Frequently Asked Questions About Digital I&C
What changes to existing guidance and what new guidance might be expected as a result of ongoing NRC research efforts? The NRC Office of Nuclear Regulatory Research (RES) is engaged in research that will both augment and enhance the current staff review guidance and will develop the information needed to assist in the review of new technologies. RES is not engaged in rulemaking efforts, nor are the results of the research designed to provide new policy. The research is designed to enhance staff acceptance criteria for licensing activities where new technology may render earlier guidance less effective.
Regulatory Guide 1.206, “Combined License Applications for Nuclear Power Plants” (draft issued as DG-1145), was issued in June 2007. Updates to the Standard Review Plan were completed in early 2007. The first set of combined license applications is expected in September 2007.
Regulatory Guide 1.206, “Combined License Applications for Nuclear Power Plants,” includes a discussion of what must be submitted by a licensee not referencing an accepted design. This same material would be needed for digital installations in safety service in existing nuclear power plants.
There is no regulation concerning acceptable timeframes. It is commonly believed that 30 minutes is a reasonable lower limit for operator action, but requirements are assessed on a case-by-case basis. The Highly-Integrated Control Room - Human Factors task working group (TWG), consisting of various NRC staff members and industry participants, is working on establishing an acceptable timeframe for operator actions.
The System Aspects of Digital Technology program involves research pertaining to internal and external factors that affect the performance of a digital system as a whole. The Software Quality Assurance program involves research pertaining to establishing a quantitative means of assessing the quality of safety system software. The Digital System Risk Assessment research program will establish a program and process to facilitate risk-informing digital system reviews. The Emerging Digital Technology assessment program involves research into new innovations in digital I&C technology that have the potential for deployment in existing, new, or advanced nuclear facility I&C system designs. The Digital System Security program involves research that will address potential security vulnerabilities as part of the system development process and will maintain the security of the installed system against threats such as external cyber attacks as well as electromagnetic interference or electromagnetic pulse attacks. The Advanced and Future Plant Digital System program involves research to develop the regulatory guidance needed to support the review of future reactor I&C systems and highly integrated digital control rooms. For more details on these research programs, please refer to the NRC Digital System Research Plan for FY 2005–FY 2009.
During the past 20 years, there have been a significant number of safety-related and important-to-safety digital systems or components installed in operating nuclear power plants. The safety-related digital systems were developed in accordance with the requirements in Appendix B to 10 CFR Part 50 and generally have operated safely. However, 38 out of approximately 100 operating plants have reported potential and actual common-mode failures in many of these systems. Some common-mode failures affected a single plant, while others affected several plants using the same digital system.
NUREG/CR-6303, “Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems,” describes a method for analyzing digital safety systems to determine points of design for which credible common-mode failures are compensated for by diversity or defense in depth. Diversity is complementary to defense in depth and increases the likelihood that defenses at a particular level or depth will be actuated when needed. The types of digital system diversity may be classified into the following six categories:
What different acceptable strategies may address common-mode failure vulnerabilities in digital safety system designs? The staff guidance in NUREG/CR-6303, “Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems,” provides a set of recommended criteria for each diversity attribute, ranked in order of relative importance within each attribute. The Diversity and Defense-in-Depth (D3) research project will explore combinations of equipment diversity in microprocessor hardware and software and will assess the strengths and weaknesses of the resulting system D3. This research will provide recommendations for staff guidance in terms of best practices for digital system D3 design strategies. In addition, a task working group (TWG), consisting of various NRC staff members and industry participants, has been formed to identify and resolve technical issues that will result in more efficient licensing of digital I&C systems for new reactor applications and for retrofits at operating reactors/facilities.
The Diversity and Defense-in-Depth (D3) research project will develop combinations of diversity attributes and associated criteria that provide acceptable D3 strategies for addressing common-mode failure vulnerabilities in digital safety system designs. The information obtained from this research project will be used to develop a revision to NUREG/CR-6303, “Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems,” or a new NUREG that will provide enhanced technical guidance to the staff on appropriate common-mode failure mitigation measures using diversity attributes and criteria. It will also be used to develop regulatory acceptance criteria that will complement existing NRC regulatory processes (i.e., BTP-19, “Guidance on Evaluation of Defense-in-Depth and Diversity (D3) of Digital I&C”) for confirming appropriate implementation of common-mode failure mitigation strategies. A regulatory guide could ultimately result from this project.
The staff guidance in NUREG/CR-6303, “Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems,” provides a set of recommended criteria for each diversity attribute, ranked in order of relative importance within each attribute. The Diversity and Defense-in-Depth (D3) research project will explore combinations of equipment diversity in microprocessor hardware and software and will assess the strengths and weaknesses of the resulting system D3. This research will provide recommendations for staff guidance in terms of best practices for digital system D3 design strategies. However, licensees can and have used the existing guidance to design digital safety systems that satisfy agency requirements.
The staff intends to provide one acceptable method that can be applied to current NRC guidance for using probabilistic risk assessment in risk-informing licensing decisions (Regulatory Guide 1.174, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis”). In addition, a task working group (TWG), consisting of various NRC staff members and industry participants, has been formed to identify and resolve technical issues that will result in more efficient licensing of digital I&C systems for new reactor applications and for retrofits at operating reactors/facilities.
Other industries have developed methods to model digital systems by using a number of methods, including fault trees, dynamic fault trees (used by the National Aeronautics and Space Administration (NASA)), Markov methods (used by NASA, the transportation industry, and others), dynamic flow graph methodology (used by NASA), and Petri nets. In the case of the space station, for example, the digital system model used is a Markov model that was then partially integrated into the larger station event tree/fault tree model. Although these methods have some limitations (e.g., the space station model does not dynamically link the digital system model to the rest of the probabilistic risk assessment), the staff believes that these modeling methods can be adapted and improved to provide an acceptable method for modeling digital systems in nuclear power plants.
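As an added illustration that is not part of the NRC page, the following pure-Python Markov model of a two-channel (1-out-of-2) digital protection system shows how the common-cause fraction of channel failures, rather than the independent failure rate, governs the probability that both channels are lost. The states, the beta-factor split of the failure rate, and all numeric rates are assumptions chosen for the example.

```python
"""Three-state Markov model of a 1-out-of-2 digital protection system.
Constructed example (not NRC code). Assumed parameters:
  lam  - failure rate of one channel (per hour)
  beta - fraction of channel failures that are common-cause (beta-factor)
  mu   - repair rate of a single detected channel failure (per hour)
States: 0 = both channels working, 1 = one failed, 2 = both failed."""


def generator(lam, beta, mu):
    """Transition-rate matrix Q (row = from-state, column = to-state)."""
    li = (1.0 - beta) * lam          # independent failure rate of one channel
    lc = beta * lam                  # common-cause rate that fails both at once
    q = [[0.0] * 3 for _ in range(3)]
    q[0][1] = 2.0 * li               # either of the two channels fails alone
    q[0][2] = lc                     # both channels fail together
    q[1][0] = mu                     # the failed channel is repaired
    q[1][2] = lam                    # remaining channel fails (independent or CCF)
    for i in range(3):               # diagonal makes every row sum to zero
        q[i][i] = -sum(q[i])
    return q


def _matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(3)) for j in range(3)]
            for i in range(3)]


def expm(q, t, squarings=16, terms=12):
    """exp(Q*t) via scaling-and-squaring with a truncated Taylor series."""
    s = t / (2 ** squarings)
    a = [[q[i][j] * s for j in range(3)] for i in range(3)]
    result = [[float(i == j) for j in range(3)] for i in range(3)]
    term = [row[:] for row in result]                 # k-th term: (A^k)/k!
    for k in range(1, terms + 1):
        term = [[x / k for x in row] for row in _matmul(term, a)]
        result = [[result[i][j] + term[i][j] for j in range(3)] for i in range(3)]
    for _ in range(squarings):                        # undo the scaling
        result = _matmul(result, result)
    return result


def p_loss_of_function(lam, beta, mu, hours):
    """Probability that both channels are failed at time `hours`, from state 0."""
    return expm(generator(lam, beta, mu), hours)[0][2]


if __name__ == "__main__":
    # Same channel reliability; only the common-cause share changes.
    for beta in (0.0, 0.01, 0.1):
        p = p_loss_of_function(1e-4, beta, 1.0 / 24.0, 1000.0)
        print(f"beta={beta:.2f}  P(both channels failed at 1000 h) = {p:.3e}")
```

Lowering beta stands in for the diversity measures of NUREG/CR-6303: the independent-failure contribution is already small for a redundant pair, so the remaining risk is almost entirely the common-cause term.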
The NRC Office of Nuclear Regulatory Research will be collaborating with other industries, foreign regulators, other government agencies, and reactor vendors to incorporate lessons learned from the controls industry into agency regulatory programs. Examples of these collaborations include interactions with the following:
What will be the final product of the NRC research regarding digital system cyber vulnerabilities? The research end products will augment and supplement the staff’s review process described in relevant sections of the updated Standard Review Plan. The results are expected to be in the following form:
How is the NRC staff interfacing with the U.S. Department of Homeland Security on cyber security? The NRC staff has been engaged with the U.S. Department of Homeland Security (DHS) on the National Infrastructure Protection Plan, which allowed the staff to identify areas for potential collaboration on cyber security and on the application of the DHS cyber assessment process, which may be applicable to nuclear power plants.
Microprocessors are general-purpose state machines that perform operations on programs stored in memory locations. Microprocessors fetch instructions and data from memory locations, decode the instructions, execute the application software instructions using the data, and then write the results to a memory location for subsequent use in the next program step. A field programmable gate array (FPGA) is a semiconductor device containing programmable logic components and programmable interconnects. The programmable logic components can be programmed to duplicate the functionality of basic logic gates (such as AND, OR, XOR, NOR) or more complex combinational functions (such as decoders or simple mathematical functions). In most FPGAs, these programmable logic components (or logic blocks, in FPGA parlance) also include memory elements, which may be simple flip-flops or more complete blocks of memories. A hierarchy of programmable interconnects allows the logic blocks of an FPGA to be interconnected as needed by the system designer, somewhat like a one-chip programmable breadboard. These logic blocks and interconnects can be programmed after the manufacturing process by the customer/designer (hence the term “field programmable”) so that the FPGA can perform whatever logical function is needed. Once programmed, an FPGA executes only that program repetitively.
Because field programmable gate arrays (FPGAs) are significantly simpler than microprocessors and link only the functions needed for a given application, the complexity of the resulting application system can be significantly less than that of a microprocessor-based system. Also, FPGAs have burned-in programmed logic that reacts to incoming information and do not rely on application software continuously running to process incoming information.
The safety evaluation report (SER) that approved the generic concept of online monitoring (OLM) also mandated 14 requirements that an OLM system would have to meet if the calibration frequency were to be extended (including the need to conduct a detailed uncertainty analysis). Additionally, the SER did not provide any guidance on the acceptability of any particular analytical method for implementing OLM for calibration frequency extension. The new guidance will provide the staff with detailed technical information that it can use to evaluate licensee responses to the 14 requirements in the SER and with methods for identifying and evaluating the assumptions and limitations associated with the analytical methods that are being applied in OLM systems.
The Federal Aviation Administration (FAA) has developed guidelines (DO-248B and DO-178B) for all software to be installed on aircraft. The FAA has extensive experience with the licensing of flat panels as well as the use of emerging technologies. The NRC has initiated research (e.g., highly integrated control room research and field programmable gate array (FPGA) research) with a number of external agencies and organizations, including FAA, to develop licensing guidance on the basis of experience gained from other types of mission-critical and safety-significant applications.
To the NRC’s knowledge, not all possible digital system failure modes have been compiled. This is one focus area of ongoing NRC research into digital system risk. A complete list of digital system failure modes would be highly desirable; in practice, however, a well designed, redundant, and diverse digital system should address all system failure modes.