OCR for page 91
11 Overview and Summary

As the study progressed the committee recognized there are two major intertwined themes associated with the use of digital instrumentation and control in nuclear power plants. These are:

1. Dealing with the specific characteristics of digital instrumentation and control (I&C) technology as applied to nuclear power plants.

2. Dealing with a technology that is more advanced than the one widely in use in the existing nuclear power plants. This technology is rapidly advancing at a rate and in directions largely uncontrolled by the nuclear industry but at the same time likely to have a significant impact on the operation and regulation of nuclear power plants.

The technical issues the committee focuses on in this report are primarily related to digital technology itself (Theme 1), while the strategic issues are primarily related to the process of adopting advanced technology (Theme 2). Specifically, the issues largely related to digital technology are systems aspects, software quality assurance, common-mode software failures, quantitative assessment, human factors and human-machine interfaces, and commercial off-the-shelf equipment and systems. The strategic issues, which are not so tightly coupled to the digital technology, are two: case-by-case licensing and technical infrastructure. Although this alignment of issues with themes is not perfect insofar as some of the issues have elements belonging to both themes, nonetheless considering the issues in this way provides a useful framework for the overall discussion. A major impediment to having this discussion, however, was discovered by the committee in the communication barriers that exist among the key technical communities and individuals involved.

The committee itself, most of whose members have been active participants in one or more technical areas associated with digital instrumentation and control, brought a wealth of experience to the consideration of the issues and as a group represented a broad spectrum of the interested parties. Nevertheless, it took an extraordinary effort on the part of the committee to develop a common language and terms and reach a common understanding of the issues themselves, much less agree on ways to build a consensus for addressing these issues. It is clear, both from the committee's interactions with the many individuals who appeared before it and from individual committee members' interactions in their home communities, that this communication problem is widespread.

The basic reason for the communication difficulty is apparent. Work is simultaneously going on at a rapid rate in many areas, each with its own technology, research focus, and agenda. Unfortunately, although many of these areas use common terms, these terms often have different meanings to different groups, resulting in either a lack of communication or very difficult communication. This is particularly troublesome for the nuclear power industry and its regulators, who are not dominant in this technology and must try to synthesize information and experience from a variety of sources and apply it in power plants where safety hazards must be dealt with in a rigorous way, under public scrutiny.

There are a number of ways to address the communication difficulty. Some are already being pursued, some need to be initiated. The committee particularly emphasizes five areas of need:

1. There is a need for better, clearer, crisper statements of the regulatory concern and the appropriate acceptance criteria that are valid at any point in time. As noted in the previous chapters, the committee strongly prefers more focused, succinct statements of regulatory problems, criteria, and standards. This is to be contrasted with the current U.S. Nuclear Regulatory Commission (USNRC) approach, which is characterized by relatively complex statements of requirements created by interconnected endorsements and caveats in a family of standards and related documents. The committee understands that the USNRC staff has taken this path as the most efficient in terms of effort and time. But the committee is concerned that the gain in efficiency is offset by the loss of clarity as to what the regulatory concerns and issues are and the difficulty in clearly defining the related acceptance criteria. On the other hand, it is very important to recognize that criteria for regulation cannot always be quantitative and objective. For today's complex systems, this is clearly not always feasible. Human reliability is a case in point. One must do the best one can with a thoughtful mix of objectivity and expert judgment (subjectivity), given a finite budget.

2. There is a need for the nuclear power industry and the USNRC to be more proactive in the relevant technical communities. Their involvement is needed to be sure that valid issues and constraints, unique to the nuclear power industry, are recognized and addressed. Active involvement also helps the nuclear power community gain access to the broad expertise available in closely related but nonnuclear fields, e.g., software engineering.

3. There is a need for the nuclear power industry and its regulator to strengthen its technical infrastructure in digital systems. It is especially necessary in this area to work cooperatively and creatively to husband and multiply the available resources, by working together and carefully selecting the topics to be pursued. The committee recognizes the need for the regulator to be independent but sees maintaining this independence as feasible. The committee also sees some progress in this regard, particularly in early involvement by the regulators in reviewing and assessing industry research programs and guidelines development efforts and in new training programs for the USNRC staff. The committee commends those efforts and urges their expansion to make best use of the limited resources available.

4. There is a need to formally address the communication problem in a systematic way. This would include increased attention in documents to the clear definition of terms and context. The committee also suggests increased use of early, informal communication between the USNRC staff and the industry in areas where there is uncertainty or lack of clear regulatory guidance.

5. There is a need to tune up the regulatory mechanisms that are employed when an advanced technology, like digital I&C, has temporarily outpaced the regulations. Such a mechanism is 10 CFR 50.59, which the committee believes is fundamentally sound and should continue to be used. But, as discussed particularly in Chapter 9 (Case-by-Case Licensing Process), there are a number of changes that could be made to the regulatory process that would make this process much more efficient and assure that the intent and basis of the decisions made are fully communicated.

Turning to high-level issues more specifically related to digital technology, the committee emphasizes the following:

- Deterministic assessment methodologies, including design basis accident analysis, hazard analysis, and other formal analysis procedures, are applicable to digital systems, as long as they are applied with care.

- There is controversy within the software community as to whether an accurate failure probability can be assessed for software or even whether software fails randomly. However, the committee agreed that a software failure probability can be used for the purposes of performing probabilistic risk assessment (PRA) in order to determine the relative influence of digital system failure on the overall system. Explicitly including software failures in a PRA for a nuclear power plant is preferable to the alternative of ignoring software failures.

- Digital I&C systems (and digital systems in general) should not be addressed only in terms of hardware or software. Hardware and software must be treated together as a system; focusing solely on one or the other should be done with great caution. There are two examples from this report: First, the treatment of "common-mode software errors" leads far beyond the boundaries of the software itself; and the successful resolution of this problem emphasizes treatment of the systems as a whole. A second example is the treatment of complexity. It is important to assure that system complexity is addressed. For example, digital system complexity issues are not resolved by simplifying the software dramatically at the expense of introducing more complex (and potentially less testable) hardware.

- Most practical digital I&C systems cannot be exhaustively tested and therefore cannot be shown to be free from any and all errors. However, the committee is convinced that adequate approaches exist and can be applied within practical resource restraints to support the use of digital systems in safety-critical applications in nuclear power plants.

In summary, the committee notes that digital instrumentation and control is state-of-the-art technology and is widely used both inside and outside the nuclear industry. Digital I&C systems offer powerful capabilities that can, however, affect nuclear power plant safety; therefore, digital systems should be treated carefully, particularly in safety-critical applications. It appears the USNRC and the nuclear power industry are moving forward with procedures, processes, and technical infrastructure needed to assure continued safe operation of the plants. The committee has suggested several improvements. Given this situation, the committee considers the use of digital I&C systems in new nuclear power plants and in modifications and upgrades of existing plants to be appropriate and desirable. For existing plants, this is particularly true where digital I&C systems replace older systems and equipment for which vendor support is no longer readily available.
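The two points above about including a software failure probability in a PRA and about treating common-mode software failure as a system-level problem can be made concrete with a small fault-tree calculation. The following is an added worked example, not material from the committee's report: it models a redundant 2-out-of-3 trip system whose channels fail independently in hardware but all share one software image, so a software failure is a common-cause event that defeats every channel at once. The channel hardware probability (1e-3 per demand) and software probability (1e-4 per demand) are constructed placeholder values chosen for illustration, and the Fussell-Vesely importance used to express "relative influence" is a standard PRA measure assumed here, not one the chapter names.

```python
from math import comb


def _check_prob(name: str, p: float) -> None:
    """Reject inputs that are not probabilities; a PRA input outside [0,1] is a data error."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {p!r}")


def k_of_n_failure(n: int, k: int, p_hw: float) -> float:
    """Probability that a k-out-of-n voting system fails on demand.

    The system fails when fewer than k channels work, i.e. when at least
    n - k + 1 channels fail. Channel hardware failures are assumed
    independent with probability p_hw each (binomial model).
    """
    _check_prob("p_hw", p_hw)
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    min_failed = n - k + 1
    return sum(
        comb(n, j) * p_hw**j * (1.0 - p_hw) ** (n - j)
        for j in range(min_failed, n + 1)
    )


def system_failure(n: int, k: int, p_hw: float, p_sw: float) -> float:
    """Top-event probability with a shared software failure added as a common-cause event.

    Fault-tree OR gate: the system fails if the common software fails (all
    channels lost together) OR, software working, enough independent
    hardware channels fail. p_sw is the per-demand probability that the
    shared software produces an unsafe output (constructed placeholder).
    """
    _check_prob("p_sw", p_sw)
    independent = k_of_n_failure(n, k, p_hw)
    return p_sw + (1.0 - p_sw) * independent


def software_importance(n: int, k: int, p_hw: float, p_sw: float) -> float:
    """Fussell-Vesely importance of the software common-cause event.

    FV = (P(top) - P(top | software never fails)) / P(top): the fraction of
    the total failure probability that disappears if the software event is
    removed. This is the 'relative influence' of the digital failure mode.
    """
    total = system_failure(n, k, p_hw, p_sw)
    if total == 0.0:
        return 0.0
    without_sw = system_failure(n, k, p_hw, 0.0)
    return (total - without_sw) / total


def compare(n: int = 3, k: int = 2, p_hw: float = 1e-3, p_sw: float = 1e-4) -> dict:
    """Side-by-side result: PRA that ignores software versus one that includes it."""
    ignored = k_of_n_failure(n, k, p_hw)
    included = system_failure(n, k, p_hw, p_sw)
    return {
        "ignoring_software": ignored,
        "including_software": included,
        "underestimate_factor": included / ignored,
        "software_fussell_vesely": software_importance(n, k, p_hw, p_sw),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>24}: {value:.4g}")
```

With the constructed numbers, the hardware-only 2oo3 model gives roughly 3e-6 per demand, while adding the shared software event raises the top event to about 1e-4, a factor of roughly 34, and the software term carries about 97% of the Fussell-Vesely importance. That is the point of the committee's remark: the redundancy that makes independent hardware failures negligible does nothing against a failure mode common to every channel, and a PRA that omits it reports a system far safer than it is.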