Instrumentation and Control Systems in Advanced Plants (see Chapter 5), and its counterpart for existing plants.
Recommendation 3. The USNRC should revisit its guidelines on assessing whether adequate diversity exists. The USNRC should not place reliance on different programming languages, different design approaches meeting the same functional requirements, different design teams, or using different vendors' equipment ("nameplate" diversity). Rather, the USNRC should emphasize potentially more robust techniques such as the use of functional diversity, different hardware, and different real-time operating systems.
Recommendation 4. The USNRC should reconsider the use of research funding to try to establish diversity between two pieces of software performing the same function. This does not appear to be possible. Specifically, it appears the USNRC funding of the Unravel tool is based on the use of this tool for this purpose and, as such, is unlikely to be useful.
Safety and Reliability Assessment Methods
Issue Statement. Effective, efficient methods are needed to assess the safety and reliability of digital I&C systems in nuclear power plants. These methods are needed to help avoid potentially unsafe or unreliable applications and aid in identifying and accepting safety-enhancing and reliability-enhancing applications. What methods should be used for making these safety and reliability assessments of digital I&C systems?
Conclusion 1. Deterministic assessment methodologies, including design basis accident analysis, hazard analysis, and other formal analysis procedures, are applicable to digital systems.
Conclusion 2. There is controversy within the software engineering community as to whether an accurate failure probability can be assessed for software or even whether software fails randomly (see Chapter 6). However, the committee agreed that a software failure probability can be used for the purposes of performing probabilistic risk assessment (PRA) in order to determine the relative influence of digital system failure on the overall system. Explicitly including software failures in a PRA for a nuclear power plant is preferable to the alternative of ignoring software failures.
Conclusion 3. The assignment of probabilities of failure for software (and more generally for digital systems) is not substantially different from the handling of many of the probabilities for rare events. A good software quality assurance methodology is a prerequisite to providing a basis for the generation of bounded estimates for software failure probability. Within the PRA, uncertainty and sensitivity analysis can help the analyst assure that the results are not unduly dependent on parameters that are uncertain. As in other PRA computations, bounded estimates for software failure probabilities can be obtained by processes that include valid random testing and expert judgment.6
Conclusion 4. Probabilistic analysis is theoretically applicable in the same manner to commercial off-the-shelf (COTS) equipment, but the practical application may be difficult. The difficulty arises when attempting to use field experience to assess a failure probability, in that the experience may or may not be equivalent. For programmable devices, the software failure probability may be unique for each application. However, a set of rigorous tests may still be applicable to bounding the failure probability, as with custom systems. A long history of successful field experience may be useful in eliciting expert judgment.
Recommendation 1. The USNRC should require that the relative influence of software failure on system reliability be included in PRAs for systems that include digital components.
Recommendation 2. The USNRC should strive to develop methods for estimating the failure probabilities of digital systems, including COTS, for use in probabilistic risk assessment. These methods should include acceptance criteria, guidelines and limitations for use, and any needed rationale and justification.
Recommendation 3. The USNRC and industry should evaluate their capabilities and develop a sufficient level of expertise to understand the requirements for gaining confidence in digital implementations of system functions and the limitations of quantitative assessment.
Recommendation 4. The USNRC should consider support of programs that are aimed at developing advanced techniques for analysis of digital systems that might be used to increase confidence and reduce uncertainty in quantitative assessments.
Human Factors and Human-Machine Interfaces
Issue Statement. At this time, there does not seem to be an agreed-upon, effective methodology for designers, owner-operators, maintainers, and regulators to assess the overall impact of computer-based, human-machine interfaces on human performance in nuclear power plants. What methodology and approach should be used to assure proper consideration of human factors and human-machine interfaces?
Conclusion 1. Digital technology offers the potential to enhance the human-machine interface and thus overall operator performance. Human factors and human-machine interfaces are well enough understood that they do not represent a major barrier to the use of digital I&C systems in nuclear power plants.
Conclusion 2. The methodology and approach adopted by the USNRC for reviewing human factors and human-machine interfaces provides an initial and acceptable first step in a review. Existing USNRC procedures, for both the design product and process, are consistent with those of other industries. The guidelines are based on many already available in the literature or developed by specific industries. The methodology for reviewing the design process is based on sound system engineering principles consistent with the validation and verification of effective human factors.
Conclusion 3. Adequate design must go beyond guidelines. The discussion in NUREG-0711 on advanced technology and human performance and the design principles set out in Appendix A of NUREG-0700 Rev. 1 provide a framework within which the nuclear industry can specify, prototype, and empirically evaluate a proposed design. Demonstration that a design adheres to general principles of good human-system integration and takes into account known characteristics of human performance provides a viable framework in which implementation of somewhat intangible, but important, concepts can be assessed.
Conclusion 4. There is a wide range in the type and magnitude of the digital upgrades that can be made to safety and safety-related systems. It is important for the magnitude of the human factors review and evaluation to be commensurate with the magnitude of the change. Any change, however, that affects what information the operator sees or the system's response to a control input must be empirically evaluated to ensure that the new design does not compromise human-system interaction effectiveness.
Conclusion 5. The USNRC is not sufficiently active in the public human factors forum. For example, proposed human factors procedures and policies or sponsored research, such as NUREG-0700 Rev. 1, are not regularly presented and reviewed by the more general national and international human factors communities, including such organizations as the U.S. Human Factors and Ergonomics Society, Institute of Electrical and Electronics Engineers (IEEE), Society on Systems, Man, and Cybernetics, and the Association of Computing Machinery Special Interest Group on Computer-Human Interaction. European nuclear human factors researchers have used nuclear power plant human factors research to further a better understanding of human performance issues in both nuclear power plants and other safety-critical industries. Other safety-critical U.S. industries, such as space, aviation, and defense, participate actively, benefiting from the review and experience of others.
Recommendation 1. The USNRC should continue to use, where appropriate, review guidelines for both the design product and process. Care should be taken to update these guidelines as knowledge and conventional wisdom evolve—in both nuclear and nonnuclear applications.
Recommendation 2. The USNRC should assure that its reviews are not limited to guidelines or checklists. Designs should be assessed with respect to (a) the operator models that underlie them, (b) ways in which the designs address classic human-system interaction design problems, and (c) performance-based evaluations. Moreover, evaluations must use representative tasks, actual system dynamics, and real operators.
Recommendation 3. The USNRC should expand its review criteria to include a catalog or listing of classic human-machine interaction deficiencies that recur in many safety-critical applications. Understanding the problems and proposed solutions in other industries is a cost-effective way to avoid repeating the mistakes of others as digital technology is introduced into safety and safety-related nuclear systems.
Recommendation 4. Complementing Recommendation 2, although human factors reviews should be undertaken seriously, e.g., in a performance-based manner with realistic conditions and operators, the magnitude and range of the review should be commensurate with the nature and magnitude of the digital change.
Recommendation 5. The USNRC and the nuclear industry at large should regularly participate in the public forum. As noted in NUREG-0711, advanced human interface technologies potentially introduce many new, and as yet unresolved, human factors issues. It is crucial that the USNRC stay abreast of current research and best practices in other industries, and contribute findings from its own applications to the research and practitioner communities at large—for both review and education. (See also Technical Infrastructure chapter for additional discussion.)
Recommendation 6. The USNRC should encourage researchers with the Halden Reactor Project to actively participate in the international research forum to both share their results and learn from the efforts of others.
Recommendation 7. As funds are available, the USNRC's Office of Nuclear Regulatory Research should support research exploring higher-level issues of human-system integration, control, and automation. Such research should include exploration, specifically for nuclear power plant applications, of design methods, such as operator models, for more effectively specifying a design. Moreover, extensive field studies should be conducted to identify nuclear-specific technology problems and to compare and contrast the experiences in nuclear application with those of other safety-critical industries. Such research will add to the catalog of recurring deficiencies and potentially link them to proposed solutions.
Recommendation 8. Complementing its own research projects, the USNRC should consider coordinating a facility, perhaps with the U.S. Department of Energy, in which U.S. nuclear industries can prototype and empirically evaluate proposed designs. Inexpensive workstation technologies permit the development of high-fidelity workstation-based simulators of significant portions of control rooms. Other industries make extensive use of workstation-based part-task simulators (e.g., aviation); results are found to scale quite well to the systems as a whole.
Dedication of Commercial Off-the-Shelf Hardware and Software
Issue Statement. What methods should be agreed upon by the regulators and the licensees to evaluate and accept the use of commercial off-the-shelf digital I&C systems in safety applications in nuclear power plants?
Conclusion 1. Use of COTS hardware and software is an attractive possibility for the nuclear industry to pursue, provided that a technically adequate dedication process can be formulated and that this process does not negate the cost advantages of COTS.
Conclusion 2. The recently developed draft guideline of the Electric Power Research Institute (EPRI) working group, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, appears to have potential as the basis for reaching industry and USNRC consensus on the COTS issue. In view of this possibility, the committee notes that the guideline and the follow-on (second-tier) guidance should assure that the necessary and sufficient attributes of digital I&C application are defined for both hardware and software. Once these attributes are well-defined, various acceptable methods of assessing the validity of the attributes can be more readily ascertained and used and the requisite experience gained. As an example of the type of approach the committee considers appropriate, the EPRI working group and the USNRC staff should consider the FAA's DO-178B guideline for digital avionics, Software Considerations in Airborne Systems and Equipment Certification, which includes guidance on COTS.
Conclusion 3. Software quality assurance and safety and reliability assessment methods are strongly related to COTS. The committee's conclusions in Chapters 4 and 6, respectively, should therefore also be considered. Dedication processes for COTS should also prove relevant in cases where standardized software is reused among similar nuclear applications.
Conclusion 4. The USNRC involvement in the EPRI, Nuclear Utilities Software Management Group (NUSMG), IEEE, and International Society for Measurement and Control (ISA) working groups is very useful and should aid the USNRC in developing specific guidance to address the COTS issue.
Conclusion 5. The approach to COTS must apply criteria and verification activities commensurate with the safety significance and complexity of a specific application. For example, the level of verification activities applied to small-scale replacements of recorders and indicators would not be the same as that applied to large-scale replacements of reactor protection systems.
Recommendation 1. The USNRC staff should assure that their involvement in the EPRI, NUSMG, IEEE, and ISA working groups means that USNRC concerns and positions are being addressed so that any standards or guidelines developed by these groups can be quickly accepted and endorsed by the USNRC.
Recommendation 2. The USNRC should establish what research is needed to support USNRC acceptance of COTS in safety applications in nuclear plants. This research should then be incorporated into the overall research plan.
Recommendation 3. The USNRC regulatory guidance on the use of COTS should recognize and be based on the principle that criteria and verification activities are to be commensurate with the safety significance and complexity of the specific application.
Case-by-Case Licensing Process
Issue Statement. What changes should be considered in the regulatory process to provide more efficient and effective regulation of digital I&C systems in nuclear power plants? How can sufficient flexibility be incorporated to address the rapidly changing nature of the digital I&C technology and better match the time response of the regulatory process to the technology it controls? How can the regulatory process be made more efficient while maintaining its technical integrity?
Conclusion 1. As a general observation, the role of the regulator in overseeing the implementation of digital upgrades can be a valuable and important one. Particularly in an area such as digital I&C systems, where the state of the art evolves rapidly and where first-of-a-kind nuclear applications are contemplated, the oversight role of the regulator can bring valuable insights to the implementation of such upgrades. Indeed, the committee found several specific examples of this happening.
Conclusion 2. Nevertheless, the committee found that the regulatory response to the development and implementation of digital I&C upgrades in nuclear plants has proceeded in a manner that resulted in some degree of confusion and uncertainty within the licensee community with regard to the applicable regulatory requirements and the procedural framework for implementing such upgrades. This uncertainty and the resultant incremental cost has been a major contributor to the reluctance on the part of utilities in proceeding with digital upgrades.
Conclusion 3. The lack of generically applicable regulatory requirements for digital upgrades has resulted in a case-by-case approach that has contributed to the confusion and uncertainty. This approach to reviews may have been necessary in the early phase of the transition to digital systems. But the USNRC now has a sufficient body of experience with safety-related digital upgrades, gained over recent years and supplemented by the extensive experience of other countries and other industries, to enable the agency to establish a generically applicable regulatory regime that would govern the review and approval of such upgrades.
Conclusion 4. The process established in 10 CFR 50.59, wherein the agency has defined those circumstances where a licensee may make a modification without prior USNRC review and approval, is fundamentally sound, necessary, and consistent with the USNRC's responsibility to protect the public health and safety. In particular, it recognizes the practical necessity for licensees to make facility modifications consistent with their facility licensing basis, without the need for prior USNRC review and approval. Moreover, the process appropriately reflects the gradation of significance in changes that might be made in a nuclear plant and the USNRC's attendant role based upon these gradations. In this regard, the committee strongly believes that it is important for the USNRC to distinguish between digital upgrades that are significant (i.e., pose unreviewed safety questions) and those that are not, and tailor the scope and depth of the regulatory review in a manner that is commensurate with this gradation.
Conclusion 5. The committee believes that defining all safety-related digital upgrades as resulting in an unreviewed safety question, as stated in the USNRC's draft generic letter of August 1992, is contrary to both the letter and spirit of 10 CFR 50.59.
Conclusion 6. The agency has no formal process for cataloguing determinations made under 10 CFR 50.59 with regard to digital upgrades and the bases for these determinations. Such information would assist both the USNRC and the utilities in determining whether particular upgrades pose unreviewed safety questions.
Conclusion 7. Early interaction between a utility applicant and the USNRC can be extremely helpful in identifying and fleshing out important issues. Where this proactive interaction has occurred, the committee found that the subsequent regulatory review was more efficient and focused, minimizing resources that would otherwise be required on the part of both the utility and the USNRC.
Recommendation 1. The USNRC should place a high priority on its effort to develop a generically applicable framework for the review and evaluation of digital I&C upgrades for operating reactors.
Recommendation 2. In view of the rapid evolution of digital technology, a process should be established to ensure that the regulatory framework is updated to stay abreast of new developments. To ensure that this framework takes into account the best practices in other safety-critical industries, external and public review is highly desirable.
Recommendation 3. The USNRC should consider additional ways in which the guideline development process can be accelerated and streamlined. For example, consideration could be given to establishing chartered task groups involving representatives from the USNRC, the industry, and academia. These groups would be tasked and managed on a project basis to investigate and resolve unreviewed matters of possible safety significance that arise in the development and use of digital systems.
Recommendation 4. In developing its regulatory requirements, the USNRC should ensure that where issues arise that are unique to digital systems, they are treated appropriately. On the other hand, where issues arise with regard to digital upgrades that are no different from issues posed for analog systems, such issues should be treated consistently. The opportunity (or obligation) for the USNRC to review and approve digital upgrades should not be seen as an opportunity to impose new requirements on individual licensees unless the issue is unique to the application proposed.
Recommendation 5. In view of the substantial benefits of early interaction with individual utilities considering digital upgrades, as well as the benefit of working closely with industry groups and other interested members of the public in the development of standards and guidelines, the USNRC should undertake proactive efforts to interact early and frequently with individual utilities and with industry groups and other interested members of the public. In addition, it would be of benefit for the USNRC to be familiar with the broader evolving applications of digital I&C systems in both nuclear and nonnuclear applications. This, in turn, will provide a foundation for a cooperative working relationship.
Recommendation 6. The USNRC should revisit the "systems level" issue addressed in Generic Letter 95-02 and EPRI Report TR-102348 to ensure that this position is consistent with the historical interpretation of 10 CFR 50.59. The committee strongly endorses maintaining and formalizing the distinction between major and minor safety system upgrades containing digital technology.
Recommendation 7. The USNRC should establish a process for cataloguing 50.59 evaluations of digital upgrades in some centralized fashion, so that individual utilities considering such upgrades can review and consider past 50.59 determinations regarding when a particular modification has been found to result in an unreviewed safety question.
Adequacy of Technical Infrastructure
Issue Statement. Does the USNRC need to make changes in its staffing, training, and research program to support its regulation of digital I&C technology in nuclear power plants? If so, what is the appropriate program for the USNRC? How should this program be structured so that it maintains its effectiveness in the face of rapidly moving and developing technology and generally declining budgets?
Conclusion 1. The USNRC should make changes in its staffing, training, and research program to support its regulation of digital I&C technology in nuclear power plants. Specific recommendations are provided below.
Conclusion 2. The issue of adequate technical infrastructure is applicable not only to the USNRC but also to the nuclear industry as a whole. Many of the committee's recommendations for the USNRC have parallel applications to the nuclear industry.
Conclusion 3. The USNRC must anticipate that the regulatory technical infrastructure will continue to be challenged by advancing digital I&C technology. The focus of the near-term licensing effort will be on digital upgrades and certification of the advanced plants. The USNRC will have to continue to expand its technical infrastructure as use of digital technology expands and its sophistication increases.
Conclusion 4. There are problems inherent in the historical process for developing standards and industry guidelines, particularly those applied to the rapidly advancing digital technology. Pending development of alternate approaches, early involvement by the USNRC in developing standards and industry guidelines will foster more timely availability of regulatory guidance and acceptance criteria.
Conclusion 5. A strategic plan is needed for the USNRC research program on digital I&C applications. The current research program is a disjointed collection of studies lacking an underlying strategy and in some specific cases pursuing topics of questionable worth. The staff structure of the USNRC, which separates the staff of the Office of Nuclear Reactor Regulation (NRR) from the staff of the Office of Nuclear Regulatory Research (RES) and mandates that the RES staff respond to NRR "user needs," may be an obstacle to development of a coherent plan that balances near-term regulatory decision making and long-term research into problems on the horizon. Periodic outside review of the USNRC research program could help assure that the right issues are being addressed and could also lead to areas of collaborative research. The committee is aware of and notes favorably the impact of the existing Nuclear Safety Research Review Committee. However, a more formal, outside review would be useful. Perhaps this could be done on an exchange basis with other agencies to reduce resource demands.
Recommendation 1. Despite difficulties posed by declining budget and staffing levels in the face of rapidly moving technology and a stagnating nuclear industry, the USNRC must explore ways to improve the efficiency of the review process with existing staff and resources.
Recommendation 2. The USNRC should define a set of minimal and continuing training needs for existing and recruited staff. Particular attention should be paid to software quality assurance expertise. Once defined, the USNRC training program should be subjected to appropriate external review. Certification of USNRC expertise levels is one possibility the USNRC may wish to consider.
Recommendation 3. Consistent with Conclusion 5 above, the USNRC should develop a strategic plan for the research program conducted by the RES and NRR offices. The plan should emphasize balancing short-term regulatory needs and long-term, anticipatory research needs and should incorporate means of leveraging available resources to accomplish both sets of research objectives. It should also reach out more effectively to relevant technical communities (e.g., by the establishment of research simulators for human factors research), to the Electric Power Research Institute, to the Department of Energy, to foreign nuclear organizations, and to other safety-critical industries dealing with digital I&C issues. In making this recommendation, the committee recognizes the Halden Reactor Project provides an example of such cooperative research; but much of the Halden work cannot be published widely and therefore lacks the benefit of rigorous peer scrutiny.
Recommendation 4. Because research in the digital I&C area may require a longer time frame than that of single fiscal years, the USNRC should give consideration to planning and arranging funding on a multiyear basis.
Recommendation 5. Consistent with Conclusion 4 above, the USNRC should consider ways to accelerate preparation and updating of needed standards and guidance documents. In particular, the USNRC should consider using chartered task groups (see Recommendation 3 pertaining to the case-by-case licensing process).
The committee has presented what it believes to be a pragmatic approach for meeting the challenge. One key obstacle is overcoming impediments to communication.
There are a number of ways to address the communication difficulty. Some are already being pursued, some need to be initiated. The committee particularly emphasizes five areas of need:
the need for better, clearer, crisper statements of the regulatory concern and the appropriate acceptance criteria that are valid at any point in time
the need for the nuclear power industry and the USNRC to be more proactive in the relevant technical communities
the need for the nuclear power industry and its regulator to strengthen its technical infrastructure in digital systems
the need to formally address the communication problem in a systematic way
the need to tune up the regulatory mechanisms that are employed when an advanced technology, like digital I&C, has temporarily outpaced the regulations
Turning to high-level issues more specifically related to digital technology, the committee emphasizes the following:
The use of digital I&C technology does not obviate the standard methods for safety assessments of nuclear power plants.
Digital I&C systems (and digital systems in general) should not be addressed only in terms of hardware or software.
Most practical digital I&C systems cannot be exhaustively tested and therefore cannot be shown to be free from any and all errors.
In summary, the committee notes that digital instrumentation and control is state-of-the-art technology and is widely used both inside and outside the nuclear industry. Digital I&C systems offer powerful capabilities that can, however, affect nuclear power plant safety; therefore, digital systems should be treated carefully, particularly in safety-critical applications. It appears the USNRC and the nuclear power industry are moving forward with procedures, processes, and technical infrastructure needed to assure continued safe operation of the plants. The committee has suggested several improvements.
NUCLEAR POWER PLANT INSTRUMENTATION AND CONTROL SYSTEMS
Role of Instrumentation and Control in Nuclear Power Plants
Nuclear power plants rely on instrumentation and control (I&C) systems for monitoring, control, and protection. The grouping of I&C systems according to these three types of functions (monitoring, control, and protection) is discussed in some detail below. There is, however, another division of I&C systems into two categories called within the nuclear industry "nonsafety" and "safety." The nonsafety systems are used by the operators to monitor and control the normal operation of the plant, including startup and shutdown, and to mitigate and prevent plant operational transients. These nonsafety systems are backed up by a set of independent (noninteracting), redundant safety systems that are designed to take automatic action to prevent and mitigate accident conditions if the operators and the nonsafety systems fail to maintain the plant within normal operating conditions. Thus to some extent (but not entirely) nonsafety systems coincide with monitoring and control systems, safety systems with protection systems. This is discussed further below.
The two categories of systems, safety and nonsafety, are thought of as being consistent with and part of the defense-in-depth approach to safety.1 The distinction between them is important since essentially only the safety systems are "credited" (i.e., relied upon by the utility and the U.S. Nuclear Regulatory Commission [USNRC] as a basis for making judgments about safety) in the formal safety analyses of the plant. The safety systems are thus of particular concern in the USNRC's licensing procedures, whereas very few of the nonsafety systems fall under the same rigorous regulatory control. Before proceeding to further discussion of safety systems, however, it is in order to describe the three types of I&C systems in nuclear power plants.
Types of Instrumentation and Control Systems
In a nuclear power plant, the I&C systems—irrespective of whether they are analog or digital technology—are generally grouped into three types: plant monitoring and display systems, plant control systems, and plant protection and mitigation systems.
Plant Monitoring and Display Systems
Plant monitoring and display systems monitor plant variables and provide data to other I&C systems and to the plant operators for use in controlling the operation of the plant. Typical examples include systems that monitor and display the status of the fire protection system, fluid temperatures, and pressures. These systems also normally provide visual and audible alarms at various control stations, particularly the main control room, that notify operators of trends or particular values requiring action by the operator to avert an actual problem or emergency. Usually there are formal procedures the operators follow when such an alarm or notification occurs, with the alarm setpoint and required response time coordinated to give the operator adequate time to take action. Typically, the response times are on the order of tens of minutes; if inadequate time exists, an automated response is provided.
Plant Control Systems
Plant control systems are used to control all the normal operations of the plant. They are used in startup, power operations, shutdowns, and plant upsets. Regarded by plant owners as the primary controls for their expensive and complex plants, they are fully engineered, they are robust, and they usually have considerable redundancy (see below) to