Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues (1997)

Chapter: Current Analog Instrumentation and Control Systems

Suggested Citation: "Current Analog Instrumentation and Control Systems." National Research Council. 1997. Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues. Washington, DC: The National Academies Press. doi: 10.17226/5432.

prevent single failures or anticipated events from escalating into plant shutdowns, trips, or accidents endangering plant equipment, personnel, and the public. Typical examples include feedwater and steam control systems, turbine generator controls, and the myriad of systems used to control the many circuit breakers, pumps, and valves throughout the plant.

Plant Protection and Mitigation Systems

Plant protection and mitigation systems are an additional, separate layer of systems that monitor the plant variables. If they detect that the above-described plant monitoring and control systems have not kept the plant within a predefined set of conditions, they take action automatically to shut down the plant rapidly ("trip" and "scram" are terms that accurately convey the nature of the response) and to start any other needed systems to mitigate the detected problem and place the plant in a safe state. These protection and mitigation systems have a number of important characteristics:

(a) They are physically separate systems that generally do not share hardware and software with the plant operating and control systems. (Some limited amounts of equipment, such as sensors, may be shared provided the equipment meets safety quality requirements.) This separation extends to and includes needed auxiliary systems such as heating, ventilation, and air conditioning; electrical or hydraulic power supplies; and cooling water systems.

(b) They are environmentally qualified for the harshest anticipated operating and accident conditions, including highly unusual events such as large earthquakes and tornadoes.

(c) When called upon to act, they go to completion of their intended function.

(d) The protection and mitigation systems do not control or modulate the operation of the systems they actuate. They shut down the reactor, trip the turbine generator, start needed cooling water systems, and go to preset operating conditions that are safe for the plant to maintain for extended periods.

In addition, (e) they are designed to be single-failure proof. That is, no single failure at the component or system level (including a failure internal to the protection and mitigation systems, in addition to the initiating event or failure and any of its direct consequences) and no single operator error can prevent them from operating successfully. As a result, they use redundancy: there are typically multiple, separate, parallel sets of equipment and systems to carry out the same function. In the I&C systems in particular, this redundancy is usually provided by four parallel channels that actuate the systems if needed. The four channels feed a logic system that requires any two valid signals to cause actuation. This two-out-of-four logic ensures that no single failure can either prevent or cause the drastic actions taken by these systems. It also allows complete (sensor-to-actuator) testing of one channel at a time while the plant is at power, without causing or inhibiting the protection and mitigation function.

In addition to being single-failure proof, (f) the protection and mitigation systems have other features to enhance their reliability and increase their effectiveness against hazards. For example, two reactor shutdown mechanisms are provided—insertion of control rods and injection of a soluble neutron poison. Also, for any given accident, two or more different initiation signals will be generated and sent to the protection and mitigation system. (For example, a loss-of-flow accident through the reactor will be detected by a high reactor outlet temperature and a high pressure signal.) This type of redundancy provides protection against general classes of common-mode failures—failures in which a single error or problem disables multiple, independent safety functions. (Redundancy is discussed further in Chapter 5.)

It is important to note that the requirements of nuclear plant I&C systems, including the protection and mitigation systems, are well within the capabilities of current I&C technology—analog or digital. In terms of response time and accuracy (for example), the nuclear plant I&C requirements are relatively modest.

Safety Systems

The USNRC's safety evaluation of nuclear power plants primarily addresses the protection and mitigation systems. The monitoring and control systems are usually not given credit (see the brief discussion of "credit" above) in the hazard and safety analyses of the plants. However, upsets or failures in the monitoring and control systems are usually considered the initiating events for the protection and mitigation systems and, as a result, the USNRC can impose requirements on the monitoring and control systems as well. The monitoring and control systems are also analyzed explicitly in the probabilistic risk assessment (PRA) of each plant to assess how the plant compares with the USNRC safety goals for nuclear plants. In general, however, the USNRC and the licensing applicant define a set of "safety systems" for each plant, consisting largely of the protection and mitigation systems; it is these safety systems that are subject to the most rigorous licensing and regulatory controls. This is an important distinction because a substantial effort is required to design, qualify, install, test, and maintain these safety systems, and commercial off-the-shelf equipment usually does not meet the requirements. As an indicator, the cost of nuclear plant "safety-grade" systems and equipment can be 10 times that of equivalent commercial-quality equipment.

This report covers applications of digital I&C systems in nuclear power plants of all three types: the plant monitoring systems, the plant control systems, and the plant protection and mitigation systems. Because the USNRC, the sponsor of this study, is primarily concerned with the "safety-grade" subset of these systems, the report emphasizes that subset.


Operating Conditions for Instrumentation and Control Systems

Nuclear power plant design includes specific consideration of a variety of plant operating conditions. Steady-state, transient, and accident conditions are covered by the regulatory requirements; these requirements also control how and by what criteria the transients and accidents must be analyzed. These analyses, in turn, specify operational requirements the plant equipment and systems must satisfy. For the I&C systems, these specifications include both instrument characteristics (such as input and output range, response time, and accuracy) and the environmental conditions (e.g., temperature, humidity, radiation effects, power supply fluctuations) under which the I&C equipment is required to operate.

Except for the sensors, I&C systems are deliberately placed in protected areas, so the environmental conditions they are exposed to are generally rather mild, akin to an "office environment." But the I&C systems must also function in the environment and under the conditions that lead to a transient or accident condition and that develop in the plant as a transient or accident progresses. Because accident conditions typically create a wider and harsher range of operating environments, and because I&C equipment and systems must survive and function in such environments, the equipment and systems must be qualified, usually by test. In general, this harsher operating environment exists only at the sensors and in most of the signal transmission network; the other components are in relatively well-protected (shielded) rooms and benign environments. Most sensors currently employ analog technology. If digital sensors are used, they will have to be designed and tested to show they can withstand these harsher environments.

TRANSITION FROM ANALOG TO DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS

Background

During their extensive service history, analog I&C systems have performed their intended monitoring and control functions satisfactorily. Although there have been some design problems, such as inaccurate design specifications and susceptibility to certain environmental conditions, the primary concern with the extended use of analog systems is the effects of aging, e.g., mechanical failures, environmental degradation, and obsolescence. The industrial base has largely moved to digital-based systems, and vendors are gradually discontinuing support and stocking of needed analog spare parts.

Some uses of digital technology in U.S. nuclear power plants go back more than two decades. These early applications were limited but included safety-related applications such as core protection calculators. In the early 1980s, the electronics industry began rapidly shifting to microprocessor-based digital technology. Early implementations of this technology in nuclear plants were successful in reducing unintended plant shutdowns ("trips") and maintenance burdens. This success fueled increased interest in digital applications and provided a training ground for enhancing proficiency and confidence in using digital equipment. At the same time, a number of vendors of instrumentation and control began to reduce their support of the analog equipment, which in turn gave additional practical impetus to the use of digital systems.

The nuclear industry has not been alone. Many other safety-critical industries extensively utilize digital systems. These include aviation and space, chemical-petroleum processing, railroads, defense, and medical applications. These industries face safety issues similar to those faced by the nuclear industry.

The reason for the transition to digital I&C systems2 lies in their important advantages over existing analog systems. Digital electronics are essentially free of the drift that afflicts analog electronics, so they maintain their calibration better.3 They have improved system performance in terms of accuracy and computational capabilities. They have higher data handling and storage capacities, so operating conditions can be more fully measured and displayed. Properly designed, they can be easier to use and more flexible in application. They are more widely available. Indeed, digital systems have the potential for improved capabilities (e.g., fault tolerance, self-testing, signal validation, process system diagnostics) that could form the basis for entirely new approaches to achieve the required reliabilities. Because of such potential advantages, and because of the general shift to digital systems and waning vendor support for analog systems, the U.S. nuclear power industry expects substantial replacement of existing, aging analog systems with digital I&C technology. For the same reasons, designs for new, advanced nuclear power plants rely exclusively on digital I&C systems.
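Two of the capabilities listed above, signal validation and software that offsets expected sensor drift (footnote 3), pull in opposite directions, and a short model shows why. The Python below is an added example written for this page; it is not code from the report or from any I&C vendor. It validates each scan of four redundant channel readings against their median, flags a channel that deviates by more than a tolerance, and then runs a simple drift compensator that learns each non-flagged channel's offset. The sample readings, the median rule, the tolerance of 3.0 units and the smoothing factor are all constructed for the example.

```python
from statistics import median

# Constructed sample scans (not plant data): four redundant channels reading one
# process variable in arbitrary units. Channel index 3 fails by running away quickly.
FAST_DRIFT = [
    (2250.0, 2251.0, 2249.5, 2250.5),
    (2250.2, 2250.8, 2249.9, 2256.0),
    (2249.8, 2251.2, 2250.1, 2262.5),
    (2250.1, 2250.9, 2250.0, 2270.0),
]

# Constructed sample in which channel 3 drifts by exactly one unit per scan while the
# other three channels hold steady.
SLOW_DRIFT = [(2250.0, 2250.0, 2250.0, 2250.0 + k) for k in range(1, 11)]


def validate_scan(readings, tolerance):
    """Compare redundant channels against their median.

    Returns (validated_value, suspect_indices). validated_value is None when every
    channel is flagged; what the protection logic does in that case is a design
    decision of the plant, not something this example decides.
    """
    ref = median(readings)
    suspects = [i for i, r in enumerate(readings) if abs(r - ref) > tolerance]
    good = [r for i, r in enumerate(readings) if i not in suspects]
    return (median(good) if good else None), suspects


def track_bias(scans, tolerance, alpha=0.5):
    """Validate successive scans while learning a per-channel bias.

    Each non-flagged channel's bias estimate moves a fraction alpha toward its
    residual offset from the validated value; corrected readings feed the next
    validation. Returns (flagged_per_scan, final_bias). The smoothing rule is an
    assumption of this example, not a description of any real compensator.
    """
    n = len(scans[0])
    bias = [0.0] * n
    flagged = []
    for raw in scans:
        corrected = [r - b for r, b in zip(raw, bias)]
        value, suspects = validate_scan(corrected, tolerance)
        flagged.append(suspects)
        if value is None:
            continue  # nothing trustworthy to learn from this scan
        for i in range(n):
            if i not in suspects:
                bias[i] += alpha * (corrected[i] - value)
    return flagged, bias


if __name__ == "__main__":
    fast_flags, _ = track_bias(FAST_DRIFT, tolerance=3.0)
    slow_flags, slow_bias = track_bias(SLOW_DRIFT, tolerance=3.0)
    print("fast drift, flagged channels per scan:", fast_flags)
    print("slow drift, flagged channels per scan:", slow_flags)
    print("slow drift, learned bias of channel 3:", round(slow_bias[3], 3))
```

The fast runaway is caught on the second scan and is never learned into the bias. The slow drift is never flagged at all: after ten scans channel 3 reads ten units high, but the compensator has absorbed about nine of them, so the per-scan residual stays under the tolerance. Drift-offset software therefore has to be bounded by the validation tolerance, or reconciled against independent calibration, or it will quietly hide exactly the failure that validation is supposed to catch.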

In summary, the experience of other safety-critical industries and the increasing age and obsolescence of the existing analog systems suggest that the increasing use of digital I&C technology is inevitable in nuclear power plants. Digital I&C technology is expected to enhance the safety and performance of nuclear power plants by offering process control improvements, such as reduced instrument calibration requirements and improved plant condition monitoring displays (see, e.g., Gill et al., 1994).

2 The committee intentionally avoided partitioning digital systems between hardware and software; rather the committee believes that digital systems are better treated in an integrated manner. Nevertheless, some of the specific topics addressed in the report merited discussion as "hardware" or "software" items.

3 The reader should note, however, that since most sensors will remain analog-based, drift will not be eliminated, though it will likely be improved, especially if the digital I&C component contains software specifically designed to offset expected sensor drift.

FIGURE 1-1 Illustration of nuclear plant I&C systems.

Applications to Nuclear Plants

Figure 1-1 illustrates a modern digital I&C system applied to a nuclear power plant. Blocks on the left represent the distributed control systems. These are the systems that are used to regulate plant conditions during startup, power operation, and shutdown. They are responsible for maintaining plant systems and components within their operating ranges, and they normally operate in a regulating mode.

Notice that Figure 1-1 shows redundant data buses in these control systems. These data buses are used to transport the large amounts of information typically handled in a large generating station. The use of data buses reduces and simplifies plant wiring and consequently reduces the requirements for managing and maintaining wiring configuration. Redundancy and separation (including different routing) provide for increased data bus reliability. In this manner, reliable communications can be provided for the large numbers of information data points. Notice also, however, the lower level blocks on the left of Figure 1-1 dedicated to the control of individual systems (such as feedwater control). Real-time control functions are executed in these dedicated modules.

Blocks on the right of Figure 1-1 represent the independent protection (safety) systems. They are responsible for detecting system failures and isolating or shutting down failed systems to protect the plant investment and the public health. This type of system normally uses multiple channels in a voting scheme to trigger the isolation or shutdown action. A typical scheme uses two-out-of-four logic: if one of the four channels fails, the failed channel may be taken out of service for repairs, leaving the remaining three channels to act on two-out-of-three logic. Thus, the system is single-failure proof. Requiring two channels to agree before an action is triggered also protects against unnecessary spurious trips.
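The two-out-of-four arrangement described under characteristic (e) above and again in the discussion of Figure 1-1 can be checked mechanically rather than argued in prose. The following Python is an added example written for this page; it is not code from the report or from any plant vendor. It models each channel as healthy, failed with a spurious trip demand, failed silent, or bypassed for test or repair, implements a k-out-of-N voter that degrades automatically as channels are bypassed, and then enumerates every single-channel failure to confirm that none can cause or prevent actuation. The channel states, the fault model and the rule that the voter raises an error when fewer than k channels remain in service are assumptions of the example, not statements from the report.

```python
from enum import Enum


class Channel(Enum):
    """Assumed fault model for one protection channel (not from the report)."""
    NORMAL = "normal"          # healthy: reports the true process demand
    STUCK_TRIP = "stuck_trip"  # failed high: demands a trip regardless of the process
    STUCK_OK = "stuck_ok"      # failed silent: never demands a trip
    BYPASSED = "bypassed"      # removed from the vote for surveillance testing or repair


def channel_vote(process_demands_trip, state):
    """Return (counted, demands_trip): whether the channel is in the vote and what it says."""
    if state is Channel.BYPASSED:
        return False, False
    if state is Channel.STUCK_TRIP:
        return True, True
    if state is Channel.STUCK_OK:
        return True, False
    return True, process_demands_trip


def voter(process_demands_trip, states, k=2):
    """k-out-of-N coincidence logic.

    Bypassed channels drop out of the vote, so 2-out-of-4 becomes 2-out-of-3 with one
    channel in test. Raising when fewer than k channels remain is an assumption of this
    example; the report does not specify that case.
    """
    counted = trips = 0
    for state in states:
        in_vote, demands_trip = channel_vote(process_demands_trip, state)
        counted += in_vote
        trips += demands_trip
    if counted < k:
        raise RuntimeError(f"only {counted} channels in service; {k} required")
    return trips >= k


def single_failure_tolerant(n_channels, k, bypassed):
    """True if, with `bypassed` channels out of service, no single failure of any
    remaining channel can either cause a spurious actuation or block a demanded one.

    The same enumeration covers surveillance testing: injecting a trip into one channel
    looks, to the voter, exactly like a STUCK_TRIP failure of that channel.
    """
    base = [Channel.BYPASSED] * bypassed + [Channel.NORMAL] * (n_channels - bypassed)
    for i in range(bypassed, n_channels):
        for fault in (Channel.STUCK_TRIP, Channel.STUCK_OK):
            states = list(base)
            states[i] = fault
            for demand in (False, True):
                if voter(demand, states, k) != demand:
                    return False
    return True


if __name__ == "__main__":
    for out_of_service in range(0, 3):
        ok = single_failure_tolerant(4, 2, out_of_service)
        print(f"2-out-of-4 with {out_of_service} channel(s) bypassed: "
              f"{'single-failure proof' if ok else 'NOT single-failure proof'}")
```

Run as a script it reports that the system remains single-failure proof with zero or one channel bypassed and loses that property with two: at two-out-of-two a single failed-silent channel blocks a genuine trip. That is the quantitative reason the text limits testing to one channel at a time, and it is the check to repeat whenever a maintenance procedure or a software upgrade changes how many channels can be bypassed at once.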

Figure 1-1 also shows point-to-point data links in the protection systems, which provide for more deterministic and predictable data communications for the fewer data points that are normally needed and handled in safety systems. Notice also the independent manual trips bypassing all microprocessor-based systems.

Virtually all of the 109 nuclear power plant units in operation today have digital I&C components. Some of these were part of the original design, for example, digital radiation monitoring equipment and diesel generator sequencers. The earliest implementations used solid-state logic operating at higher and relatively stiffer voltage levels than those of today's microprocessor-based designs. Moreover, these earlier systems did not employ the signal concentrations of multiplexed microprocessor-based systems. Modern systems also employ faster clock speeds, larger memories, and expanded word lengths that have allowed new developments in the software area as well. This in turn has led to heightened interest by the USNRC.

More recently, many plants have retrofitted some I&C components and systems with modern digital technology (ACRS, 1993b). Although many of these retrofits have been relatively small-scale, one-for-one replacements for such components as recorders, meters, and displays, in recent years some relatively large-scale, microprocessor-based, system-level retrofits have been made (Palo Verde Nuclear Generating Station, 1993; Prairie Island Nuclear Generating Plant, 1993; Turkey Point Plant, 1990; USNRC, 1992; USNRC, 1993b). These include:

  • reactor protection systems at Northeast Utilities Company's Haddam Neck plant; Tennessee Valley Authority's Sequoyah plant; Commonwealth Edison Company's Zion plant, Unit 2; and Pacific Gas and Electric Company's Diablo Canyon plant

  • anticipated transients without scram systems at Arizona Public Service Company's Palo Verde plant, Units 1, 2, and 3

  • load sequencers in the emergency power system at Florida Power and Light Company's Turkey Point plant, Units 3 and 4

  • station blackout/electrical safeguards upgrades at Northern States Power Company's Prairie Island plant, Units 1 and 2

Applications in Advanced U.S. Plants

In the United States, the advanced reactor designs being developed incorporate all-digital systems intended to utilize and exploit the new technology. They also feature enhanced human-machine interfaces such as more versatile displays with integrated process information (ACRS, 1991). These features, along with the other features of advanced plants, are intended to make the advanced plants simpler and safer. Certification of these designs has been sought (under the provisions of 10 CFR 50.52).

LICENSING OF INSTRUMENTATION AND CONTROL SYSTEMS

Design Guidance

Licensing of any systems for use in a nuclear power plant is governed by formal, documented criteria. These criteria are stated in the General Design Criteria (GDC) (Title 10 CFR Part 50, Appendix A, 1995), which are part of federal law. The GDC are written for I&C systems at a very general level. The GDC were written early in the development of commercial nuclear power, before digital equipment, advanced materials, or modern fire-fighting systems such as halon were used in nuclear plants. The GDC requirements are nevertheless very important in guiding the design of digital systems in nuclear power plants. Examples of requirements from the GDC of particular interest for this report are contained in Appendix E.

In order to make the requirements more specific and useful on a day-to-day basis, the USNRC provides extensive supplemental guidance in a variety of forms (see Table 1-1). For example, numerous regulatory guides have been issued that describe interpretations of the regulations acceptable to the USNRC staff. These "reg guides" are not mandatory, but if they are followed by the licensing applicant they provide a basis upon which the applicant's proposal will be accepted. Other regulatory guidance is provided by endorsement of a wide variety of industry standards and through the promulgation of branch technical positions, which are technical positions adopted by various branches (offices) of the USNRC regulatory staff. Much of this guidance is conveniently summarized in the Standard Review Plan (USNRC, 1981). The Standard Review Plan provides detailed guidance to the USNRC reviewers as to what is needed from the licensee to assess the adequacy of a proposed design; it also defines a satisfactory method of complying with the licensing requirements. (The guidance provided by the regulatory guides, branch technical positions, and industry standards is still more detailed.) A major revision of the Standard

TABLE 1-1 USNRC Design and Quality Assurance Guidance

Criteria and supplemental guidance

Design guidance
  • General design criteria (GDC)
  • Supplemental guidance (summarized in the Standard Review Plan)
      • Regulatory guides
      • Branch technical positions
      • Generic letters
      • Industry standards

Quality assurance
  • Generic criteria (10 CFR 50, Appendix B)
  • Supplemental guidance
      • Industry standards
      • Other guidance

The nuclear industry and the U.S. Nuclear Regulatory Commission (USNRC) have been working for several years on the development of an adequate process to guide the replacement of aging analog monitoring and control instrumentation in nuclear power plants with modern digital instrumentation without introducing off-setting safety problems. This book identifies criteria for the USNRC's review and acceptance of digital applications in nuclear power plants. It focuses on eight areas: software quality assurance, common-mode software failure potential, systems aspects of digital instrumentation and control technology, human factors and human-machine interfaces, safety and reliability assessment methods, dedication of commercial off-the-shelf hardware and software, the case-by-case licensing process, and the adequacy of technical infrastructure.