ML18145A017

From kanterella
SECY-91-292 - Digital Computer Systems for Advanced Light Water Reactors with Comments
Person / Time
Issue date: 09/16/1991
From: Taylor J
NRC/EDO
To: Curtiss J, Remick F, Rogers K, Selin I
NRC/Chairman, NRC/OCM
Holonich J
References
NUDOCS 9109200242, SECY-91-292


Text

For: The Commissioners
From: James M. Taylor, Executive Director for Operations
Subject: DIGITAL COMPUTER SYSTEMS FOR ADVANCED LIGHT WATER REACTORS

Purpose:

To inform the Commission on the major regulatory issues associated with the application of digital computer technology to instrumentation and control (I&C) systems that are important to safety and the NRC staff's actions to resolve these issues.

These issues include the effect of evaluated experiences, the continuing rapid changes in digital computer technology, and the establishment and maintenance of the new regulatory review process for I&C systems important to safety consistent with Subpart B of Part 52 of Title 10 of the Code of Federal Regulations (10 CFR Part 52).

Background:

The evolutionary and passive advanced light water reactor (ALWR) designs incorporate instrumentation and control (I&C) systems using digital computer technology to implement the monitoring, control and protection functions. The Electric Power Research Institute (EPRI) Utility Requirements Document (RD) also addresses the use of digital computer technology for I&C systems and man-machine interface systems (M-MIS).

To ensure that digital systems are implemented safely in nuclear power plants, the staff is reviewing the designs with an approach that considers existing regulatory requirements, the development of requirements where none exist, the lessons learned in the U.S. and other countries, and the guidelines provided in the EPRI RD.

[Comment: Absence of standards for digital was a concern]

Contact:

M. Chiramal, NRR/DST, 492-0845
J. Gallagher, NRR/DST, 492-0823

NOTE: ENCLOSURE 1 REMOVED TO ALLOW PUBLIC RELEASE OF PAPER

The use of digital computer technology in protection and control systems raises a concern that the software and hardware for these computer systems could be vulnerable to design and programming errors that could lead to safety-significant common mode failures.

[Comment: Lack of knowledge about digital problem areas and associated defensive measures was a concern]

The staff reviewed Chapter 10 of the EPRI RD, "Man-Machine Interface Systems," and concludes that, in general, the EPRI requirements are acceptable from the point of view that they do not violate existing NRC criteria. The EPRI RD provides high-level design goals that address many of the key issues discussed herein. There are, however, certain open issues and confirmatory items that require resolution before the EPRI RD can be considered complete, even at this relatively high level of design requirements.

Significant work remains to resolve all issues such that the ALWR designs can be certified. In reviewing the advanced boiling water reactor (ABWR) design, the staff concluded that the ABWR safety analysis report does not include a sufficiently complete design and does not reference many of the standards included in the EPRI RD. The staff will continue to communicate with the applicant, the General Electric Company (GE), to address these open issues.

Discussion:

EXPERIENCE

There is a wide range of experience with the application of digital computer technology for monitoring, control, and protection systems in various industrial applications; land, sea, and air transportation systems; communication systems; defense systems; fossil power plants; and nuclear power plants.

The most successful digital systems applications have been in industrial processes to automatically control, monitor, and protect major components. Certainly the recent Patriot Missile and telephone system experience demonstrate, however, that these systems can fail.

The U.S. nuclear industry has limited operational experience with digital computer system technology. Core Protection Calculators (CPCs) were reviewed by the NRC in the late 70's and are installed in all later Combustion Engineering (CE) plants.

[Comment: Lack of nuclear-related experience was a concern]

Several U.S. plants have retrofitted digital systems to replace selected analog systems; however, complete replacement of all plant analog systems with digital systems has not been performed.

Plants using safety-related digital computer systems are being designed and constructed in Canada, the United Kingdom, France, and Japan. The NRC staff communicates regularly with these countries to monitor activities involving digital systems applications in these plants. This is especially important given the international nuclear industry's difficulties with implementing computer systems applications that were designed without a structured process and the use of formal verification and validation (V&V) procedures.

[Comment: Lack of structured process (based on accepted standards) was an important concern]


MAJOR REGULATORY ISSUES

Instrumentation and Control (I&C) systems help to ensure that the plant operates safely and reliably by monitoring, controlling, and protecting critical plant equipment and processes. The digital computer based I&C systems for ALWRs differ significantly from the analog systems used in operating nuclear plants. Because of the greater information content of digital signals compared to analog signals and the increased information processing capability of digital equipment compared to analog equipment, the change to digital computer based I&C systems provides the potential for improvements in the safe and reliable operation of nuclear power plants. This potential is achievable through the implementation of highly reliable digital I&C systems for all service conditions of operation of the equipment. This requires special constraints on the system architectural designs and features, and the application of a high level of discipline to the processes associated with the life cycle phases of design, manufacture, installation, operation, maintenance, and modification of the I&C systems.

[Comment: We can now point to the EPRI document and IEC standards as methods to address these special design issues]

Such requirements, however, must allow for flexibility in the application of the evolving digital computer technology.

[Comment: IEC standards have made safety critical design concepts for nuclear I&C mature]

The digital I&C system has a greater degree of sharing of data transmission, functions, and process equipment compared to the analog system. Although this sharing forms the bases for many of the advantages of the digital system, it also raises a key concern with respect to its reliability. The concern is that a design using shared data bases and process equipment has the potential to propagate a common cause or common mode failure of redundant equipment. Another key concern is that software programming errors can defeat the redundancy achieved by the hardware architectural structure.

[Comment: IEEE and IEC standards, EPRI Preventive & Limiting (P&L) measures (see NEI 16-16), and modern development and test tools reduce likelihood of design errors]

The goal of the requirements for the digital I&C systems is to limit the probability of the occurrence of common cause and common mode failures and, since some failures will still occur, limit the extent of loss of functions of the I&C systems. These requirements are in addition to the existing requirements that are based primarily on analog technology. Enclosure 2 discusses these issues and development of requirements for digital systems.

The staff is reviewing the EPRI Utility Requirements Document (RD) for the evolutionary and passive ALWRs and two applications for design certification: the GE ABWR and the ASEA-Brown Boveri/Combustion Engineering, Incorporated (ABB/CE) System 80+.

To review the I&C systems for the ALWRs, the staff is using current regulatory requirements, guides, and industry standards in the SRP, and national and international standards not currently endorsed by the NRC. Information from other elements, such as lessons learned from operational and design experience, participation in codes and standards committees, staying current with evolving technology through technical information exchanges, conferences and meetings, and input from research efforts, will also be integrated into the review of the ABWR, ABB/CE System 80+, and passive ALWRs, as well as the updated SRP. Enclosure 3 discusses additional details of the staff's review efforts.

Conclusion:

There is a general consensus within the international nuclear community that the proper use of digital computer technology in the design of monitoring, control and protection systems will improve the safety and performance of nuclear power plants. The President's Commission on The Accident At Three Mile Island reached a similar conclusion regarding improving the collection and understanding of information on the state of plant processes and equipment and thereby improving the safety and performance of the plant.

[Comment: Now that this has been realized for nuclear industry safety critical systems and processes, can we credit this for a change in the BTP 7-19 diversity/bounding consequence approach.]

Digital computer technology is changing in a way that provides a much wider range of tools to assist in the engineering activities to develop and verify the designs of advanced I&C systems. This change in technology has the potential to provide improved hardware and software to implement the design. The international community is expending a significant amount of resources, most of which are outside the nuclear industry, to formulate guidelines and standards to improve the proper use of this technology.


However, much of this technology is being developed without consensus standards, as the technology available for design is ahead of the technology that is well understood through experience and supported by application standards. This is a challenge to which the NRC must respond, especially in light of the design certification process.

[Comment: Can we credit the advancements in standards and safety critical design features for a change in the BTP 7-19 diversity/bounding consequence approach?]

Enclosure 2 addresses the effect that the use of digital computer technology has on current requirements, which primarily address analog I&C technology. Enclosure 2 describes the need for additional requirements and describes how Chapter 10 of the EPRI RD can provide a frame of reference to assist in developing new requirements and acceptance criteria. The enclosure also proposes a means for reviewing proposed designs and developing requirements and acceptance criteria in an environment of change. A graded set of requirements based on the importance to safety of the functions being performed with respect to reduction in the potential for radiation exposure could be adopted. The functions with the highest level of importance to safety, and thus with the most stringent requirements, are less likely to be affected by equipment changes than those functions with lower levels of importance to safety, such as information systems.

Because of its safety importance, the staff expects to expend the most effort on the modification or development of requirements and acceptance criteria for digital computer technology-based monitoring, control, and protection systems.

Particular emphasis will be placed on defense against propagation of common mode failures within and between functions. In this regard, the staff currently intends to require some level of diversity, such as a reliable analog backup.

The staff shares in the consensus that these I&C systems can improve safety; however, the international operating and regulatory experience, the developmental nature of consensus U.S. standards and the significant interdependence of these systems require that ALWR applicants submit sufficient design information for certification for the staff to ensure that open issues are adequately resolved.

James M. Taylor
Executive Director for Operations

Enclosures:

1. (ENCLOSURE 1 REMOVED TO ALLOW PUBLIC RELEASE)
2. Requirements for Digital Systems
3. Staff Review of ALWRs

DISTRIBUTION:

Commissioners, OGC, OCAA, OIG, GPA, LSS, REGIONAL OFFICES, EDO, ACRS, ACNW, SECY


ENCLOSURE 2

REQUIREMENTS FOR DIGITAL SYSTEMS

PURPOSE

This enclosure discusses the differences between analog and digital instrumentation and control (I&C) systems, the need for requirements for reducing the probability and consequences of common mode failures in digital I&C systems, and a process for developing new regulatory requirements and acceptance criteria.

INTRODUCTION

Instrumentation and Control (I&C) systems help to ensure that the plant operates safely and reliably by:

- monitoring the state of the plant processes and plant equipment to assist the operating staff in making decisions

- controlling plant processes, in both automatic and manual modes

- protecting critical plant equipment to maintain the integrity of barriers to the release of radioactive materials or to control radioactivity releases if one or more of the barriers are breached.

Because of the greater information content in digital signals compared to analog signals and the increased information processing capability of digital equipment compared to analog equipment, the change to digital computer based I&C systems provides the potential for improvements in the safe and reliable operation of nuclear power plants. The use of digital computer technology to provide information to help plant operators prevent or cope with accidents was one of the principal recommendations in the report of the President's Commission on The Accident at Three Mile Island. The realization of this potential is, of course, dependent on the implementation of highly reliable digital I&C systems for all the service conditions of operation of the equipment. The achievement of high levels of reliability for these systems requires special constraints on the system architectural designs and features and a high level of discipline applied to the processes associated with each life cycle phase of the I&C system. However, the requirements for the life cycle phases of design, manufacture, installation, operation, maintenance and modification of these I&C systems must not arbitrarily constrain application of digital computer system technology.

[Comment: The EPRI P&Ls address these concerns with improved design guidance.]

DIFFERENCES BETWEEN THE ARCHITECTURE OF ANALOG AND DIGITAL I&C SYSTEMS

As discussed below, there is a major difference in the optimum architectural configuration of digital computer based I&C systems when compared to analog systems.

[Comment: It should be noted that the conservative D3 assumptions in BTP 7-19 have made I&C architectures more complex and is now the primary driver for I&C architecture designs.]

An analog I&C system is a collection of primarily single parameter configurations. Analog I&C systems usually have direct wire connections between the components that comprise each of these single parameter configurations. These are usually referred to as "hard-wired configurations."

Often the only installed common items between such configurations are the cable routing fixtures and the power supplies for the equipment that make up these configurations.

The processing functions for control algorithms, linearization of sensor measurements, logic relationships, etc., have been traditionally implemented with analog equipment by the use of built-in circuits dedicated to a particular math or logic task. Programming for these functions is usually limited to adjustments in setpoints and pre-selected coefficients by changing potentiometer settings and rearranging highly visible built-in patch connectors. A digital I&C system usually consists of a collection of individual input/output circuit boards connected to the plant equipment (sensors and actuators) through direct wire connections. These boards are connected to a multiplexed data link or data highway so that a single electrical wire or optic fiber carries signals from many sensors, including information about the state of the sensors and actuators and the quality of the signals. This wire or fiber also carries control commands for many separate actuators. This data link or highway is connected to a set of equipment that uses a shared computer that can sequentially perform the algorithmic numerical and logic computations for several controllers according to the inputs from their respective sensors and actuators. The ingress, transmission, and egress of data on the multiplexed data links or data highway is usually controlled by a protocol that within itself has shared functions. Consequently the data link (highway) protocol could result in a high degree of interdependence with respect to the equipment connected to the data link.

The shared computer can be

1) a mini (mainframe) computer that uses a multi-task operating system to perform many processing functions using the application software programs and the same hardware and executive operating system software to control the operation of that hardware, or
2) a set of microcomputers, individually connected to the highway, each running asynchronously using embedded software with limited multi-tasking capability for the operating system and application software modules that may be identical for different redundant hardware sets of equipment.

Consequently, the shared processing equipment can have a wide range of interdependence with respect to the functions performed; i.e., from one computer that performs many functions to separate computers that perform different functions but use common software modules for these separate functions.

[Comment: The EPRI P&Ls address these concerns with improved design guidance.]

POTENTIAL PROBLEM CAUSED BY SHARING RESOURCES

It is this resource sharing that forms the bases for many of the advantages of digital computer technology over analog technology. However, this sharing raises a key concern with respect to the reliability of I&C systems based on digital computer technology. The root cause of this concern is that the use of shared data bases and processing equipment can result in a design that has the potential to propagate a common mode failure of redundant equipment. The resulting loss in functions would be greater than for an analog I&C system, thereby resulting in a system that is less safe than the analog system. That is, the consequences of a common mode failure can be a loss of defense in depth.

Another key concern is that software programming errors can defeat the redundancy achieved by the hardware architectural structure. A software error is a common mode failure that can simultaneously defeat the functioning of all redundant channels or trains of the protection system, even if the protection system design has minimized the sharing of databases and digital processing equipment.

The goal for the requirements is to both limit the probability of the occurrence of common mode failures associated with digital computer technology and, since some failures will still occur, limit the extent of loss of functions in the monitoring, control and safety systems. These requirements are in addition to the existing requirements for I&C systems that are based primarily on analog technology and, therefore, place emphasis on single random failures in hardware and stress incorporation and maintenance of redundancy in equipment. These additional requirements are being developed by the staff for applicability to ALWR designs.

[Comment: Ditto]

The challenge in the achievement of this goal of limiting the occurrences and consequences of common mode failures is to reach the proper balance between control over the extent and means of information sharing and the potentially adverse effects that this control might have on the benefits from the application of digital technology, with its attendant potential for improvements in safety and operation of the plant.

This challenge is further complicated by the duration of the validity of Design Certification that results through compliance with these requirements, vis-a-vis the rapid rate of technology advancements in the electronics and information management fields. Regulatory requirements should not unduly impede the orderly introduction of improved technologies that address the goal for advanced reactor man machine interface (M-MI) systems: to improve the performance of the personnel involved in the operational activities of the plant (operations, maintenance, and surveillance of both plant processes and equipment).

DEFENSE IN DEPTH

The principle of defense in depth is to provide several levels or echelons of defense to challenges to plant safety, so that failures in equipment and human errors will not result in an undue threat to public safety. The echelons of defense provided by M-MI I&C systems are as follows:

1) the monitoring and diagnostic surveillance systems that provide information to the plant operations personnel regarding the state of plant processes and plant equipment

2) the control systems that regulate plant process variables within specified normal ranges

3) the protection systems that place the plant in a safe shutdown condition when specified limits are exceeded

4) the engineered safety features systems that provide essential functions to either maintain the integrity of barriers to the release of radioactive materials or to mitigate the consequences of failures in these barriers in order to control the release of radioactive materials to acceptable limits

The foundational purpose of the requirements for the M-MI I&C system is to achieve an acceptably low probability that common mode failures caused by equipment or people will result in the loss of more than one echelon of defense in depth.

DEFENSE AGAINST COMMON MODE (COMMON CAUSE) FAILURES

The nuclear industry and the staff carefully evaluate and seek ways to improve human activities performed throughout the plant life cycle because such activities are the primary cause of common cause failures. A recent International Atomic Energy Agency (IAEA) safety practices document, Safety Series No. 50-P-1, "Application of the Single Failure Criterion," contains a section in which common cause failures are arranged by category and a general framework is provided to defend against these failures. These categories are identical to those developed by the United Kingdom Atomic Energy Authority (UKAEA) Safety and Reliability Directorate in SRD R 196, "Defenses Against Common-mode Failures in Redundancy Systems." Figure 1 (from IAEA 50-P-1) provides the categories of common mode failures. The percentages given in Figure 1 are obtained from INPO Report 85-027, "Analysis of Root Causes of Significant Event Reports," which presented the analysis of significant event reports for 1983 and 1984. This figure shows that design, maintenance, and operations activities are the major contributors to common cause failures.

The IAEA report contains the following statement:

In the defense against common mode failures, quality, segregation and diversity are of fundamental importance. There are two basic forms of preventing common cause failures in a system: either the causal influences on the system can be reduced, or the ability of the system to resist those influences can be increased. The reduction of causal influences can be related to all the potential causes of failure shown in [Figure 1] and the overall defense strategy can be as shown in [Figure 2].

[Comment: I think we can now claim that the better standards, modern tools and platforms, EPRI P&Ls, etc. lead to reductions in CCF potential previously assumed.]

The various aspects of quality, especially those associated with quality assurance, to provide discipline in the design, manufacture, installation, operation, and maintenance of systems important to safety, assist in minimizing common cause failures due to human error.

[Comment: We now have mature IEEE and IEC standards for the nuclear industry]

The main purpose of segregation is to provide and maintain independence between redundant components so that a common influence cannot cause a common mode failure. Segregation can be regarded as a form of diverse location and environment. Many of the requirements for redundancy are directed to achieving an acceptable degree of segregation to restrict the propagation of failures between redundant channels. Segregation requirements are primarily concerned with the hardware configuration of M-MI I&C systems.

[Comment: Nice twist!]

In addition to quality and segregation, there is a need for adequate diversity in human activities for the M-MI I&C system life cycle phases, and the application of the equipment (hardware and software) used in realizing the M-MIS design. The practice of diversity includes functional diversity, hardware and/or software diversity, and human diversity.

[Comment: Now we have IV&V required]

When diversity is considered for a particular application, care should be exercised to ensure that the diversity actually achieves the desired increase in reliability of the implemented design. If diverse components or systems are used, there should be reasonable assurance that such additions are of overall benefit, taking into account any disadvantages, such as additional complications in operating, maintenance and test procedures, or the consequent use of equipment of lower reliability.

[Comment: The current regulatory approach does not link the required diversity to relevant or important CCF vulnerabilities or consider the downside to diversity of the solution.]

One of the more effective means of achieving diversity is to require some form of diversity between preselected sets of functions (functional diversity) to ensure that common mode failures of M-MIS equipment do not degrade the performance of more than one set of these functions. The concept of functional diversity is discussed in NUREG-0493, "A Defense In-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System," March 1979. In that assessment, the preselected sets of functions were control, including general monitoring functions; reactor trip; and engineered safety features. A block concept was introduced to provide a mechanism for systematically analyzing the effect of common mode failures on the defense in depth of the I&C system. The block concept aggregates the equipment (components and modules) of the system into a manageably small number of functional blocks. The staff chose three such blocks: measured variable, derived variable and command blocks. These blocks provide the equipment structure for the preselected sets of system level functions. The resulting block structure is used for the analysis of the consequences of postulated common mode failures. Figure 3 shows the block structure.

Since its initial introduction, this approach has been refined (on the U.K. Sizewell B design) to provide for some level of diversity within both the reactor trip system and the engineered safety features (ESF). This diversity will provide assurance that common mode failures of software or hardware will not defeat all the reactor trip or ESF functions.

The EPRI ALWR Utility Requirements Document uses a similar approach to establish general requirements that provide some level of protection against common mode failures in major control and monitoring functions and between the reactor trip system and the ESF. EPRI termed this approach segmentation of major functions.
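The two points made above, that a software error common to all redundant channels is a common mode failure that hardware redundancy cannot tolerate, and that diversity between echelons (the reliable analog backup the paper mentions, or the Sizewell B style of diverse trip and ESF logic) keeps a single such error from defeating every function, can be shown with a small simulation. The following Python model is an added illustration and is not from the SECY paper or the EPRI RD; the 2-out-of-4 voting, the setpoint, the channel readings, the constructed scaling defect and all function names are assumptions chosen only to make the failure modes visible.

```python
"""Constructed toy model of a 2-out-of-4 reactor trip vote (added example).
Setpoint, readings, the defect and all names are assumptions, not values
from the SECY paper; they exist only to show the failure modes it describes."""
from typing import Callable, List, Optional, Set

SETPOINT = 2200.0  # constructed trip setpoint, arbitrary pressure units
TripLogic = Callable[[float], bool]


def trip_correct(pressure: float) -> bool:
    """Intended channel behaviour: trip whenever the reading exceeds the setpoint."""
    return pressure > SETPOINT


def trip_with_defect(pressure: float) -> bool:
    """Constructed software defect: the reading is truncated to whole tens of
    units before the comparison, so any value in (2200, 2210) never trips.
    Every channel loaded with this code shares the same blind spot."""
    counts = int(pressure / 10)
    return counts * 10 > SETPOINT


def diverse_backup(pressure: float) -> bool:
    """Diverse implementation standing in for a simple analog comparator.
    It shares no scaling code with trip_with_defect, so it does not share its defect."""
    return (pressure - SETPOINT) > 0.0


def channel_votes(logic: TripLogic, readings: List[float],
                  stuck: Optional[Set[int]] = None) -> List[bool]:
    """Run the same logic on each redundant channel's own sensor reading.
    A channel index in `stuck` models a single random hardware failure
    (that channel's output stuck at 'no trip')."""
    stuck = stuck or set()
    return [False if i in stuck else logic(r) for i, r in enumerate(readings)]


def two_out_of_four(votes: List[bool]) -> bool:
    """Coincidence logic: actuate when at least two of the four channels vote to trip."""
    if len(votes) != 4:
        raise ValueError("2-out-of-4 logic needs exactly four channel votes")
    return sum(votes) >= 2


def protection_trips(readings: List[float], primary_logic: TripLogic,
                     backup_logic: Optional[TripLogic] = None,
                     stuck: Optional[Set[int]] = None) -> bool:
    """Primary system: four redundant channels running primary_logic, voted 2oo4.
    Optional diverse echelon: a second 2oo4 vote running backup_logic on the
    same readings; the plant trips if either echelon trips."""
    primary = two_out_of_four(channel_votes(primary_logic, readings, stuck))
    if backup_logic is None:
        return primary
    return primary or two_out_of_four(channel_votes(backup_logic, readings))


if __name__ == "__main__":
    # Constructed readings: all four channels sit just above the setpoint.
    readings = [2205.0, 2204.0, 2206.0, 2205.5]
    # Redundancy handles a single random hardware failure (channel 1 stuck): trips.
    print("correct code, one stuck channel:",
          protection_trips(readings, trip_correct, stuck={1}))
    # The same defect in all four channels is a common mode failure: no trip.
    print("identical defective code, all channels healthy:",
          protection_trips(readings, trip_with_defect))
    # A diverse backup that does not share the defect restores the trip function.
    print("defective primary plus diverse backup:",
          protection_trips(readings, trip_with_defect, diverse_backup))
    # The backup must not introduce spurious trips below the setpoint.
    print("below setpoint, both echelons:",
          protection_trips([2150.0] * 4, trip_with_defect, diverse_backup))
```

The model makes the paper's distinction concrete: the existing single-failure requirements (redundancy plus 2oo4 coincidence) cover the stuck channel, but every identical channel fails together on the same input when the defect is in the shared software, and only an implementation that does not share that code path recovers the function. It also shows the cost side the text raises, since any diverse echelon has to be checked for spurious actuation as well as for coverage.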

In addition to the above, the staff is considering the following M-MIS regulatory requirements:

1) Requirements for the engineering activities that are used for the development of the design, manufacture, installation, operation and maintenance features of the man machine interface systems, with emphasis placed on reduction in the probability of common mode failures, and
2) Requirements for the implementation of the design, with emphasis on the hardware and software architectural configurations (including diversity) used to reduce the probability of the occurrence or propagation of common mode failures

SAFETY CLASSIFICATION OF I&C SYSTEMS

The present method for safety classification of I&C systems and equipment is highly deterministic in that, with a few exceptions, the I&C systems are either members of the protection system or not members, and the equipment is either Class 1E or non-safety grade.

This classification method has two major problems:

1) I&C equipment not included in the protection system is considered as non-safety equipment, although operating experience has shown it to be quite important with respect to the safe operation of the plant. Many events that resulted in a significant deterioration in the echelons of defense in depth have occurred because of failures or misoperation of equipment in monitoring or control systems that are outside of the protection systems.

2) All I&C equipment considered important to safety is also considered as part of the protection system and, therefore, must meet the criteria for protection systems as stated in IEEE-279 (10 CFR 50.55a(h)). This means that the equipment used in these systems must be Class 1E, independent of the level of importance to safety of the function performed by that system. The result can be a potentially significant first cost and overhead cost burden on utilities without the accompanying benefit justification and consequently lead to the exclusion of equipment and systems that could contribute to an improvement in plant safety. The problem with such a limited classification method was a subject of both the findings and the recommendations in the President's Commission report on The Accident at Three Mile Island.

The Institute of Electrical and Electronic Engineers (IEEE) Nuclear Power Engineering Committee (NPEC) had initiated activities in the U.S. to develop a new classification method for I&C systems and equipment important to safety. This classification method was based on graded requirements commensurate with the importance of the involved safety function (similar to that for mechanical equipment). These activities were terminated because of what appeared to be two major concerns by the IEEE NPEC members. One was the perception of a resultant significant increase in the complexity and number of items and, therefore, the overhead burden, for the plant I&C equipment list covered by the requirements of 10 CFR 50, Appendix B. The second was the conviction that, since there is no quantitative measure for level of importance to safety or an agreement between industry and the NRC with respect to meaningful differences in EQ (equipment qualification) and QA requirements for different levels of importance to safety, any equipment added to this graded classification would, in effect, be considered by the NRC as Class 1E, with the attendant significant increase in life cycle costs.

The international situation is different. In 1984, the IAEA issued Safety Guide 50-SG-D8, "Safety-Related Instrumentation and Control Systems for Nuclear Power Plants," which recommended that all plant I&C systems important to safety be placed in one of three categories according to their importance to safety. The requirements for these systems are to be based on their importance to safety as established by these three categories. This safety guide, together with Safety Guide 50-SG-D3, "Protection Systems and Related Features in Nuclear Power Plants," establishes distinctions between the safety systems (i.e., those systems provided to assure the safe shutdown of the reactor and heat removal from the core and to limit the consequences of anticipated operational occurrences and accident conditions) and safety related I&C systems (i.e., those systems important to safety that are not included in the safety systems).

Figure 4 depicts the relationship between these systems. Of special interest for the use of this approach in the design of the M-MIS are the graded requirements for reliability, equipment qualification, testing, design, and qualification (V&V) of software for computer and multiplexed systems, and the reliability of the computer and multiplexed systems based on the importance of the associated safety functions.

The methodology used for determining the importance to safety of a particular I&C system is based on the methodology in the IAEA Safety Guide 50-SG-D1, "Safety Functions and Component Classification for BWR, PWR and PTR." In this methodology, safety functions are ranked in order of importance by the combination of:

1) the consequence of failure of that safety function (based on magnitude of potential increase in radiation exposure upon failure of that safety function), and
2) the probability that the safety function would be required.

The assignment of safety class design requirements for the equipment that performs the safety function needs a third factor that accounts for the confidence that the safety system(s) will perform as expected. That is:


3) the probability that the safety function would not be accomplished when required.

The product of these three factors must be acceptably low for all I&C systems that are important to safety. IAEA Safety Guide D8 has further subdivided this third factor to include specific factors that deal with alternative actions for accomplishing the safety function and time considerations for initiation of the safety function and for reconfiguration or repair of safety systems and equipment. Safety Guide D8 also includes general guidance for key design requirements as they relate to three categories of importance to safety: highest, intermediate, and lowest.
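The three-factor ranking above can be made concrete with a small model. The following Python is an added illustration, not part of this paper, the IAEA guides or the EPRI document; the consequence weights, the acceptable value of the product, the category boundaries, the multiplicative credit for an alternative action and the sample safety functions are all constructed assumptions. It orders functions by factors 1 and 2, derives from the acceptable product the reliability (factor 3) that each function must achieve, assigns one of the three categories on that basis, and then checks whether a design's achieved probability of failure, with or without credit for an alternative action available in time, keeps the product acceptably low.

```python
from dataclasses import dataclass
from typing import Optional

# Factor 1: consequence of failure of the safety function. The weights stand in for the
# magnitude of the potential increase in radiation exposure and are constructed for this
# example, not taken from the IAEA guides.
CONSEQUENCE_WEIGHT = {
    "significant_release": 1.0,
    "limited_release": 1e-2,
    "negligible_release": 1e-4,
}

# Constructed target for the product of the three factors ("acceptably low"), and
# constructed category boundaries on the probability of failure on demand a function
# must achieve. Both are assumptions for the example.
ACCEPTABLE_PRODUCT = 1e-4
CATEGORY_BOUNDS = (("highest", 1e-3), ("intermediate", 1e-1))


@dataclass
class SafetyFunction:
    name: str
    consequence: str                         # factor 1: key into CONSEQUENCE_WEIGHT
    p_demand: float                          # factor 2: probability the function is required (per year)
    pfd_primary: float                       # factor 3: probability the system fails when required
    pfd_alternative: Optional[float] = None  # failure probability of an alternative means, if any
    alternative_in_time: bool = False        # the alternative can act within the time available


def rank_key(sf):
    """Factors 1 and 2 combined; this is what orders safety functions by importance."""
    return CONSEQUENCE_WEIGHT[sf.consequence] * sf.p_demand


def required_pfd(sf):
    """Largest factor 3 that still keeps the product at or below ACCEPTABLE_PRODUCT."""
    return min(1.0, ACCEPTABLE_PRODUCT / rank_key(sf))


def category(sf):
    """Assign one of the three categories from the reliability the function demands."""
    req = required_pfd(sf)
    for name, bound in CATEGORY_BOUNDS:
        if req <= bound:
            return name
    return "lowest"


def achieved_pfd(sf, credit_alternative=True):
    """Factor 3 as achieved by a design. An alternative action is credited only when it
    exists and can be completed in time; the multiplicative treatment (both the primary
    system and the alternative must fail) is an assumption of this example."""
    if credit_alternative and sf.pfd_alternative is not None and sf.alternative_in_time:
        return min(1.0, sf.pfd_primary * sf.pfd_alternative)
    return sf.pfd_primary


def meets_target(sf, credit_alternative=True):
    """True when the product of the three factors is acceptably low for this design."""
    return rank_key(sf) * achieved_pfd(sf, credit_alternative) <= ACCEPTABLE_PRODUCT


def classify_all(functions):
    """(name, category, meets_target) for each function, most important first."""
    ordered = sorted(functions, key=rank_key, reverse=True)
    return [(sf.name, category(sf), meets_target(sf)) for sf in ordered]


# Constructed sample functions; the numbers are illustrative assumptions.
REACTOR_TRIP = SafetyFunction("reactor trip", "significant_release", 1.0, 5e-5)
CONTROL_ROOM_DISPLAY = SafetyFunction(
    "control room process display", "limited_release", 0.3, 5e-2,
    pfd_alternative=1e-3, alternative_in_time=True)  # automatic protection backs the operator up
TREND_LOGGING = SafetyFunction("process computer trend logging", "negligible_release", 0.2, 0.1)

if __name__ == "__main__":
    for row in classify_all([TREND_LOGGING, CONTROL_ROOM_DISPLAY, REACTOR_TRIP]):
        print(row)
```

The control room display case mirrors the argument made later in this paper: its software alone does not meet the constructed target, but crediting the automatic protection system as an in-time alternative action does, which is why a less complete V&V program can be acceptable for that echelon.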

The International Electrotechnical Commission (IEC), Subcommittee 45A, Reactor Instrumentation, is developing an international standard, "The Classification of Instrumentation and Control Systems Important to Safety for Nuclear Power Plants," which is based on IAEA Safety Guide D8.

The IEC standard presents the following:

1) A definition of the three categories of importance to safety of functions and the associated systems and items of equipment
2) Criteria for assignment of functions and associated systems and items of equipment to one of the three categories and a procedure for performing this assignment
3) Key requirements for the functions and associated systems and items of equipment important to safety for each of the three categories. These requirements are the design criteria for assuring functionality, performance, reliability, environmental durability and quality assurance of the functions and associated systems and items of equipment.

The need for a graded safety classification of I&C digital based systems is addressed by several of the requirements given in Chapter 10, "Man-Machine Interface Systems," of the EPRI Utility Requirements Document. For example, subsection 6.1.3.14 contains the following statement:

The M-MIS functions of protection, control, alarm, and display shall be based on digital technology (instrument display formats and sensor signal conditioning exempted). This technology shall have the following characteristics [three of which were selected for this example]:

- software shall be capable of being verified and validated

- a standard software structure shall be used in all processors which provide RPS or safety system functions

- a continuous-loop, non-interruptible software structure is preferred

Experience has shown that V&V of software has several levels of completeness that are dependent, amongst other factors, on the design attributes and operating characteristics of the computer system that the software resides in. Mainframe systems that require multitasking to be effective cannot be verified to the same level of completeness as distributed microprocessor systems that use the preferred software structure cited above. Consequently, the assurance of reliability for the achievement of a safety function is not as high for a mainframe based system when compared to a microprocessor based system (the probability that the safety function would not be performed is higher for the mainframe system). One would, therefore, expect requirements for both deterministic hardware and software structures for I&C systems associated with safety functions whose consequence of failure would be either a significant release of radioactivity or a lower level of release but with a higher probability of occurrence.

[Comment: NRC-approved platforms are deterministic, yet no benefit from this fact in the treatment of assumed CCF is afforded in BTP 7-19.]

Control room displays also perform a safety function. They assist the operator in monitoring plant operation to ensure that process variables are being maintained within the limits assumed in the safety analysis of the plant.

However, the failure of the control room displays is of lesser consequence because of the functions of the automatic protection systems. Therefore, the degree of completeness one normally expects to get from a V&V program for software resident in a multitasked based mainframe (mini) computer system, commonly used for the control room displays, would be acceptable.

REQUIREMENTS FOR ENGINEERING ACTIVITIES

The requirements the NRC presently uses to determine the acceptability of an I&C design for a system or component that is important to safety concentrate primarily on the implementation of the design. For matters related to the design process, reliance is placed on references to more general requirements generated from 10 CFR 50, Appendix B, quality assurance criteria. There are also some specific requirements for the qualification of equipment, seismic testing, and the reference to the V&V process in the ANSI/IEEE computer standards.

In contrast, Chapter 10 of the EPRI Utility Requirements Document contains policy statements that form the basis for requirements for both the design of the ALWR M-MIS and the process by which this design is achieved. These statements are directed to the production of a quality design, provided that the accompanying requirements and appropriate acceptance criteria are met.

The policy statements specifically address the design process for those aspects of the design that can reduce the probability of human error, if properly specified. The human factors engineering activities include task analysis for selection and allocation of tasks between human and machine, including the appropriate level of automation for each monitoring, control, and protection function.

The following are important requirements for controlling the engineering activities that follow from these policy statements:

- discipline in the design process

- verification & validation of common mode failure prone design activities (such as software development)

- diversity of skills within specified engineering teams

- documentation and configuration management

- testing, both as part of the design process (rapid prototyping) and for qualification of equipment

- the use of formal methods to specify the software functional requirements

- the use of automatic tools for both design and V&V

The requirements in the EPRI document address a range of topics governing engineering activities. However, staff review of the document finds that it does not define the acceptance criteria needed to determine if these requirements have been properly implemented.

REQUIREMENTS FOR DESIGN IMPLEMENTATION

The requirements presently referenced in the standard review plan address primarily the single failure criteria and redundancy. Therefore, new requirements are needed to address the potential common mode failure sources that are more likely to exist in digital I&C systems. In some cases, additional requirements may be needed to clarify existing requirements in order to cover features of digital computer technology.

The sources of major complexities in the requirements for digital I&C systems arise from the additional configuration dimensions dealing with the system software structures (which are in addition to the hardware structures) and the need for separation between redundant function sets (because of the increased emphasis on common mode failures).

Several organizations are developing requirements for separation between redundant function sets. The EPRI document addresses segmentation of major control and monitoring functions and other design features that reduce the probability of common mode failures. As discussed previously, NUREG-0493 presents guidelines for functional diversity between different echelons of defense in depth to address common mode failures. A consensus agreement on the types of diversity that achieve acceptable separation in the context of the different potential sources of common mode failures has not yet been achieved.

While requirements have also been developed that address specific aspects of the software structure that are potential sources of common mode failure (for example, IEC 880, "Software for Digital Computers in Safety Systems," recommends against the use of operating systems, interrupts, etc.), there has been almost no development of requirements for system software architecture.

Furthermore, the requirements addressing the system hardware architecture are almost totally from the view of independence between redundant channels or trains.

A requirement could call for a set of diagrams of system software architecture that would show the software functional configurations at the subsystem level, with designators as to the particular category of software used to perform each function, that is: operating system software, application specific software, or embedded software. This software functional configuration could show not only the software directly associated with the monitoring, control or safety functions, but also the software support functions needed to operate the application software functions or to transfer data between subsystems. A mapping of the system software architecture into the system hardware architecture could show any overlap of software functions within hardware modules, and thereby identify areas where separation of functions for protection against potential common mode failures may not have been maintained.

[Comment: IEC 60880 and other companion standards have matured and been used for the design of global-based I&C platforms for nuclear.]
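One way to perform the software-to-hardware mapping described above, as an added example that is not the staff's method or any standard's: a small Python model of software elements (each tagged with its software category, its echelon, the redundant channel it belongs to, and the support software it depends on) and of the hardware modules they reside in. The element and module names, the echelon labels and the three checks are constructed for this example. The checks flag hardware modules hosting software from more than one redundant channel, support software (an operating system, a data link) that more than one channel depends on, and modules where protection and control echelon software overlap.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwareElement:
    name: str
    category: str           # "operating_system", "application" or "embedded"
    echelon: str            # "protection", "control", "monitoring" or "support"
    channel: str            # redundant channel/train, or "common" for shared software
    depends_on: tuple = ()  # names of support software this element needs in order to run


def check_hardware_separation(modules, elements):
    """Flag a hardware module that hosts software from more than one redundant channel."""
    findings = []
    for module, hosted in modules.items():
        channels = {elements[n].channel for n in hosted} - {"common"}
        if len(channels) > 1:
            findings.append(("shared_hardware", module, tuple(sorted(channels))))
    return findings


def check_software_separation(elements):
    """Flag a software element that more than one redundant channel depends on:
    a shared operating system or data-transfer element is a common mode path."""
    dependents = defaultdict(set)
    for el in elements.values():
        for dep in el.depends_on:
            dependents[dep].add(el.name)
    findings = []
    for el in elements.values():
        channels = {elements[d].channel for d in dependents[el.name]}
        channels.add(el.channel)
        channels.discard("common")
        if len(channels) > 1:
            findings.append(("shared_software", el.name, tuple(sorted(channels))))
    return findings


def check_echelon_separation(modules, elements):
    """Flag a hardware module where protection and control echelon software overlap."""
    findings = []
    for module, hosted in modules.items():
        echelons = {elements[n].echelon for n in hosted}
        if {"protection", "control"} <= echelons:
            findings.append(("mixed_echelons", module, ("control", "protection")))
    return findings


def analyze(modules, elements):
    """All separation findings for the mapping, as sorted (kind, where, detail) tuples."""
    return sorted(check_hardware_separation(modules, elements)
                  + check_software_separation(elements)
                  + check_echelon_separation(modules, elements))


# Constructed sample architecture (names and placement are assumptions for the example).
ELEMENTS = {el.name: el for el in [
    SoftwareElement("rtos-A", "operating_system", "support", "A"),
    SoftwareElement("rtos-B", "operating_system", "support", "B"),
    SoftwareElement("rtos-C", "operating_system", "support", "C"),
    SoftwareElement("trip-logic-A", "application", "protection", "A", ("rtos-A", "gateway")),
    SoftwareElement("trip-logic-B", "application", "protection", "B", ("rtos-B", "gateway")),
    SoftwareElement("trip-logic-C", "application", "protection", "C", ("rtos-C", "gateway")),
    # channel D trip logic consolidated onto channel C's processor and operating system
    SoftwareElement("trip-logic-D", "application", "protection", "D", ("rtos-C", "gateway")),
    # channel D ESF actuation placed on the multitasking plant control computer
    SoftwareElement("esf-actuation-D", "application", "protection", "D", ("os-multitask",)),
    SoftwareElement("feedwater-control", "application", "control", "common", ("os-multitask",)),
    SoftwareElement("os-multitask", "operating_system", "support", "common"),
    SoftwareElement("gateway", "embedded", "support", "common"),  # data link to the displays
]}

MODULES = {
    "RPS-A-CPU": {"rtos-A", "trip-logic-A"},
    "RPS-B-CPU": {"rtos-B", "trip-logic-B"},
    "RPS-C-CPU": {"rtos-C", "trip-logic-C", "trip-logic-D"},
    "CTRL-CPU": {"os-multitask", "feedwater-control", "esf-actuation-D"},
    "MUX-1": {"gateway"},
}

if __name__ == "__main__":
    for finding in analyze(MODULES, ELEMENTS):
        print(finding)
```

On the sample, the mapping surfaces four places where separation has not been maintained: two redundant channels on one processor, an operating system instance shared by those channels, a data link that all four channels depend on, and protection logic co-located with a control function on a multitasking computer. Each is a candidate common mode failure path that the hardware architecture alone, viewed only as channel independence, would not show.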

The system software architecture can also be used in developing requirements for software structures, similar to the use of the system block architecture in Figure 3 to develop the guidelines for the blocks shown in that diagram.

Additionally, requirements could also be developed for the following:

- diversity: functional, equipment, and software

- fault tolerance

- reliability of software (There is disagreement amongst software design experts with respect to quantitative versus qualitative claims for the reliability of software. Consequently, the staff has initiated a program to address software reliability and provide the basis for a regulatory position on this method.)

Since the EPRI RD does contain requirements for digital system engineering and design implementation, the staff intends to use it to assist in the development of requirements and acceptance criteria for the different classes of I&C systems that are important to safety.

[Comment: I think we can now claim that the better standards, modern tools and platforms, EPRI P&Ls, etc. lead to reductions in CCF potential previously assumed.]

[Comment: COMMON CAUSE FAILURE]

[Figure 1. Categories of common mode failures. Figure 2. Common cause defense structure.]

[Block diagram (Figure 3): derived variable blocks, engineered safety features blocks, command block.]

[Figure 4: systems not important to safety; safety related systems; safety systems (safety system support, protection system).]

ENCLOSURE 2

STAFF REVIEW OF ALWRs

The staff is reviewing the EPRI RD for the evolutionary and passive ALWRs and two applications for design certification: the GE ABWR and the ASEA Brown Boveri/Combustion Engineering, Incorporated (ABB/CE) System 80+.

The Standard Safety Analysis Report (SSAR) submitted for the GE ABWR does not contain sufficient design detail, as required by 10 CFR 52 and clarified by the February 15, 1991, staff requirements memorandum. The level of detail available for review is not adequate for the staff to resolve all safety questions. The staff requested the applicants to provide additional information and will continue to work with the applicants to resolve any open issues. The prototype testing required for the design certification of the microprocessor based monitoring, control and protection system, in accordance with 10 CFR Part 52, paragraph 52.47(b)(2)(i)(B) and (2)(ii), is currently under review. This item is a major factor in establishing the level of detail required for design certification. Based on the information currently available, the staff believes that prototypes will be needed to demonstrate acceptable performance of new technology.

[Comment: Now we have NRC approved platforms that have a comprehensive set of validation tests for the generic platform features.]

The staff is also reviewing the SSAR for the ABB/CE System 80+ evolutionary design. The staff's preliminary conclusion is that the ABB/CE System 80+ design submittal is more complete than the other submittal, but additional information is needed for a design certification.

The EPRI RDs contain design process requirements and system requirements beyond current regulatory requirements. The staff will use the EPRI RD to assist in identifying and resolving key issues for both the evolutionary and passive ALWRs.

[Comment: We now have mature regulatory guidance and industry standards for the design development process.]

Enclosure 2 discusses these key issues and the development of requirements for digital systems. During the review process, the staff will inform the Commission of resolution of these issues since they may result in a significant extension to current requirements.

The staff has established a section in the Instrumentation and Control Systems Branch in the Division of Systems Technology, NRR, dedicated to the review of I&C systems of ALWRs. The staff is establishing a multi-disciplinary contractor team with technical expertise and skills to help the staff resolve the diverse and complex ALWR issues related to the I&C systems. As requirements and positions are finalized, they will be integrated into the review process and incorporated in the updated Standard Review Plan (SRP).

The Pacific Northwest Laboratories and the Lawrence Livermore National Laboratory will participate in these activities.

Enclosure 3 (Continued)

[Comment: Ditto]

The NRC staff is also participating in the development and revision of both national and international standards that address the development and implementation of digital computer technology for I&C systems. The staff has members on the working groups for ANSI/IEEE-ANS-7-4.3.2, Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations, and the International Electrotechnical Commission (IEC) Standard 880, Software for computers in the safety systems of nuclear power stations.

The Office of Nuclear Reactor Regulation (NRR) staff has requested the Office of Nuclear Regulatory Research (RES) to provide support in a number of areas of advanced digital I&C systems for passive plants. The results of this effort will also support the staff in reviewing passive ALWRs.