Information Notice 2007-15, Effects of Ethernet-based, Non-Safety Related Controls on the Safe and Continued Operation of Nuclear Power Stations

From kanterella
(Redirected from Information Notice 2007-15)
Jump to navigation Jump to search
Effects of Ethernet-based, Non-Safety Related Controls on the Safe and Continued Operation of Nuclear Power Stations
ML071010303
Person / Time
Issue date: 04/17/2007
From: Michael Case
NRC/NRR/ADRA/DPR
To:
References
IN-07-015
Download: ML071010303 (4)


UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION

WASHINGTON, DC 20555-0001 April 17, 2007 NRC INFORMATION NOTICE: 2007-15: EFFECTS OF ETHERNET-BASED, NON-SAFETY

RELATED CONTROLS ON THE SAFE AND

CONTINUED OPERATION OF NUCLEAR POWER

STATIONS

ADDRESSEES

All holders of operating licenses for nuclear power reactors, except those who have

permanently ceased operations and have certified that fuel has been permanently removed

from the reactor vessel.

PURPOSE

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to alert

licensees about recent operating experience related to the effects of potential interactions and

unanticipated failures of ethernet connected non-safety equipment on the safety and

performance capability of nuclear power stations. NRC expects that recipients will review the

information for applicability to their facilities and consider actions, as appropriate, to avoid

similar problems. However, suggestions contained in this IN are not NRC requirements;

therefore, no specific action or written response is required.

DESCRIPTION OF CIRCUMSTANCES

On August 19, 2006, operators at Browns Ferry, Unit 3, manually scrammed the unit following a

loss of both the 3A and 3B reactor recirculation pumps. Plant procedures following the loss of

recirculation flow required the manual scram. Immediate loss of the recirculation flow placed

the plant in a high power, low flow condition where core thermal hydraulic stability problems

may exist at boiling-water reactors (BWRs). Generally, intentional operation in this condition, of

high power and low flow, is not permitted. Although some BWRs are authorized for single loop

operation, sudden loss of even one pump could present the plant with the same stability

problems and could result in the reactor protection system initiating a shutdown of the plant.

The initial investigation into the dual pump trip found that the recirculation pump variable

frequency drive (VFD) controllers were nonresponsive. The operators cycled the control power

off and on, reset the controllers, and restarted the VFDs. The licensee also determined that the

Unit 3 condensate demineralizer controller had failed simultaneously with the Unit 3 VFD

controllers. The condensate demineralizer primary controller is a dual redundant programmable

logic control (PLC) system connected to the ethernet-based plant integrated computer system

(ICS) network. The VFD controllers are also connected to this same plant

ICS network. Both the VFD and condensate demineralizer controllers are

microprocessor-based utilizing proprietary software.

The licensee determined that the root cause of the event was the malfunction of the VFD

controller because of excessive traffic on the plant ICS network. Testing by site personnel

performed on the VFD controllers confirmed that the VFD control system is susceptible to

failures induced by excessive network traffic. The threshold levels for failure of the VFD

controllers due to excessive network traffic, as determined by the on-site testing, can be

achieved on the existing 10-megabit/second network. The NRC staff's review of industry

literature and test reports on network device sensitivity, and the threshold levels for such

failures, confirmed these testing results. The licensee could not conclusively establish whether

the failure of the PLC caused the VFD controllers to become nonresponsive, or the excessive

network traffic, originating from a different source, caused the PLC and the VFD controllers to

fail. However, information received from the PLC vendor indicated that the PLC failure was a

likely symptom of the excessive network traffic.

To ensure that excessive network traffic will not cause future Unit 3 VFD controller malfunctions, the licensee disconnected these devices from the plant ICS network before restart. The

licensee also disconnected the Unit 2 VFD controllers from the plant ICS network.

Licensee corrective actions included (1) developing a network firewall device that limits the

connections and traffic to any potentially susceptible devices on the plant ICS network and

(2) installing a network firewall device on each units VFD controller and condensate

demineralizer controller. The Browns Ferry Unit 3 event is discussed in Licensee Event Report

05000296/2006-002, dated October 17, 2006, Agencywide Documents Access and

Management System, Accession No. ML062900106.

BACKGROUND

Ethernet is one technology used for local area networking (LAN) of many different types of

digital devices such as computers, process controls, modems and PLCs. This allows many of

these devices to transfer data over a common communications cable, typically coaxial cable, or

special grades of twisted pair wire. It is the most widely used LAN technology today.

A data packet is a basic unit of data in a networked environment. In basic networks, data

packets are broadcast, meaning sent to each network device, rather than to one specific device.

To function properly, a device must be able to effectively handle the broadcast data packets it

receives.

A key point is that all network devices must allocate time and resources to read and interpret

each broadcasted data packet, even if the packet is not intended for that particular device.

Excessive data packet traffic on the network may cause connected devices to have a delayed

response to new commands or even to lockup, thereby, disrupting normal network operations.

This excessive network traffic is sometimes called a broadcast (or data) storm.

A firewall is a mechanism used to control and monitor data traffic to and from a network, or

device, for the purpose of protecting devices on a network. In effect, it is a filter that blocks unwanted network traffic and limits the amount and type of communication flow. A firewall can

act as an intrusion detection system by identifying data packets that are denied access, recognizing data packets specifically designed to cause problems, or reporting unusual

(including excessive) traffic patterns, and many other security-based features.

The reason the licensee at Browns Ferry investigated whether the failure of one device, the

condensate demineralizer PLC, may have been a factor in causing the malfunction of the VFD

controllers is that there is documentation of such failures in commercial process control. For

instance, a memory malfunction of one device has been shown to cause a data storm by

continually transmitting data that disrupts normal network operations resulting in other network

devices becoming locked up or nonresponsive. A network found to be operating outside of

normal performance parameters with a device malfunctioning can effect devices on that

network, the network as a whole, or interfacing components and systems. The effects could

range from a slightly degraded performance to complete failure of the component or system.

Major contributors to these network failures can be the addition of devices that are not

compatible, network expansion without a procedure and a overall network plan in place, or the

failure to maintain the operating environment for legacy devices already on the network.

DISCUSSION

While only non-safety related network devices became nonresponsive at Browns Ferry Unit 3, it

is important to protect both safety-related and non-safety related devices on the plant network to

ensure the safe operation of the plant. The August 19, 2006, transient unnecessarily

challenged the plant safety systems and placed the plant in a potentially unstable high-power, low-flow condition. The potential safety implications for future similar events would depend on

the type of devices that are connected to the plant ethernet. Careful design and control of the

network architecture can mitigate the risks to plant networks from malfunctioning devices, and

improper network performance, and ultimately result in safer plant operations.

CONTACT

This IN requires no specific action or written response. Please direct any questions about this

matter to the technical contact listed below or the appropriate Office of Nuclear Reactor

Regulation project manager.

/RA by TQuay for/

Michael J. Case, Director

Division of Policy and Rulemaking

Office of Nuclear Reactor Regulation

Technical Contact:

Royce D. Beacom, NRR

301-415-2781 E-mail: rdb1@nrc.gov

Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections. unwanted network traffic and limits the amount and type of communication flow. A firewall can

act as an intrusion detection system by identifying data packets that are denied access, recognizing data packets specifically designed to cause problems, or reporting unusual

(including excessive) traffic patterns, and many other security-based features.

The reason the licensee at Browns Ferry investigated whether the failure of one device, the

condensate demineralizer PLC, may have been a factor in causing the malfunction of the VFD

controllers is that there is documentation of such failures in commercial process control. For

instance, a memory malfunction of one device has been shown to cause a data storm by

continually transmitting data that disrupts normal network operations resulting in other network

devices becoming locked up or nonresponsive. A network found to be operating outside of

normal performance parameters with a device malfunctioning can effect devices on that

network, the network as a whole, or interfacing components and systems. The effects could

range from a slightly degraded performance to complete failure of the component or system.

Major contributors to these network failures can be the addition of devices that are not

compatible, network expansion without a procedure and a overall network plan in place, or the

failure to maintain the operating environment for legacy devices already on the network.

DISCUSSION

While only non-safety related network devices became nonresponsive at Browns Ferry Unit 3, it

is important to protect both safety-related and non-safety related devices on the plant network to

ensure the safe operation of the plant. The August 19, 2006, transient unnecessarily

challenged the plant safety systems and placed the plant in a potentially unstable high-power, low-flow condition. The potential safety implications for future similar events would depend on

the type of devices that are connected to the plant ethernet. Careful design and control of the

network architecture can mitigate the risks to plant networks from malfunctioning devices, and

improper network performance, and ultimately result in safer plant operations.

CONTACT

This IN requires no specific action or written response. Please direct any questions about this

matter to the technical contact listed below or the appropriate Office of Nuclear Reactor

Regulation project manager.

/RA by TQuay for/

Michael J. Case, Director

Division of Policy and Rulemaking

Office of Nuclear Reactor Regulation

Technical Contact:

Royce D. Beacom, NRR

301-415-2781 E-mail: rdb1@nrc.gov

Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections. ADAMS Accession

Number: ML071010303 OFFICE EICA:DE TECH EDITOR BC:EICA:DE BC:ITSB:DIRS BC:SBWB:DSS BC:RES:IEEB

NAME RBeacom H.Chang/email AHowe TKobetz GCranston WKemper

DATE 04/16/2007 01/22/2007 04/16/2007 02/06/2007 02/06/2007 02/09/2007 OFFICE BC:NSIR:RSB BC:RII/DRP/RPB6 NRR/DE/D PGCB:DPR PGCB:DPR BC:PGCB:DPR D:DPR

NAME SMorris MWidman/email PHiland DBeaulieu CHawes CJackson TQuay for MCase

DATE 02/13/07 02/26/2007 04/03/07 04/12/07 04/17/07 04/17/07 04/17/07 OFFICIAL RECORD COPY