In most areas of industry and technology the advantages of digital over analog are so obvious that they are not worth talking about (except perhaps in audiophile circles, where you still get heated discussions about the relative merits of CD vs vinyl). But the licensing of digital systems for use in nuclear safety systems has proved a very challenging business, notably in the USA, where the situation was recently described as a “digital I&C logjam”, with potential to delay retrofits and disrupt new build schedules.
The single largest regulatory hurdle in implementing digital I&C systems has been the “software common cause failure issue”, which arises from the difficulty of proving that software is error free. Bugs can lead to common cause failures because identical copies of the software are present in redundant channels of safety related systems.
The Nuclear Regulatory Commission believes that “experience with digital I&C systems to date has shown that reliance upon quality assurance processes alone has not been adequately effective at preventing common cause failures even in high-integrity digital systems. Unanticipated common-cause failures are more likely in digital systems than in analog systems. Therefore, it is … important to ensure that digital technology is applied in a manner that addresses functional defense-in-depth, functional diversity, and system diversity features.”
Although all-digital reactor protection is now well established and widely used around the world, e.g. France (Spinline technology) and Germany (TXS), the American regulator is not alone in having reservations about the concept. For the EPR currently under construction at Olkiluoto 3, the Finnish nuclear regulator STUK “required a simple automatic hardwired back up system to cope with a total loss of digital I&C.” Going back a couple of decades, software reliability was also a major safety issue for Sizewell B, the UK’s first and, so far, only PWR. Here also a hard-wired back-up was installed in order to meet the very low core melt probability target that the project had set itself.
Digital safety-related and important-to-safety systems have in fact been used in US nuclear plants over the past couple of decades, and some years ago the NRC gave generic approval to Westinghouse’s Eagle 21 and Common Q (Common Qualified Platform), Triconex (Invensys), and Teleperm XS (Areva NP) for use in safety systems. The recent regulatory issues seem to have arisen in relation to proposed complete reactor protection systems that are 100% digital, coupled with the NRC making its requirements more stringent over time (“the NRC reserves the right to be smarter than it used to be”, as one industry observer puts it).
However, there are now signs that the logjam may be breaking. A concerted effort to address the technical issues got underway in earnest in the USA about two years ago. Interim Staff Guidance (ISG) documents relating to digital I&C have been issued and are being translated into formal regulatory documents – Standard Review Plans, NUREGs, Reg. Guides, etc – that should be out for public comment by the end of this year.
A particularly significant parallel development, and one that looks likely to go a long way in helping to bring clarity to the area, is the completion of the Safety Evaluation Report, expected over the next few months, for Duke’s proposed major digital I&C upgrade of its Oconee plant. This envisages, for the first time at an operating US nuclear plant, 100% digital reactor protection (reactor trip and engineered safety feature actuation systems). (Also relevant, but of much more limited scope, is a project at Wolf Creek involving the main steam and feedwater isolation system, which will be the first application of field-programmable gate arrays (FPGAs) in a nuclear safety system in the USA, for which the NRC staff expects to complete its SER by April 2009.)
The Oconee project, assuming it goes ahead, will use Areva NP’s TXS technology, which is widely employed around the world in reactor protection, including plants in Germany, Switzerland, China, Hungary, and the Flamanville 3 and OL3 EPRs currently under construction. Interestingly TXS is already employed as part of the Oconee emergency power supply, at the Keowee hydro plant.
Some flavour of what is entailed in dealing with the software CCF issue can be seen from Areva NP’s summary of the main measures it employs in TXS: “simplicity; static memory allocation; cyclic processing; asynchronous operation; no process driven interrupts; constant/predictable bus loading; watchdog monitoring; predefined/qualified function block application programming; standardisation of software development tools and function libraries; clearly defined rules for use of the software functional blocks including exception handling; no real time clock; communications independence; no uncontrolled external network connections; fail safe operation upon software error detection; a high-quality software development life-cycle; and functional diversity within a protection division.”
Areva NP says TXS achieves functional diversity “by dividing the… system into independent subsystems which… execute different I&C functions for handling one and the same event.” It assumes that any hidden fault in the software “will not take effect simultaneously in two different functions at the same time, causing both of them to fail simultaneously.”
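To make several of the measures listed above concrete (static memory allocation, cyclic processing, watchdog monitoring, fail-safe behaviour on detected error, and functional diversity within one protection division), here is an added illustration in C. It is not TXS code or anything from Areva NP; the sensor fields, thresholds and units are assumed for the example, and the two subsystems handle the same hypothetical loss-of-flow event through different functions, one on flow and one on temperature rise rate.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sensor snapshot for one processing cycle (hypothetical units). */
typedef struct { int32_t flow_pct; int32_t temp_c; int32_t temp_prev_c; bool valid; } sample_t;

enum { NO_TRIP = 0, TRIP = 1 };

/* Static storage only: no heap, no run-time growth, so memory use is fixed at build time. */
static uint32_t g_watchdog_kicks;

/* Subsystem A handles the loss-of-flow event via the flow measurement. */
static int subsystem_a_low_flow(const sample_t *s) {
    if (!s->valid) return TRIP;                 /* fail-safe on detected sensor/software error */
    return s->flow_pct < 90 ? TRIP : NO_TRIP;   /* assumed threshold */
}

/* Subsystem B handles the same event via a different function: temperature rise rate. */
static int subsystem_b_temp_rise(const sample_t *s) {
    if (!s->valid) return TRIP;
    return (s->temp_c - s->temp_prev_c) > 5 ? TRIP : NO_TRIP;   /* assumed threshold */
}

/* One fixed-length processing cycle: the same work every cycle, no interrupts, no
 * data-dependent control flow beyond the comparisons themselves. */
int protection_cycle(const sample_t *s) {
    int a = subsystem_a_low_flow(s);
    int b = subsystem_b_temp_rise(s);
    g_watchdog_kicks++;                         /* a real design kicks a hardware watchdog here */
    return (a == TRIP || b == TRIP) ? TRIP : NO_TRIP;   /* either diverse path can trip */
}

/* Constructed run over a static sample table. Returns the number of cycles that tripped,
 * or -1 if the cycle count seen by the watchdog differs from the expected fixed count
 * (the kind of stall or overrun a watchdog monitor is there to catch). */
int demo_run(void) {
    static const sample_t table[4] = {
        {95, 300, 299, true},   /* normal operation: no trip */
        {80, 300, 299, true},   /* low flow: subsystem A trips */
        {95, 310, 300, true},   /* fast temperature rise: subsystem B trips */
        {95, 300, 299, false},  /* sensor fault flagged: fail-safe trip */
    };
    g_watchdog_kicks = 0;
    int trips = 0;
    for (int i = 0; i < 4; i++) trips += protection_cycle(&table[i]);
    if (g_watchdog_kicks != 4) return -1;
    return trips;
}

int main(void) { printf("trip cycles: %d\n", demo_run()); return 0; }
```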