ML20035E039

Summary of 920505 Joint Meeting of ACRS Subcommittees on Computers in Nuclear Power Plant Operations & Human Factors in Bethesda,Md Re Intl Computer Activities
Person / Time
Issue date: 10/29/1992
From: Lewis H
Advisory Committee on Reactor Safeguards
To:
Advisory Committee on Reactor Safeguards
References
ACRS-2818, NUDOCS 9304140203
Download: ML20035E039 (10)


Text


CERTIFIED BY: Harold Lewis - 10/29/92

DATE ISSUED: 10/23/92

SUMMARY / MINUTES OF THE JOINT MEETING OF THE ACRS SUBCOMMITTEES ON COMPUTERS IN NUCLEAR POWER PLANT OPERATIONS AND HUMAN FACTORS

MAY 5, 1992
BETHESDA, MARYLAND

INTRODUCTION

The ACRS Subcommittees on Computers in Nuclear Power Plant Operations and Human Factors held a joint meeting on Tuesday, May 5, 1992, in Room P-110, 7920 Norfolk Avenue, Bethesda, Maryland.

The purpose of the meeting was to discuss international computer activities.

The meeting was convened at 3:00 p.m. and adjourned at 5:50 p.m.

A portion of this meeting was closed to public attendance between 3:15 p.m. and 4:35 p.m. to discuss proprietary information.

Mr. Herman Alderman was the Cognizant ACRS Staff Engineer for this meeting.

A list of documents submitted to the Subcommittee and a copy of the presentation schedule for the meeting are included in the attachment.

PRINCIPAL ATTENDEES:

ACRS
• H. W. Lewis, Chairman
• C. Michelson
• W. Kerr
• C. J. Wylie
• J. E. Wilkins

NRC Staff
• W. Russell
• L. Beltracchi
• F. Coffman
• S. Newberry
• H. Heimberger

Chairman's Opening Remarks

Dr. Lewis said that there were no written statements or requests for time to make oral statements from members of the public.

He called upon Mr. Russell, Office of Nuclear Reactor Regulation, to make the first presentation.

[The attached supplement (pages 9-13) includes PROPRIETARY information discussed during this meeting]

[SUPPLEMENT REMOVED - FOIA EX(b)(4)]

Joint Meeting of the Subcommittees on CNPPO and HF - May 5, 1992

NRC STAFF PRESENTATION: INTERNATIONAL ACTIVITIES - Mr. W. Russell, NRR

Trip to Japan

Mr. Russell reported on the recent trip to Japan.

He said that several members of the NRC staff and ACRS member Mr. Carroll met with MITI, Tokyo Electric Power Company, Hitachi, and Toshiba.

He said that the Japanese approach to validation and verification (V&V) for instrumentation and control (I&C) systems is very similar to the approach being contemplated by the NRC staff.

That is, an approach which goes through formal validation and verification methods.

Mr. Russell said that the principal difference between the Japanese V&V and the method being considered by the NRC is that the V&V requirements are carried out by the utilities in Japan. The completion of that activity is reported to MITI.

However, at this time, MITI does not intend to perform independent audits of the verification process.

In the U.S., NSSS vendors perform the V&V.

Mr. Russell discussed the prototypes developed by Hitachi and Toshiba. He said that a recovery from a manual scram was demonstrated on each of the prototypes.

The prototypes are driven by simulators, and are sufficiently detailed to evaluate human performance.

Three different Tokyo Electric Power crews were used on the simulators to obtain feedback on their performance in dealing with such an incident.

Mr. Russell said that the design process used in Japan was one of building a consensus.

He pointed out that the process the NRC is considering would be more formalized with explicit acceptance criteria to be met at various points before proceeding to the next point, with a demonstration as to how those criteria have been met.

NRC Staff's International Activities

Mr. Russell discussed briefly some of the Staff's international activities:

• Agreements with the Canadians to discuss the resolution of problems related to shutdown systems at the Darlington B plant.
• Meetings with the British regarding their experience in the use of digital control systems.
• Discussions with the French regarding their experience with the N4 plant design.

INTERNATIONAL COMPUTER ACTIVITIES - L. Beltracchi, RES

Canada

Mr. Beltracchi discussed the lessons learned from the staff's review of Darlington.

He said that there was a greater emphasis necessary in the design process for high integrity systems such as protection systems.

The NRC staff is working on new standards.

Professor D. L. Parnas, Queen's University, reviewed the situation at Darlington and made the following recommendations:

• Formal inspections of software to identify the encoded functions and compare them against the performance requirements.
• Thorough testing of the software, including statistical testing.
• Use of qualified people to design, develop, code and test the software.

European workshop

Mr. Beltracchi briefly discussed a European workshop on industrial computer systems.

He said the workshop has published a series of guidelines on software engineering on:

• Documentation
• Design and development
• Verification and validation
• Guidelines and check lists for design and assessment of safety related systems
• Quality assurance
• Maintenance and modification
• Fault-avoidance
• Fault detection
• Failure detection and failure containment

Finland

Mr. Beltracchi discussed a fault detection system developed by the utility for the Loviisa plant in Finland.

The functions of the system are to monitor and identify high pressure coolant leaks and to validate outputs of flow sensors in the feedwater system.

The methodology used in developing the system was to use analytical models of the process together with measured plant process variables.

The system alarms if deviations between calculated flow and measured flow exceed the limits.

This system has found leaks in the preheaters without producing any false alarms.

Mr. Beltracchi pointed out that this is a good example of computer based aids that can be used to help operators.
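As an added illustration, not part of these minutes and not the Loviisa system itself, the following Python sketch shows the detection principle described above on constructed data: a steady-state mass balance serves as the analytical model, two redundant outlet flow sensors are validated against each other and against the model, and a leak alarm is raised only when the model-versus-measurement residual stays beyond its limit for several consecutive samples (a persistence requirement is one common way of keeping false alarms down). The flow values, tolerances and persistence count are assumptions.

```python
"""Model-based leak detection and flow-sensor validation on constructed data.

Added illustration, not the Loviisa system: the analytical model is a
steady-state mass balance between an inlet flow measurement and two
redundant outlet flow sensors. All numbers below are constructed.
"""

# Constructed samples: (time, inlet_flow, outlet_sensor_a, outlet_sensor_b), kg/s
SAMPLES = [
    (0, 100.0, 100.2,  99.8),
    (1, 100.1,  99.9, 100.3),
    (2, 100.0, 100.1, 100.0),
    (3,  99.9, 100.0,  99.7),
    (4, 100.0, 100.1, 104.5),   # sensor B starts drifting high
    (5, 100.1,  99.8, 106.0),
    (6, 100.0, 100.2, 107.2),
    (7, 100.0,  99.9, 100.1),   # sensor B back in agreement
    (8, 100.0,  96.1,  96.3),   # leak begins between the two measurement points
    (9, 100.1,  95.9,  96.0),
    (10, 100.0, 95.8,  96.2),
    (11, 99.9,  96.0,  95.9),
]

SENSOR_TOL = 1.0     # kg/s allowed disagreement between redundant sensors (assumed)
LEAK_LIMIT = 2.0     # kg/s mass-balance residual that counts as a leak (assumed)
PERSISTENCE = 3      # consecutive out-of-limit samples before alarming (assumed)


def model_outlet_flow(inlet_flow):
    """Analytical model: at steady state with no leak, outlet flow equals inlet flow."""
    return inlet_flow


def validate_outlet(inlet, a, b):
    """Return (validated outlet flow, sensor_fault_flag).

    If the redundant sensors agree, average them. If they disagree, trust the
    one closer to the model prediction, so a single bad sensor is reported as
    a sensor fault instead of masquerading as a leak.
    """
    if abs(a - b) <= SENSOR_TOL:
        return (a + b) / 2.0, False
    predicted = model_outlet_flow(inlet)
    best = min((a, b), key=lambda x: abs(x - predicted))
    return best, True


def run_detector(samples):
    """Return a list of (time, kind) events, kind being 'SENSOR' or 'LEAK'.

    A leak event is emitted once, when the residual (model minus validated
    measurement, positive meaning mass lost) has exceeded LEAK_LIMIT for
    PERSISTENCE consecutive samples.
    """
    events = []
    leak_run = 0
    for t, inlet, a, b in samples:
        outlet, sensor_fault = validate_outlet(inlet, a, b)
        if sensor_fault:
            events.append((t, "SENSOR"))
        residual = model_outlet_flow(inlet) - outlet
        if residual > LEAK_LIMIT:
            leak_run += 1
            if leak_run == PERSISTENCE:
                events.append((t, "LEAK"))
        else:
            leak_run = 0
    return events


if __name__ == "__main__":
    for when, kind in run_detector(SAMPLES):
        print(f"t={when:2d}  {kind}")
```

The sensor check runs before the leak check so that a drifting sensor is reported as a sensor fault rather than as a leak; in the constructed data the drift on sensor B at samples 4 to 6 produces sensor events only, while the genuine loss of flow from sample 8 onward produces a single leak event at sample 10, once it has persisted for three samples.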

France

The Center for Nuclear Studies at Saclay developed and used a CASE (computer aided software engineering) tool called OST.

They use OST on a host computer to simulate software implemented on their microprocessors. It is also used in the design and development of their microprocessor-based safety systems.

This CASE tool is used for dynamic simulations and analyses for debugging of codes.

Mr. Beltracchi said this same tool is used for the safety evaluation and validation of protection software.

Germany

Mr. Beltracchi said that Siemens has a ten year development program for developing microprocessor-based safety systems.

They have developed a CASE tool called Specification and Coding Environment. It uses graphic symbols.

When they are satisfied with the verification and validation of the specification, they translate it into code.

He said that TUV Norddeutschland, a state regulator, is using SOSAT, which is another CASE tool, to evaluate the microprocessor-based safety systems.

SOSAT performs static and dynamic analysis of the software.

He pointed out that the regulators and the designers use diverse CASE tools.

Norway

Mr. Beltracchi discussed activities at the Halden Reactor Project.

He said that under man/machine interaction research, there were a number of sub areas. He discussed the following:

• STEM, software test and evaluation methods: They found that the use of statistical testing in the form of uniform random input data was a very effective means of assessing errors in the code. They are also looking at formal methods.
• Interface evaluation methods: They had a workshop to come up with guidelines and technical bases for evaluating computer-based interfaces.
• Expert systems: An example of this is COPMA. This is a procedure tracker that was developed and tested experimentally in the laboratory at the Halden Laboratories.
• Advanced control room design and test integrated surveillance and control systems: This is an integration of computer-based monitoring and control aids in a control room.
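The statistical testing that Halden's STEM work found effective, and that Professor Parnas recommended for Darlington (under Canada above), can be shown in a few lines. This Python example is added here and is not Halden's tooling or any project's code: an executable specification of a two-parameter trip function acts as the oracle, an implementation with a constructed defect (a spurious low-pressure interlock on the temperature trip) is the unit under test, inputs are drawn uniformly over an assumed operating envelope, and the run reports the failure count and the first failing input. It also computes the bound that zero failures in n such tests support on the per-demand failure probability, which is the figure a statistical test campaign for protection software is usually trying to establish. The setpoints, ranges and the defect are assumptions.

```python
"""Statistical (uniform random input) testing of a trip function.

Added example, not Halden STEM or any project code. Setpoints, ranges and
the injected defect are assumptions made for illustration.
"""
import random

# Assumed operating envelope and trip setpoints
PRESSURE_RANGE = (0.0, 20.0)      # MPa
TEMP_RANGE = (200.0, 400.0)       # degrees C
HIGH_PRESSURE_TRIP = 16.5         # MPa
HIGH_TEMP_TRIP = 350.0            # degrees C


def spec_trip(pressure, temperature):
    """Executable specification (the oracle): trip on high pressure OR high temperature."""
    return pressure >= HIGH_PRESSURE_TRIP or temperature >= HIGH_TEMP_TRIP


def impl_trip(pressure, temperature):
    """Implementation under test with a constructed defect: the temperature trip
    is wrongly interlocked with pressure > 5.0 MPa, so high temperature at low
    pressure gives an unintended 'no trip' that the specification never allowed."""
    if pressure >= HIGH_PRESSURE_TRIP:
        return True
    return temperature > HIGH_TEMP_TRIP and pressure > 5.0


def random_test(impl, oracle, n, seed=1):
    """Draw n inputs uniformly over the envelope and compare impl with the oracle.

    Returns (failure_count, first_failing_input). A fixed seed keeps the
    campaign reproducible, which matters when a failure has to be re-run."""
    rng = random.Random(seed)
    failures = 0
    first = None
    for _ in range(n):
        pressure = rng.uniform(*PRESSURE_RANGE)
        temperature = rng.uniform(*TEMP_RANGE)
        if impl(pressure, temperature) != oracle(pressure, temperature):
            failures += 1
            if first is None:
                first = (pressure, temperature)
    return failures, first


def zero_failure_bound(n, confidence=0.99):
    """Per-demand failure probability that n failure-free, uniformly drawn tests
    rule out at the given confidence: solve (1 - p)**n = 1 - confidence for p.

    The bound only holds for the input distribution actually sampled; it says
    nothing about inputs outside the envelope, nor about defects confined to
    an exact setpoint value, which a continuous uniform draw hits with
    probability zero."""
    return 1.0 - (1.0 - confidence) ** (1.0 / n)


if __name__ == "__main__":
    count, first = random_test(impl_trip, spec_trip, 2000)
    print(f"defective implementation: {count} failures in 2000 tests, first at {first}")
    print(f"specification against itself: {random_test(spec_trip, spec_trip, 2000)}")
    print(f"2000 failure-free tests bound p below {zero_failure_bound(2000):.2e} at 99% confidence")
```

The constructed defect lies in the low-pressure, high-temperature corner, about six percent of the uniformly sampled envelope, so a campaign of a few thousand draws cannot miss it. A defect confined to the exact setpoint value would be invisible to this method, which is why random testing of this kind is paired with deterministic boundary tests and, as the Halden work also notes, with formal methods, rather than relied on alone.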

Russia

Mr. Beltracchi said that there is a technical exchange between the NRC and Russia.

Working group nine dealt with diagnostic analysis of equipment and systems for supporting operators.

He said that at a September 1991 meeting, USSR personnel made presentations on:

• Noise and vibration monitoring diagnostic systems.
• Operational mode diagnostic systems for RBMK nuclear power plants.
• Problems of introducing artificial intelligence methodologies in the nuclear power industry.
• Development of systems for early detection of anomalies during the operation of VVER type reactors.
• A system of stress condition diagnostics and residual lifetime assessment of VVER plant equipment under thermal cycle loading.

One of the best Russian projects to date is the operational mode diagnostic system for the RBMK nuclear power plants.

The system is oriented towards detection of failures within the balance of plant systems. It has been installed in a lead plant and has prevented five turbine trips in the first nine months of operation.

Sweden

Sweden has developed a system called SAS II, which is a computerized operator support system.

He described it as a super safety parameter display system with the following functions:

• Monitors and displays data on critical safety functions.
• Monitors and displays operation of safety systems.
• Displays emergency operating procedure related plant data on the supervisor's monitor.
• Displays critical safety function alarms and direct causes.

He said that the system is undergoing validation at the Forsmark plant in Sweden.

Following assessment of the test results, a decision will be made about installation and use in the control room.

DARTS

DARTS is an acronym for Demonstration of Advanced Reliability Technologies for Safety Related Computer Systems.

This is funded by ESPRIT, the European Strategic Programme on Research in Information Technology.

He said the aims of this particular project were to evaluate the tools and techniques that are being promoted for development of safety critical systems containing computers, and for evaluating software cost.

United Kingdom

Mr. Beltracchi discussed activities of Rolls-Royce, Limited, an engineering firm that serves the nuclear navy.

Formal methods are used in the development of safety related software that conforms to the British Defence Standard 00-55. They use the Vienna Development Method (VDM) as the particular formal method in their approach.

They also use static analysis and tools to perform static analyses.

They have found it very useful in identifying unintended functions in the code.

He explained that unintended functions are those functions which the software will execute but which are not specified in the requirements or the specifications.

NRC Research Projects

Class 1E digital computer systems are being surveyed in order to develop the technical basis for regulatory guidance for design, development, testing and acceptance.

The project is nearing completion.

Another project will define attributes of high integrity software for nuclear power plant systems.

The positive and negative attributes resulting from the use of standards and CASE tools associated with the design, development, evaluation, and certification of high integrity software -- particularly for power plant safety systems -- will be identified and documented.

Dr. Kerr mentioned that if you are designing a 1E system, you should design it so a single failure in software does not cause any problems.

Mr. Beltracchi agreed.

Dr. Kerr, referring back to his previous remark, said the general design criteria for a 1E system require that single failure tolerance be demonstrated.

Mr. Beltracchi responded that the National Institute of Standards and Technology has reviewed a national/international design and qualification standard with this requirement in mind.

Development of verification and validation guidelines for expert systems is being funded by NRC and EPRI. The contractor is Science Applications International Corporation.

The objectives are to develop and document guidelines for verifying and validating expert systems.

Conventional V&V methodologies and knowledge based certification have been reviewed for applicability, while test and acceptance criteria will be studied in the future.

Another project will establish a baseline of user performance as a function of safety system interface.

The objective is to try to measure human performance for existing interfaces in control rooms.

In response to a question regarding what facet of performance one should look at, Mr. Beltracchi replied that:

1. The operator should be able to understand and comprehend the situation that he sees, and
2. The operator must be able to take corrective actions to prevent a violation of a critical safety function.

Finland - H. Heimberger, RES Foreign Assignee

Mr. Heimberger is Chief of the Automation Section at STUK, the Center for Radiation and Nuclear Safety in Finland. He is temporarily assigned to the NRC Office of Research.

He briefly described the organization and functions of STUK.

{

i j

He discussed the changeover of the plant computer at the Loviisa power station.

This plant is about ten years old and has been performing quite well, with availability factors higher than 90 percent per year for both units.

The plant computer was becoming old and expensive to maintain.

The decision was made to replace the plant computer without any loss of plant production and without immediately removing the existing plant computer.

The existing wiring was maintained and the new computer was installed in parallel to the old system.

The changeover was done during normal operation of the plant.

Mr. Heimberger presented some of the features of the new computer system. These included:

• Logic diagrams displayed on the CRTs
• Trend information included in displays
• Display of process information
• Safety function monitoring system accessibility
• Early fault detection display
• Leakage monitoring system display

Future Action

There were no actions, agreements, or commitments resulting from this meeting.

The Subcommittee plans to continue its discussions of matters associated with the use of computers in nuclear power plants at future meetings.

NOTE: Additional meeting details can be obtained from a transcript of this meeting available in the NRC Public Document Room, 2120 L Street, NW, Washington, DC 20006, (202) 634-3273 or can be purchased from Ann Riley and Associates, Ltd., 1612 K Street, NW, Suite 300, Washington, DC 20006, (202) 293-3950.

SUPPLEMENT TO THE MINUTES OF THE JOINT MEETING OF THE ACRS SUBCOMMITTEES ON COMPUTERS IN NUCLEAR POWER PLANT OPERATIONS AND HUMAN FACTORS

May 5, 1992 (Closed Session - 3:15 p.m. - 4:35 p.m.)

PAGES 9-13: CLOSED SESSION DELETED DUE TO PROPRIETARY INFORMATION, FOIA EX(b)(4)

Attachment A - Documents submitted to the Subcommittee

1. Design and QA/QC Activities of Safety-Protection System for Kashiwazaki-Kariwa Unit No. 6&7 (Proprietary)
2. Overview of International Exchange and Experience Involving Computer Systems (Limited Distribution)
3. RES Staff Presentation - International Computer Activities for Nuclear Plants
4. Finnish Regulatory Practices And Experiences Of Activities On Automation And Computer Systems
5. Comments On WTEC Panel Report On "European Nuclear Instrumentation And Control"