ML19345G848

Discusses Wj Dircks 810119 Ltr to ACRS Re Nuclear Data Link. Nuclear Data Link Concept Implementation Cost Too High to Be Practical
Person / Time
Site: Arkansas Nuclear
Issue date: 03/11/1981
From: Bickel J
AFFILIATION NOT ASSIGNED
To: Dircks W
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
Shared Package
ML19345G845 List:
References
NUDOCS 8104220502


Text

Dr. John H. Bickel, Ph.D.

- NUCLEAR SAFETY ENGINEER -

7416 HAMILTON ST., ANNANDALE, VIRGINIA 22003

March 11, 1981

Mr. William J. Dircks, EDO
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Re: The Proposed Nuclear Data Link

Reference: William J. Dircks letter to Dr. J. Carson Mark, ACRS, dated 1/19/81

Dear Mr. Dircks:

As a former ACRS Fellow, I was recently supplied a copy of your letter to ACRS Chairman, Dr. Mark, regarding the Nuclear Data Link. I was asked by several of the ACRS Members to look into the proposed NDL in the Spring of 1980 due to my prior experience in similar systems. (Prior to my two year appointment as an ACRS Fellow in Washington, I was involved in the design and testing of the ANO-2 digital computer based Core Protection Calculator as a Senior Engineer with Combustion Engineering, the ANO-2 NSSS vendor.)

It was with this experience still quite fresh in my mind that I undertook a limited review of the NRC's proposed NDL at the request of Dr. Bill Kerr.

In a memo I issued at the time, I pointed out the following items to the ACRS:

i) There would be minimal safety impact provided that all signals were exclusively from non-safety related systems and that appropriate attention be given to assuring signal separation and isolation.

ii) I pointed out that the initial cost estimate of only about $25 million was "pie in the sky." When the final costs were in, the final pricetag could likely be $100 million to $250 million. This was because the software costs would be the most difficult to define and that any time any revision was requested the software vendors would likely jack up their costs substantially. This was based on prior experience with software based systems where I had observed similar trends.

iii) I was skeptical at the time whether expenditures of such a large sum for the NDL might end up diverting scarce funds in the NRC away from more urgent priorities.

iv) Of greatest concern I noted the fact that increased NRC involvement in day to day utility operations did not axiomatically imply better protection of the public.

At a later date, as the preliminary NDL design specifications were developed by SANDIA, I became aware of the fact that an unbelievably extensive interface was being planned not only with signals from the Reactor Protection System (RPS) but with the Emergency Core Cooling Systems (ECCS) as well. The magnitude of these interfaces differed in scope from any that have ever been found in the past. I was surprised upon finding out that so many of the same NRC personnel in the Electrical Instrumentation and Control Systems Branch (EICSB) who were directly involved in establishing Position # 20 in the ANO-2 Safety Evaluation Report (which absolutely forbid a digital data link between a non-safety grade computer and a safety system) were now actively involved in "specifying" a digital data link for NRC's exclusive use.

In your letter to Dr. Mark you have attempted to establish the case that the NDL is in fact different from the data link at ANO-2. While I believe the Staff would like people to believe this point, I must respectfully disagree and I will point out specifically why.

Your letter states: "the principal concerns at ANO Unit 2 regarding the interconnection of the plant computer (a non-seismic system) with the Core Protection Calculator (or CPC, a portion of the Class 1E protection system) was the planned periodic recalibration of the CPC set points using data from the plant process computer. The proposed technique had the potential of directly impairing the integrity of the protection system." I would request that you have someone in the EICSB dig out the transcripts of the ACRS Subcommittee meeting on ANO-2, held in March of 1978. If you take a look you will find that the licensee had already agreed not to utilize this feature and would remove the software to accomplish it. Thus the point you raised regarding automatic generation and transmittal of setpoints was moot at the time. The licensee had appealed (several times, unsuccessfully) to be permitted to use the data link solely as an informational device for the operators. In reviewing the transcripts of the meeting you will find a consultant from ORNL, retained by the NRC Staff, objected to even this usage based on the premise of "adverse functional feedback", a new term that was coined at the meeting. The Staff was afraid that the data link might provide the operator with information that might lead him to perform an incorrect action. Additionally the Staff raised the question of increased design complexity without any improvement in the reliability of the safety systems the data links were hooked up to. The question of signal isolation, while important, was not the real basis of the NRC's objections to the system. I believe it is safe to say that this question of not allowing the operator to have information about how his system was running bothered a lot of the people present at the meeting. Ron Naventi, of the NRC Staff, defended the NRC position, stating that with the advent of the computer based protection systems, NRC had gone back and rethought the intent of GDC-24. Their new interpretation of GDC-24 made the data link or any other data link unacceptable from a safety point of view.

Based on this unusual set of circumstances, I informed Dr. Kerr and several members of the ACRS that there were some unusual inconsistencies. On the one hand, the NRC refused to allow a data link that a licensee desired because they said it violated the intent of GDC-24, added new design complexity without reliability improvement, introduced additional failure modes not originally present in existing equipment, and provided a potential source for "Adverse Functional Feedback". On the other hand, NRC in NUREG-0696 is now absolutely requiring a far much more complex data system than that proposed by ANO-2. The stated purpose of this data link (the NDL) is to specifically allow NRC to have information that they won't let the operators have (for fear they might misuse it), so that NRC can direct utility management to take certain actions during future emergencies. Either the Staff's position forbidding ANO-2's data link was wrong (and they should be allowed to use it) or the Staff's new position requiring a much more complex data link is wrong. Discounting the persistent jokes one hears about "why should you expect NRC to be consistent?", logic demands that both positions cannot be simultaneously correct.

Your letter points out that the NDL is not intended for interfering with reactor operations (of course ignoring the non-trivial effort involved in installing it). You state: "... the NRC plan clearly states that the licensee has the responsibility for taking appropriate actions within the facility in an emergency. The NRC will consult with and provide advice or recommendations to licensees only through appropriate licensee management." While I'm certain everybody within NRC has memorized this line, anyone seriously believing it ought to have their head examined. If an electric utility came in and said they should be allowed to do something (like install a DC Bus Tie Breaker) because they will not permit anyone to misuse it and they will say so in their plant procedures, do you doubt that the NRC would laugh them out of town?

I heard Vic Stello at the October ACRS meeting state that he thought everyone was too concerned about NRC trying to run nuclear power plants from Washington. He said this was ridiculous and NRC would never think of such a thing. Yes, it is ridiculous, but only two weeks later meeting with him privately in his office one morning, he asserted to me that if he had an NDL he would have prevented TMI, by ordering the control room operators to put the HPSI pumps back into service. In one particular case he might improve a situation but in others he might make them far far worse. It also doesn't take a whole lot of imagination to envision a utility (hooked up to the NDL) waiting too long to take some emergency action because they were afraid of having the NRC slap them with a $500 thousand fine so they waited for NRC's concurrence.

In summary, based on existing practice there is strong justification for scrapping the whole concept of the NDL and all the hardware necessary to support it (e.g.: TSCs, EOFs, etc.). When one realizes what it actually is going to cost both the government and the utility companies (and in the end the American public) to implement the NDL, one realizes we are talking of at least several billion dollars by the time we are finished. This large sum of money is going to be diverted away from areas of undoubtedly greater need to make a large number of complex wiring modifications in the process signal wiring of all nuclear power plants. The wiring changes clearly amount to "gutting" large portions of existing I & C systems. The private sector utilities who are already overloaded with existing backfit requirements (not all of which have been examined for their safety impacts) are about to be swamped with wiring changes of an unprecedented level. Not only is there no guarantee that all of these modifications are going to do anything to make a substantial safety improvement, there is an appreciable risk that the complexity and magnitude of these changes (and the duress of meeting the compliance schedules) actually serves to reduce overall safety. As I ponder these items I unfortunately must realize that President Reagan's supposedly simplistic belief that: "Too much Big Government and all their capricious inane regulations can actually be dangerous." -- would seem to have a good basis in fact.

Best Regards,

John H. Bickel, Ph.D.