ML20045D065

Summary of ACRS Subcommittees on Computers in Nuclear Power Plant Operations & Reliability & Quality 920616 Meeting in Bethesda,Md Re Research Activities Related to Environ Qualification of Digital I&C Sys
Person / Time
Issue date: 12/31/1992
From: Kress T, Lewis H
Advisory Committee on Reactor Safeguards
To:
Advisory Committee on Reactor Safeguards
References
ACRS-2827, NUDOCS 9306250293


Text

DATE ISSUED: 10/27/92

CERTIFIED BY: Thomas Kress

SUMMARY/MINUTES OF THE JOINT MEETING OF THE ACRS SUBCOMMITTEES ON COMPUTERS IN NUCLEAR POWER PLANT OPERATIONS AND RELIABILITY AND QUALITY
JUNE 16, 1992
BETHESDA, MARYLAND

INTRODUCTION

The ACRS Subcommittees on Computers in Nuclear Power Plant Operations and Reliability and Quality held a joint meeting on Tuesday, June 16, 1992, in Room P-110, 7920 Norfolk Avenue, Bethesda, Maryland.

The purpose of this meeting was to discuss research activities related to the environmental qualification of digital instrumentation and control (I&C) systems.

The entire meeting was open to public attendance.

Mr. Herman Alderman was the Cognizant ACRS Staff Engineer for this meeting.

A list of documents submitted to the Subcommittees and a copy of the presentation schedule for the meeting are attached.

ATTENDEES:

Principal meeting attendees included:

ACRS

H. Lewis, Chairman, Computers in Nuclear Power Plant Operations Subcommittee
T. Kress, Chairman, Reliability and Quality Subcommittee
J. Carroll, Member
C. Wylie, Member
D. Ward, Member
C. Michelson, Member
W. Kerr, Member
H. Alderman, Cognizant ACRS Staff Engineer

Principal Speakers

S. Newberry, NRC, NRR
M. Chiramal, NRC, NRR
J. Mauck, NRC, NRR
M. Vagins, NRC, RES
C. Antonescu, NRC, RES
R. Kisner, ORNL
K. Korsah, ORNL

CHAIRMAN'S OPENING REMARKS

Dr. Lewis convened the meeting at 8:30 a.m., and stated that the purpose of the meeting was to discuss research activities related to the digital instrumentation and control systems.

He stated that the Subcommittees had received neither written comments nor requests for time to make oral statements from members of the public.

Joint Meeting of Subctes. on CNPPO and R&Q, June 16, 1992

Dr. Kress declared a conflict of interest on this subject because of the NRC staff's research contract with the Oak Ridge National Laboratory (ORNL).

Dr. Kress did not participate in the discussion of the research being performed by ORNL in this area.

Regulatory Requirements - Mr. S. Newberry and Mr. J. Mauck, NRR

Mr. Newberry said that the thrust of the presentation would be on existing requirements and standards related to the environmental qualification of digital I&C systems.

He said that standards need to be improved and have to be endorsed by the NRC.

He emphasized the need for a research program.

Mr. Mauck said that as safety grade digital systems have been backfitted into operating plants, the staff has become more aware of the susceptibility and sensitivity of these digital systems to environmental conditions such as high temperature, and electromagnetic and radio interferences.

He noted a number of regulatory requirements including the following:

  • GDC 2 - pertains to natural environmental conditions such as fires, floods, earthquakes, and lightning.
  • GDC 4 - pertains to normal and accident conditions.
  • GDC 23 - requires protection systems to go into a fail-safe mode, given the loss of their functions due to environmental conditions.
  • 10 CFR 50.49 discusses environmental qualification.

He said that IEEE Standard 603-1980 has a section on environmental conditions.

Mr. Mauck said that in addition to the regulatory requirements, there are guidance documents that have evolved from these regulatory requirements.

The one that the staff has been using for operating nuclear power plants is IEEE Standard 323, which lists numerous environmental conditions for the design of protection or safety systems.

Mr. Michelson asked whether a two-divisional safety system, which has one of its divisions subjected to an environmental stress, like a fire, must be designed to protect only the uninvolved division from the effects of the fire.

In other words, is the safety function preserved by isolating the division not directly affected while assuming the other division fails because it has no resistance to the environmental stress.

Mr. Mauck said this was not the case.

His view was that all of the protection system equipment had to be protected against the event, and that at the same time you have to be able to sustain a single failure in the unaffected division.

Mr. Michelson noted that it is hard to design equipment to operate in a fire.

He said with an additional single failure, both trains would be lost.

Mr. Michelson paraphrased the staff response to his question as each division must be fully qualified within itself for the events that occur within that division.

Mr. Mauck said that was correct.

Dr. Kerr asked whether this criterion would apply to a three channel system.

Mr. Mauck said that his view was that each channel, whether a two, three, or four channel system, has to be able to withstand all transient and accident environments that could be postulated at that particular location.

Dr. Kerr questioned whether the existing standards are adequate or not.

Mr. Vagins replied that there wasn't any single standard that was adequate.

He said that they were trying to assemble a regulatory document that would be specific as to what the standards were.

Mr. Mauck added that there are no specific standards for electromagnetic interference (EMI) and radiofrequency interference (RFI).

Mr. Carroll asked how Zion convinced the staff that they didn't have any problems with EMI and RFI.

Mr. Mauck said that they would provide the Subcommittees with a copy of the Zion Safety Analysis Report (SER).

He noted that the SER provides the details of the analysis.

Mr. Wylie asked whether there was a void in the regulations regarding grounding practices to protect equipment against lightning and power surges.

Mr. Vagins said that a research program has been under way to resolve this issue.

Overview of NRC Research Program on I&C - Mr. M. Vagins, RES

Mr. Vagins said that the need for upgrading I&C systems is clear.

Most of the existing I&C systems represent technologies from the 1950s and 1960s.

Aging I&C equipment may exhibit higher failure rates than more modern analog or digital components.

He noted that the Electric Power Research Institute (EPRI) has developed a plan for I&C system upgrades.

He said that the Babcock and Wilcox Owners Group is working on an advanced digital I&C system.

Regarding the I&C systems for advanced reactors, Mr. Vagins said that these will present a new set of problems.

He predicted that sensitive equipment (A to D converters, transmitters, fiber optic cables, multiplexers, etc.) will be used inside containment.

This presents problems in protection against water, smoke, and other environmental hazards.

He noted that the adequacy of monitoring and diagnostic equipment to detect degradation of I&C components and systems needs to be evaluated.

NRC Research Program - Ms. C. Antonescu, RES

Ms. Antonescu discussed the research programs being carried out by ORNL.

The first is development of the basis for a regulatory guide and acceptance criteria for EMI and RFI.

These will be used for certification efforts for the Advanced Light Water Reactor designs.

She mentioned that the ORNL work will also be used to develop a technical basis for endorsing the IEEE standard 1050 on grounding and shielding.

Additional research by ORNL includes:

  • Development of verification and validation criteria.
  • Research on EMI and RFI affecting digital systems.
  • Development of a preliminary in-plant validation methodology.
  • Procedures for performing plant site EMI measurements.

Ms. Antonescu said that in addition to the research on EMI/RFI issues, there is a research program relating to the qualification methods for advanced I&C systems.

The objective of this program is to provide a technical basis for developing a regulatory guide on operability and qualification for advanced analog and digital I&C systems.

NRC Research at ORNL - Mr. R. Kisner, ORNL

Mr. Kisner said that the main emphasis in this program is on digital systems, although the work applies to analog systems as well.

The work in the equipment qualification program looks at stressors in the environment.

Mr. Michelson questioned why the work on EMI/RFI was done first.

Mr. Kisner said that operating experience has revealed that equipment in nuclear and fossil power plants is very vulnerable to EMI/RFI.

Mr. Wylie said he believed the objective of this research is not only to identify the environmental stressors and then to protect the equipment against the stressors, but also to come up with recommendations on how to control these stressors.

He asked if this was correct.

Mr. Vagins said that the fundamental purpose of the research is to set test standards to qualify equipment against these contingencies.

He noted that there will always be a need to allow radio equipment for walkdowns and security activities in plant areas with safety grade equipment.

Research on EMI/RFI at Oak Ridge - Mr. P. Ewing, ORNL

Mr. Ewing discussed the development work for the technical basis for regulatory guidance on the susceptibility of digital systems to EMI/RFI.

The tasks involved were:

  • Literature search.
  • Review of standards.
  • Evaluation of industry programs.
  • Development of EMI/RFI testing and validation criteria.
  • Development of the technical basis for regulatory guidance.
  • Evaluation of EMI modeling software.

Mr. Ewing said that they believed that lowering of the operating voltages on digital instrumentation will result in greater susceptibility to EMI.

Mr. Ewing referred to some of the standards.

He said that some of the test requirements in MIL Standard 461-C are applicable to the needs of the NRC and should be given strong consideration when evaluating the susceptibility of digital systems to EMI/RFI.

He noted that IEEE Standard 1050 discusses grounding and noise minimization techniques for I&C systems.

He pointed out that IEEE 1050 was weak in its treatment of grounding practices for signal cable shields.

Mr. Carroll commented that the certification for the ABWR will be complete by the end of 1993.

He asked if anyone knows enough to write an EMI requirement into the design acceptance criteria for certification.

Mr. Ewing said he didn't know.

FUNCTIONAL ISSUES AND ENVIRONMENTAL QUALIFICATION - MR. K. KORSAH, ORNL

Functional Issues

Mr. Korsah discussed the work on environmental qualification and functional issues for the protection system.

He defined the functional issues as the internal functions as contrasted with the input/output functions.

He said that if a digital system is being retrofitted, and even if the input and output functions are the same, you could still have internal differences.

The current research involves the assessment of the unique issues in qualifying and evaluating advanced I&C systems.

Specific tasks include:

  • Conducting a survey of advanced instrumentation that is being proposed by Nuclear Steam Supply System (NSSS) vendors.
  • Reviewing applicable existing regulatory guides and standards to form the basis for a new regulatory guide.
  • Evaluating surveillance and diagnostic methods for new microprocessor-based systems.
  • Reviewing manufacturer test programs for I&C system components.

Mr. Korsah discussed some of the potential problems for digital I&C systems.

He said that the digital systems incorporate software that has multiple built-in functions.

The increased number of functions leads to complexity that may result in software logic errors affecting the system outputs. Use of software increases the potential for common-mode failures.

If there is a bug in the software, it is introduced simultaneously into all the other channels.

The software handles a number of tasks in sequence.

The fact that you have multiple functions in the module reduces the overall reliability.

He pointed out that one of the advantages of digital systems is that they contain a small number of components as compared to analog systems.

The analog system has a larger number of components (relays, etc.); consequently, there is a potential for reduction in reliability.

Mr. Michelson said the digital systems have a very fast response time.

They will respond to a momentary change in the position of a contact that an analog system would not respond to, because it's microsecond noise and the analog works in millisecond ranges.

He pointed out that the system may recognize a momentary contact during an earthquake, for example, as a real signal because it is in the microsecond range.

Mr. Korsah said that was a good point and they would look into it.

Environmental Qualification

Mr. Korsah said they want to look at where the systems are placed and how they will function in specified environments.

He said that the typical radiation exposure in the containment is about 40 kilorads over a 20-year life.

The transmitters will have to be qualified to meet this exposure.

He said that they are looking at the applicable standards that are used to qualify each of the subsystems.

They will be looking at calibration and testing capabilities and the way the system is designed to reject noise.

Also, they will be looking at failure detection methods to determine how the failure would affect the other channels via interchannel communication.

One of the areas being looked at is failure prediction based on environmental monitoring.

Some of the systems monitor the environment to determine how well the system can be assumed to work in an environment and for how long.

Mr. Michelson asked if the failure prediction is based on environmental monitoring, or just a review of what the vendor is doing.

Mr. Korsah said that they are looking to see what the vendors are doing, and determining whether these failure models are adequate for the system design that they have developed.

Mr. Korsah briefly discussed protection of electronic systems.

He said that the choice of radiation resistant components can help in protection against radiation.

Proper mounting can help against vibration.

Heat dissipation can be improved by using heat sinks.

Improvement against EMI/RFI susceptibility can be gained by proper shielding.

Protection against smoke, particulates, and corrosive gases can be gained by the board layout and material coating.

Mr. Michelson pointed out that the coatings protect the boards but they do not protect the contacts where the boards are plugged in.

Mr. Michelson asked if they had considered fire protection.

Mr. Korsah said that halon or water would be used.

Mr. Michelson said that if you turn the halon system on, you will get rapid cooling and you would possibly have a spurious operation of the system.

Mr. Kisner, ORNL, said that was something that would have to be looked at.

Dr. Lewis said in the event of a fire, it is not unusual to have black smoke.

Black smoke can deposit soot and damage electronic equipment.

He asked how they plan to protect against this.

Mr. Korsah said that they were not sure about this.

Mr. Korsah said that the room in which the equipment is located can afford some protection.

The heating, ventilation, and air conditioning system can filter particulates.

Dr. Lewis questioned the priorities used in the ORNL study.

He said that he was not convinced that EMI was a primary threat.

He suggested that more viable threats to electronics in a nuclear power plant be selected.

Mr. Michelson suggested that staff should concentrate on the ABWR, then on System 80+, and then finally on passive plants.

Mr. Korsah said that channel independence has to be redefined.

He defined channel independence as electrical and physical independence.

He noted that now you have a situation where you have to consider functional independence because you have communication among the channels.

Mr. Korsah said that diversity should encompass not only hardware but also software.

The software diversity is an issue that needs to be resolved because there is disagreement whether it is necessary or not.

The issues of internal redundancy and independence in multiplexing systems need to be addressed because of the multiple system parameters connected to the same multiplexer.

Dr. Kerr said that we need to be careful about the nomenclature that we use.

He cited the term independence.

He said that independence is not an end in itself.

It is a means to achieve reliability.

If it turns out that the lack of independence improves reliability, one should not try to achieve independence at all costs.

He said that one should relook at the concept of diversity, and see if it really is achieving what it is we are trying to achieve.

Mr. Korsah said that if some of the parameters have been proven in the past to improve reliability of a system, then they should still be used.

He said that if it has been shown that functional diversity does indeed improve system reliability, then you can require that at least two subsystems be used per channel so that half of the parameters can be monitored on one board and another half on another board so there is a built-in reliability.

Dr. Lewis asked if the NRC staff had been in contact with the telephone companies.

He said that they have mixtures of analog and digital equipment in their switching systems, and they are concerned with reliability.

Ms. Antonescu said they hadn't but probably will in the future.

In conclusion, Mr. Korsah noted that they have identified several issues arising from proposed advanced protection system designs, including the following:

  • EMI/RFI susceptibility is of greater concern due to the increased concentrations of functions in microprocessors.
  • The susceptibility is not only from the outside but also from the inside. Many of the subsystems have clocks, and these clocks generate EMI.
  • Failure modes for advanced systems with inter-channel communication may introduce vulnerabilities arising from common-mode effects.
  • Guidelines for implementing on-line automatic calibration, surveillance, and diagnostics may be necessary.
  • Regulatory guides may need to be augmented to address safety issues related to ALWR safety system designs.

Dr. Kerr commented that he hadn't heard a convincing argument that EMI should be a high priority item.

ACTIONS, AGREEMENTS, COMMITMENTS

1. The Subcommittee requested copies of the safety evaluation report for the replacement of the analog protection system with a digital system at the Zion plant. This has been provided to the ACRS.

2. The Subcommittee requested copies of an EPRI workshop on digital instrumentation. This has been distributed to the subcommittee.

3. The Subcommittee requested time at the July ACRS meeting to report to the full Committee, and to discuss how to set priorities on the environmental threats to electronics and computing systems.

The meeting was adjourned at 3:00 p.m.

NOTE:

Additional meeting details can be obtained from a transcript of this meeting available in the NRC Public Document Room, 2120 L Street, NW, Washington, DC 20006, (202) 634-3273, or can be purchased from Ann Riley and Associates, Ltd., 1612 K Street, NW, Suite 300, Washington, DC 20006, (202) 293-3950.


ATTACHMENT - A

DOCUMENTS SUBMITTED TO THE SUBCOMMITTEES

1. EMI/RFI and Equipment Qualification for Digital I&C Systems - Oak Ridge National Laboratory (ORNL)

2. Regulatory Requirements for Environmental Qualification - NRC Staff

3. Overview of NRC Research Program on Digital I&C Qualification and EMI/RFI - NRC Staff

4. Qualification of Advanced Instrumentation and Control Systems - ORNL

5. Qualification Methods for Advanced I&C Systems and Regulatory Guide and Acceptance Criteria for Electromagnetic Interference in Digital Systems

ATTACHMENT - B

Final Agenda for ACRS Joint Subcommittee Meeting on Digital I&C Environmental Qualification

Date/Location: June 16, 1992 / Phillips Bldg., Bethesda, Md.

Time: 8:30 a.m. to 2:30 p.m.

Subcommittees: Computers in NPP Operations / Reliability & Quality

Participants: NRC Staff (RES & NRR), ORNL

8:30 - 8:40 Opening Remarks

8:40 - 9:10 Regulatory Requirements by NRR (S. Newberry, M. Chiramal, J. Mauck)

9:10 - 9:55 Overview of NRC Research Program on I&C Qualifications and EMI/RFI (M. Vagins, C. Antonescu)

9:55 - 10:10 BREAK

10:10 - 12:00 Main Program Contracts with ORNL for I&C Advanced Reactor Research Program (R. Kisner, K. Korsah)

  • Qualification Methods for Advanced I&C Systems for Digital Systems (Including ORNL Draft Report on the Evaluation of a Digital Safety Channel)
  • Technical bases for Regulatory Guide Acceptance Criteria for Electromagnetic and Radio Frequency Interference

12:00 - 1:00 LUNCH

1:00 - 1:40 Main Program with ORNL (continued)

1:40 - 2:30 Open Discussion with RES & NRR Staff

  • Future RES Plans
  • ACRS Interests & Suggestions

2:30 Adjourn