skip navigation links 
 
 Search Options 
Index | Site Map | FAQ | Facility Info | Reading Rm | New | Help | Glossary | Contact Us blue spacer  
secondary page banner Return to NRC Home Page
Digital I&C Key Issues
Diversity & Defense in Depth
Control Room Communication Systems
Control Room Human Factors
Cyber Security
Risk-Informed Regulation

Home > About NRC > How We Regulate > Research Activities > Digital I&C > Key Issues > Control Room Communication Systems

Highly Integrated Control Rooms—Digital Communication Systems

On this page

To top of page

Communication between Safety and Nonsafety Systems

With digital I&C technology, judicious communication between redundant safety channels and between safety and nonsafety systems may enhance reliability and safety more than could have been attained when existing operating nuclear power plants were designed with analog technology. Proposed designs include varying degrees of communication between redundant safety channels and between safety and nonsafety systems to validate signals and ensure high reliability.

To top of page

Requirement for Unimpaired Safety Function

It should be demonstrated that the provisions for the implementation of communications among redundant safety channels and between safety and nonsafety systems and the communication processes and messages themselves do not impair the proper execution of the associated safety functions through unintended behaviors or inadequately managed failure modes or by any other means or influence.

The NRC is developing consolidated guidelines to support staff reviews of proposed communication protocols and systems. Issues such as two-way communication, data density, and communication traffic levels appropriate for safety-related applications need to be addressed in the documentation of the proposed designs.

To top of page

General Design Criterion 24

In Appendix A to 10 CFR Part 50, General Design Criterion (GDC 24), “Separation of Protection and Control Systems,” states the following requirement:

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

GDC 24 provisions regarding interconnection of the protection and control systems limit two-way communication between safety and nonsafety systems. Consensus standards indicate that such communication pathways are acceptable as long as

  • failure of the communication system does not impair the safety function, and
  • the safety function does not rely on nonsafety system inputs to operate.

The NRC has approved digital safety systems that use limited two-way communications between safety and nonsafety components to allow safety system reconfigurations while in operating modes specifically designed to accept changes (e.g., test mode for testing a channel and Inop mode for changing setpoints and performing channel maintenance).

To top of page

Requirement for Independence and Isolation

Some of the new control room designs may apply strategies for integrating safety- and nonsafety-related controls within the same controller or display device. The proposed controls and displays could include extensive two-way communications among safety channels and between safety and nonsafety channels. Applicants should demonstrate that proposed mixed channel displays and controls and operation of safety devices by means of nonsafety controls or of controls in other channels maintain the required independence and isolation of redundant safety systems.

To top of page

Failure Analysis Techniques and Mitigation Measures

The NRC is developing failure analysis techniques for use in the evaluation of complex digital communication systems proposed for use within and among redundant safety channels and between safety and nonsafety channels. As part of this development, the NRC will use case studies of current technologies to identify scenarios that could challenge a safety system and to identify mitigation measures to address those challenges.

The primary objective of this effort is to develop a comprehensive process for confirming that an integrated control room design conforms with 10 CFR Part 50.55a(h), “Protection and Safety Systems” requirements and the requirements in associated standards and regulatory criteria for areas such as

  • electrical separation and independence between safety- and nonsafety-related displays and controls;
  • single failure criteria;
  • equipment qualification of Class 1E safety-related displays and controls; and
  • data communication isolation.

The regulatory criteria for these requirements are found in Regulatory Guide 1.152, “Criteria for Digital Computers in Safety Systems of Nuclear Power Plants,” which endorses with exceptions IEEE 7-4.3.2-2003, “IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.”

To top of page


Privacy Policy | Site Disclaimer
Wednesday, July 11, 2007