Review Plan is currently in progress to fully adapt it and the associated regulatory guides, branch technical positions, and USNRC endorsements of industry standards to digital I&C systems.
Note that as a result of all these documents there is a lot of existing high-level guidance which is generally accepted and applied. For example, nuclear plants, including the digital I&C systems, are routinely required to undergo extensive hazards analyses as part of the licensing process. The regulators expect, and the industry provides, formal systematic reviews of the hardware and software using formal requirement specifications and independent reviews. It is not at this high level that additional criteria or guidance is needed. The difficulty arises in trying to implement this high-level guidance at the working level and trying to establish a working consensus in particular areas. Consider, for example, common-mode software failure. USNRC regulators require that this problem be addressed, and if a potential common-mode failure concern is detected then it must be dealt with. The exact methodology by which potential common-mode failures must be dealt with is not straightforward, and there is considerable controversy over what may be appropriate.
There are basic requirements for quality assurance. Within the context of these requirements, quality is demonstrated by meeting the Quality Assurance Criteria for nuclear power plants (Title 10 CFR Part 50, Appendix B, 1995) and the related, subsidiary industrial standards, including those on environmental qualifications. These basic requirements are supplemented by more specific regulatory guidance that was originally based on analog equipment but is being revised to specifically address digital equipment in the revision process described above (see Table 1-1).
Modifications and Upgrades
Another important aspect of any system modifications and replacement of existing equipment is 10 CFR 50.59 (see Appendix E), which also applies to I&C systems. The purpose of this regulation is to define the circumstances under which the licensees may, without prior USNRC approval, make changes and conduct experiments and tests that are not specifically provided for in their facility licenses. Since virtually all U.S. nuclear plants have original analog equipment, 10 CFR 50.59 is of particular interest if a licensee is contemplating a digital modification or upgrade. If the criteria for making a change without prior regulatory approval defined under 10 CFR 50.59 are not satisfied, a formal change to the license is needed under another part of the federal code, 10 CFR 50.90. The process required to formally change the license under 10 CFR 50.90 is more difficult procedurally, is more costly, and requires a longer schedule. Cost and schedule become increasingly important as utility companies feel the pressure of increasing economic competition and as proposed investments such as digital upgrades and modifications face stringent economic tests, such as rapid returns on investment.
The conditions an upgrade or modification must meet to be carried out under 10 CFR 50.59 are, first, that it must adhere to the design and operating conditions formally documented in the technical specifications for the license. Second, the change must not result in an "unreviewed safety question" (USQ). The criteria for determining whether or not a USQ exists are stated in 10 CFR 50.59(a)(2) (see Appendix E). To avoid a USQ, the change must not allow (a) an increased probability of occurrence or consequences of an accident or malfunction of equipment important to safety as previously evaluated in the licensing basis (safety analysis report); (b) possible creation of an accident or malfunction of a different type than previously evaluated in the licensing basis; or (c) a reduced margin of safety as defined in the licensing basis for any technical specification.
USNRC regulatory treatment of upgrades or modifications to nuclear power plants may be summarized as follows:
If there is a change in technical specifications, the licensee must seek prior USNRC approval via 10 CFR 50.90.
If the licensee's analysis shows the presence of a USQ per 10 CFR 50.59(a)(2), the licensee must seek prior USNRC approval via 10 CFR 50.90.
If there is no change in technical specifications and no USQ is uncovered, the licensee can make the change or upgrade without prior USNRC approval via 10 CFR 50.59.
There has been continuing discussion and controversy as to exactly how to interpret 10 CFR 50.59 when applied to digital modifications; this is discussed further in this report (see Chapter 9). Nevertheless, many digital retrofits have been made without the creation of a USQ as defined in 10 CFR 50.59 (see Appendix C).
CHALLENGES TO THE INTRODUCTION OF DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS
Successful introduction of digital I&C systems into U.S. nuclear power plants faces several challenges. These challenges have several related sources:
Uncertainty Inherent in Introduction of New Technology. There is some uncertainty inherent in the introduction of any new technology. According to Kletz (1995), "all changes and all new technologies introduce hazards as well as benefits." In a safety-critical industry like nuclear power, the users, designers, and regulators must proceed on the basis of choosing and implementing digital modifications so that the current high level of industrial and public safety is at least maintained and preferably increased. The challenge is to take advantage of the performance and safety enhancements potentially available from the use of digital technology without introducing offsetting potential hazards. Further, the design, assessment, and regulatory approach of these new digital systems must also provide some means of assessing the resultant margins of safety.
Shift of Existing Technology Base from Analog Experience. Much of the experience with U.S. nuclear plant design and operation has evolved primarily within the context of analog technology, as has the regulatory framework. Hence, in addition to coping with uncertainties arising from digital technology itself, its use may require changes or additions to the underlying technical infrastructure and regulatory framework.
Technical Problems Identified from Some Applications of Digital I&C in Nuclear Power Plants. The introduction and use of digital systems has not been trouble free. For example, on the basis of recent plant experience with several digital I&C retrofits, the USNRC has identified the following potential problem areas with digital I&C systems (Mauck, 1995):
common-mode failure in software
commercial dedication of hardware and software
possible lack of on-site plant experience with the new technology and systems
increased complexity leading to possible programming errors and incorrect outputs
reliability of standard software tools
environmental sensitivity: electromagnetic or radiofrequency interference, temperature, power quality, grounding, smoke
effects on plant margin of safety
Similar problems have also occurred in other applications and other industries (Kletz, 1995).
Difficult, Time-Consuming, and Customized Licensing Approach. Licensing of digital technology has presented a particular challenge for the USNRC. Because the regulatory approach has evolved with limited explicit consideration of digital technology, and because the response time to develop new regulatory bases and documentation is long, the pace of change in I&C systems has strained the regulatory process. As a result, the licensing process to date for regulatory review and approval of new digital I&C systems and modifications to existing systems has been difficult, time-consuming, and largely customized for each application. Many utilities are reluctant to seek a change that could not be carried out under 10 CFR 50.59, that is, without prior regulatory approval. (See below for discussion on recent USNRC activities in the digital I&C licensing process.)
Lack of Consensus (between the USNRC and the Regulated Industry) on Issues Underlying Evaluation and Adoption of Digital I&C Technology and Means to Obtain a Satisfactory Resolution. In order to deal effectively with these challenges, an effective consensus needs to exist. This will allow the benefits of the new technology to be fully exploited while assuring that safety and public confidence are maintained. However, the industry and regulators have less experience with this somewhat unfamiliar technology and have had difficulty in reaching an effective consensus.
It is important to note that the lack of consensus is not about the use of digital systems per se. Rather, much of the controversy revolves around specific issues, e.g., the potential for common-mode failures, and the lack of consensus on these specific issues tends to cloud whether or not the overall advantages of using digital I&C in nuclear power plants outweigh the disadvantages. This is made more difficult by the fact that the U.S. commercial nuclear power industry is heavily regulated. The rules for design and evaluation are subject to legal scrutiny and interpretation with severe penalties for violations and very real possibilities for litigation. Further, there are large amounts of capital investment at stake. Hence, delays in resolving issues, if translated into delays in allowing a nuclear power plant to operate, can cost up to hundreds of thousands of dollars per day. As a result, the definition of licensing criteria must follow systematic study and evaluation and sound synthesis of differing technical viewpoints. It is a process not to be undertaken lightly.
RESPONSE OF THE U.S. NUCLEAR REGULATORY COMMISSION AND NUCLEAR INDUSTRY TO THE CHALLENGES
Activities of the U.S. Nuclear Regulatory Commission
The USNRC has reviewed a number of retrofits of plant I&C systems from analog to digital. It has also begun reviewing designs of advanced plants (USNRC, 1991). However, the review process for both retrofits and advanced plant designs has been customized for each application. This, in turn, has provoked criticism of the USNRC for failing to adopt generically applicable standards. In an effort intended to address this criticism, the USNRC has a process under way to systematically review its internal directives and guidelines governing reviews of I&C systems with a view to adapting them for digital I&C technology (Wermiel, 1995). This process is due to be completed in 1997. In the interim, the USNRC has provided case-by-case approvals in specific plants, sought suggestions by its advisory committees for taking broad action, held a workshop seeking consensus on a regulatory program, and conducted research linking regulatory decision making to the context of I&C technology. A brief account follows. (A more detailed discussion appears in Appendix C.)
Small digital I&C upgrades have been routinely accepted; large retrofits have also been made, but the review process has been more difficult. These reviews have led to approvals at a number of nuclear power plants (see, e.g., USNRC, 1993b). Reviews of designs for advanced plants are also in progress. For example, a final design approval of the System 80+ advanced plant design has been completed (USNRC, 1994a).
The USNRC and its staff receive advice from a number of advisory committees. The Advisory Committee on Reactor Safeguards (ACRS), established by Congress in 1957, provides advice to the USNRC on safety aspects of current and planned nuclear facilities and the adequacy of safety standards. It has a subcommittee that examines the use of computers in nuclear power plant operations. The USNRC's Office of Nuclear Regulatory Research conducts a research program to support the organization's regulatory decision making. This program includes areas of focus relevant to the problem of evaluating and regulating digital I&C technology in nuclear power plants. The Nuclear Safety Research Review Committee (NSRRC) is a 12-member group of experts who advise the USNRC's Office of Nuclear Regulatory Research on the quality and management of its research program.
The ACRS and NSRRC have both expressed concern that the USNRC staff may be lagging behind the nuclear industry, in both the United States and foreign countries, in their understanding of the application of digital I&C systems. These committees have also urged the development of an overarching framework to guide USNRC regulation of new digital I&C technology (see, e.g., ACRS, 1992a, 1993a). The ACRS examined digital I&C technology and identified several concerns (ACRS, 1994), including:
the lack of a coherent and effective review plan, including acceptance criteria, for digital I&C technology
the need to address software specification development, software verification and validation, environmental effects on hardware, diversity as protection against common-mode failure, and prediction of I&C reliability.
The NSRRC (1992) has expressed concerns that partially overlap with those of the ACRS, such as:
the need to develop criteria for such issues as hardware reliability, software verification and validation, environmental effects (e.g., electromagnetic interference), common-mode failure, configuration management, and systems integration
the need for an overarching strategy to guide regulatory developments and the certification process for the new technology
the rapid pace of technological changes that affect I&C systems, including developments in the areas of artificial intelligence, expert systems, neural networks, fuzzy logic, genetic algorithms, and chaos theory
To address technical concerns, and in hopes of developing a wide consensus across the USNRC and the nuclear industry for a regulatory program, the USNRC held a workshop on digital systems reliability and nuclear safety, cosponsored by the National Institute of Standards and Technology, in September 1993 (USNRC, 1993a).
Activities of the Nuclear Power Industry
The nuclear power industry has been actively addressing the introduction of digital I&C technology into nuclear power plants. Under the auspices of the Electric Power Research Institute (EPRI), the industry has developed guidelines for streamlined licensing of digital I&C upgrades (EPRI, 1993). These guidelines have recently been partially endorsed by the USNRC, subject to specific clarifications (USNRC, 1995). Recent attempts at further clarifications suggest that the USNRC staff position continues to evolve (see Chapter 9 of this report).
The industry has also prepared a "Utility Requirements Document" for advanced plant designs (EPRI, 1992a, 1992b). Chapter 10 of this document provides guidance for designing the digital I&C systems and associated human-machine interfaces for the next generation of nuclear power plants. The document requires the use of fully integrated digital I&C technology. An extensive USNRC review of this document (USNRC, 1994b) did not resolve basic issues inherent in digital I&C technology implementation. However, the USNRC review did produce a set of agreed-upon high-level criteria for advanced plant designs, as well as defining the process the USNRC would use to complete their review and approval of these designs. The USNRC did accept digital technology for all the I&C systems of the advanced nuclear plants. However, for the advanced plants, the detailed issues that are being addressed in existing plants have yet to be addressed.
Other industry efforts include those of the nuclear steam supply system vendors, each of which has an ongoing program for developing digital I&C systems, both for retrofits and upgrades in existing plants and for future plants.
There is worldwide interest in digital I&C technology for nuclear power plants. For example, there is already significant application of digital I&C technology to nuclear power plants in Canada, Japan, and Western Europe (ACRS, 1992b; White, 1994). The Canadians have extensive operating experience with digital systems. Digital systems were first implemented 25 years ago because they were better suited to provide on-line control of their natural uranium-fueled, heavy water-moderated ("CANDU") plants, specifically, to monitor and control the power level and xenon oscillations. The British have adopted digital-based systems throughout their latest plant, Sizewell-B, and they have operated without incident during the first six months of plant operation (Nucleonics Week, 1995). The French have proceeded by gradually and systematically expanding the use of digital systems in each subsequent generation of their highly standardized plants. The latest design is completely digital-based and is implemented in the N4 series, the first of which is located at the Chooz-B site (Nucleonics Week, 1995). In Japan, digital systems have been implemented in several existing plants, including Ohi 3, which started commercial operation in 1992. The most recent plant to go into operation in Japan, the ABWR located at the Kashiwazaki site, is a digital-based design.
In addition, the United States, through both the Department of Energy and the USNRC, participates in international collaborative programs such as the Halden Reactor Project of the Organization for Economic Cooperation and Development.
A number of standards, USNRC regulations and regulatory guidelines (see, for example, USNRC, 1981), and USNRC publications exist to guide licensing of the current analog I&C systems. Since they were developed for analog systems, they can be difficult to apply and interpret for digital I&C systems. Nevertheless, pending the extensive revision of the USNRC's applicable documentation, which is currently under way, these documents have been used for reviewing digital I&C systems.
Standards developed for digital I&C systems in nuclear power plants exist. These include International Electrotechnical Commission (IEC) Standard 880, Software for Computers in the Safety Systems of Nuclear Power Plants (1986); and IEC Standard 987, Programmed Digital Computers Important to Safety for Nuclear Power Plants. A U.S. standard also exists, IEEE 7-4.3.2, Application Criteria for Programmable Digital Computer Systems in Nuclear Power Generating Stations (1993), promulgated by the Institute of Electrical and Electronics Engineers. While not yet formally endorsed by the USNRC, this standard has been employed in the safety evaluation of digital I&C retrofits in nuclear power plants.
The National Research Council was asked by the USNRC to conduct a study (including a workshop) on application of digital I&C technology to commercial nuclear power plant operations. The National Research Council appointed a committee (hereafter the committee) to carry out the study in two phases. In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under steady-state, transient, and accident operating conditions (NRC, 1995).
In response to this charge the committee identified eight key issues associated with the use of digital I&C systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues. The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing procedure and adequacy of the technical infrastructure. The committee recognizes these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee believes that developing consensus on these key issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants. These issues were presented in the Phase 1 report. Both the USNRC (represented by the staff of the Office of Nuclear Regulatory Research and the Office of Nuclear Reactor Regulation) and the Advisory Committee on Reactor Safeguards expressed agreement that these were important issues and that work by the committee in Phase 2