plant. Dockets Nos. 50-275 and 50-323, October 7, 1993. Washington, D.C.: USNRC.

USNRC. 1994a. Final Safety Evaluation Report: Related to the Certification of the System 80+ Design. NUREG-1462, Vols. 1–2. Washington, D.C.: USNRC.

USNRC. 1994b. NRC Review of Electric Power Research Institute Advanced Light Water Reactor Utility Requirements Document. NUREG-1242, Vol. 3, Parts 1–2. Washington, D.C.: USNRC.

USNRC. 1995. Use of NUMARC/EPRI Report TR-102348, "Guideline on Licensing Digital Upgrades," in Determining the Acceptability of Performing Analog-to-Digital Replacements Under 10 CFR 50.59. NRC Generic Letter 95-02. Washington, D.C.: USNRC.

Wermiel, J. 1995. Update of Instrumentation and Control Systems Section of the Standard Review Plan, NUREG-0800. Presentation to the Advisory Committee on Reactor Safeguards to the U.S. Nuclear Regulatory Commission, Rockville, Md., April 7.

White, J. 1994. Comparative Assessments of Nuclear Instrumentation and Controls in the United States, Canada, Japan, Western Europe, and the Former Soviet Union. JTEC/WTEC Annual Report and Program Summary 1993/94. Baltimore, Md.: World Technology Evaluation Center, Loyola College.