ML20035D821
| Field | Value |
|---|---|
| Accession number | ML20035D821 |
| Issue date | 10/09/1992 |
| From | Advisory Committee on Reactor Safeguards |
| To | Advisory Committee on Reactor Safeguards |
| References | ACRS-2850, NUDOCS 9304140048 |
Text
10/9/92

ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
COMPUTERS IN NUCLEAR POWER PLANT OPERATIONS SUBCOMMITTEE
MEETING MINUTES
SPECIAL INTERNATIONAL MEETING
SEPTEMBER 22, 1992
BETHESDA, MARYLAND

INTRODUCTION:
The ACRS Subcommittee on Computers in Nuclear Power Plant Operations held a meeting on September 22, 1992, in Room P-110, 7920 Norfolk Avenue, Bethesda, Maryland, to hear from invited representatives from the international community on the subject of advances in computer-based reactor instrumentation and control (I&C) systems. The entire meeting was open to public attendance. Mr. S. Duraiswamy was the cognizant ACRS staff engineer for this meeting. The presentation schedule for the meeting is attached. The meeting was convened at 8:30 am and adjourned at 4:45 pm.
ATTENDEES:

ACRS
H. Lewis, Chairman
J. Carroll, Member
T. Kress, Member
W. Lindblad, Member
C. Michelson, Member
C. Wylie, Member
W. Kerr, Consultant
S. Duraiswamy, ACRS staff
D. Coe, ACRS staff

The principal presenters were:

INTERNATIONAL INDUSTRY
P. Van Gemst, ABB Atom AB
G. Guesnier, Electricite de France
A. Parry, Framatome
R. Olmstead, Atomic Energy Canada Ltd.
K. Sullivan, Siemens Power Corp.
T. Ichimura, Japan Atomic Power Corporation
T. Shirakawa, Tokyo Electric Power Company
I. Smith, AEA Technology
R. White, Nuclear Electric

NRC
M. Chiramal, NRR

A complete attendance list is included in the attachment.
Minutes of ACRS Subcommittee on Computers in NPP Operations, September 22, 1992

Chairman's Opening Remarks

Dr. Lewis, the Subcommittee Chairman, convened the meeting at 8:30 am and stated that the purpose of the meeting was to hear presentations by and hold discussions with representatives of the international nuclear power industry regarding their experiences and views related to the application of digital technology to the instrumentation, control, and protection systems of nuclear power plants.
There were no written comments or requests for time to make oral statements received from members of the public.
PRESENTATIONS OF INVITED INTERNATIONAL SPEAKERS

ASEA BROWN BOVERI, Mr. P. van Gemst, ABB Atom AB

Mr. van Gemst discussed ABB's introduction of digital I&C technology to nuclear power plants, and current I&C systems for their Process Inherent Ultimate Safety (PIUS) and BWR 90 designs.
He said that late in the 1970s, ABB did not consider digital technology sufficiently advanced to use in nuclear plant control and protection systems.
However, implementing a planned, progressive strategy, ABB first developed and applied digital I&C to BWR waste processing systems in the early 1980s. Building upon this experience and that gained from ABB non-nuclear digital applications, in the mid-1980s ABB employed digital systems in BWR feedwater, reactor power, turbine control, and in Class 1E neutron flux monitoring instrumentation systems.
Currently, ABB has designed its BWR 90 and PIUS plants with completely digital I&C systems.
Other key points noted during this discussion included the following:
Standards

The ABB design philosophy uses "off-the-shelf" digital technology, both hardware and software, which has been in non-nuclear commercial use. This technology is then refined and improved to qualify for nuclear-related applications.
The system is designed using modularity (both hardware and software) to limit complexity.
The new ABB plants are designed to meet the provisions of the International Electrotechnical Commission (IEC) standards, and not the U.S. Code of Federal Regulations (CFR) and Institute of Electrical and Electronics Engineers (IEEE) standards, which have been used historically.
In addition, the Title 10 CFR Single Failure Criterion is being replaced, for certain classes of safety equipment, by a European standard which requires double failure without loss of safety function (the N-2 criterion). This is to account for occasional equipment inoperability during online maintenance, and is part of an overall International Atomic Energy Agency (IAEA) classification scheme for safety-related equipment, under which various requirements such as Single Failure Criteria, N-2, PRA (system reliability goals), diversity, separation, and qualification are applied depending on the classification of the equipment. ABB designates these classes: 1, 2, 3, or NA (not applicable).
System Architecture and Diversity Against Common-mode Failure

PIUS: The first barrier of defense-in-depth is a software driven safety I&C system, with four redundant channels, which provides protective safety actions such as scram, core cooling, and emergency diesel generator start. The second barrier is a software driven, non-safety I&C system, with two redundant channels, which uses diverse software and provides back-up protection for all safety system actions. A third barrier is PIUS' inherently safe response to accidents (e.g. passive fluidic diodes which allow cold borated water to enter an overheated core).

BWR 90: This design currently employs the first two barriers noted above, with the exception that high probability event reactor scram actuation (e.g. on low level/pressure) is implemented via a completely safety-grade hardwired (non-digital) system, due to Finnish regulatory requirements. However, some of the inputs to this hardwired system, for low probability events like a LOCA, are generated from the digital safety I&C system.

Based on ABB's review of about 1,000 reported software failures, their preliminary conclusion was that logical errors in redundant safety-grade software channels will almost always result in random (not common-mode) failures. This is because each channel is not synchronous with the other channels and will have slightly different channelized inputs. However, the probability of a common-mode failure is recognized to exist, but at the probability level of a LOCA or Safe Shutdown
None of the reported failures resulted in two redundant channels being rendered inoperable simultaneously, even though about two percent of the failures were classified as common-mode.
Use of Hardwired Backup

PIUS: This design uses hardwired controls to allow manual activation of safety and non-safety I&C system signals, but is not hardwired to the components (pumps, valves, etc.) which receive these signals. In addition, certain basic parameters from plant process systems are hardwired to control room indicators.

BWR 90: This design uses hardwired controls which allow manual activation of safety I&C system signals, but is not hardwired to the components which receive these signals. As noted above, because ABB is vying for a Finnish order for its BWR 90, the scram function was required to be hardwired from the sensors through a safety-grade non-digital system and then to the scram valves.

Dr. Lewis asked if the need to include certain hardwired diverse systems was a result of an analysis which showed digital systems to be unreliable. Mr. van Gemst said that it was more a matter of the "nervousness" of the regulatory authorities.
ELECTRICITE de FRANCE / FRAMATOME, Mr. G. Guesnier, Electricite de France, and Mr. A. Parry, Framatome

Mr. Guesnier discussed an overview of the current generation 1300 MWe plant I&C architecture, and the safety approach and overall I&C architecture for the next generation N4 (1400 MWe) plants. Mr. Parry then discussed the N4 protection system, its software development, and the handling of failures within the protection system.
Other key points noted during this discussion included the following:
Standards

Since 1984, nineteen 1300 MWe units have been placed in service in France utilizing a first-generation digital reactor protection system (SPIN). At the time this system was designed, international standard IEC 880 was not available and therefore the system has been qualified by experience.
The next generation N4 plants will use four new safety classes to specify the qualification requirements for plant systems, including I&C systems. EdF/Framatome calls these classes:

- 1E (reactor protection system and engineered safeguards system, rapid response safety functions).
- 2E (post-accident instruments and equipment, medium and long term safety functions).
- Important-For-Safety/Non-Classified (IFS/NC) (post-accident, long term functions not relied upon in the safety demonstration).
- Non-Classified (NC) (beyond design basis event mitigation equipment such as Anticipated Transient Without Trip [ATWT]).

The next generation N4 plants will use a nearly identical SPIN system, but will modify the programmable logic controller to handle 2E, IFS/NC, and NC functions. The IEC 880 and the U.S. Department of Defense 2167A standards for system and software development have been applied.
System Architecture and Diversity Against Common-mode Failure

The N4 SPIN system is a four channel protection system utilizing digital processing, and fiber-optic data transfer between processor and output units, but communicates with instrumentation and actuators via hardwired means. The reactor control system utilizes digital programmable logic controllers. Every analyzed accident is detected and acted upon by two different protective trip functions related to two different system parameters, thereby providing functional diversity as a first defense against common-mode software errors. The "C" programming language is used due to its high level, logical structure, speed, and widespread use.

Common-mode software errors which could defeat turbine trip, reactor trip, or auxiliary feedwater initiation are also defended against by a digital backup system which is diverse in hardware and software. Upon actuation, this system will open the control rod drive motor generator output breakers, causing a reactor trip without reliance on the reactor trip breakers. With the quality program requirements in place for software and system development and testing, the resulting system meets an acceptable level of safety.

Use of Hardwired Backup

Hardwired backup is provided only for manual actuation of safety equipment.
Mr. Lindblad asked what controls were in place to prevent unauthorized tampering with safety-grade software. Mr. Parry stated that the software is implemented in Read-Only-Memory units which are only accessible to specialists, and not to operating personnel. Furthermore, the software is never modified at the plant site.
ONTARIO HYDRO / AECL, Mr. R. Olmstead, Atomic Energy Canada Ltd.

Mr. Olmstead discussed the evolution of computer technology applied to successive generations of CANDU reactor designs. Other key points noted during this discussion included the following:

In the early 1960s, the first CANDU 200 MWe demonstration plant made extensive use of computers for reactor control and protection. In the early 1970s, based on the success in the 1960s, further use was made of computers in the 600 MWe units for protection, and integrated controls for the reactor, boiler, feedwater, and turbine. In addition, online refueling processes were computerized.
The 1980s saw the replacement of many of the traditional control board indicators and controls with Cathode Ray Tube (CRT) displays.
During a five year period from 1982 to 1987, one plant, which used 10 digital and two analog reactor protection trips, sustained a number of failures which would potentially have defeated an analog channel from tripping properly, but sustained no such failures in the digital channels.
The 1990s has seen the continued refinement of CRT technology to include better display methods, and more automated testing and monitoring functions.
The two new standard plant designs under development now are CANDU 3 (450 MWe) and CANDU 9 (900 - 1200 MWe).
These designs will employ digital systems geared toward:

- Reducing required early operator actions during an event.
- Eliminating unsafe protection system faults.
- Obsolescence protection.
- Reduction in the number and diversity of needed components.
- Better control room displays.
- Reduced costs.
Standards

Although digital technology had already been extensively used, the Darlington (CANDU 6) licensing process raised questions about the reliability of safety-grade software and its potential for common-mode failure. The original Darlington I&C system design met the provisions of IEC 880, but Canadian regulatory officials were concerned over the lack of ability to quantify software reliability. Although the Darlington design was licensed, a joint effort is currently underway between AECL, Ontario Hydro, and the regulatory authority to reduce the probability of common-mode safety-critical software errors to as low as conceivably possible. To date the elements of this effort have been:

- Unambiguous requirements.
- Statistically significant random testing.
- Systematic verification of code against requirements.
- Identification of what is safety critical.
The random testing was composed of 7,000 stimulus / response tests of the system.
It was noted that although this testing could be mathematically shown to achieve a certain confidence level in system reliability, it is not viewed as deterministic.
Instead it simply adds to the assurance that the reliability is adequate.
System Architecture and Diversity Against Common-mode Failure

All CANDU designs have used two independent and diverse digital shutdown systems. These have implemented diversity through the use of different suppliers for hardware, different designers, programmers, and programming languages. However, reactor and plant control systems have used redundant, but not diverse, digital I&C systems. The CANDU 3 and 9 designs will use digital plant controllers distributed geographically near their points of utilization for system control functions.
Use of Hardwired Backup

Hardwired backup for the digital I&C system was considered, but generally rejected based on the following three paradoxes:

- The intended improvement in reliability is defeated because, unlike the digital systems, the hardwired analog system cannot detect errors or perform diagnostics and then trip the channel when problems are detected.
- If analog instruments are provided as backup, operator training requirements become more complex.
- Maintenance scope and complexity expands with totally diverse I&C systems.
However, the CANDU 3 and 9 designs will retain a number of safety system indications hardwired into the control room displays based on customer concerns over the potential for complete loss of computer driven displays.
Mr. Michelson asked if the hardware and software were designed to preclude spurious actuation upon loss of cooling. Mr. Olmstead stated that the system is designed for certain environmental constraints, and that the general category of loss of cooling events are analyzed probabilistically, and from that it is determined which events need to be designed against.
SIEMENS POWER CORPORATION, Mr. K. Sullivan, Siemens Power Corp.

Mr. Sullivan discussed the Siemens/KWU experiences with digital I&C systems in nuclear power plants, specifically addressing "defense-in-depth," the man-machine interface, and qualification of I&C systems with respect to safety and reliability.
Other key points noted during this discussion included the following:
Siemens has approached the trend toward digital control and protection systems with caution, although they have previously applied digital technology in parallel with conventional hardwired nuclear control room display systems to improve operator effectiveness. This experience led to future control room design concepts which achieve substantial reductions in the amount of hardware needed and its associated support. In addition, the reliability of digital systems is seen as superior to that of conventional analog systems. All future Siemens-designed plants will utilize digital I&C systems for protection, control, and control room display functions.
Siemens views the operator in an all-digital control room environment as more of a technical systems manager / overseer, and less as a procedure implementor, by designing the plant control and protection functions to handle most required responses automatically.
Standards

I&C system software is developed by qualifying a software tool/system, into which can be input the design requirements, and which then produces the desired code. This was first tried on a fossil-fired plant control system closely modeled after an intended nuclear control system design. The resulting system was tested in accordance with more than 50 regulations such as IAEA, IEC, IEEE, DIN (German Standard), KTA (German Nuclear Safety Standard), and others, and has been implemented at a 500 MW fossil unit.
This methodology is now being used to design a nuclear plant digital protection system.
System Architecture and Diversity Against Common-mode Failure

The current design concept differentiates between operational and safety I&C functions, although a portion of the safety system interfaces with the operational system to restore plant parameters to normal bands. Safety system design is not yet complete.

Use of Hardwired Backup

Some backup means for the operator to interact directly with the plant is considered a design requirement by Siemens, but hardwired backups are not required.
However, some customers require hardwired analog backup before accepting the design.
Mr. Lindblad asked if there were examples of how digital systems would provide improvements in safety and operation. Mr. Sullivan stated that the benefits of higher levels of plant automation are expected to improve plant availability, and that, in general, if a process can be made definable, then it should be automated, even for complicated processes like online refueling (e.g. CANDU design).
JAPAN ATOMIC POWER CORPORATION, Mr. T. Ichimura, Japan Atomic Power Corporation

Mr. Ichimura discussed the objectives and history of digital I&C systems for Japanese nuclear plants, the Japanese Advanced Pressurized Water Reactor (APWR) I&C system design and its verification and validation (V&V) process.
Other key points noted during this discussion included the following:
The JAPC began applying digital controls to auxiliary systems in the 1980s, and subsequently applied them to reactor control systems.
The continuing objectives of digitization include higher reliability / availability, better control and monitoring, easier maintainability, and lower cost. The Ohi-3 plant was provided with a digital control system, but the safety systems were maintained as conventional analog and solid state systems because the V&V procedure for digital protection systems had not yet been established and authorized in Japan.
Newer and advanced designs will employ all-digital I&C protection and control systems.
Standards

The APWR I&C system meets NUREG-0493 guidelines for functional grouping and diversification of reactor trip functions.
Verification and validation (V&V) guidelines were published in Japan in 1989 as JEAG-4609.
These guidelines are similar to ANSI /IEEE-7.4.3.2 and others.
Two key factors in the V&V program are simplicity and visual traceability of the software logic.
A programming tool with graphical interf ace is used to allow visual tracing and review of the software by persons who are not software specialists.
This tool can also be used to monitor the online performance of the software.
System Architecture and Diversity Against Common-mode Failure

The APWR design will utilize four redundant digital safety channels and two redundant engineered safeguards systems. Redundant channels are physically separated and exchange information via electrically isolated fiber-optic data links. The software architecture employs only non-interrupted, fixed sequence tasks, and performs only necessary protection functions. It uses Problem Oriented Language (POL) for simplicity and ease of third party review.

Other design features for the APWR I&C system include:

- Functional diversity - events will be detected by two or more different parameters in each protection channel. This diversity is believed to be effective against common-mode failures of the application software.
- Fail-safe design principles - dynamic trip logic is used to pass the logic output condition of each channel to the reactor trip breakers. This system requires a series of generated pulses to pass through several blocking devices to a pulse-to-voltage converter which then outputs to the reactor trip breakers. A blocking device would normally pass the pulses, but would block the pulses if a trip condition existed at the logic output of its own channel or of other channels.
- Fully automatic testing capability - considered to improve the testability of the system.
- Self-diagnosis and modular architecture - considered to improve ease of maintenance.
Performance of the fully computerized main control room has been tested and evaluated using actual PWR operators on prototype full-scope plant simulators.
Use of Hardwired Backup

No hardwired analog backup is planned for new and advanced designs.
Mr. Carroll asked what gave JAPC confidence in the quality of the safety system software. Mr. Ichimura stated that the V&V process and functional diversity gave adequate confidence in the software. Also, full-scope prototype testing would eliminate common-mode hardware failures.
TOKYO ELECTRIC POWER COMPANY, Mr. T. Shirakawa, Tokyo Electric Power Company

Mr. Shirakawa discussed TEPCO's development of an integrated digital control system for BWRs in Japan, including history, design considerations, system configuration, and V&V.
Other key points noted during this discussion included the following:
The objective of applying digital technology to nuclear I&C systems is higher reliability due to fewer components and driftless operation, better maintainability with self-diagnosis and modular repair, reduced cost, and easy modifications.
Such technology was applied to Japanese BWRs in the 1980s and included the employment of triplicated microprocessors for feedwater and turbine control.
It will be applied to the safety systems in the mid-1990s at Kashiwazaki-Kariwa Units 6 and 7 (K6 and K7).
Standards

The JEAG 4609 standard is used for V&V of safety software.
Also, problem oriented language (POL) is used for simplicity, visual / graphic presentation, and ease of third party review.
System Architecture and Diversity Against Common-mode Failure

The digital reactor protection (RPS) and ECCS systems all employ four redundant divisions of instrumentation and trip/actuation logic.
The analog instrument inputs are digitized within each channel, transmitted via multiplexed fiber optic cable, processed by software to determine if trip / actuation conditions exist, and output to trip / actuation devices via hardwired means.
The ECCS processors, which determine if actuation conditions exist, are duplicated for redundancy within each channel, as opposed to the RPS which uses a single trip logic unit per channel.
Use of Hardwired Backup

TEPCO found certain applications in which analog systems were preferable to digital. These included local closed loop systems having very little control room interface, such as service air and service steam supply systems. Others were systems requiring exceptionally short response times, such as the turbine trip signal and sequence logic. Finally, defense-in-depth features include analog controls for the standby liquid control system, boron injection system, and remote shutdown systems.
The degree to which analog backup will be used for the safety-grade reactor protection systems at K6 and K7 has not been fully determined, although during the current construction permit stage of licensing it remains an option.
AEA TECHNOLOGY, Dr. I. Smith, AEA Technology

Dr. Smith discussed the features and advantages of Pulse-Coded Logic (PCL) as it has been applied to solid state reactor protection systems, and the application of its inherent fail-safe dynamic logic to software driven reactor protection systems (called ISAT).
Other key points noted during this discussion included the following:
Standards

Reactor protection systems in the U.K. have used dynamic logic designs since the 1960s to maximize inherent fail-safe operation. A PCL reactor protection system (RPS) has been determined by PRA to have a probability of failure on demand of less than 1.0E-7, but U.K. regulatory authorities only recognize the validity of RPS failure probabilities down to 1.0E-5 for analog systems.
The more complex digital systems can be certified only to 1.0E-4.
The application of software-driven trip channel processing within the PCL scheme was advertised as having a lower than 1.0E-4 probability of failure on demand to trip.
This figure was arrived at solely through analysis of hardware failures.
System Architecture and Diversity Against Common-mode Failure

Pulse Coded Logic was characterized as a three channel digital hardwired system using solid state components (no software). Its principal feature is in artificially causing each trip unit (each trip unit is associated with a single instrument's output trip condition) within each train to briefly go to a tripped state in a time-coded sequence which is then sent to a voting logic circuit. The voting logic circuit output is then steady-state if the time-coded sequence for all instruments is correct. A valid trip signal which remains "locked-in" will cause a periodic pulse variation of the voting logic circuit steady-state output, and will be seen by downstream logic circuits as a channel trip.
Any failure of an instrument's trip unit to properly sequence between the tripped and non-tripped states will be seen as a channel trip.
In this manner, failures of hardware or of the logic itself (e.g.
spurious signals) will always result in a tripped channel (fail-safe).
The ISAT system uses a very similar scheme to PCL. The differences include:

- multiplexing and mixing sensor inputs and continuous test signals prior to digitization,
- digital processing of combined sensor/test signals in a trip algorithm computer to determine if a trip condition exists,
- four channel operation with two-out-of-four trip logic, and
- pattern recognition logic to confirm that the test signal inputs are causing the expected shifting between tripped and non-tripped channel output states, so as to identify failed hardware or logic conditions.
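The fail-safe property of dynamic logic, described above for PCL and ISAT and earlier for the APWR's pulse-driven trip breakers, is that the "healthy, not tripped" condition must be continuously re-proven by a time-coded pattern, so a stuck, dead or otherwise misbehaving element looks like a trip. The following toy simulation is an added example for these minutes, not PCL, ISAT or APWR vendor logic: the trip parameters, setpoints, the one-slot-per-unit test cycle and the two-out-of-four vote are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed model of a dynamic (time-coded) trip logic scheme. Parameters,
# setpoints and the test cycle are assumptions for this example only.

SETPOINTS: Dict[str, float] = {"pressure": 160.0, "flux": 118.0, "temperature": 330.0}
NORMAL: Dict[str, float] = {"pressure": 155.0, "flux": 100.0, "temperature": 310.0}


@dataclass
class TripUnit:
    """Trip comparator for one instrument within one protection train."""
    name: str
    reading: float        # instrument value (constructed); every trip here is "high"
    setpoint: float
    fault: str = "none"   # "none", "stuck_untripped" or "stuck_tripped"

    def state(self, slot: int, test_slot: int) -> bool:
        """State (True = tripped) the voting circuit observes in one time slot.

        A healthy unit is driven to the tripped state during its own
        test_slot of every cycle and reports the genuine comparison
        otherwise. A faulted unit cannot follow the sequence at all."""
        if self.fault == "stuck_tripped":
            return True
        if self.fault == "stuck_untripped":
            return False
        return slot == test_slot or self.reading > self.setpoint


def expected_pattern(n_units: int, slot: int) -> List[bool]:
    """What a healthy train shows in a slot: only unit number `slot` tripped."""
    return [i == slot for i in range(n_units)]


def channel_tripped(train: Sequence[TripUnit]) -> bool:
    """Voting-logic circuit for one train.

    Its output stays steady only while every slot of the cycle shows the
    expected time-coded pattern. A real locked-in trip, a comparator that can
    no longer trip, one stuck tripped, or a missing test pulse all break the
    pattern, so downstream logic sees a channel trip: failure is the safe
    direction."""
    n = len(train)
    return any(
        [unit.state(slot, i) for i, unit in enumerate(train)] != expected_pattern(n, slot)
        for slot in range(n)
    )


def reactor_trip(channel_states: Sequence[bool], k: int = 2) -> bool:
    """k-out-of-N vote across redundant channels (ISAT: two-out-of-four)."""
    return sum(channel_states) >= k


def make_train(readings: Dict[str, float],
               faults: Optional[Dict[str, str]] = None) -> List[TripUnit]:
    """Build one train with one trip unit per protection parameter."""
    faults = faults or {}
    return [TripUnit(name, readings[name], SETPOINTS[name], faults.get(name, "none"))
            for name in SETPOINTS]


def demo() -> Dict[str, object]:
    """Four redundant channels: A and D healthy, B sees a genuine overpressure,
    C has a flux comparator that can no longer trip (an unsafe, silent failure
    in a static design; a detected, safe one here)."""
    channels = {
        "A": make_train(NORMAL),
        "B": make_train({**NORMAL, "pressure": 165.0}),
        "C": make_train(NORMAL, {"flux": "stuck_untripped"}),
        "D": make_train(NORMAL),
    }
    states = {name: channel_tripped(train) for name, train in channels.items()}
    return {"channels": states, "reactor_trip": reactor_trip(list(states.values()))}


if __name__ == "__main__":
    print(demo())
```

In the demo the dead comparator in channel C counts as a tripped channel, so together with the genuine trip in channel B the two-out-of-four vote trips the reactor; in a static design channel C would have voted "no trip" and the plant would have been one hidden failure closer to losing protection. This is the sense in which Dr. Smith describes fail-safe design as a defense against common-mode failure: it does not make the failure less likely, it steers its outcome.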
The ISAT scheme has been used at the Dungeness "B" Advanced Gas Cooled Reactor.
Mr. Lindblad asked if the concepts used here were of interest to the designers of the portions of the nuclear I&C systems outside of the RPS. Dr. Smith replied that this concept could be used for high-integrity control systems, but that it was developed to address the crucial need for fail-safe design in RPS systems, whereas control systems often need to balance availability against safe failure.

Mr. Olmstead, AECL, asked whether the presence of software in the ISAT design would still pose a vulnerability to common-mode failure, in spite of the safe failure design. Dr. Smith stated that the fail-safe design is a very powerful defense against common-mode failure, raising the probability that such failure will result in a safe condition. In addition, he offered that the software undergoes V&V to the highest standards.
NUCLEAR ELECTRIC, Dr. R. White, Nuclear Electric

Dr. White discussed the use of digital technology in the design of the Sizewell "B" plant, which is the first PWR to be built in the U.K.
Other key points noted during this discussion included the following:
The advantages of digital I&C systems were described as:
ease of modeling, freedom from drift, reduced maintenance, better reliability and maintainability, and better self-testing and interrogation capability.
Standards

The regulatory limit for claims of reliability for any single system, including redundancy, is 1.0E-5 failures per demand per year.
In practice, the digital I&C systems are not assumed to be more reliable than 1.0E-4.
Since an additional regulatory rule is to have an overall plant target goal of no greater than 1.0E-7 probability for any fault sequence leading to a major uncontrolled release, there arises an immediate requirement to have two diverse protection systems with 1.0E-4 reliability each.
System design provides for frequent potential events (greater than 1.0E-3 probability per year) having full protection from both diverse RPSs.
Less frequent events receive protection only from the primary (computer-based) protection system.
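The arithmetic behind the two-diverse-systems requirement and the 1.0E-3 per year dividing line is worth carrying through. The following is an added example for these minutes, not Nuclear Electric's safety case: the four figures are the ones quoted above, while the function names and the sample initiating-event frequencies are assumptions of the example. Exact fractions are used so that the boundary case compares exactly.

```python
from fractions import Fraction
from typing import List

# Constructed worked example of the Sizewell "B" reliability argument as
# reported in the minutes. The figures are the quoted ones; the rule
# encoding and the function names are this example's own.

TARGET = Fraction(1, 10**7)       # ceiling per year on any fault sequence leading to a major uncontrolled release
CLAIM_LIMIT = Fraction(1, 10**5)  # most that may be claimed for any single system, redundancy included
DIGITAL_PFD = Fraction(1, 10**4)  # what digital I&C is assumed to achieve in practice
FREQUENT = Fraction(1, 10**3)     # events more frequent than this (per year) get both diverse systems


def sequence_frequency(event_frequency: Fraction, pfds: List[Fraction]) -> Fraction:
    """Frequency of the sequence 'initiating event occurs and every
    protection layer fails to act'.

    Layers are multiplied as if independent, which is exactly the claim
    that the diversity between the two systems is meant to support."""
    freq = event_frequency
    for pfd in pfds:
        freq *= pfd
    return freq


def protection_layers(event_frequency: Fraction) -> List[Fraction]:
    """Sizewell B rule as reported: frequent events are covered by both
    diverse systems, less frequent ones by the primary system alone."""
    if event_frequency > FREQUENT:
        return [DIGITAL_PFD, DIGITAL_PFD]
    return [DIGITAL_PFD]


def meets_target(event_frequency: Fraction) -> bool:
    """Does the rule keep this event's fault sequence within TARGET?"""
    layers = protection_layers(event_frequency)
    return sequence_frequency(event_frequency, layers) <= TARGET


def max_covered_frequency(pfds: List[Fraction]) -> Fraction:
    """Most frequent initiating event a given stack of layers can protect
    within TARGET: TARGET divided by the product of the layer PFDs."""
    bound = TARGET
    for pfd in pfds:
        bound /= pfd
    return bound


if __name__ == "__main__":
    print("one digital system covers events up to", max_covered_frequency([DIGITAL_PFD]), "/yr")
    print("two diverse digital systems cover events up to", max_covered_frequency([DIGITAL_PFD] * 2), "/yr")
    print("one system claimed at the regulatory limit would cover only", max_covered_frequency([CLAIM_LIMIT]), "/yr")
```

Dividing the 1.0E-7 target by the 1.0E-4 assumed for one digital system gives exactly 1.0E-3 per year, which is where the minutes place the boundary between events needing both systems and events covered by the primary system alone. Two diverse systems at 1.0E-4 each extend coverage to ten events per year, whereas even a single system claimed at the 1.0E-5 regulatory ceiling would reach only 1.0E-2 per year; the second, diverse system is doing real work in the argument, not just adding margin.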
The safety case demonstration of adequacy of the digital portions of the PPS for licensing purposes relies upon three principal elements:

- Design quality - use of the structured software design approach, separate verification, and use of computer aided software verification tools.
- Assessment quality - review of the code against the requirements documents, including use of the Malvern Analysis suite of codes (MALPAS) which mathematically analyzes the logical routes through the code for consistency with the requirement documents. Secondly, the use of a source code comparator ("back compiler").
- Testing quality - dynamic testing on a prototype, and a 12 month pre-operational test run following site installation.

The MALPAS testing is not expected to be complete until the end of 1993, and to date has not identified any significant errors.
System Architecture and Diversity Against Common-mode Failure

The Sizewell "B" PPS system hardware is based on the Westinghouse "Eagle 21" series.
The Secondary RPS (SPS) system is based on a dynamic logic scheme (e.g. magnetic core logic or "laddic") used at previous HTGR/AGR stations.
Use of Hardwired Backup

Certain indications and controls are hardwired into the control room, selected to enable operators to achieve and maintain hot shutdown and to handle certain specific events.
Dr. Lewis asked for the definition of a "major uncontrolled release." Dr. White replied that he thought it was 30 Rem to the most affected person.
Mr. Michelson asked how the protection and control system component located within the auxiliary and control building were environmentally protected.
Dr. White replied that the control and protection system components were segregated into four separate areas which incorporate smoke, fire, and flood barriers.
Dr. Kerr asked if the PPS software code was complex.
Dr. White replied that although it was 100,000 lines of code, much of it was redundant due to modularization, and it had an overall simple structure.
Thus it would not be characterized as complex.
Mr. Wood, SEI, asked if using MALPAS was worthwhile.
Dr. White noted that MALPAS was more of a confidence-building exercise than a significant debugging process, and that it was serving well in that purpose.
PRESENTATION OF USNRC STAFF, Mr. M. Chiramal, NRR
Mr. Chiramal discussed the NRC staff's contacts with international agencies on the topic of digital I&C systems for nuclear plant applications, and the staff's proposed requirements for digital protection systems.
The following description summarizes the important points made during this discussion.
The staff has had continuing dialogue with international regulatory agencies and vendors.
In addition, the staff maintains active participation on IEC subcommittee 45A on nuclear plant I&C systems, with the IAEA, and with the IEEE.
Finally, the staff has obtained the assistance of national laboratories and the opinions of international experts.
The staff believes that state-of-the-art design processes must be used to develop safety-grade software and hardware.
In addition, it requires adequate defense against common-mode software errors, although regulatory criteria and standards have not yet been fully defined.
However, non-safety I&C systems may be relied upon for demonstrating adequate defense-in-depth against common-mode software errors.
The staff further believes that its proposed requirement for certain hardwired indications and manual actuations at the system level is consistent with many of the international designs.
Dr. Lewis pointed out that the staff's requirement for vendors to assume that common-mode failures exist in the primary protection system, and then to design a secondary (backup) protection system to maintain safety, can actually create a disincentive for the vendor to take all achievable measures to design the primary system against common-mode failures.
Mr. Chiramal replied that the staff would require vendor commitments to meet quality criteria within the design process, as well as design a backup defense against common-mode failure.
Mr. Michelson asked if the vendors will perform an analysis of the impact of high temperature on the digital systems, specifically with respect to unwanted actions which may result.
Mr. Chiramal stated that vendors were required to qualify the equipment (for reliable operation) to a maximum expected temperature, and if the temperature limit is exceeded, the affected channel must be removed from service.
Roundtable Discussion
A brief open discussion took place among the Committee members, participants, and NRC staff members present.
Topics that were touched upon included the usefulness of static software analysis, and the ability of the operator to manually control protection and engineered safeguard system functions.
Subcommittee Action
This was an information gathering meeting only and the Subcommittee took no action and made no recommendations.
Follow-up Items
There were no follow-up items as a result of this meeting.
BACKGROUND MATERIAL PROVIDED THE SUBCOMMITTEE FOR THIS MEETING
1. Memorandum from S. Long to H. Lewis, "BACKGROUND MATERIAL FOR COMPUTERS SUBCOMMITTEE MEETING ON INTERNATIONAL DEVELOPMENTS IN DIGITAL I&C SYSTEMS, SEPTEMBER 22, 1992", dated September 11, 1992, with enclosures.
2. European Nuclear Instrumentation and Controls, World Technology Evaluation Center (WTEC) Panel Report, J. White and D. Lanning et al., December 1991.
NOTE: Additional details of this meeting can be obtained from a transcript of this meeting available in the NRC Public Document Room, 2120 L Street, N.W., Washington, D.C. 20006, (202) 634-3274, or can be purchased from Ann Riley and Associates, Ltd., 1612 K Street, N.W., Suite 300, Washington, D.C. 20006, (202) 292-3950.
LIST OF ATTENDEES
NRC
M. Chiramal, NRR
S. Newberry, NRR
L. Beltracchi, RES
F. Coffman, RES
M. Fleishman, OCMF2
C. Antonescu, RES
J. Gallagher, NRR
Y. Nishiwuko, RES
R. Borchardt, NRR
K. Hart, SECY
Y. Chung, NRR
J. Kennedy, NRR
C. Jones, NMSS
J. Decicco, NMSS
INTERNATIONAL INDUSTRY
P. Van Gemst, ABB Atom AB
H. Thornburg, ABB Atom AB
G. Guesnier, Electricite de France
H. Herkelmann, Electricite de France
A. Parry, Framatome
R. Olmstead, Atomic Energy Canada Ltd.
B. Ferguson, Atomic Energy Canada Ltd.
K. Sullivan, Siemens Power Corp.
R. MacDougall, Siemens Power Corp.
H. Sauer, Siemens Power Corp.
T. Nishimoto, Japan Atomic Power Corporation
T. Ichimura, Japan Atomic Power Corporation
M. Takashima, Mitsubishi
T. Shirakawa, Tokyo Electric Power Company
I. Smith, AEA Technology
R. White, Nuclear Electric
D. Story, Nuclear Electric
H. Shin, Korea Atomic Energy Research Institute
Y. Chang, Korea Atomic Energy Research Institute
M. Makino, Toshiba
F. Murata, Hitachi
Y. Horikawa, Kansai Electric Power
U.S. INDUSTRY / GOVERNMENT
D. Rawkins, Westinghouse
R. Nath, Westinghouse
L. Erin, Westinghouse
J. Reid, Westinghouse
T. Starr, ABB/CE
M. Ryan, ABB/CE
E. Dailey, Software Engineering Institute
B. Wood, Software Engineering Institute
S. Stack, Dept. of Energy
D. Kaempf, Dept. of Energy
S. Jilek, Dept. of Energy
C. Willbanks, NUS
K. Kersah, Oak Ridge National Laboratory
W. Cawley, Mohr & Assoc.
C. Rogers, Arizona Public Service
P. Harris, SERCH/Bechtel
J. Regan, MPR/EPRI
P. Eklima, E&SA
J. Leivo, JM Leivo Assoc.
R. Eks, Smartware Assoc.
F. Quinn, Scientech