Text

s Linear Ac e e ac i t F AX:(6191455 3865 September 8,1993 Mr. Brian K. Grimes Director, Division of Operating Reactor Support Office of Nuclear Reactor Regulation M/S OWFN 9 A2 U. S. Nuclear Regulatory Commission Washington D. C. 20555

Subject:

NRC Information Notice 93-57:

Software Problems Involving Digital Control Console Systems at Non-Power Reactors.

Dear Mr. Grimes:

General Atomics (GA) has received a copy of the subject information notice addressed to all holders of operating licenses or construction permits for test and research reactors and nuclear power reactors. The purpose of the notice was to alert addressees of software problems involving two different digital instrumentation and control (I&C) systems at non-power reactors. Since one of the two digital I&C systems [at the Armed Forces Radiobiology Research Institute (AFRRI)] under question in this notice was designed, manufactured and installed by GA, we find it necessary to respond to the subject notice to point out actions required of - and taken by - GA to correct the situation, compared to the actions required of-and taken by - Penn State University and the manufacturer of the Penn State digital I&C system, AECL Technologies, Inc. based in the United States (not Atomic Energy of Canada, Ltd., of Mississauga, Ontario, Canada as stated in the notice). In particular, GA would like to bring to your attention, and seek an explanation of, the discrepancy in the actions required of GA and AECL as suppliers (and AFRRI and Penn State as licensees) to prevent recurrences of these problems.

Circumstances Related to Occurrence at AFRIU The problem related to the GA designed and installed digital I&C system was revealed when an extremely low probability event was initiated by reactor operators at AFRRI, that being the simultaneous actuation of the mode selector switch and a control rod UP button. As correctly stated in the information notice, it is extremely unusual for an operator to press both these buttons simultaneously. However, when the problem was discovered and reported to us by AFRRI and NRC. staff, GA immediately notified the 1

four other facilities which operate pulsing reactors (non-pulsing facilities were not affected) with the GA digital I&C system. In fact, since we were informed on a Friday afternoon of the problem at AFRRI, GA made the effort to contact some licensee i

managers at their homes in the event they were contemplating weekend operations.

i b^pn(f8pe ?

I 0A ta ba 930921005e 93o90s II 8

O PDR ADDCK 05000005 !9 89048 0

PDR f!

M.')'W $

3550 GEN!8tAL ATOMICS COURT. SAN DEGO,U92121-1194 PO BOX 85608. SAN DEGO.th 92186 9YB4 y 1619 455 3000 j

(.

j

il

' Mr. Brian K. Grimes Nuclear Regulatory Commission Page 2 In telephone conversations with NRC staff at the time of this occurrence at AFRRI, my staff and I were told that even though this is an extremely low probability event, systems related to safety cannot be controlled administratively, and that a permanent modification MUST be developed by GA to be acceptable to NRC staff. GA therefore, expeditiously set about to locate the software problem and perform the necessary modification to prevent this highly unlikely event that was observed at AFRRI. During the short time period that software modifications were being made, GA recommended that administrative measures be put in place to prevent such an occurrence, as highly unlikely as it may be. Indeed, GA put in such administrative controls at its own R-38 TRIGA Mark I reactor, even though such a problem has never been encountered and reported at GA by any one on our own large licensed staff, nor for that matter elsewhere except for the single AFRR1 incident.

Even though GA considered this change unnecessary, we complied with NRC directions received in telephone conversations with your staff and spent the necessary resources to develop and install the modiDeations at all affected pulsing reactors.

Circunistances Related to Occurrence at Penn State University The subject information notice also brought to the attention of licensees the occurrence at the Penn State non-power reactor, where an AECL supplied digital I&C system allowed an unanticipated withdrawal of a control rod to occur. This unanticipated withdrawal apparently occurred from a software error, which did not issue a warning message to the operator that power was supplied to the control rods while software parameters affectin, control rod movement were being changed by the operator. In other words, the system allowed the opemtor to change software parameters which affected 1

safety related synems - including the input of erroneous values - without rejecting it or as a minimum, giving warning messages. Yet, NRC staff found it acceptable that the licensee institute only administrative controls to prevent a recurrence of unanticipated rod withdrawals. No action was required of the supplier (or the licensee) that permanent software modiDeations be developed and installed on the system, as was required of GA by NRC staff.

GA Dnds this uneven handling of the situation by NRC staff to be troubling and of concern which we would like to see addressed. Even though the occurrence with the GA system was a highly unlikely event, and described in the sioject notice as " inconsistent with the operational design of the reactor," the software was required to undergo a permanent modiDeation. At the same time, unanticipated control rod withdrawal on the AECL designed digital I&C system which apparently can occur because of operator error, was required to be remedied using only administrative actions on the part of the licensec. The latter is inconsistent with the staff policy stated to GA, that systems related to safety, even if not part of the actual safety system, p;mnet be administratively controlled.

2 l

l

9 Mr. Brian K. Grimes Nuclear Regulatory Commission Page 3 GA recommends consistency in the actions of NRC staff to remediate the situations reported in the notice, and asks that the staff also require that the AECL designed I&C system at Penn State be permanently modified to prevent the occurrence of unanticipated rod withdrawals by the system software. Licensees operating with GA supplied systems should not be required to operate under different conditions than licensees who have obtained such systems from other suppliers.

Very truly yours, N

V Brian E. Thurgood Managing Director TRIGA Reactors Division cc:

Dr. Seymour Weiss Director, Non-Power Reactor Directorate U. S. Nuclear Regulatory Commission M/S OWFN 11 B20 Washington DC 20555 Mr. Alexander Adams U.S. Nuclear Regulatory Commission M/S OWFN 11 B20 Washington DC 20555 Mr. Marvin Mendonca U.S. Nuclear Regulatory Commission M/S OWFN 11 B20 Washington DC 20555 l

,