ML18145A017

SECY-91-292 - Digital Computer Systems for Advanced Light Water Reactors with Comments
ML18145A017
Person / Time
Issue date: 09/16/1991
From: Taylor J
NRC/EDO
To: Curtiss J, Remick F, Rogers K, Selin I
NRC/Chairman, NRC/OCM
Holonich J
References
NUDOCS 9109200242, SECY-91-292
Download: ML18145A017 (23)


Text


For: The Commissioners

From: James M. Taylor, Executive Director for Operations

Subject: DIGITAL COMPUTER SYSTEMS FOR ADVANCED LIGHT WATER REACTORS

Purpose:

To inform the Commission on the major regulatory issues associated with the application of digital computer technology to instrumentation and control (I&C) systems that are important to safety and the NRC staff's actions to resolve these issues. These issues include the effect of evaluated experiences, the continuing rapid changes in digital computer technology, and the establishment and maintenance of the new regulatory review process for I&C systems important to safety consistent with Subpart B of Part 52 of Title 10 of the Code of Federal Regulations (10 CFR Part 52).

Background:

The evolutionary and passive advanced light water reactor (ALWR) designs incorporate instrumentation and control (I&C) systems using digital computer technology to implement the monitoring, control and protection functions. The Electric Power Research Institute (EPRI) Utility Requirements Document (RD) also addresses the use of digital computer technology for I&C systems and man-machine interface systems (M-MIS). To ensure that digital systems are implemented safely in nuclear power plants, the staff is reviewing the designs with an approach that considers existing regulatory requirements, the development of requirements where none exist, the lessons learned in the U.S. and other countries, and the guidelines provided in the EPRI RD.

Contact:
M. Chiramal, NRR/DST, 492-0845
J. Gallagher, NRR/DST, 492-0823

NOTE: ENCLOSURE 1 REMOVED TO ALLOW PUBLIC RELEASE OF PAPER

Comment: Absence of standards for digital was a concern

The use of digital computer technology in protection and control systems raises a concern that the software and hardware for these computer systems could be vulnerable to design and programming errors that could lead to safety-significant common mode failures.

The staff reviewed Chapter 10 of the EPRI RD, "Man-Machine Interface Systems," and concludes that, in general, the EPRI requirements are acceptable from the point of view that they do not violate existing NRC criteria. The EPRI RD provides high-level design goals that address many of the key issues discussed herein. There are, however, certain open issues and confirmatory items that require resolution before the EPRI RD can be considered complete, even at this relatively high level of design requirements. Significant work remains to resolve all issues such that the ALWR designs can be certified.

In reviewing the advanced boiling water reactor (ABWR) design, the staff concluded that the ABWR safety analysis report does not include a sufficiently complete design and does not reference many of the standards included in the EPRI RD. The staff will continue to communicate with the applicant, the General Electric Company (GE), to address these open issues.

Discussion:

EXPERIENCE

There is a wide range of experience with the application of digital computer technology for monitoring, control, and protection systems in various industrial applications; land, sea, and air transportation systems; communication systems; defense systems; fossil power plants; and nuclear power plants. The most successful digital systems applications have been in industrial processes to automatically control, monitor, and protect major components. Certainly the recent Patriot Missile and telephone system experience demonstrate, however, that these systems can fail.

The U.S. nuclear industry has limited operational experience with digital computer system technology. Core Protection Calculators (CPCs) were reviewed by the NRC in the late 70's and are installed in all later Combustion Engineering (CE) plants. Several U.S. plants have retrofitted digital systems to replace selected analog systems; however, complete replacement of all plant analog systems with digital systems has not been performed.

Comment: Lack of knowledge about digital problem areas and associated defensive measures was a concern

Comment: Lack of nuclear-related experience was a concern

MAJOR REGULATORY ISSUES

Plants using safety-related digital computer systems are being designed and constructed in Canada, the United Kingdom, France, and Japan. The NRC staff communicates regularly with these countries to monitor activities involving digital systems applications in these plants. This is especially important given the international nuclear industry's difficulties with implementing computer systems applications that were designed without a structured process and the use of formal verification and validation (V&V) procedures.

Instrumentation and Control (I&C) systems help to ensure that the plant operates safely and reliably by monitoring, controlling, and protecting critical plant equipment and processes. The digital computer based I&C systems for ALWRs differ significantly from the analog systems used in operating nuclear plants.

Because of the greater information content of digital signals compared to analog signals and the increased information processing capability of digital equipment compared to analog equipment, the change to digital computer based I&C systems provides the potential for improvements in the safe and reliable operation of nuclear power plants. This potential is achievable through the implementation of highly reliable digital I&C systems for all service conditions of operation of the equipment. This requires special constraints on the system architectural designs and features, and the application of a high level of discipline to the processes associated with the life cycle phases of design, manufacture, installation, operation, maintenance, and modification of the I&C system. Such requirements, however, must allow for flexibility in the application of the evolving digital computer technology.

The digital I&C system has a greater degree of sharing of data transmission, functions, and process equipment compared to the analog system. Although this sharing forms the bases for many of the advantages of the digital system, it also raises a key concern with respect to its reliability. The concern is that a design using shared data bases and process equipment has the potential to propagate a common cause or common mode failure of redundant equipment. Another key concern is that software programming errors can defeat the redundancy achieved by the hardware architectural structure.

The goal of the requirements for the digital I&C systems is to limit the probability of the occurrence of common cause and common mode failures and, since some failures will still occur, limit the extent of loss of functions of the I&C systems.

Comment: Lack of structured process (based on accepted standards) was an important concern

Comment: We can now point to the EPRI document and IEC standards as methods to address these special digital design issues

Comment: IEC standards have made safety critical design concepts for nuclear I&C mature

Comment: IEEE and IEC standards, EPRI Preventive & Limiting (P&L) measures (see NEI 16-16), and modern development and test tools reduce likelihood of design errors

These requirements are in addition to the existing requirements that are based primarily on analog technology. Enclosure 2 discusses these issues and development of requirements for digital systems.

The staff is reviewing the EPRI Utility Requirements Document (RD) for the evolutionary and passive ALWRs and two applications for design certification: the GE ABWR and the ASEA-Brown Boveri/Combustion Engineering, Incorporated (ABB/CE) System 80+. To review the I&C systems for the ALWRs, the staff is using current regulatory requirements, guides, and industry standards in the SRP, and national and international standards not currently endorsed by the NRC. Information from other elements, such as lessons learned from operational and design experience, participation in codes and standards committees, staying current with evolving technology through technical information exchanges, conferences and meetings, and input from research efforts, will also be integrated into the review of the ABWR, ABB/CE System 80+, and passive ALWRs, as well as the updated SRP. Enclosure 3 discusses additional details of the staff's review efforts.

There is a general consensus within the international nuclear community that the proper use of digital computer technology in the design of monitoring, control and protection systems will improve the safety and performance of nuclear power plants. The President's Commission on The Accident At Three Mile Island reached a similar conclusion regarding improving the collection and understanding of information on the state of plant processes and equipment and thereby improving the safety and performance of the plant.

Digital computer technology is changing in a way that provides a much wider range of tools to assist in the engineering activities to develop and verify the designs of advanced I&C systems. This change in technology has the potential to provide improved hardware and software to implement the design. The international community is expending a significant amount of resources, most of which are outside the nuclear industry, to formulate guidelines and standards to improve the proper use of this technology.

Comment: Now that this has been realized for nuclear industry safety critical systems and processes, can we credit this for a change in the BTP 7-19 diversity/bounding consequence approach.

However, much of this technology is being developed without consensus standards, as the technology available for design is ahead of the technology that is well understood through experience and supported by application standards. This is a challenge to which the NRC must respond, especially in light of the design certification process. The enclosure addresses the effect that the use of digital computer technology has on current requirements which primarily address analog I&C technology, describes the need for additional requirements and describes how Chapter 10 of the EPRI RD can provide a frame of reference to assist in developing new requirements and acceptance criteria. The enclosure also proposes a means for reviewing proposed designs and developing requirements and acceptance criteria in an environment of change. A graded set of requirements based on the importance to safety of the functions being performed with respect to reduction in the potential for radiation exposure could be adopted. The functions with the highest level of importance to safety, and thus with the most stringent requirements, are less likely to be affected by equipment changes than those functions with lower levels of importance to safety, such as information systems.

Because of its safety importance, the staff expects to expend the most effort on the modification or development of requirements and acceptance criteria for digital computer technology-based monitoring, control, and protection systems. Particular emphasis will be placed on defense against propagation of common mode failures within and between functions. In this regard, the staff currently intends to require some level of diversity such as a reliable analog backup.

Comment: Can we credit the advancements in standards and safety critical design features for a change in the BTP 7-19 diversity/bounding consequence approach?

==Conclusion:==

The staff shares in the consensus that these I&C systems can improve safety; however, the international operating and regulatory experience, the developmental nature of consensus U.S. standards and the significant interdependence of these systems require that ALWR applicants submit sufficient design information for certification for the staff to ensure that open issues are adequately resolved.

James M. Taylor
Executive Director for Operations

Enclosures:
2. Requirements for Digital Systems
3. Staff Review of ALWRs
(ENCLOSURE 1 REMOVED TO ALLOW PUBLIC RELEASE)

DISTRIBUTION:
Commissioners, OGC, OCA, OIG, GPA, LSS, REGIONAL OFFICES, EDO, ACRS, ACNW, SECY

ENCLOSURE 1 REMOVED TO ALLOW PUBLIC RELEASE OF PAPER

ENCLOSURE 2

REQUIREMENTS FOR DIGITAL SYSTEMS

PURPOSE

This enclosure discusses the differences between analog and digital instrumentation and control (I&C) systems, the need for requirements for reducing the probability and consequences of common mode failures in digital I&C systems, and a process for developing new regulatory requirements and acceptance criteria.

INTRODUCTION

Instrumentation and Control (I&C) systems help to ensure that the plant operates safely and reliably by:

controlling plant processes, in both automatic and manual modes
monitoring the state of the plant processes and plant equipment to assist the operating staff in making decisions
protecting critical plant equipment to maintain the integrity of barriers to the release of radioactive materials or to control radioactivity releases if one or more of the barriers are breached.

Because of the greater information content in digital signals compared to analog signals and the increased information processing capability of digital equipment compared to analog equipment, the change to digital computer based I&C systems provides the potential for improvements in the safe and reliable operation of nuclear power plants. The use of digital computer technology to provide information to help plant operators prevent or cope with accidents was one of the principal recommendations in the report of the President's Commission on The Accident at Three Mile Island.

The realization of this potential is, of course, dependent on the implementation of highly reliable digital I&C systems for all the service conditions of operation of the equipment. The achievement of high levels of reliability for these systems requires special constraints on the system architectural designs and features and a high level of discipline applied to the processes associated with each life cycle phase of the I&C system. However, the requirements for the life cycle phases of design, manufacture, installation, operation, maintenance and modification of these I&C systems must not arbitrarily constrain application of digital computer system technology.

DIFFERENCES BETWEEN THE ARCHITECTURE OF ANALOG AND DIGITAL I&C SYSTEMS

As discussed below there is a major difference in the optimum architectural configuration of digital computer based I&C systems when compared to analog systems.

An analog I&C system is a collection of primarily single parameter configurations. Analog I&C systems usually have direct wire connections between the components that comprise each of these single parameter configurations. These are usually referred to as "hard-wired configurations." Often the only installed common items between such configurations are the cable routing fixtures and the power supplies for the equipment that make up these configurations. The processing functions for control algorithms, linearization of sensor measurements, logic relationships, etc., have been traditionally implemented with analog equipment by the use of built-in circuits dedicated to a particular math or logic task. Programming for these functions is usually limited to adjustments in setpoints and pre-selected coefficients by changing potentiometer settings and rearranging highly visible built-in patch connectors.

Comment: The EPRI P&Ls address these concerns with improved design guidance.

Comment: It should be noted that the conservative D3 assumptions in BTP 7-19 have made I&C architectures more complex and is now the primary driver for I&C architecture designs.

A digital I&C system usually consists of a collection of individual input/output circuit boards connected to the plant equipment (sensors and actuators) through direct wire connections. These boards are connected to a multiplexed data link or data highway so that a single electrical wire or optic fiber carries signals from many sensors including information about the state of the sensors and actuators and the quality of the signals. This wire or fiber also carries control commands for many separate actuators. This data link or highway is connected to a set of equipment that uses a shared computer that can sequentially perform the algorithmic numerical and logic computations for several controllers according to the inputs from their respective sensors and actuators. The ingress, transmission, and egress of data on the multiplex data links or data highway is usually controlled by a protocol that within itself has shared functions. Consequently the data link (highway) protocol could result in a high degree of interdependence with respect to the equipment connected to the data link.

The shared computer can be 1) a mini (mainframe) computer that uses a multi-task operating system to perform many processing functions using the application software programs and the same hardware and executive operating system software to control the operation of that hardware or, 2) a set of microcomputers, individually connected to the highway, each running asynchronously using embedded software with limited multi-tasking capability for the operating system and application software modules that may be identical for different redundant hardware sets of equipment.

Consequently, the shared processing equipment can have a wide range of interdependence with respect to the functions performed; i.e., from one computer that performs many functions to separate computers that perform different functions but use common software modules for these separate functions.

POTENTIAL PROBLEM CAUSED BY SHARING RESOURCES

It is this resource sharing that forms the bases for many of the advantages of digital computer technology over analog technology. However, this sharing raises a key concern with respect to the reliability of I&C systems based on digital computer technology. The root cause of this concern is that the use of shared data bases and processing equipment can result in a design that has the potential to propagate a common mode failure of redundant equipment. The resulting loss in functions would be greater than for an analog I&C system; thereby, resulting in a system that is less safe than the analog system. That is, the consequences of a common mode failure can be a loss of defense in depth.

Comment: The EPRI P&Ls address these concerns with improved design guidance.

Another key concern is that software programming errors can defeat the redundancy achieved by the hardware architectural structure. A software error is a common mode failure that can simultaneously defeat the functioning of all redundant channels or trains of the protection system, even if the protection system design has minimized the sharing of databases and digital processing equipment.

The goal for the requirements is to both limit the probability of the occurrence of common mode failures associated with digital computer technology and, since some failures will still occur, limit the extent of loss of functions in the monitoring, control and safety systems. These requirements are in addition to the existing requirements for I&C systems that are based primarily on analog technology and, therefore, place emphasis on single random failures in hardware and stress incorporation and maintenance of redundancy in equipment. These additional requirements are being developed by the staff for applicability to ALWR designs.

The challenge in the achievement of this goal of limiting the occurrences and consequences of common mode failures is to reach the proper balance between control over the extent and means of information sharing and the potentially adverse effects that this control might have on the benefits from the application of digital technology, with its attendant potential for improvements in safety and operation of the plant. This challenge is further complicated by the duration of the validity of Design Certification that results through compliance with these requirements, vis-a-vis the rapid rate of technology advancements in the electronics and information management fields.

Regulatory requirements should not unduly impede the orderly introduction of improved technologies that address the goal for advanced reactor man machine interface (M-MI) systems: to improve the performance of the personnel involved in the operational activities of the plant (operations, maintenance, and surveillance of both plant processes and equipment).

DEFENSE IN DEPTH

The principle of defense in depth is to provide several levels or echelons of defense to challenges to plant safety, so that failures in equipment and human errors will not result in an undue threat to public safety.

Comment: Ditto

The echelons of defense provided by M-MI I&C systems are as follows:

1) the monitoring and diagnostic surveillance systems that provide information to the plant operations personnel regarding the state of plant processes and plant equipment
2) the control systems that regulate plant process variables within specified normal ranges
3) the protection systems that place the plant in a safe shutdown condition when specified limits are exceeded
4) the engineered safety features systems that provide essential functions to either maintain the integrity of barriers to the release of radioactive materials or to mitigate the consequences of failures in these barriers in order to control the release of radioactive materials to acceptable limits

The foundational purpose of the requirements for the M-MI I&C system is to achieve an acceptably low probability that common mode failures caused by equipment or people will result in the loss of more than one echelon of defense in depth.

DEFENSE AGAINST COMMON MODE (COMMON CAUSE) FAILURES

The nuclear industry and the staff carefully evaluate and seek ways to improve human activities performed throughout the plant life cycle because such activities are the primary cause of common cause failures.

International Atomic Energy Agency (IAEA) safety practices document, Safety Series No. 50-P-1, "Application of the Single Failure Criterion," contains a section in which common cause failures are arranged by category and a general framework is provided to defend against these failures. These categories are identical to those developed by the United Kingdom Atomic Energy Authority (UKAEA) Safety and Reliability Directorate in SRD R 196, "Defenses Against Common-mode Failures in Redundancy Systems."

Figure 1 (from IAEA 50-P-1) provides the categories of common mode failures. The percentages given in Figure 1 are obtained from INPO Report 85-027, "Analysis of Root Causes of Significant Event Reports," which presented the analysis of significant event reports for 1983 and 1984. This figure shows that design, maintenance, and operations activities are the major contributors to common cause failures.

The IAEA report contains the following statement:

In the defense against common mode failures, quality, segregation and diversity are of fundamental importance. There are two basic forms of preventing common cause failures in a system: either the causal influences on the system can be reduced, or the ability of the system to resist those influences can be increased. The reduction of causal influences can be related to all the causes of failure shown in [Figure 1] and the overall defense strategy can be as shown in [Figure 2].

A recent

Comment: I think we can now claim that the better standards, modern tools and platforms, EPRI P&Ls, etc. lead to reductions in CCF potential previously assumed.

The various aspects of quality, especially those associated with quality assurance, to provide discipline in the design, manufacture, installation, operation, and maintenance of systems important to safety, assist in minimizing common cause failures due to human error.

The main purpose of segregation is to provide and maintain independence between redundant components so that a common influence cannot cause a common mode failure. Segregation can be regarded as a form of diverse location and environment. Many of the requirements for redundancy are directed to achieving an acceptable degree of segregation to restrict the propagation of failures between redundant channels. Segregation requirements are primarily concerned with the hardware configuration of M-MI I&C systems.

In addition to quality and segregation, there is a need for adequate diversity in human activities for the M-MI I&C system life cycle phases, and the application of the equipment (hardware and software) used in realizing the M-MIS design. The practice of diversity includes functional diversity, hardware and/or software diversity, and human diversity. When diversity is considered for a particular application, care should be exercised to ensure that the diversity actually achieves the desired increase in reliability of the implemented design. If diverse components or systems are used, there should be reasonable assurance that such additions are of overall benefit, taking into account any disadvantages, such as additional complications in operating, maintenance and test procedures, or the consequent use of equipment of lower reliability.

One of the more effective means of achieving diversity is to require some form of diversity between preselected sets of functions (functional diversity) to ensure that common mode failures of M-MIS equipment do not degrade the performance of more than one set of these functions. The concept of functional diversity is discussed in NUREG-0493, "A Defense In-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System," March 1979. In that assessment, the preselected sets of functions were control, including general monitoring functions; reactor trip; and engineered safety features. A block concept was introduced to provide a mechanism for systematically analyzing the effect of common mode failures on the defense in depth of the I&C system. The block concept aggregates the equipment (components and modules) of the system into a manageably small number of functional blocks. The staff chose three such blocks: measured variable, derived variable and command blocks. These blocks provide the equipment structure for the preselected sets of system level functions. The resulting block structure is used for the analysis of the consequences of postulated common mode failures. Figure 3 shows the block structure.

Since its initial introduction, this approach has been refined (on the U.K. Sizewell B design) to provide for some level of diversity within both the reactor trip system and the engineered safety features (ESF). This diversity will provide assurance that common mode failures of software or hardware will not defeat all the reactor trip or ESF functions.

Comment: Now we have required IV&V

Comment: We now have mature IEEE and IEC standards for the nuclear industry

Comment: Nice twist!

Comment: The current regulatory approach does not link the required diversity to relevant or important CCF vulnerabilities or consider the downside of the diversity solution.

The EPRI ALWR Utility Requirements Document uses a similar approach to establish general requirements that provide some level of protection against common mode failures in major control and monitoring functions and between the reactor trip system and the ESF. EPRI termed this approach segmentation of major functions.

In addition to the above, the staff is considering the following M-MIS regulatory requirements:

1) Requirements for the engineering activities that are used for the development of the design, manufacture, installation, operation and maintenance features of the man machine interface systems with emphasis placed on reduction in the probability of common mode failures, and
2) Requirements for the implementation of the design with emphasis on the hardware and software architectural configurations (including diversity) used to reduce the probability of the occurrence or propagation of common mode failures
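The two ideas this enclosure keeps returning to, the four echelons of defense in depth and the block-concept analysis of what a single postulated common mode failure takes out, can be made concrete as a small model. The following Python example is added here for illustration; it is not code from SECY-91-292, the NRC staff, EPRI or NUREG-0493. It treats every shared item a channel depends on (a data highway, a processor block, a software module) as a named resource, postulates the common-mode failure of each resource in turn, and reports which echelons lose all redundant channels of some function. The two architectures, their resource names and channel counts are constructed for the example; the shared one mirrors the enclosure's description of a plant-wide highway with common software modules, the segmented one mirrors functional segmentation with a hard-wired analog trip backup.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# The four echelons of defense named in Enclosure 2.
ECHELONS = ("monitoring", "control", "protection", "esf")


@dataclass(frozen=True)
class Channel:
    """One redundant channel (train) of a function.

    `resources` are the items the channel cannot work without: a processor
    block, a software module, a data highway. Shared software is modelled as
    a resource, so a programming error in it fails every channel running that
    module regardless of how well the hardware is segregated.
    """
    name: str
    resources: FrozenSet[str]


@dataclass(frozen=True)
class Function:
    """A system-level function and the echelon of defense it belongs to."""
    name: str
    echelon: str
    channels: Tuple[Channel, ...]


def ch(name: str, *resources: str) -> Channel:
    return Channel(name, frozenset(resources))


def lost_functions(functions: List[Function], failed: str) -> Set[str]:
    """Functions whose every redundant channel depends on the failed resource.
    A function survives as long as one channel does not need that resource."""
    return {f.name for f in functions
            if all(failed in c.resources for c in f.channels)}


def lost_echelons(functions: List[Function], failed: str) -> Set[str]:
    """Echelons of defense that lose at least one function."""
    gone = lost_functions(functions, failed)
    return {f.echelon for f in functions if f.name in gone}


def cmf_assessment(functions: List[Function]
                   ) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Postulate a common mode failure of each resource in turn.

    Returns (report, violations): `report` maps each resource whose failure
    loses at least one echelon to that set of echelons; `violations` is the
    subset that loses more than one echelon, the outcome the requirements
    are meant to make acceptably improbable.
    """
    resources = {r for f in functions for c in f.channels for r in c.resources}
    report: Dict[str, Set[str]] = {}
    for r in sorted(resources):
        lost = lost_echelons(functions, r)
        if lost:
            report[r] = lost
    violations = {r: e for r, e in report.items() if len(e) > 1}
    return report, violations


# Constructed architecture 1: one plant-wide data highway, one software
# module for all monitoring/control channels and one for protection/ESF.
SHARED = [
    Function("core_monitoring", "monitoring",
             (ch("mon-A", "highway", "plant_sw", "cpu-A"),
              ch("mon-B", "highway", "plant_sw", "cpu-B"))),
    Function("feedwater_control", "control",
             (ch("ctl-A", "highway", "plant_sw", "cpu-A"),
              ch("ctl-B", "highway", "plant_sw", "cpu-B"))),
    Function("reactor_trip", "protection",
             tuple(ch(f"rts-{i}", "highway", "rts_sw", f"rts_cpu-{i}")
                   for i in range(1, 5))),
    Function("esf_actuation", "esf",
             tuple(ch(f"esf-{i}", "highway", "rts_sw", f"esf_cpu-{i}")
                   for i in range(1, 5))),
]

# Constructed architecture 2: segmented per echelon (separate links and
# software modules) plus a hard-wired analog backup channel for reactor trip.
SEGMENTED = [
    Function("core_monitoring", "monitoring",
             (ch("mon-A", "mon_link", "mon_sw", "cpu-A"),
              ch("mon-B", "mon_link", "mon_sw", "cpu-B"))),
    Function("feedwater_control", "control",
             (ch("ctl-A", "ctl_link", "ctl_sw", "cpu-A"),
              ch("ctl-B", "ctl_link", "ctl_sw", "cpu-B"))),
    Function("reactor_trip", "protection",
             tuple(ch(f"rts-{i}", "rts_link", "rts_sw", f"rts_cpu-{i}")
                   for i in range(1, 5))
             + (ch("rts-analog", "analog_trip_hw"),)),
    Function("esf_actuation", "esf",
             tuple(ch(f"esf-{i}", "esf_link", "esf_sw", f"esf_cpu-{i}")
                   for i in range(1, 5))),
]


if __name__ == "__main__":
    for label, arch in (("shared", SHARED), ("segmented", SEGMENTED)):
        report, violations = cmf_assessment(arch)
        print(f"{label}: {len(violations)} resource(s) whose failure "
              f"defeats more than one echelon")
        for r, e in violations.items():
            print(f"  {r}: {sorted(e)}")
```

Running it shows the contrast the enclosure draws: in the shared architecture a highway failure removes all four echelons and a single software module removes two, while in the segmented one no single resource removes more than one echelon, and the analog backup means even a protection-system software fault leaves reactor trip available. The model only asks "does every channel need this resource"; it says nothing about failure probability, so it is a screening aid for the qualitative part of the analysis, not a substitute for the reliability assessment.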

SAFETY CLASSIFICATION OF I&C SYSTEMS The present method for safety classification of IbC systems and equipment is highly deterministic in that, with a few exceptions, the I&C systems are either members of the protection system or not members, and the equipment is either Class 1E or non-safety grade.

This classification method has two major problems:

1)

ILC equipment not included in the protection system i s considered as non-safety equipment, although operating experience has shown it to be quite important with respect to the safe operation of the plant.

Many events that resulted in a significant deterioration in the echelons o f defense in depth have occurred because o f failures or misoperation of equipment in monitoring or control systems that are outside o f the protection systems.

All I&C equipment considered important to safety is also considered as part of the protection system and, therefore, must meet the criteria for protection systems as stated in IEEE-279 (10 CFA 50.55a(h)).

This means that the equipment used in these systems must be Class lE, Independent of the level of importance to safety of the function performed by that system. The result can be a potentially significant first cost and overhead cost burden on utilities without the accompanying benefit justification and consequently lead to the exclusion of equipment and systems that cculd contribute to an improvement in plant safety, 2 )

The problem with such a limited Clar-ifitation method was a subject of both the findings and the recornendations in the President's Comnission report on The Accident at Three Mile Island.

The Institute of Electrical and Electronic Engineers (IEEE) Nuclear Power Engineering Committee (NPEC) had initiated activities in the U.S. to develop a new classification method for I&C systems and equipment important to safety. This classification method was based on graded requirements commensurate with the importance of the involved safety function (similar to that for mechanical equipment). These activities were terminated because of what appeared to be two major concerns by the IEEE NPEC members. One was the perception of a resultant significant increase in the complexity and number of items and, therefore, the overhead burden, for the plant I&C equipment list covered by the requirements of 10 CFR 50, Appendix B. The second was the conviction that, since there is no quantitative measure for level of importance to safety or an agreement between industry and the NRC with respect to meaningful differences in EQ (equipment qualification) and QA requirements for different levels of importance to safety, any equipment added to this graded classification would, in effect, be considered by the NRC as Class 1E, with the attendant significant increase in life cycle costs.

The international situation is different.

In 1984, the IAEA issued Safety Guide 50-SG-D8, "Safety-Related Instrumentation and Control Systems for Nuclear Power Plants," which recommended that all plant I&C systems important to safety be placed in one of three categories according to their importance to safety. The requirements for these systems are to be based on their importance to safety as established by these three categories. This safety guide, together with Safety Guide 50-SG-D3, "Protection Systems and Related Features in Nuclear Power Plants," establishes distinctions between the safety systems (i.e., those systems provided to assure the safe shutdown of the reactor and heat removal from the core and to limit the consequences of anticipated operational occurrences and accident conditions) and safety related I&C systems (i.e., those systems important to safety that are not included in the safety systems).

Figure 4 depicts the relationship between these systems. Of special interest for the use of this approach in the design of the M-MIS are the graded requirements for reliability, equipment qualification, testing, design, and verification and validation (V&V) of software for computer and multiplexed systems, and the reliability of the computer and multiplexed systems based on the importance of the associated safety functions.

The methodology used for determining the importance to safety of a particular I&C system is based on the methodology in the IAEA Safety Guide 50-SG-D1, "Safety Functions and Component Classification for BWR, PWR and PTR."

In this methodology, safety functions are ranked in order of importance by the combination of:

1) the consequence of failure of that safety function (based on the magnitude of the potential increase in radiation exposure upon failure of that safety function), and

2) the probability that the safety function would be required.

The assignment of safety class design requirements for the equipment that performs the safety function needs a third factor that accounts for the confidence that the safety system(s) will perform as expected. That is:

3) the probability that the safety function would not be accomplished when required.

The product of these three factors must be acceptably low for all I&C systems that are important to safety. IAEA Safety Guide D8 has further subdivided this third factor to include specific factors that deal with alternative actions for accomplishing the safety function and time considerations for initiation of the safety function and for reconfiguration or repair of safety systems and equipment.

Safety Guide D8 also includes general guidance for key design requirements as they relate to three categories of importance to safety: highest, intermediate, and lowest.

The International Electrotechnical Commission (IEC), Subcommittee 45A, Reactor Instrumentation, is developing an international standard, "The Classification of Instrumentation and Control Systems Important to Safety for Nuclear Power Plants," which is based on IAEA Safety Guide D8.

The IEC standard presents the following:

1) A definition of the three categories of importance to safety of functions and the associated systems and items of equipment

2) Criteria for assignment of functions and associated systems and items of equipment to one of the three categories, and a procedure for performing this assignment

3) Key requirements for the functions and associated systems and items of equipment important to safety for each of the three categories

These requirements are the design criteria for assuring functionality, performance, reliability, environmental durability and quality assurance of the functions and associated systems and items of equipment.

The need for a graded safety classification of I&C digital based systems is addressed by several of the requirements given in Chapter 10, "Man-Machine Interface Systems," of the EPRI Utility Requirements Document. For example, subsection 6.1.3.14 contains the following statement:

The M-MIS functions of protection, control, alarm, and display shall be based on digital technology (instrument display formats and sensor signal conditioning exempted). This technology shall have the following characteristics [three of which were selected for this example]:

- software shall be capable of being verified and validated

- a standard software structure shall be used in all processors which provide RPS or safety system functions

- a continuous-loop, non-interruptible software structure is preferred

Experience has shown that V&V of software has several levels of completeness that are dependent, amongst other factors, on the design attributes and operating characteristics of the computer system that the software resides in. Mainframe systems that require multitasking to be effective cannot be verified to the same level of completeness as distributed microprocessor systems that use the preferred software structure cited above. Consequently, the assurance of reliability for the achievement of a safety function is not as high for a mainframe based system when compared to a microprocessor based system (the probability that the safety function would not be performed is higher for the mainframe system).

One would, therefore, expect requirements for both deterministic hardware and software structures for I&C systems associated with safety functions whose consequence of failure would be either a significant release of radioactivity or a lower level of release but with a higher probability of occurrence.

Control room displays also perform a safety function. They assist the operator in monitoring plant operation to ensure that process variables are being maintained within the limits assumed in the safety analysis of the plant. However, the failure of the control room displays is of lesser consequence because of the functions of the automatic protection systems. Therefore, the degree of completeness one normally expects to get from a V&V program for software resident in a multitasked based mainframe (mini) computer system, commonly used for the control room displays, would be acceptable.

REQUIREMENTS FOR ENGINEERING ACTIVITIES

The requirements the NRC presently uses to determine the acceptability of an I&C design for a system or component that is important to safety concentrate primarily on the implementation of the design.

For matters related to the design process, reliance is placed on references to more general requirements generated from 10 CFR 50, Appendix B, quality assurance criteria. There are also some specific requirements for the qualification of equipment, seismic testing, and the reference to the V&V process in the ANSI/IEEE computer standards.

In contrast, Chapter 10 of the EPRI Utility Requirements Document contains policy statements that form the basis for requirements for both the design of the ALWR M-MIS and the process by which this design is achieved.

These statements are directed to the production of a quality design, provided that the accompanying requirements and appropriate acceptance criteria are met. The policy statements specifically address the design process for those aspects of the design that can reduce the probability of human error, if properly specified. The human factors engineering activities include task analysis for selection and allocation of tasks between human and machine, including the appropriate level of automation for each monitoring, control, and protection function.

The following are important requirements for controlling the engineering activities that follow from these policy statements:

- discipline in the design process

- verification & validation of common mode failure prone design activities (such as software development)

- diversity of skills within specified engineering teams

- documentation and configuration management

- testing, both as part of the design process (rapid prototyping) and for qualification of equipment

- the use of formal methods to specify the software functional requirements

- the use of automatic tools for both design and V&V

NRC-approved platforms are deterministic, yet no benefit from this fact in the treatment of assumed CCF is afforded in BTP 7-19.

The requirements in the EPRI document address a range of topics governing engineering activities. However, staff review of the document finds that it does not define acceptance criteria needed to determine if these requirements have been properly implemented.

REQUIREMENTS FOR DESIGN IMPLEMENTATION

The requirements presently referenced in the standard review plan address primarily the single failure criteria and redundancy.

Therefore, new requirements are needed to address the potential common mode failure sources that are more likely to exist in digital I&C systems. In some cases, additional requirements may be needed to clarify existing requirements in order to cover features of digital computer technology.

The sources of major complexities in the requirements for digital I&C systems arise from the additional configuration dimensions dealing with the system software structures (which are in addition to the hardware structures) and the need for separation between redundant function sets (because of the increased emphasis on common mode failures).

Several organizations are developing requirements for separation between redundant function sets. The EPRI document addresses segmentation of major control and monitoring functions and other design features that reduce the probability of common mode failures. As discussed previously, NUREG-0493 presents guidelines for functional diversity between different echelons of defense in depth to address common mode failures.

A consensus agreement on the types of diversity that achieve acceptable separation in the context of the different potential sources of common mode failures has not yet been achieved.

While requirements have also been developed that address specific aspects of the software structure that are potential sources of common mode failure (for example, IEC 880, "Software for Digital Computers in Safety Systems," recommends against the use of operating systems, interrupts, etc.), there has been almost no development of requirements for system software architecture. Furthermore, the requirements addressing the system hardware architecture are almost totally from the view of independence between redundant channels or trains.

IEC 60880 and other companion standards have matured and been used for the design of global-based I&C platforms for nuclear.

A requirement could call for a set of diagrams of system software architecture that would show the software functional configurations at the subsystem level, with designators as to the particular category of software used to perform each function, that is, operating system software, application specific software, or embedded software. This software functional configuration could show not only the software directly associated with the monitoring, control or safety functions, but also the software support functions needed to operate the application software functions or to transfer data between subsystems.

A mapping of the system software architecture into the system hardware architecture could show any overlap of software functions within hardware modules, and thereby identify areas where separation of functions for protection against potential common mode failures may not have been maintained.

The system software architecture can also be used in developing requirements for software structures, similar to the use of the system block architecture in Figure 3 to develop the guidelines for the blocks shown in that diagram.
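As an added illustration of the mapping described above (example code, not part of the SECY paper or the EPRI document), the following Python script records each software function with the designators the text suggests and reports two kinds of lost separation: redundant channels of one safety function hosted on a shared hardware module, and a module that mixes software of different importance categories. The module names, function names and the sample architecture are constructed for the example.

```python
"""Map software functions into hardware modules and flag lost separation.
Each function carries the designators the paper suggests (software category,
safety function, redundant channel, importance category, hosting module).
Reported: redundant channels of one safety function sharing a module, and
one module hosting software of different importance categories."""
from collections import defaultdict
from dataclasses import dataclass

# Importance categories ordered from highest to lowest (the three-level grading).
RANK = {"highest": 0, "intermediate": 1, "lowest": 2}

@dataclass(frozen=True)
class SwFunction:
    name: str             # software function designator
    kind: str             # "operating system", "application" or "embedded"
    safety_function: str  # safety function the software supports
    channel: str          # redundant channel or train, e.g. "A" or "B"
    importance: str       # key of RANK
    hw_module: str        # hardware module the software executes on

def check_separation(funcs):
    """Return a list of findings; an empty list means no overlap was found."""
    by_module = defaultdict(list)
    for f in funcs:
        by_module[f.hw_module].append(f)
    findings = []
    for module, hosted in sorted(by_module.items()):
        # redundant channels of the same safety function on one module
        channels = defaultdict(set)
        for f in hosted:
            channels[f.safety_function].add(f.channel)
        for sf, chans in sorted(channels.items()):
            if len(chans) > 1:
                findings.append(f"{module}: channels {sorted(chans)} of '{sf}' share a module")
        # software of different importance categories on one module
        levels = {f.importance for f in hosted}
        if len(levels) > 1:
            top = min(levels, key=RANK.get)
            others = sorted(levels - {top})
            findings.append(f"{module}: {top}-category software shares a module with {others}")
    return findings

# Constructed sample architecture (illustrative, not from the paper).
SAMPLE = [
    SwFunction("rps_trip_logic", "application", "reactor trip", "A", "highest", "CPU-A1"),
    SwFunction("rt_kernel", "operating system", "reactor trip", "A", "highest", "CPU-A1"),
    SwFunction("esf_actuation", "application", "ESF actuation", "A", "highest", "CPU-A1"),
    SwFunction("rps_trip_logic", "application", "reactor trip", "B", "highest", "CPU-B1"),
    SwFunction("rt_kernel", "operating system", "reactor trip", "B", "highest", "CPU-A1"),  # misplaced
    SwFunction("display_server", "application", "control room display", "A", "lowest", "CPU-A1"),
]
if __name__ == "__main__":
    for finding in check_separation(SAMPLE):
        print(finding)
```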

Additionally, requirements could also be developed for the following:

- diversity: functional, equipment, and software

- fault tolerance

- reliability of software (There is disagreement amongst software design experts with respect to quantitative versus qualitative claims for the reliability of software. Consequently, the staff has initiated a program to address software reliability and provide the basis for a regulatory position on this method.)

Since the EPRI RD does contain requirements for digital system engineering and design implementation, the staff intends to use it to assist in the development of requirements and acceptance criteria for the different classes of I&C systems that are important to safety.

I think we can now claim that the better standards, modern tools and platforms, EPRI P&Ls, etc. lead to reductions in CCF potential previously assumed.

[Figure 1. Categories of common mode failures]

[Figure 2. Common cause defence structure]

[Figure 3. System block architecture; block labels recovered from the image: measured variable block, derived variable block, engineered safety features command block, engineered safety features]

[Figure 4. Classification of I&C systems; labels recovered from the image: systems not important to safety, safety related systems, safety systems, safety system support, protection system]

ENCLOSURE 2

STAFF REVIEW OF ALWRs

The staff is reviewing the EPRI RD for the evolutionary and passive ALWRs and two applications for design certification: the GE ABWR and the ASEA Brown Boveri/Combustion Engineering Incorporated (ABB/CE) System 80+.

The Standard Safety Analysis Report (SSAR) submitted for the GE ABWR does not contain sufficient design detail, as required by 10 CFR 52 and clarified by the February 15, 1991, staff requirements memorandum. The level of detail available for review is not adequate for the staff to resolve all safety questions. The staff requested the applicants to provide additional information and will continue to work with the applicants to resolve any open issues.

The prototype testing required for the design certification of the microprocessor based monitoring, control and protection system, in accordance with 10 CFR Part 52, paragraph 52.47(b)(2)(i)(B) and (2)(ii), is currently under review. This item is a major factor in establishing the level of detail required for design certification. Based on the information currently available, the staff believes that prototypes will be needed to demonstrate acceptable performance of new technology.

The staff is also reviewing the SSAR for the ABB/CE System 80+ evolutionary design. The staff's preliminary conclusion is that the ABB/CE System 80+ design submittal is more complete than the other submittal, but additional information is needed for a design certification.

The EPRI RDs contain design process requirements and system requirements beyond current regulatory requirements. The staff will use the EPRI RD to assist in identifying and resolving key issues for both the evolutionary and passive ALWRs. Enclosure 1 discusses these key issues and the development of requirements for digital systems.

During the review process, the staff will inform the Commission of resolution of these issues since they may result in a significant extension to current requirements.

The staff has established a section in the Instrumentation and Control Systems Branch in the Division of Systems Technology, NRR, dedicated to the review of I&C systems of ALWRs. The staff is establishing a multi-disciplinary contractor team with technical expertise and skills to help the staff resolve the diverse and complex ALWR issues related to the I&C systems. As requirements and positions are finalized, they will be integrated into the review process and incorporated in the updated Standard Review Plan (SRP). The Pacific Northwest Laboratories and the Lawrence Livermore National Laboratory will participate in these activities.

Now we have NRC approved platforms that have a comprehensive set of validation tests for the generic platform features.

We now have mature regulatory guidance and industry standards for the design development process.


The NRC staff is also participating in the development and revision of both national and international standards that address the development and implementation of digital computer technology for I&C systems. The staff has members on the working groups for ANSI/IEEE-ANS-7-4.3.2, Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations, and the International Electrotechnical Commission (IEC) Standard 880, Software for Computers in the Safety Systems of Nuclear Power Stations.

The Office of Nuclear Reactor Regulation (NRR) staff has requested the Office of Nuclear Regulatory Research (RES) to provide support in a number of areas of advanced digital I&C systems for passive plants. The results of this effort will also support the staff in reviewing passive ALWRs.

Ditto