2
Key Issues

Digital instrumentation and control systems for nuclear power plants have very similar technological characteristics—the equipment, response time, input and output range, and accuracy—to digital instrumentation and control systems for other safety-critical applications such as chemical plants and aircraft. What distinguishes digital I&C (instrumentation and control) applications in nuclear power plants from other digital I&C applications is the need to establish very high levels of reliability under a wide range of conditions. Because of the potentially far greater consequences of accidents in nuclear power plants, the I&C systems must be relied upon to reduce the likelihood of even low-probability events. The U.S. Nuclear Regulatory Commission (USNRC) has developed a regulatory process with the goal of achieving these high levels of reliability and thus assuring public safety. This process is subject to public scrutiny.

DEVELOPING THE KEY ISSUES (PHASE 1)

In Phase 1 of the study, the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. In the committee's view, these issues need to be addressed and a working consensus needs to be established regarding these issues among designers, operators and maintainers, and regulators in the nuclear industry. The process the committee followed to identify these issues in Phase 1 is discussed in the Phase 1 report (NRC, 1995) and is only briefly summarized here.

In essence, the committee considered the impact of digital I&C systems against a set of standard regulatory approaches to assessing and ensuring safety (defense-in-depth, safety margins, environmental qualification, requisite quality assurance, and failure invulnerability). From this analysis, the committee identified a number of questions, issues, and facets of issues (see Appendix D). After a number of deliberations, the committee winnowed the list down to eight key issues.

The eight issues separate into six technical issues and two strategic issues. The six technical issues are systems aspects of digital I&C technology, software quality assurance, common-mode software failure potential, safety and reliability assessment methods, human factors and human-machine interfaces, and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of technical infrastructure (i.e., training, staffing, research plan). The committee recognizes that these are not the only issues and topics of concern and debate in this area (see Appendix D). Nevertheless, the committee reaffirms its judgment, initially formed during Phase 1, that developing a consensus on these eight issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

At the end of Phase 1, it became clear to the committee that the software-related issues and the regulating process would be particularly challenging aspects of the study. Accordingly, the committee strengthened its capability by adding to its numbers two experts in these areas (see Appendix A).

ADDRESSING THE KEY ISSUES (PHASE 2)

In Phase 1, the committee largely operated as a single group. In approaching Phase 2, the committee recognized that deeper study of each issue would be needed to provide a firm foundation for developing specific conclusions and recommendations. The committee accordingly formed working subgroups associated with each area. These subgroups, each led by a member of the committee particularly knowledgeable in that area, were charged with studying the issues in detail, developing topic papers, identifying and reviewing key reference documents, and arranging for presentations by those active in the field to the full committee. However, the committee recognized that several issues had close interrelations, requiring that the committee also work as an integrated body to achieve a balanced perspective and forge a committee consensus. Thus, each issue received significant attention by the entire committee.

PRESENTING THE KEY ISSUES

The issues are discussed individually in Chapters 3 through 10 of this report. The committee has maintained the separation between technical issues and strategic issues in the Phase 2 report, even though as work proceeded in Phase 2 it became increasingly apparent that the technical issues and the strategic issues are tightly interwoven. The technical issue discussions (Chapters 3 through 8) generally focus on the technical basis of the issue and how pertinent technical knowledge (or the lack thereof) affects how the issue is addressed in U.S. nuclear plants, foreign plants, and other industries and their regulators. For each issue, the committee draws conclusions and provides recommendations.

Discussion of the two strategic issues (Chapters 9 and 10) focuses on the licensing process and a key underlying area, the way in which the USNRC has developed and continues to develop its technical infrastructure (staffing, training, and research plans) in the digital I&C area. In Phase 1, the committee became convinced that even if the six technical issues were resolved and no controversy or lack of consensus existed, these strategic issues would still need to be carefully considered and addressed. Concern with these two strategic issues reflects the recognition that rapidly moving and evolving technologies present a special difficulty for an industry and its regulators where licensing and certification processes generally move more slowly than the technology they are intended to regulate.

Because the issues are highly interrelated and are relatively general, the committee debated their relative importance and their order of presentation, which warrants the following brief discussion of their arrangement in this report. The committee chose to present the technical issues first to provide a basis and context for the strategic issues presented later.

Of all the technical issues, systems aspects of digital I&C technology is addressed first (in Chapter 3) because it is a broad issue that encompasses many others. Next (in Chapters 4, 5, and 6), the committee has chosen to present the three issues primarily related to software.¹ Software constitutes a major difference between analog and digital I&C applications, and its use raises some concerns. Software is a design artifact, and for that reason it is difficult to show definitively that it has no critical errors. Software is also more amenable to the addition of features and enhancements (so-called "creeping complexity") not needed for its basic function, whereby the system becomes more difficult to understand.

As the most general of the three software issues, software quality assurance is discussed first (Chapter 4). The issue of software common-mode failures is discussed next (Chapter 5). Common-mode failure in software is closely related to software quality assurance but warrants discussion as a separate topic because of its significance to safety-critical digital applications, with their emphasis on independence, redundancy, and diversity. The final issue discussed in the primarily software-related group is quantitative safety and reliability assessment methods (Chapter 6).

The committee then turns to the issue of human factors and the human-machine interface (Chapter 7), an issue important in both analog and digital systems. Digital I&C technology has the potential to greatly improve the human factors and human-machine interfaces so that the combination of the human operator and the computer could provide greatly improved process control and enhanced safety. There are, however, unique design challenges that digital I&C technology presents.

The last technical issue discussed is dedication and use of commercial off-the-shelf (COTS) digital I&C systems and equipment in nuclear power plants (Chapter 8). This topic is important because much of the existing I&C equipment in nuclear power plants is becoming obsolete and vendor support is waning. The nuclear plant market is relatively small, and COTS offers a potentially cost-effective way to address this problem. Other industries have reached the same conclusion and are reportedly finding some success (Loral, 1996). This is a relatively new area for nuclear plants, particularly in safety system applications, but there is considerable industry activity and regulatory involvement.

Finally, the committee turns to the two strategic issues, case-by-case licensing and adequacy of the technical infrastructure (discussed in Chapters 9 and 10). Both the Advisory Committee on Reactor Safeguards and the Nuclear Safety Research Review Committee share the committee's view that successful resolution of these issues is a necessary prerequisite to successfully applying digital I&C systems in nuclear power plants.

REFERENCES

Loral (Loral Space Information Systems). 1996. Mission Control Center Upgrade at NASA Johnson Space Center. Houston, Texas: Loral Corporation press release.

NRC (National Research Council). 1995. Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues, Phase 1. Board on Energy and Environmental Systems, National Research Council. Washington, D.C.: National Academy Press.

NOTE

¹ In its internal discussions, however, the committee arrived at the view that in general the software and hardware aspects of a digital application cannot be clearly separated.