OCR for page R1
Digital Instrumentation and Control Systems in Nuclear Power Plants
SAFETY AND RELIABILITY ISSUES
Final Report

Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety
Board on Energy and Environmental Systems
Commission on Engineering and Technical Systems
National Research Council

NATIONAL ACADEMY PRESS
Washington, D.C. 1997
NATIONAL ACADEMY PRESS
2101 Constitution Avenue, N.W.
Washington, D.C. 20418

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competencies and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

This report and the study on which it is based were supported by Contract No. NRC-04-94-055 from the U.S. Nuclear Regulatory Commission.

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. The views expressed in this paper are not necessarily those of the U.S. Nuclear Regulatory Commission.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is interim president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. William A. Wulf are chairman and interim vice chairman, respectively, of the National Research Council.

Limited copies of this report are available from:
Board on Energy and Environmental Systems
National Research Council (HA-270)
2101 Constitution Avenue, N.W.
Washington, DC 20418
(202) 334-3344
email@example.com, http://www2.nas.edu/bees

Additional copies are available for sale from:
National Academy Press
Box 285
2101 Constitution Avenue, N.W.
Washington, DC 20055
800-624-6242 or 202-334-3313 (in the Washington Metropolitan Area)
http://www.nap.edu

Library of Congress Catalog Card Number 97-66084
International Standard Book Number 0-309-05732-9

Copyright 1997 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America.
COMMITTEE ON APPLICATION OF DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS TO NUCLEAR POWER PLANT OPERATIONS AND SAFETY

DOUGLAS M. CHAPIN (chair), MPR Associates, Alexandria, Virginia
JOANNE BECHTA DUGAN, University of Virginia, Charlottesville
DONALD A. BRAND, NAE, Pacific Gas and Electric Company (retired), Novato, California
JAMES R. CURTISS, Winston and Strawn, Washington, D.C. (from October 1995)
D. LARRY DAMON, Bechtel Research and Development, San Francisco, California
MICHAEL DeWALT, Federal Aviation Administration, Seattle, Washington (from October 1995)
JOHN D. GANNON, University of Maryland, College Park
ROBERT L. GOBLE, Clark University, Worcester, Massachusetts
DAVID J. HILL, Argonne National Laboratory, Argonne, Illinois
PETER E. KATZ, Calvert Cliffs Nuclear Power Plant, Lusby, Maryland
NANCY G. LEVESON, University of Washington, Seattle
CHRISTINE M. MITCHELL, Georgia Institute of Technology, Atlanta
CARMELO RODRIGUEZ, General Atomics Company, San Diego, California
JAMES D. WHITE, Oak Ridge National Laboratory, Oak Ridge, Tennessee

Project Staff
TRACY D. WILSON, study director, Board on Energy and Environmental Systems (BEES)
SUSANNA E. CLARENDON, senior project assistant, BEES (from May 1996)
THERON FEIST, project assistant, BEES (until June 1995)
HELEN JOHNSON, administrative associate, BEES (until July 1995)
WENDY LEWALLEN, senior project assistant, BEES (June 1995 to May 1996)
MAHADEVAN MANI, associate executive director, Commission on Engineering and Technical Systems (from January 1996)
JAMES J. ZUCCHETTO, director, BEES (from January 1996)

NAE: Member, National Academy of Engineering
BOARD ON ENERGY AND ENVIRONMENTAL SYSTEMS

ROBERT L. HIRSCH (chair), Energy Technology Collaborative, Inc., Washington, D.C.
RICHARD MESERVE (vice chair), Covington and Burling, Washington, D.C.
JAN BEYEA, Consultant, New York, New York
E. GAIL de PLANQUE, NAE, Consultant, Potomac, Maryland
LINDA C. DOLAN, Lockheed Martin Electronics and Missiles, Orlando, Florida
WILLIAM FULKERSON, University of Tennessee, Knoxville
JACQUES GANSLER, TASC, Inc., Arlington, Virginia
ROY S. GORDON, NAS, Harvard University, Cambridge, Massachusetts
FRANCOIS E. HEUZE, Lawrence Livermore National Laboratory, Livermore, California
LAWRENCE T. PAPAY, NAE, Bechtel Group, Inc., San Francisco, California
RUTH A. RECK, Argonne National Laboratory, Argonne, Illinois
JOEL SPIRA, NAE, Lutron Electronics Co., Inc., Coopersburg, Pennsylvania
JAMES LEE SWEENEY, Stanford University, Stanford, California
IRVIN L. WHITE, UTECH, Inc., Fairfax, Virginia

Former Members Active during Reporting Period
H.M. (HUB) HUBBARD (chair), Pacific International Center for High Technology Research (retired), Honolulu, Hawaii
ROBERT D. BANKS, World Resources Institute, Washington, D.C.
ALLEN J. BARD, NAS, University of Texas, Austin
DAVID E. DANIEL, University of Texas, Austin
THOMAS O'ROURKE, NAE, Cornell University, Ithaca, New York

Liaison Members from the Commission on Engineering and Technical Systems
RICHARD A. CONWAY, NAE, Union Carbide Corporation, South Charleston, West Virginia
JERRY SCHUBEL, New England Aquarium, Boston, Massachusetts

Staff
JAMES J. ZUCCHETTO, director (since January 1996)
SUSANNA E. CLARENDON, administrative assistant
WENDY LEWALLEN, senior project assistant (until May 1996)
JILL WILSON, senior program officer
TRACY D. WILSON, senior program officer

NAE: Member, National Academy of Engineering
NAS: Member, National Academy of Sciences
Preface

The nuclear industry and the staff of the U.S. Nuclear Regulatory Commission (USNRC) have worked for several years on how best to safely introduce digital instrumentation and control systems into nuclear power plants. But together they have failed to reach consensus. This lack of consensus led the USNRC to request the National Research Council, through its Board on Energy and Environmental Systems of the Commission on Engineering and Technical Systems, to conduct the study whose results are reported here. The National Research Council's Computer Science and Telecommunications Board and the Council's Division on Education, Labor, and Human Performance provided additional technical support.

The Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety (see Appendix A) was appointed by the National Research Council on December 20, 1994, to examine the use of digital instrumentation and control systems in nuclear power plants. This work was to be conducted in two phases. The final report summarizes the work of both Phase 1 and Phase 2.

In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under normal, transient, and accident conditions. In response to this charge the committee identified eight key issues associated with the use of digital instrumentation and control (I&C) systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues. The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of the technical infrastructure. The committee recognizes that these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee considers that developing consensus on these key issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

In Phase 2 of the study, the committee was charged to identify criteria for review and acceptance of digital instrumentation and control technology in both retrofitted reactors and new reactors of advanced design; to characterize and evaluate alternative approaches to the certification or licensing of this technology; and, where sufficient scientific basis exists, recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital instrumentation and control technology, including means for identifying and addressing new issues that may result from future development of this technology. Where insufficient scientific basis exists to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information.

In carrying out its Phase 2 charge, the committee limited its work to those issues identified in Phase 1. Further, the reader should not form too literal an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to assess, test, license, and/or certify proposed systems and upgrades. Rather, the results of the committee's efforts are presented in the form of conclusions and recommendations related to each key issue and primarily addressed to the USNRC for their consideration and use for setting detailed licensing criteria and guidelines for digital I&C applications in nuclear power plants. The report discusses the difficult and complex nature of the key issues and directions for developing consensus on assessment of digital technology. The committee outlined criteria where it was possible to do so but focused primarily on (a) process both in developing guidelines and in the short-term acceptance of new technology; (b) identifying promising approaches for further actions by the USNRC beyond the committee's report; (c) suggestions for avoiding dead-ends; and (d) mechanics for improving communication and strengthening technical infrastructure at the USNRC.

To carry out its work, the committee held a number of meetings, including site visits to several power plant facilities and simulators (see Appendix B). The committee also held detailed discussions with members of the staff of the U.S. Nuclear Regulatory Commission, the Nuclear Safety Research Review Committee, the Advisory Committee on Reactor Safeguards, members of the U.S. and foreign nuclear industries, and representatives from other safety-critical industries, who provided a variety of perspectives and information on digital instrumentation and control technology and its regulation.

The committee is grateful to the many individuals who provided technical information and insights on this topic during briefings and site visits. The chairman is also particularly grateful to the members of this committee who worked diligently and effectively on a very demanding schedule to meet a very difficult charge and produce this work. Special commendation and thanks are also extended to Tracy Wilson of the staff of the National Research Council, who was a pillar of strength and whose never failing energy and focus greatly facilitated the work of the committee.

Douglas M. Chapin
Committee Chair
Contents

LIST OF TABLES AND FIGURES  x
ACRONYMS  xi
EXECUTIVE SUMMARY  1

1 INTRODUCTION  13
  Nuclear Power Plant Instrumentation and Control Systems  13
  Transition from Analog to Digital Instrumentation and Control Systems  15
  Licensing of Instrumentation and Control Systems  17
  Challenges to the Introduction of Digital Instrumentation and Control Systems  18
  Response of the U.S. Nuclear Regulatory Commission and Nuclear Industry to the Challenges  19
  This Study  21
  References  23

2 KEY ISSUES  25
  Developing the Key Issues (Phase 1)  25
  Addressing the Key Issues (Phase 2)  25
  Presenting the Key Issues  26
  References  26

3 SYSTEMS ASPECTS OF DIGITAL INSTRUMENTATION AND CONTROL TECHNOLOGY  27
  Introduction  27
  Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans  28
  Developments in the U.S. Nuclear Industry  29
  Developments in the Foreign Nuclear Industry  29
  Developments in Other Safety-Critical Industries  30
  Discussion  30
  Conclusions and Recommendations  32
  References  32

4 SOFTWARE QUALITY ASSURANCE  33
  Introduction  33
  Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans  35
  Developments in the U.S. Nuclear Industry  37
  Developments in the Foreign Nuclear Industry  37
  Developments in Other Safety-Critical Industries  38
  Review of Experience  39
  Conclusions and Recommendations  41
  References  42

5 COMMON-MODE SOFTWARE FAILURE POTENTIAL  43
  Introduction and Background  43
  U.S. Nuclear Regulatory Commission Position  45
  Developments in the Foreign Nuclear Industry  45
  Developments in Other Safety-Critical Industries  45
  U.S. Nuclear Regulatory Commission Research Activities  47
  Analysis  47
  Conclusions and Recommendations  50
  References  51

6 SAFETY AND RELIABILITY ASSESSMENT METHODS  52
  Introduction  52
  Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans  55
  Developments in the U.S. Nuclear Industry  55
  Developments in the Foreign Nuclear Industry  55
  Developments in Other Safety-Critical Industries  56
  Analysis  56
  Conclusions and Recommendations  57
  References  57

7 HUMAN FACTORS AND HUMAN-MACHINE INTERFACES  59
  Introduction  59
  Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans  60
  Developments in the U.S. Nuclear Industry  62
  Developments in the Foreign Nuclear Industry  62
  Developments in Other Safety-Critical Industries  62
  Analysis  63
  Conclusions and Recommendations  67
  References  69

8 DEDICATION OF COMMERCIAL OFF-THE-SHELF HARDWARE AND SOFTWARE  71
  Introduction  71
  Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans  72
  Developments in the U.S. Nuclear Industry  72
  Developments in the Foreign Nuclear Industry  74
  Developments in Other Safety-Critical Industries  74
  Analysis  75
  Conclusions and Recommendations  76
  References  76

9 CASE-BY-CASE LICENSING PROCESS  78
  Introduction  78
  Regulatory Framework for Evaluating Digital Upgrades  79
  Overview of Nuclear Applications of Digital Technology  80
  Regulatory Response  80
  Approaches to Regulation in Other Countries  81
  Research and Plans  81
  Analysis  81
  Conclusions and Recommendations  83
  References  84

10 ADEQUACY OF TECHNICAL INFRASTRUCTURE  85
  Introduction  85
  U.S. Nuclear Regulatory Commission Regulatory Positions and Plans  85
  Developments in the U.S. Nuclear Industry  86
  Developments in the Foreign Nuclear Industry  87
  Developments in Other Safety-Critical Industries  87
  Analysis  87
  Conclusions and Recommendations  89
  References  90

11 OVERVIEW AND SUMMARY  91

APPENDICES
  A Biographical Sketches of Committee Members  95
  B Committee Meetings (Phases 1 and 2)  98
  C U.S. Nuclear Regulatory Commission Licensing of Digital Instrumentation and Control Technology  101
  D Development of the Final List of Eight Issues  103
  E Excerpts from Licensing Regulations  105
  F Digital Instrumentation and Control System Features  108

GLOSSARY  111
List of Tables and Figures

TABLES
1-1 USNRC Design and Quality Assurance Guidance  17
4-1 U.S. Software-Related LERs between 1990 and 1993  40
4-2 Summary of Canadian Software-Related Event Reports 1980–1993  41

FIGURES
1-1 Illustration of nuclear plant I&C systems  16
7-1 Evolution of Japanese nuclear power plant control rooms  61
7-2 Human factors issues in the control of safety critical systems  64
8-1 Equivalent level of assurance for nuclear grade and commercial digital equipment  73
Acronyms

ABB  Asea Brown Boveri
ABWR  advanced boiling water reactor
ACRS  Advisory Committee on Reactor Safeguards
ANS  American Nuclear Society
ANSI  American National Standards Institute
APWR  advanced pressurized water reactor
ASIC  application-specific integrated circuit
ATWS  anticipated transient without scram
BEES  Board on Energy and Environmental Systems
CETS  Commission on Engineering and Technical Systems
CFR  Code of Federal Regulations
CMF  common-mode failure
COTS  commercial off-the-shelf
EDF  Electricité de France
EMI  electromagnetic interference
EPRI  Electric Power Research Institute
EPS  emergency power system
ESFAS  engineered safety features actuation system
FPGA  field programmable gate arrays
FSAR  final safety analysis report
FTA  fault tree analysis
GE  General Electric
GL  generic letter
HCI  human-computer interface
HSI  human-system interface
I&C  instrumentation and control
IEC  International Electrotechnical Commission
IEEE  Institute of Electrical and Electronics Engineers
INPO  Institute for Nuclear Power Operations
ISA  International Society for Measurement and Control
MTTF  mean time to failure
NEI  Nuclear Energy Institute
NRR  Office of Nuclear Reactor Regulation (USNRC)
NSRRC  Nuclear Safety Research Review Committee
NUSMG  Nuclear Utilities Software Management Group
PLC  programmable logic controller
PRA  probabilistic risk assessment
PSA  probabilistic safety assessment
RES  Office of Nuclear Regulatory Research (USNRC)
RFI  radiofrequency interference
RPS  reactor protection system
SAR  safety analysis report
SRP  Standard Review Plan
USNRC  U.S. Nuclear Regulatory Commission
USQ  unreviewed safety question
Digital Instrumentation and Control Systems in Nuclear Power Plants