3
Systems Aspects Of Digital Instrumentation And Control Technology

INTRODUCTION

Digital instrumentation and control (I&C) systems have proven to be useful and beneficial in a wide range of applications including fossil-fueled power generation, electric power distribution, petroleum refining, petrochemical production, aerospace, and some nuclear power plant applications (e.g., core protection calculators, diesel generator load sequencers, a few digital reactor protection systems, and plant radiation monitoring systems). This usefulness is evidenced by the trend over the last 20 years toward investment in digital I&C applications in the process industries.

However, digital I&C systems were not an instant success; early on it became clear that careful attention to systems aspects1 would be necessary to avoid unanticipated failure modes. In the late 1960s, there was mixed success using central computers in the so-called "direct digital control" architecture (commonly referred to as DDC) for process control. A transition was soon made to the so-called "supervisory control" architecture, in which minicomputers were used to transmit "supervisory" commands to analog controllers that performed continuous process regulation.

Eventually, this transition led to today's modern multilayered architectures in which (a) local controllers perform component control functions, (b) higher- (system-) level control stations coordinate in a supervisory mode the operations of multiple components in a system or multiple systems in a unit, and (c) higher-level stations perform plant-level supervisory functions and data analyses.

There are many options by which to implement these architectures. Selecting among these options involves addressing considerations such as (a) allocations of functions to different layers of the system, and to hardware and to software; (b) communications schemes within and between layers; (c) methods for achieving timely execution of data acquisition, analyses, and control functions; and (d) provisions for redundancy and diversity. One possible application of such a multilayered architecture to a nuclear generating station is described in Chapter 1 of this report (see Figure 1-1). Notice in Figure 1-1 the multiple horizontal layers of functionality that are typical in today's digital I&C systems, along with the traditional nuclear plant features of vertical independence between protection and control and the use of independent manual backup trips. Figure 1-1 also illustrates the use of redundancy in sensing and communication lines and the extensive use of data buses in the control system compared to the extensive use of deterministic point-to-point communications in the protection system.

Recent experience with large-scale, fully integrated digital I&C systems at nuclear power plants has also had its difficulties. There have been problems, apparently related to systems aspects, that have caused substantial delays and increased costs. In addition, there is increasing use of open systems, in which multiple vendors provide components that must successfully interact. Open systems are used because they foster competition and standardization and avoid dependence on single suppliers. However, the presence of multiple vendors may make successfully dealing with systems aspects more difficult because of the increased number of interfaces.

Statement of the Issue

Along with important benefits, digital I&C systems introduce potential new failure modes that can affect operations and margins of safety. Therefore, digital I&C systems require rigorous treatment of the systems aspects of their design and implementation.2 What methods are needed to address this concern? How can the experience and best practices of the various technical communities involved in applying digital I&C technologies be best integrated and applied to nuclear power plants? What procedures can be put

1 "Systems aspects" refers to those issues that transcend the particular component(s) that comprise the system and possibly even the function that the system performs. Such issues include architecture, communications, allocation of functions, real-time processing, and distributed computing.

2 Licensing aspects are discussed in Chapter 9.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.



in place to update the methods and the experience base as new digital I&C technologies and equipment are introduced in the future?

New Plants and Retrofits

Successfully dealing with the systems aspects of digital I&C applications is critically important to both new plant applications and retrofits. However, there are substantial differences between the two applications.

For new plants, a large system is conceived and designed as such. The designers have relative freedom in configuring the system architecture and creating the various subsystems, which can be implemented on a plant-wide, fully integrated basis (see for example Figure 1-1 and the companion description in Chapter 1). The size of the design task is usually matched by a large pool of available resources and the presence of a dedicated design team. Extensive testing of the subsystems and of the integrated system is also likely to be possible.

For retrofits or modifications, typically there will be a narrower focus and fewer resources available. The systems aspects of the particular application are likely to be relatively limited in scope, and in any case the designer is limited by the requirement of integrating the retrofit subsystem into an existing plant. For example, the designer will likely make more use of one-for-one digital-for-analog replacements. The customized nature of retrofits or modifications can make it difficult to carry out a series of changes in a consistent manner, unless there is an integrated, plant-wide plan.

Systems Aspects

The systems aspects of I&C systems in nuclear plants need to be considered from two perspectives: the plant (i.e., the nuclear, fluid, mechanical, and electrical systems) and the I&C systems themselves. More specifically, this includes:

definition of the I&C systems, integration of these systems into the overall plant, and specification of the key high-level requirements applicable to all the I&C systems
design of the individual I&C systems themselves, i.e., selection of design features intended to meet the high-level requirements

Interactively addressing the systems aspects from these two perspectives is essential in order for the design of the plant and the I&C systems to be adequately integrated, and to achieve (a) reliable plant operation, (b) reliable plant investment protection, and (c) reliable worker and public health protection. This is consistent with the normal design approach used to design such systems; see, for example, Johnson (1989) and Pradhan (1996). These authors discuss the design process in terms of the high-level functions of problem definition, system requirements, and system partitioning. Once these steps are accomplished, the overall I&C system will be defined and divided into manageable systems or subsystems with defined top-level requirements.

The committee recognizes that individual digital systems are an important part of the successful implementation of large systems and that their design can be difficult. But there is a large body of experience, including numerous standards, with designing and successfully implementing these systems (see, for example, Center for Chemical Process Safety, 1995). There is also an extensive body of technical literature to guide this work. Therefore, the committee has focused on the higher-level aspects of digital I&C applications in nuclear power plants. It should be noted that there are several key areas in the design of digital systems that need to be carefully addressed, and these are summarized in Appendix F.

CURRENT U.S. NUCLEAR REGULATORY COMMISSION REGULATORY POSITIONS AND PLANS

In general, the U.S. Nuclear Regulatory Commission (USNRC) approach for addressing systems aspects is consistent with the above approach (looking at the I&C systems from two perspectives) and is generally described in Chapter 1 of this report. That is, high-level regulatory requirements are supplemented by more specific USNRC guidance and endorsements of industry standards. In discussion with the committee in October 1995, the USNRC staff called attention to top-level systems aspects requirements addressed in:

10 CFR 50.55a(h), endorsing the use of IEEE Standard 279–1971, particularly in paragraph 3, Design Basis, and paragraph 4.1, General Functional Requirement
10 CFR 50, Appendix A, Criterion 10, Reactor Design
10 CFR 50, Appendix A, Criterion 13, Instrumentation and Control
10 CFR 50, Appendix A, Criterion 20, Protection System Functions
10 CFR 50, Appendix A, Criterion 21, Protection System Reliability and Testability
10 CFR 50, Appendix A, Criterion 22, Protection System Independence
10 CFR 50, Appendix A, Criterion 23, Protection System Failure Modes
10 CFR 50, Appendix A, Criterion 24, Separation of Protection and Control Systems
10 CFR 50, Appendix A, Criterion 25, Protection System Requirements for Reactivity Control Malfunctions
10 CFR 50, Appendix A, Criterion 29, Protection Against Anticipated Operational Occurrences

In addition to these basic, high-level criteria, the USNRC staff noted that the existing review guidance includes:

IEEE Standard 279–1971 and its alternate, IEEE Standard 603–1991
IEEE 7-4.3.2–1993, in particular, Annexes E and F

The USNRC has recognized the need to revise and update its regulatory guidance documents to better address digital I&C systems, and it has an extensive revision under way (see Chapters 1 and 9). In the systems aspects area, the USNRC (1995) indicated the revision includes several items specifically directed at systems aspects. These include preparation of (a) a new branch technical position on digital systems architecture and real-time performance, which provides guidance on verifying limiting response times and architectural details; and (b) a new Standard Review Plan section, Section 7.9, Data Communications, which provides acceptance criteria and review guidance for data communications or multiplexers.

Applicability to Existing Plants

For existing plants the primary emphasis will be on digital upgrades and modifications. Thus, in addition to the documents listed above, the use of 10 CFR 50.59 will be very important. (See the discussion in Chapter 1 and Chapter 9 regarding 10 CFR 50.59.)

Applicability to New Plants

There are three new plant designs being proposed by the U.S. nuclear industry, one from each of the major vendors, and these designs are being reviewed by the USNRC. All of these plant designs use I&C systems that are completely digital-based and fully integrated into the overall plant design. The USNRC review is being conducted under an alternative process set forth in 10 CFR 50.52. The basic technical requirements for licensing the plants are essentially the same as for existing plants, but the overall licensing review process defined in 10 CFR 50.52 is intended to be more streamlined and to result in the approval of standardized designs that can potentially be used at multiple sites.

An important part of the process of developing and documenting the design basis for these new plants has been the preparation and use of the Electric Power Research Institute's Utility Requirements Document (URD) (EPRI, 1992), which documents the requirements the utilities and vendors have agreed to impose on the new plant design. Chapter 10 (Man-Machine Interface Systems) of the URD sets forth requirements that specify the design approach for the digital I&C systems, requirements for the systems aspects, and requirements for specific systems. To ensure the eventual licensability of the new plant design, the industry has sought formal review by the USNRC of the URD. The USNRC has reviewed the URD and has written formal Safety Evaluation Reports in which the USNRC agrees that a plant that meets the URD will likely meet the licensing requirements. USNRC review and acceptance of these requirements and their subsequent use in the design certification of the new plants has provided a way for the nuclear industry and the USNRC to reach agreement on many of the systems aspects of digital I&C. (See the additional discussion of the URD in Chapter 1 above.)

DEVELOPMENTS IN THE U.S. NUCLEAR INDUSTRY

Existing I&C systems in U.S. nuclear plants are analog-based and are approaching or exceeding their life expectancy, resulting in increased maintenance efforts and costs to sustain system performance (see, e.g., a survey by Cross [1992] indicating that I&C maintenance costs are disproportionately high). As a result there is a strong interest in upgrading and modifying these systems. Many individual utilities are making upgrades, and an industry-wide initiative, led by the Electric Power Research Institute, is under way to promote cost-effective digital I&C upgrades (Chexal et al., 1991). The importance of systems aspects has been recognized in this initiative. For example, the EPRI initiative includes systems aspects in its retrofit implementation guidelines, which include guidance for defining equipment and interface requirements for plant data communications, architecture, systems requirements, and configuration management (see Machiels et al., 1995).

No new U.S. nuclear plants have begun construction in almost 20 years. As discussed above, however, three new nuclear plant designs have been proposed and are under review by the USNRC. All of these plants have fully digital-based I&C systems, and the specifications and other documents submitted for licensing review emphasize assuring that the design process and systems aspects are correctly defined so that the eventual detailed design and implementation will be successful. There is at least some indication that this approach is effective. An advanced nuclear power plant recently completed in Japan (Kashiwazaki-Kariwa unit 6) was started up with only very minor I&C system problems. This plant's design meets the bulk of the requirements for the equivalent U.S. advanced boiling-water reactor plant design being reviewed in the United States and, in fact, was used as a basis for developing many of the requirements contained in the Utility Requirements Document.

DEVELOPMENTS IN THE FOREIGN NUCLEAR INDUSTRY

There have been several other nuclear plants completed in the last few years that use completely digital-based I&C systems and represent significant digital I&C integration efforts. These plants are in the United Kingdom (Sizewell-B plant), France (Chooz-B plant), Canada (Darlington plant), and Japan (Kashiwazaki-Kariwa unit 6). The committee has not reviewed these plant designs in detail. However, what is known about actual progress of the work on these plants and some of the problems that have occurred is instructive with respect to the importance of systems aspects of the design.

Sizewell-B includes a distributed digital control system for control and data acquisition, of a product family that has been extensively used in process control applications, including fossil-fired generating stations. It also includes elements of a nuclear safety-grade product family for protection that has been used in some nuclear applications. Redundancy is provided at all levels, including the use of dual redundant conductors for data buses, and two diverse protection systems. Hard-wired controls and instruments provide backup for the computer-based systems (Boettcher, 1994).

Electricite de France (EDF) uses a three-level architecture for its N4 PWR series used at Chooz-B. One level is the digital protection system. Its mission is to bring the plant to a safe, stable status, maintaining core and containment integrity. A second level uses off-the-shelf hardware to provide functions such as boron control, pressure and temperature control, and monitoring of secondary feedwater supply. The third level is the human-machine interface in the control room, which includes hardwired controls connected directly to the lowest possible level of the I&C system (Nucleonics Week, 1995).

The Canadian nuclear program led the world in the use of digital technology. The CANDU reactors are physically large, and significant computations are required to maintain adequate neutron flux distribution and stability. As a result, digital systems have been extensively used in CANDU plants. Each new plant has had a greater scope of digital technology than the previous one. Darlington has digital systems in almost 100 percent of its control systems and over 70 percent of its plant protection system. Necessity and sound engineering have made digital I&C acceptable in the CANDU reactors (White, 1994).

As explained above, the Kashiwazaki-Kariwa unit 6 in Japan meets the bulk of the requirements for the equivalent U.S. advanced boiling-water reactor plant design under review in the United States.

All of these plants are now producing power on the grid. Because the I&C systems are used extensively in the testing and startup phases as well as during operation at power, there are now several plant-years of experience with these large systems. The implication of this experience is that such systems are clearly practical. Further, operation to date has been safe, although, as noted by Suri et al. (1995), large systems with long mission times are challenging tasks and may be subject to subtle failures that can take a long time to appear.

Three of the four plants have had systems aspects problems that were costly and caused delays. Sizewell-B and Chooz-B were affected by a problem that resulted in the need to both change the basic system design and change the control system suppliers in the middle of the design (Nucleonics Week, 1991). For the Darlington plant, a careful review of the software as part of the licensing process indicated that the software in its present form is satisfactory for use but will eventually need to be rewritten as changes inevitably arise (Joannou, 1995). The plant in Japan reported problems in a single part of the control system, but this was resolved in the startup program. On the basis of this experience it appears that systems aspects of nuclear plant I&C systems continue to warrant attention.

DEVELOPMENTS IN OTHER SAFETY-CRITICAL INDUSTRIES

Safety-critical applications of digital I&C are widely used in the aerospace industry. Systems aspects have been the focus of many studies, particularly those addressing the role of the digital I&C systems in accidents and the lessons to be learned. Many of these deal with human-machine interfaces, task allocation, and levels of automation. One major finding closely related to systems aspects is the importance of operator confusion caused by automatic changes in operating modes (Aviation Week and Space Technology, 1995; IEEE Spectrum, 1995).

The chemical industry has great similarity to the nuclear industry in that it is a process industry that deals with (a) similar fluid conditions in terms of temperatures, pressures, and physical phase changes; (b) similar rotating machinery and mechanisms; and (c) significant latent energy storage, albeit of a different kind. Digital I&C systems have been extensively used in the chemical industry since the late 1970s. The industry has developed Guidelines for Safe Automation of Chemical Processes (Center for Chemical Process Safety, 1995), which contains details on important systems aspects, such as integrity of process control systems, process hazards, control strategies and schemes, safety considerations, data communications media, data reliability, and administrative considerations for system integrity.

DISCUSSION

During Phase 1 of its study, the committee recognized that a great many of the issues and problems being discussed and addressed in the nuclear industry were of a relatively specific nature that missed capturing the systems aspects of the application of digital I&C technologies. This preponderance of relatively specific issues is reflected in the discussions the committee chose to focus on in Chapters 4 through 8 below and in the many other candidate issues and topics considered by the committee (see Appendix D). Several members of the committee, however, had had personal experience in which the various specific parts of a system were apparently designed correctly but the ensemble or overall system did not perform satisfactorily. However, the committee feels that relatively specific I&C issues and problems are best addressed in the context of overall I&C system requirements and interfaces with the rest of the plant.

For example, the committee was very much aware of the problems at the Sizewell-B, Chooz-B, and Darlington plants, which were higher-level problems. Sizewell-B and Chooz-B had to change their common original system supplier in the middle of the design efforts. The problem seems to have been the result of the under-specification of the Chooz-B system, and the complexity of the design. The original supplier found itself developing hardware and software in parallel to ever-escalating requirements. Technical problems seem to have been created by the lack of adequate capacity to process the mass of acquired reactor data with the original architecture (Nucleonics Week, 1991). At Darlington, despite the high availability and safety record of the Canadian plants, the Canadian Atomic Energy Control Board undertook a more stringent review of the software engineering process, and the operation of Darlington's first two units was delayed, with a resulting economic penalty on the utility.

The major lesson learned from these cases is that not only is the control of the design process important; equally important is the need for clear, complete, and stable requirements from the beginning of the project. To be clear, requirements must be quantified. Functions define what the system must do and must not do. Requirements define how well system functions must be performed. The definition of clear, complete, and stable I&C requirements requires (a) an in-depth understanding of plant processes; (b) an in-depth understanding of the proposed I&C technology to be used; (c) the vision of what new features may be needed or desired in the new system, e.g., security, on-line maintenance aids; and (d) an ability to visualize and articulate the requirements in a top-down approach while keeping requirement conflicts out. The last component implies being able to look and see ahead for consistency as detailed "lower level" requirements are developed from the more global "top level requirements."
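The lesson above, that requirements must be quantified and kept free of conflicts as lower-level requirements are derived top-down from top-level ones, can be made concrete with a small added example; it is not from the report or from any of the plants it discusses. It decomposes a limiting response time for a trip function into allocated budgets along the signal path and checks two things a reviewer would want to see: that no parent's limit is exceeded by the sum of its children's allocations, and that each leaf's analysed worst case meets its own allocation. All requirement identifiers, stage names and millisecond figures are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Requirement:
    """One node of a top-down requirement tree (constructed model).

    function:      what the system must do (or must not do).
    limit_ms:      how well, as a quantified maximum response time.
    worst_case_ms: analysed/measured time for a leaf; None until verified.
    children:      lower-level requirements derived from this one.
    """
    rid: str
    function: str
    limit_ms: float
    worst_case_ms: Optional[float] = None
    children: List["Requirement"] = field(default_factory=list)


def allocation_conflicts(req: Requirement) -> List[Tuple[str, float, float]]:
    """Walk the tree top-down and report every parent whose children's
    allocated budgets add up to more than the parent's own limit."""
    found = []
    if req.children:
        total = sum(c.limit_ms for c in req.children)
        if total > req.limit_ms:
            found.append((req.rid, total, req.limit_ms))
        for child in req.children:
            found.extend(allocation_conflicts(child))
    return found


def verification_failures(req: Requirement) -> List[Tuple[str, Optional[float], float]]:
    """Check the leaves: a leaf that has not been verified, or whose analysed
    worst case exceeds its allocation, fails its quantified requirement."""
    failures = []
    if not req.children:
        if req.worst_case_ms is None or req.worst_case_ms > req.limit_ms:
            failures.append((req.rid, req.worst_case_ms, req.limit_ms))
    for child in req.children:
        failures.extend(verification_failures(child))
    return failures


def end_to_end_worst_case(req: Requirement) -> float:
    """Worst-case path time: leaves contribute their verified value (or their
    allocation if unverified); parents sum their children."""
    if not req.children:
        return req.worst_case_ms if req.worst_case_ms is not None else req.limit_ms
    return sum(end_to_end_worst_case(c) for c in req.children)


def build_example(with_comms: bool) -> Requirement:
    """Constructed decomposition of a 500 ms trip-function limit (assumed
    figure). With with_comms=True a data-bus stage is added whose budget
    pushes the children's total above the parent's limit."""
    stages = [
        Requirement("R1.1", "sensor detects low flow", 100.0, 80.0),
        Requirement("R1.2", "acquisition samples and validates channel", 50.0, 40.0),
        # Analysed worst case of 110 ms exceeds the 100 ms allocation: a leaf
        # that looks fine in isolation but breaks its derived requirement.
        Requirement("R1.3", "trip logic votes channels and sets trip", 100.0, 110.0),
        Requirement("R1.4", "breakers open on trip signal", 200.0, 150.0),
    ]
    if with_comms:
        stages.insert(2, Requirement("R1.2a", "data bus delivers channel value", 100.0, 60.0))
    return Requirement("R1", "trip reactor on low coolant flow", 500.0, children=stages)


if __name__ == "__main__":
    for variant in (False, True):
        tree = build_example(variant)
        print(f"with_comms={variant}")
        print("  allocation conflicts :", allocation_conflicts(tree))
        print("  verification failures:", verification_failures(tree))
        print("  end-to-end worst case:", end_to_end_worst_case(tree), "ms")
```

Note that in the variant without the bus stage the allocations are consistent yet a leaf still fails verification, while the variant with the bus stage has an allocation conflict even though every leaf but one meets its own budget; both checks are needed.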
Finally, as noted above, the technical literature identifies the systems aspects of a design as being very important to achieving satisfactory performance, particularly as systems grow in size and complexity. There is thus a need to focus on the issue of systems aspects. In dealing with systems aspects in U.S. nuclear power plants, there are some important factors to be taken into account: First, although three new U.S. plant designs are being reviewed by the USNRC, it is unlikely that any new nuclear plants will be built in the next few years in the United States. The U.S. plant experience will be limited to modifications or upgrades of limited scope, with the bulk of the upgrades and modifications involving component change-outs or small subsystems. Second, dealing with the systems aspects is not solely a USNRC responsibility. This is because systems aspects applies to both the safety and nonsafety systems and only a relatively small subset of the overall I&C systems in a nuclear plant fall under regulatory control. Industry must assure that systems aspects are properly dealt with for the nonsafety systems. The lessons learned and problems seen in foreign (nuclear) plants indicate nonsafety systems can cause problems. Note, for example, that the problems at Chooz-B and Sizewell-B occurred in the nonsafety portion of the plant (Nucleonics Week, 1995); nevertheless they were costly and should be avoided. Both the USNRC and the industry recognize that failures in the nonsafety systems can challenge the plant's design envelope and the safety systems must be appropriately designed to withstand these challenges and keep the plant within its safety envelope. Third, the existing U.S. nuclear plant I&C technology is largely analog-based. There is very little regulatory guidance regarding systems aspects for digital-based components. (As noted above, the USNRC has recognized this and has begun an upgrade of their requirements.) 
Taking into account these realities of the situation in the United States, the committee discerned several activities that could be undertaken by the U.S. nuclear industry and the USNRC to better address systems aspects. The principle underlying these activities is that a proactive approach is appropriate for drawing on the available experience and expertise in other countries, comparable industries, and other government agencies. First, to assess whether new regulatory guidance documents have the needed specificity in the systems aspects area, a trial application could be made to the existing foreign plant experience that is already available and to new experience as additional foreign nuclear plants come on line. These new plants all use digital I&C technology throughout. These trial applications could be made both retrospectively to the existing plants and during development of new plants to see if the guidance is appropriate, effective, and of the desired specificity. Second, a systematic review could be made of the experience, techniques, and regulatory and industry guidance documents used in other comparable industries in the United States. Based on its own brief review, the committee has identified at least one candidate approach, one used in the chemical process industry, that merits consideration (Center for Chemical Process Safety, 1995). The committee expects that there are other likely sources of important experience and expertise, such as the aerospace industry, where large, fault-tolerant, safety-critical I&C systems are in wide use. For example, it would be useful for the USNRC to compare their new guidance documents with those available from the Federal Aviation Administration. Third, as digital systems continue to grow in power and complexity, and particularly in view of the probable lack of any new U.S. 
nuclear plants, action by the USNRC to maintain currency in systems aspects may also be warranted (Chapter 10 of this report discusses the general topic of technical infrastructure). Examples include: USNRC staff training and participation in key conferences in particularly germane technologies, such as fault-tolerant, distributed systems Participation by USNRC staff in the work of other domestic or foreign regulatory agencies (perhaps on a reciprocal loan basis) that are actively dealing with large-scale digital I&C systems

Finally, it is essential to pay careful attention to the specific design features of the individual I&C systems that are evaluated and licensed. Further, it is necessary to consider the details of the I&C system implementation; it is not sufficient to concentrate on general, high-level features. However, the committee's brief review of the applicable USNRC guidance found little specificity in these requirements regarding either level of the systems aspects, that is, the high-level systems aspects or the system design considerations covered in Appendix F. It appears that the USNRC should carefully consider the level of specificity provided in its regulatory guidance documents to be sure that the lessons learned from prior experience and in good design practice are adopted and followed. Appendix F is pertinent to this point.

CONCLUSIONS AND RECOMMENDATIONS

Conclusions

Conclusion 1. Continued effort is warranted by the USNRC and the nuclear industry to deal with the systems aspects of digital I&C in nuclear power plants.

Conclusion 2. The lack of actual design and implementation of large I&C systems for U.S. nuclear power plants makes it difficult to use learning from experience as a basis for improving how the nuclear industry and the USNRC deal with systems aspects.

Conclusion 3. The USNRC's intent to upgrade its regulatory guidance in the systems aspects of digital I&C applications in nuclear power plants is entirely supported by the committee's observations about systems aspects.

Conclusion 4. Existing regulatory guidance lacks the specificity needed to be effective, and the revision should address this shortcoming.

Recommendations

Recommendation 1. The USNRC should make a trial application of the proposed regulatory guidance documents on systems aspects to foreign nuclear plant digital systems, both existing and in progress. In particular, this review should focus on assessing whether or not the revised guidance documents have the necessary level of specificity to adequately address the systems aspects of nuclear plant digital I&C implementations.

Recommendation 2. The USNRC should identify and review systems aspects guidance documents provided in other industries, such as chemical processing and aerospace, where large-scale digital I&C systems are used. The focus of this review would be to compare these other guidance documents with those being developed by the USNRC, paying due attention to common problems and application-specific differences.

Recommendation 3. To obtain practical experience, the USNRC should loan staff personnel, perhaps on a reciprocal basis, to other agencies involved in regulating or overseeing large safety-critical digital I&C systems.

Recommendation 4. The USNRC should require continuing professional training for appropriate staff in technologies particularly germane to systems aspects, such as fault-tolerant, distributed systems.

REFERENCES

Aviation Week and Space Technology. 1995. Automated Cockpits: Who's in Charge? January 30 and February 6.

Boettcher, D. 1994. State-of-the-Art at Sizewell-B. Atom 433 (Mar–Apr):34–38.

Center for Chemical Process Safety. 1995. Guidelines for Safe Automation of Chemical Processes. New York: American Institute of Chemical Engineers.

Chexal, V., F. Lang, T. Marston, and K. Stahlkopf. 1991. An Industry Vision for the 1990s and Beyond. Nuclear Energy International 36(446):22–24, 26.

Cross, A.E. 1992. Analysis of Corrective Actions Applied to Nuclear Power Plant Operations. Nuclear Safety 33(4):586.

Electric Power Research Institute (EPRI). 1992. Advanced Light Water Reactor Utility Requirements Document. EPRI NP-6780-L, Vol. 2 (ALWR Evolutionary Plant) and Vol. 3 (ALWR Passive Plant), Ch. 10: Man-Machine Interface Systems. Palo Alto, Calif.: EPRI.

Institute of Electrical and Electronics Engineers (IEEE) Spectrum. 1995. The Glass Cockpit. September.

Joannou, P. 1995. Presentation to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., December.

Johnson, B.W. 1989. Design and Analysis of Fault Tolerant Digital Systems. New York: Addison-Wesley.

Machiels, A., R. Torok, J. Naser, and D. Wilkinson. 1995. The Digital Challenge: An Update on EPRI's I&C Upgrade Initiative. Nuclear Engineering International 40(489):44–46.

Nucleonics Week. 1991. British Support French I&C System That EDF Has Abandoned for Its N4. January 10 and April 11.

Nucleonics Week. 1995. Outlook on I&C: Special Report to the Readers of Nucleonics Week, Inside the N.R.C. and Nuclear Fuel. September and October.

Pradhan, D.K. 1996. Fault-Tolerant Computer System Design. Upper Saddle River, N.J.: Prentice-Hall.

Suri, N., C.J. Walter, and M.M. Hugue. 1995. Advances in Ultra-Dependable Distributed Systems. Los Alamitos, Calif.: IEEE Computer Society Press.

U.S. Nuclear Regulatory Commission (USNRC). 1995. USNRC Staff (J. Wermeil) presentation to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., October.

White, J. 1994. Comparative Assessments of Nuclear Instrumentation and Controls in the United States, Canada, Japan, Western Europe, and the Former Soviet Union. JTEC/WTEC Annual Report and Program Summary 1993/94. Baltimore, Md.: World Technology Evaluation Center, Loyola College.