Digital Instrumentation and Control Systems in Nuclear Power Plants

SAFETY AND RELIABILITY ISSUES

Final Report

Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety

Board on Energy and Environmental Systems

Commission on Engineering and Technical Systems

National Research Council

NATIONAL ACADEMY PRESS
Washington, D.C.
1997








NATIONAL ACADEMY PRESS
2101 Constitution Avenue, N.W.
Washington, D.C. 20418

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competencies and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

This report and the study on which it is based were supported by Contract No. NRC-04-94-055 from the U.S. Nuclear Regulatory Commission.

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. The views expressed in this paper are not necessarily those of the U.S. Nuclear Regulatory Commission.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is interim president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. William A. Wulf are chairman and interim vice chairman, respectively, of the National Research Council.

Limited copies of this report are available from:
Board on Energy and Environmental Systems
National Research Council (HA-270)
2101 Constitution Avenue, N.W.
Washington, DC 20418
(202) 334-3344
bees@nas.edu, http://www2.nas.edu/bees

Additional copies are available for sale from:
National Academy Press
Box 285
2101 Constitution Avenue, N.W.
Washington, DC 20055
800-624-6242 or 202-334-3313 (in the Washington Metropolitan Area)
http://www.nap.edu

Library of Congress Catalog Card Number 97-66084
International Standard Book Number 0-309-05732-9

Copyright 1997 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America.

COMMITTEE ON APPLICATION OF DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS TO NUCLEAR POWER PLANT OPERATIONS AND SAFETY

DOUGLAS M. CHAPIN (chair), MPR Associates, Alexandria, Virginia
JOANNE BECHTA DUGAN, University of Virginia, Charlottesville
DONALD A. BRAND, NAE, Pacific Gas and Electric Company (retired), Novato, California
JAMES R. CURTISS, Winston and Strawn, Washington, D.C. (from October 1995)
D. LARRY DAMON, Bechtel Research and Development, San Francisco, California
MICHAEL DeWALT, Federal Aviation Administration, Seattle, Washington (from October 1995)
JOHN D. GANNON, University of Maryland, College Park
ROBERT L. GOBLE, Clark University, Worcester, Massachusetts
DAVID J. HILL, Argonne National Laboratory, Argonne, Illinois
PETER E. KATZ, Calvert Cliffs Nuclear Power Plant, Lusby, Maryland
NANCY G. LEVESON, University of Washington, Seattle
CHRISTINE M. MITCHELL, Georgia Institute of Technology, Atlanta
CARMELO RODRIGUEZ, General Atomics Company, San Diego, California
JAMES D. WHITE, Oak Ridge National Laboratory, Oak Ridge, Tennessee

Project Staff

TRACY D. WILSON, study director, Board on Energy and Environmental Systems (BEES)
SUSANNA E. CLARENDON, senior project assistant, BEES (from May 1996)
THERON FEIST, project assistant, BEES (until June 1995)
HELEN JOHNSON, administrative associate, BEES (until July 1995)
WENDY LEWALLEN, senior project assistant, BEES (June 1995 to May 1996)
MAHADEVAN MANI, associate executive director, Commission on Engineering and Technical Systems (from January 1996)
JAMES J. ZUCCHETTO, director, BEES (from January 1996)

NAE: Member, National Academy of Engineering

BOARD ON ENERGY AND ENVIRONMENTAL SYSTEMS

ROBERT L. HIRSCH (chair), Energy Technology Collaborative, Inc., Washington, D.C.
RICHARD MESERVE (vice chair), Covington and Burling, Washington, D.C.
JAN BEYEA, Consultant, New York, New York
E. GAIL de PLANQUE, NAE, Consultant, Potomac, Maryland
LINDA C. DOLAN, Lockheed Martin Electronics and Missiles, Orlando, Florida
WILLIAM FULKERSON, University of Tennessee, Knoxville
JACQUES GANSLER, TASC, Inc., Arlington, Virginia
ROY S. GORDON, NAS, Harvard University, Cambridge, Massachusetts
FRANCOIS E. HEUZE, Lawrence Livermore National Laboratory, Livermore, California
LAWRENCE T. PAPAY, NAE, Bechtel Group, Inc., San Francisco, California
RUTH A. RECK, Argonne National Laboratory, Argonne, Illinois
JOEL SPIRA, NAE, Lutron Electronics Co., Inc., Coopersburg, Pennsylvania
JAMES LEE SWEENEY, Stanford University, Stanford, California
IRVIN L. WHITE, UTECH, Inc., Fairfax, Virginia

Former Members Active during Reporting Period

H.M. (HUB) HUBBARD (chair), Pacific International Center for High Technology Research (retired), Honolulu, Hawaii
ROBERT D. BANKS, World Resources Institute, Washington, D.C.
ALLEN J. BARD, NAS, University of Texas, Austin
DAVID E. DANIEL, University of Texas, Austin
THOMAS O'ROURKE, NAE, Cornell University, Ithaca, New York

Liaison Members from the Commission on Engineering and Technical Systems

RICHARD A. CONWAY, NAE, Union Carbide Corporation, South Charleston, West Virginia
JERRY SCHUBEL, New England Aquarium, Boston, Massachusetts

Staff

JAMES J. ZUCCHETTO, director (since January 1996)
SUSANNA E. CLARENDON, administrative assistant
WENDY LEWALLEN, senior project assistant (until May 1996)
JILL WILSON, senior program officer
TRACY D. WILSON, senior program officer

NAE: Member, National Academy of Engineering
NAS: Member, National Academy of Sciences

Preface

The nuclear industry and the staff of the U.S. Nuclear Regulatory Commission (USNRC) have worked for several years on how best to safely introduce digital instrumentation and control systems into nuclear power plants. But together they have failed to reach consensus. This lack of consensus led the USNRC to request the National Research Council, through its Board on Energy and Environmental Systems of the Commission on Engineering and Technical Systems, to conduct the study whose results are reported here. The National Research Council's Computer Science and Telecommunications Board and the Council's Division on Education, Labor, and Human Performance provided additional technical support.

The Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety (see Appendix A) was appointed by the National Research Council on December 20, 1994, to examine the use of digital instrumentation and control systems in nuclear power plants. This work was to be conducted in two phases. The final report summarizes the work of both Phase 1 and Phase 2.

In Phase 1, the committee was charged to define the important safety and reliability issues (concerning hardware, software, and human-machine interfaces) that arise from the introduction of digital instrumentation and control technology in nuclear power plant operations, including operations under normal, transient, and accident conditions. In response to this charge the committee identified eight key issues associated with the use of digital instrumentation and control (I&C) systems in existing and advanced nuclear power plants. The eight issues separate into six technical issues and two strategic issues.

The six technical issues are: systems aspects of digital I&C technology; software quality assurance; common-mode software failure potential; safety and reliability assessment methods; human factors and human-machine interfaces; and dedication of commercial off-the-shelf hardware and software. The two strategic issues are the case-by-case licensing process and the adequacy of the technical infrastructure. The committee recognizes that these are not the only issues and topics of concern and debate in this area. Nevertheless, the committee considers that developing consensus on these key issues will be a major step forward and accelerate the appropriate use and licensing of digital I&C systems in nuclear power plants.

In Phase 2 of the study, the committee was charged to identify criteria for review and acceptance of digital instrumentation and control technology in both retrofitted reactors and new reactors of advanced design; to characterize and evaluate alternative approaches to the certification or licensing of this technology; and, where sufficient scientific basis exists, to recommend guidelines on the basis of which the USNRC can regulate and certify (or license) digital instrumentation and control technology, including means for identifying and addressing new issues that may result from future development of this technology. Where insufficient scientific basis exists to make such recommendations, the committee was to suggest ways in which the USNRC could acquire the required information. In carrying out its Phase 2 charge, the committee limited its work to those issues identified in Phase 1.

Further, the reader should not form too literal an expectation that the committee has provided a cogent set of principles, design guidelines, and specific requirements for ready use by the USNRC to assess, test, license, and/or certify proposed systems and upgrades. Rather, the results of the committee's efforts are presented in the form of conclusions and recommendations related to each key issue and primarily addressed to the USNRC for its consideration and use in setting detailed licensing criteria and guidelines for digital I&C applications in nuclear power plants. The report discusses the difficult and complex nature of the key issues and directions for developing consensus on assessment of digital technology. The committee outlined criteria where it was possible to do so but focused primarily on (a) process, both in developing guidelines and in the short-term acceptance of new technology; (b) identifying promising approaches for further actions by the USNRC beyond the committee's report; (c) suggestions for avoiding dead-ends; and (d) mechanics for improving communication and strengthening technical infrastructure at the USNRC.

To carry out its work, the committee held a number of meetings, including site visits to several power plant facilities and simulators (see Appendix B). The committee also held detailed discussions with members of the staff of the U.S. Nuclear Regulatory Commission, the Nuclear Safety Research Review Committee, the Advisory Committee on Reactor Safeguards, members of the U.S. and foreign nuclear industries, and representatives from other safety-critical industries, who provided a variety of perspectives and information on digital instrumentation and control technology and its regulation.

The committee is grateful to the many individuals who provided technical information and insights on this topic during briefings and site visits. The chairman is also particularly grateful to the members of this committee who worked diligently and effectively on a very demanding schedule to meet a very difficult charge and produce this work. Special commendation and thanks are also extended to Tracy Wilson of the staff of the National Research Council, who was a pillar of strength and whose never-failing energy and focus greatly facilitated the work of the committee.

Douglas M. Chapin
Committee Chair

Contents

LIST OF TABLES AND FIGURES   x
ACRONYMS   xi
EXECUTIVE SUMMARY   1

1  INTRODUCTION   13
    Nuclear Power Plant Instrumentation and Control Systems   13
    Transition from Analog to Digital Instrumentation and Control Systems   15
    Licensing of Instrumentation and Control Systems   17
    Challenges to the Introduction of Digital Instrumentation and Control Systems   18
    Response of the U.S. Nuclear Regulatory Commission and Nuclear Industry to the Challenges   19
    This Study   21
    References   23

2  KEY ISSUES   25
    Developing the Key Issues (Phase 1)   25
    Addressing the Key Issues (Phase 2)   25
    Presenting the Key Issues   26
    References   26

3  SYSTEMS ASPECTS OF DIGITAL INSTRUMENTATION AND CONTROL TECHNOLOGY   27
    Introduction   27
    Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans   28
    Developments in the U.S. Nuclear Industry   29
    Developments in the Foreign Nuclear Industry   29
    Developments in Other Safety-Critical Industries   30
    Discussion   30
    Conclusions and Recommendations   32
    References   32

4  SOFTWARE QUALITY ASSURANCE   33
    Introduction   33
    Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans   35
    Developments in the U.S. Nuclear Industry   37
    Developments in the Foreign Nuclear Industry   37
    Developments in Other Safety-Critical Industries   38
    Review of Experience   39
    Conclusions and Recommendations   41
    References   42

5  COMMON-MODE SOFTWARE FAILURE POTENTIAL   43
    Introduction and Background   43
    U.S. Nuclear Regulatory Commission Position   45
    Developments in the Foreign Nuclear Industry   45
    Developments in Other Safety-Critical Industries   45
    U.S. Nuclear Regulatory Commission Research Activities   47
    Analysis   47
    Conclusions and Recommendations   50
    References   51

6  SAFETY AND RELIABILITY ASSESSMENT METHODS   52
    Introduction   52
    Current U.S. Nuclear Regulatory Commission Regulatory Position and Plans   55
    Developments in the U.S. Nuclear Industry   55
    Developments in the Foreign Nuclear Industry   55
    Developments in Other Safety-Critical Industries   56
    Analysis   56
    Conclusions and Recommendations   57
    References   57

7  HUMAN FACTORS AND HUMAN-MACHINE INTERFACES   59
    Introduction   59
    Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans   60
    Developments in the U.S. Nuclear Industry   62
    Developments in the Foreign Nuclear Industry   62
    Developments in Other Safety-Critical Industries   62
    Analysis   63
    Conclusions and Recommendations   67
    References   69

8  DEDICATION OF COMMERCIAL OFF-THE-SHELF HARDWARE AND SOFTWARE   71
    Introduction   71
    Current U.S. Nuclear Regulatory Commission Regulatory Positions and Plans   72
    Developments in the U.S. Nuclear Industry   72
    Developments in the Foreign Nuclear Industry   74
    Developments in Other Safety-Critical Industries   74
    Analysis   75
    Conclusions and Recommendations   76
    References   76

9  CASE-BY-CASE LICENSING PROCESS   78
    Introduction   78
    Regulatory Framework for Evaluating Digital Upgrades   79
    Overview of Nuclear Applications of Digital Technology   80
    Regulatory Response   80
    Approaches to Regulation in Other Countries   81
    Research and Plans   81
    Analysis   81
    Conclusions and Recommendations   83
    References   84

10  ADEQUACY OF TECHNICAL INFRASTRUCTURE   85
    Introduction   85
    U.S. Nuclear Regulatory Commission Regulatory Positions and Plans   85
    Developments in the U.S. Nuclear Industry   86
    Developments in the Foreign Nuclear Industry   87
    Developments in Other Safety-Critical Industries   87
    Analysis   87
    Conclusions and Recommendations   89
    References   90

11  OVERVIEW AND SUMMARY   91

APPENDICES
    A  Biographical Sketches of Committee Members   95
    B  Committee Meetings (Phases 1 and 2)   98
    C  U.S. Nuclear Regulatory Commission Licensing of Digital Instrumentation and Control Technology   101
    D  Development of the Final List of Eight Issues   103
    E  Excerpts from Licensing Regulations   105
    F  Digital Instrumentation and Control System Features   108

GLOSSARY   111

List of Tables and Figures

TABLES
1-1  USNRC Design and Quality Assurance Guidance   17
4-1  U.S. Software-Related LERs between 1990 and 1993   40
4-2  Summary of Canadian Software-Related Event Reports 1980–1993   41

FIGURES
1-1  Illustration of nuclear plant I&C systems   16
7-1  Evolution of Japanese nuclear power plant control rooms   61
7-2  Human factors issues in the control of safety critical systems   64
8-1  Equivalent level of assurance for nuclear grade and commercial digital equipment   73

Acronyms

ABB    Asea Brown Boveri
ABWR   advanced boiling water reactor
ACRS   Advisory Committee on Reactor Safeguards
ANS    American Nuclear Society
ANSI   American National Standards Institute
APWR   advanced pressurized water reactor
ASIC   application-specific integrated circuit
ATWS   anticipated transient without scram
BEES   Board on Energy and Environmental Systems
CETS   Commission on Engineering and Technical Systems
CFR    Code of Federal Regulations
CMF    common-mode failure
COTS   commercial off-the-shelf
EDF    Electricité de France
EMI    electromagnetic interference
EPRI   Electric Power Research Institute
EPS    emergency power system
ESFAS  engineered safety features actuation system
FPGA   field programmable gate arrays
FSAR   final safety analysis report
FTA    fault tree analysis
GE     General Electric
GL     generic letter
HCI    human-computer interface
HSI    human-system interface
I&C    instrumentation and control
IEC    International Electrotechnical Commission
IEEE   Institute of Electrical and Electronics Engineers
INPO   Institute for Nuclear Power Operations
ISA    International Society for Measurement and Control
MTTF   mean time to failure
NEI    Nuclear Energy Institute
NRR    Office of Nuclear Reactor Regulation (USNRC)
NSRRC  Nuclear Safety Research Review Committee
NUSMG  Nuclear Utilities Software Management Group
PLC    programmable logic controller
PRA    probabilistic risk assessment
PSA    probabilistic safety assessment
RES    Office of Nuclear Regulatory Research (USNRC)
RFI    radiofrequency interference
RPS    reactor protection system
SAR    safety analysis report
SRP    Standard Review Plan
USNRC  U.S. Nuclear Regulatory Commission
USQ    unreviewed safety question
