
OFFICE OF PUBLIC AFFAIRS
Office of Public Affairs Telephone: 301/415-8200
Washington, DC 20555-0001 E-mail: opa.resource@nrc.gov
Web Site: Public Affairs Web Site

No. S-09-007


A Regulatory Perspective of the Digital Evolution

Remarks by The Honorable Peter B. Lyons
Commissioner
U.S. Nuclear Regulatory Commission
                                                                             
6th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology
Knoxville, Tennessee
April 7, 2009

Good evening. I am pleased and honored to be delivering this banquet speech at the 6th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology. Because this is the banquet speech, my staff has advised me that it needs to be significantly lighter than my typical speeches. Therefore, they prepared some audience specific and appropriate humor that I hope you will enjoy. I’ll start with my attempt at a software joke: 

I just got around to partially embracing the digital evolution at home. I set up an account for online banking, but so far I don’t think I am going to like it. Every time I connect to my bank’s computer it sends the same message, IO IO IO.

Now that that is over with….

The significantly long title of this meeting helps to frame the magnitude of issues you are undertaking. The science behind these topics has been studied, modeled, and in some areas perfected. However, the combination of specific digital systems that must meet exacting performance standards to initiate automatic functions or to reliably elicit the desired response and relay the intended command from the human operator remains the challenge before you. From the perspective of a nuclear regulator, we must evaluate your application of this technology to assure that the fundamental design criteria of functionality, defense-in-depth, redundancy, diversity, and security are met. During my talk this evening, I will provide you with my perspective on several aspects of this challenge and also frame some areas of concern. One caveat, my remarks today are my personal views, and may not represent the collective view of the Commission.

Before we skip all the way to the issues before you, I would like to take a moment to ease into the necessary mindset by briefly recapping history. Consistent with the theme that these are my thoughts, this is also my version of history.

One of the earliest reactor control systems was the backup safety system for the Chicago Pile-1 reactor. This diverse and redundant backup control system included a control rod suspended from a rope. A dedicated operator armed with an ax was stationed to sever the rope and add negative reactivity in the event that the reactor was not controllable by the primary means. Although beautifully simplistic, the ax-man method had numerous limitations and liabilities, such as response time and the possibility of personnel injury after many hours alone with an ax. Since this time, reactor systems have significantly evolved to incorporate automatic digital control systems and improvements in human-machine interface.

As regulators, we are here to assure the fundamental characteristics of defense in depth, diversity, security, and appropriate human-machine interface are carried forward as new technologies are employed. Ironically, the duties of the ax man are not so different from modern day reactor operators who occasionally need to push the scram button to initiate a reactor shutdown.

To understand the importance of the independent role of the Nuclear Regulatory Commission (NRC), one needs to first understand a little of the agency’s history and of the agency’s experiences with new and evolving technologies. The birth of commercial nuclear power in the United States was authorized by the Atomic Energy Act of 1954 with oversight responsibility assigned to the U.S. Atomic Energy Commission (AEC). At that time, the AEC's regulatory mandate was to ensure public health and safety without imposing excessive requirements that might inhibit the growth of the industry.

From the late 1960s, the nuclear industry flourished with newer and bigger plants with increasingly complex systems. During this period, the necessity for redundancy and diversity was emerging. In 1974, Congress created the NRC with a goal of alleviating debates over the dual function of the AEC and to provide a stronger focus on licensing activities. This growing trend continued until March 28, 1979, when the event at Three Mile Island rocked the industry and the then-young NRC. Although research into accidents, redundancy, and diversity had begun well before Three Mile Island, this event placed new emphasis on these concepts and added focus to the function of the control room and the all-important interface between the operators and the machine. In fact, several years ago, on a tour of the Three Mile Island site, I had the opportunity to speak with Ed Frederick, the operator at the controls that morning. Mr. Frederick’s account of the events afforded me a whole new understanding of the significance of the control room interface and on how this contributed to the TMI event.

The NRC’s regulatory framework can be traced, with some exaggeration, to revolutionary times surprisingly pre-dating Fermi’s pile. As the NRC moves forward with industry through the evolution of digital instrumentation and control systems, the agency must do so as an independent and technically strong regulator, with the vital mission of assuring the public that nuclear plants are being operated safely and securely. I believe that the level of public assurance depends on the NRC being a fair but tough regulator. Our job is to ask the tough questions and make the tough calls; however, we must do so in an environment that strives to be as open and transparent as possible. Thus, we make significant efforts to open our regulatory processes to public scrutiny and participation wherever appropriate. This includes utilizing input from organizations such as the American Nuclear Society to provide the scientific basis, which provides the foundation for our regulatory decisions.

The application of digital systems in the nuclear industry, as you know, is not new. In the United Kingdom, that regulator was grappling with similar decisions over the application for the Sizewell B design in the early 1990s. This was studied with great interest by the NRC and other regulators. Early domestic applications have centered on important but non-safety functions such as radiation monitoring systems, fire protection systems, and feedwater controls. Although generally successful, these early applications identified vulnerabilities that in some cases resulted in unintended system operation and required corrective actions. These issues, which are common to most nuclear power plants, included items such as operational practices, radiofrequency interference, and software control issues.

In the area of human interface designs, the Halden project in Norway is a notable example of a test bed capable of evaluating the impacts of various human interface designs in a controlled environment. As significant and extensive as this research has been and despite my strong support for the Halden work, my apprehension about the application of all of this data to U.S. reactors evolves around the simple fact that the Halden testing was not done with American reactor operators. In my view, more research like that at Halden should be done in this country as well. One only needs to travel abroad for a short time to be reminded that subtle differences in labeling and configuration reduce the intuitive nature of even routine operations. A recent trip to South Africa that included driving on what I continue to consider the wrong side of the road is a perfect example. Although my travels were successful, I considered the drive neither intuitive nor relaxing.

However, the good news is that we have already established that operators can adjust to about anything. In the United States, we have many configurations of control rooms and every day the operators operate these plants safely. However, moving operators from one plant to another will typically result in a tirade about the inadequate design of the new facility. For operators of the future, it should get better. It is my expectation that through the efforts of the group assembled here, with the help of digital technology, the human interface can be simplified to minimize errors, reduce operator fatigue, increase operator awareness, and generally improve operational safety.

As the staff is progressing through the evaluation and licensing of digital systems, issues, sometimes significant, are being identified by industry and staff. The formation of the Digital I&C Steering Committee and its work to form seven specific task working groups, each dedicated to a specific area of concern, has proven that these issues can be defined and resolved. I want to compliment the efforts of staff and of many of you in this room who came together in a collaborative way to find solutions.

The ongoing licensing activities involving the use of field programmable gate arrays for main steam and feedwater isolation at Wolf Creek, and the full digital reactor trip and engineered safety features actuation system upgrade at Oconee, are further encouragement that this evolution is progressing. The engineers and managers involved may not appreciate it at this time, but one day the nightmares will subside and history will likely record their contributions as important steps in this evolutionary process.

As another notable example of digital evolution, the University of Florida is partnering with Areva and Siemens to install a two-channel digital safety system in its 1950s, 100 kw, Argonaut reactor. At first, this may appear as logical as putting fuel injection on a Model A, but I am encouraged that this project will provide significant insights and further advance the digital evolution. It should serve to expose a new generation of scientists and engineers to the challenges of digital applications in a nuclear environment as well as provide a platform for additional research at the University of Florida and at other participating schools.

I encountered a more visual example of the digital evolution during my recent visit to the simulator prototypes under development by Westinghouse and Mitsubishi near Pittsburgh. Both of these projects are significant advancements from the control rooms of today, incorporating digital software to assist the operators in understanding and responding to the needs of the plant. Features like electronic procedures, which pop up based on prioritized alarms and then automatically link the operators to appropriate screens for information and control functions, are enhancements that our friend the ax man did not even know he was missing. These projects had many similarities and just as many differences, both in the digital systems and the human interface. I was pleased to learn that current operators are providing feedback to the vendors to optimize these systems. In my view, such differences in the digital system designs are technical decisions, which very well may have multiple and equally acceptable solutions.  

The differences in the human interface systems of different vendors are by nature far more subjective, and I will not tread anywhere near calling one right and one wrong. However, these differences do point out the need for more relevant research in this area. Although, I am confident that our resilient operators could adapt to either design. The question is, which design features will preclude statements such as: unknown to the operators… the operators inadvertently… was improperly restored… and many similar statements that are apparently mandatory in all classic event reports? Without these statements, it is my hope that many future event reports will not need to be written.

Now let me touch on some of the new reactor activities that will all involve this technology. The NRC currently has 17 combined license applications for 26 reactors using five designs. One note related to my slide, the staff’s review of most of the ESBWR applications is currently on hold pending further direction from the applicants. To accommodate this extraordinary increase in regulatory review workload, the NRC staff is implementing a design-centered approach to facilitate parallel review of multiple standardized combined license applications.

This approach is directly dependent upon the industry’s commitment to standardize COL applications for a specific reactor design. In the context of this meeting, standardization means standardizing the designs for digital systems. I believe this approach to licensing is crucial to completing timely reviews for multiple applications. It is based on the principle of “one issue, one review, one position” for multiple COL applications, and it is intended to optimize the NRC’s review effort and the resources needed.

The benefits of a design-centered licensing review will be achieved only to the extent that the reactor vendor and the utilities standardize the pertinent sections of the applications. This will be particularly true in the more technically-complex areas such as digital I&C and safety systems. In addition, reactor vendors and COL applicants must submit applications that are complete and meet very high-quality, technical standards. We will not compromise our standards to expedite approvals. NRC staff has developed guidance to assist the COL applicant’s understanding of what is necessary to meet our standards. Future applicants should be paying close attention and learning from the NRC’s assessment of the first applications.

In addition to the licensing activities, both NRC and the U.S. nuclear industry have a lot of work ahead of us in preparing for new construction under the new licensing and approval process in Part 52 of our regulations. NRC has been developing and will be implementing its new Construction Inspection Program. Our inspection focus will be centered out of our Atlanta regional office. Much of the efficiency and timeliness of our inspection activities will depend on how well industry adheres to the necessary high quality standards required for a nuclear plant. As NRC continues to develop our inspection program and train our inspectors, we are using lessons learned from our regulatory partners in other countries, such as Finland, France, Korea, China, Taiwan, and Japan, who have very current experience. We are also exploring ways to test construction inspection methods using the current construction of Watts Bar 2. This facility was licensed for construction in 1973 under the 10 CFR Part 50 licensing process but stalled at approximately 80 percent completion in 1988. Under the new Part 52 process, the Commission must find that all necessary inspections, tests, and analyses have been performed and associated acceptance criteria have been met before granting authorization to load fuel and begin operations.

Let me turn now to a few of the important challenges that face both the NRC and industry. As you consider the importance and impact of each of these challenges, I offer a timeless perspective from Alfred North Whitehead. “The art of progress is to preserve order amid change and to preserve change amid order.”  This simple statement serves to underscore the importance of maintaining the safety of the nation’s operating reactors as we move forward with challenges associated with the design, construction, and operation of new reactors.

As I discuss these challenges, I am going to stay away from the details that all of you know far too well. These are the core challenges specific to the implementation of digital systems that brought you to this meeting and what you have been and will be discussing all this week. I am confident that a lot of good minds are well on their way to solving these. Therefore, I will focus on the bigger implementation issues that will truly enable the efficient and effective use of this technology.

As any of you who are currently working on new reactor projects know, the digital I&C systems and control room designs for the new facilities were included as what we call design acceptance criteria or DAC, and were not specified as part of any certified design. This decision allowed the NRC to proceed with the design certification process without locking the designers into any specific configurations for these systems. However, it also creates an opportunity for individual projects to evolve independently, counter to the goal of standardization.

The globalization of the nuclear supply chain has created an unprecedented diversity of global sources for nuclear components. I anticipate that these components will include those used in digital I&C systems. This makes it increasingly important for regulatory bodies, as well as industry consensus standards organizations, to carefully coordinate to ensure both consistency and satisfaction of the standards. This isn’t an academic or hypothetical point. The NRC has previously identified counterfeit and deficient parts and continues to seek better ways of monitoring the increasing globalization of the nuclear supply chain through our international collaborations. Quality issues in the 1970s contributed to halting several nuclear plants under construction. In today’s global manufacturing economy, global collaboration will be imperative to the nuclear industry.  

Change control is an area of concern that, although not unique to digital systems, is equally important. This ties to several NRC regulations.  Perhaps most notable is 10 CFR 50.59, the regulation that requires in its simplest terms, a series of tests to make sure the proposed change does not invalidate the analysis that supported the NRC’s safety conclusion. Another related requirement is the new safety/security interface rule. This rule was added as part of our recent upgrade of the security regulations to require licensees to evaluate the unintended consequences that changes to security systems may have on safety and vice versa.

A tragic example of this was a safety upgrade made to many U.S. police cars in the 1990s that coupled the brake lights to the roof flashing lights so that the brake lights would flash on and off with the roof lights. Unfortunately, in many vehicle models the brake lights were part of the interlock circuit that prevents the shift lever from moving out of park unless the brakes are engaged. This, of course, is intended to be a safety interlock. However, on these modified police cars this safety interlock was actually turning on and off with the flashing lights. This came to light in 1999 only in an accident investigation for a tragedy in which a parked police car was shifted into gear at full throttle, hitting several parade-goers. This can serve as an example of the problems that can happen from connecting safety systems together, either inadvertently or by design, without careful analysis of all the implications.

Another challenge is that changes in our world, as demonstrated by the events of 9/11, have necessitated new requirements to enhance the security of nuclear power plants. The addition of a cyber threat to the NRC’s design basis threat rule and the addition of specific requirements for a cyber security plan to 10 CFR 73.55 are two examples. In general, substantial enhancements have been made. The NRC is confident of the adequacy of security at operating reactors today, but new reactor designs must achieve this level of security despite greater opportunities for intrusion. Through the design and operation of digital systems, security must be accounted for and maintained. Your designs will be tested and vulnerabilities will be exploited by those with malicious intent.

Complexities, such as the digital systems, serve to underscore the ongoing challenge of building up the necessary quality workforce and the educational infrastructure to maintain it. The human capital challenge that confronts the nuclear industry, academia, and the NRC is immense. Future projections indicate that we need more trained workers, but many factors limit our ability to rapidly increase this workforce. One such factor is the expected retirement of the current workforce. It has been estimated that about 35 percent of those working at U.S. nuclear utilities will be eligible for retirement in the next five to ten years and that 90,000 new workers will be needed by 2011, just to continue operating the existing plants. Within NRC, approximately 15 percent of our workforce is currently retirement eligible and that number will increase to 33 percent within the next 5 years. The potential labor shortage not only affects utilities and the NRC, but also impacts the entire nuclear infrastructure, including national laboratories, other Federal and state agencies, nuclear technology vendors and manufacturing companies, nuclear construction companies, and university nuclear engineering departments.

However, I am pleased to note that NRC has made significant progress in this arena as we increased our staff to handle the new applications. For the past 3 years, NRC has added over 200 new hires a year above attrition, some with experience and training in the areas of digital I&C and human factors, to assure our ability to meet the demands of new reactor licensing. These new hires represent a mix of senior, mid-career, and entry-level personnel.

Additionally, NRC’s FY 2008 Nuclear Education Scholarship and Fellowship Program provided $15 million to support education in nuclear science, engineering, and related technologies. These funds were used for college scholarships and graduate fellowships in nuclear science, engineering, and health physics; faculty development grants supporting faculty in these academic areas; and scholarships for trade schools in the nuclear-related trades. Statistics collected by DOE indicate that student enrollment and graduation rates in nuclear engineering and radiation health programs are increasing. But even with these increases, there will still be a personnel shortfall, based on the projected demand.

In closing, I hope I have accomplished three things today.

First, I hope you can agree that the maintenance of a strong and independent nuclear regulator is not only necessary, but adds significant value to public confidence and assurance.

Second, you should appreciate the amount of new licensing work that the NRC is expecting and has started, and our commitment to performing effective safety reviews in an efficient and timely manner.

And, third, you should appreciate the challenges that face the nuclear industry as well as the NRC. Some of these challenges rely on continued progress by those in this meeting.

Finally, I would like to thank everyone involved with putting on this and the previous five NPIC&HMIT meetings. It is only through the hard work of a large number of dedicated individuals and the support of their organizations that meetings like this can be successful. I am very happy to note that NRC and its staff have been active supporters of this meeting since its inception in 1993, with the agency providing frequent banquet and plenary speakers, active participation in the planning and organization of the meetings, speakers and session chairs at this and the past meetings, and even one of the five past General Chairs of this meeting. I encourage all of you to continue your support for this meeting and similar meetings. Forums like this provide a unique opportunity to discuss current and future research, development and regulatory topics in digital I&C and human machine interface technologies. We need these interactions to help ensure continued progress in these critical areas.

Thank you for your attention.


NRC speeches are available through a free list serve subscription at the following Web address: http://www.nrc.gov/public-involve/listserver.html. The NRC homepage at www.nrc.gov also offers a SUBSCRIBE link. E-mail notifications are sent to subscribers when speeches are posted to NRC's Web site.



Thursday, April 09, 2009