Home > NRC Library > Document Collections > Generic Communications > Information Notices > 1993 > IN 93-57
Information Notice No. 93-57: Software Problems Involving Digital Control Console Systems at Non-Power Reactors
UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION WASHINGTON, D.C. 20555 July 23, 1993 NRC INFORMATION NOTICE 93-57: SOFTWARE PROBLEMS INVOLVING DIGITAL CONTROL CONSOLE SYSTEMS AT NON-POWER REACTORS Addressees All holders of operating licenses or construction permits for test and research reactors and nuclear power reactors. Purpose The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to alert addressees to software problems involving digital control console systems at two non-power reactors. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required. Description of Circumstances Armed Forces Radiobiology Research Institute (AFRRI) On September 4, 1992, at the AFRRI Training Reactor and Isotope Production - General Atomics (TRIGA) reactor, a problem with the interlock logic for the digital control console was discovered during the performance of the items on the daily startup checklist for the shutdown reactor. The digital control console, manufactured by General Atomics, was installed at AFRRI in the summer of 1990 in accordance with an NRC license amendment dated July 23, 1990. The problem was revealed when a trainee depressed the PULSE mode button and the rod UP button simultaneously and a control rod was driven out of the core. This rod movement was inconsistent with a rod withdrawal interlock for the PULSE mode of operation. The rod continued to withdraw even after the rod UP button was released; this continued withdrawal is inconsistent with the design intent of the rod control system. Licensee personnel manually tripped the reactor to stop the withdrawal of the control rod. The licensee investigated this event and found that the same rod withdrawal action would occur when the SQUARE WAVE mode button (instead of the PULSE mode button) and the rod UP button were depressed simultaneously. However, the problem would not occur when the AUTO mode button and the rod UP button were depressed simultaneously. The licensee tested a variety of interlock combinations for the digital control console system and did not find any other problems. 9307190043 . IN 93-57 July 23, 1993 Page 2 of 3 This problem had not been discovered previously for two reasons: (1) General Atomics, the manufacturer of both the TRIGA reactor and the digital control console, considered the simultaneous pressing of the mode selector and rod UP buttons to be inconsistent with the operational design of the reactor, and (2) these buttons were so located on the control console that it was unusual for an operator to press both buttons simultaneously. As an interim measure, pending a permanent modification, the licensee installed a switch configuration that required the operator to use both hands to enter the pulse or square-wave mode of operation. This change prevented an operator from pressing a rod UP button at the same time as an operational mode button. General Atomics has now developed a permanent software modification for this problem, and the licensee installed the modification at AFRRI on September 25, 1992. This modification was also installed at other facilities that have the General Atomics digital control consoles. The temporary solution for the digital control console at AFRRI was maintained until the permanent software modification was fully tested and accepted. Pennsylvania State University (Penn State) On October 5, 1992, with the reactor shut down, operators at the Penn State TRIGA reactor erroneously assigned a positive value to a software parameter for their digital control console. Power was supplied to the control rod magnets at the time, engaging the control rods to their drive mechanisms and resulting in allowing control rod withdrawal on the demand signal from the control system which resulted from the software error. The error resulted in the unanticipated withdrawal of the transient control rod. The transient rod scrammed on a rod withdrawal overspeed trip. Software subroutines in this system are typically designed to reject irrational parameter changes and issue warning messages. However, because this particular parameter has a wide range of valid positive and negative inputs, the software cannot prevent the operator from inputting erroneous values. The digital control console, manufactured by Atomic Energy of Canada, Ltd., of Mississauga, Ontario, was installed at Penn State in the summer of 1991 in accordance with an NRC license amendment dated August 6, 1991. The manufacturer of the digital control console has discussed possible corrective actions with the licensee and with other customers who could experience the problem. The licensee has instituted administrative controls at Penn State that are designed to prevent a recurrence of this type of problem. These administrative controls include (1) a requirement that power to the control rod magnets be off when making software changes, (2) increased management review of proposed changes, and (3) the use of design change procedures to . IN 93-57 July 23, 1993 Page 3 of 3 control changes to the digital control console, providing additional assurance that the software changes will be installed correctly and tested. Discussion These problems, and the increasing number and wide variety of licensees and applications using digital technology, emphasize the importance of the design, testing, and change control of digital systems. An effective verification and validation (V&V) plan for software that performs a safety function can help ensure acceptable design and implementation. Some acceptable V&V plans are described in Regulatory Guide 1.152, "Criteria for Programmable Digital Computer Software in Safety-Related Systems at Nuclear Power Plants," and in American National Standards Institute (ANSI)/Institute of Electrical and Electronics Engineers (IEEE) Standard 1012-1986, "IEEE Standard for Software Verification and Validation Plans." Guidance for determining the design specifications that are to be verified and validated is available in ANSI/IEEE Standard 830-1984, "IEEE Guide to Software Requirements Specification." Another key element related to digital systems is the control of software configuration changes. Guidance for software configuration change control is available in ANSI/IEEE Standard 828-1983, "IEEE Standard for Software Configuration Management Plans." This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager. ORIGINAL SIGNED BY Brian K. Grimes, Director Division of Operating Reactor Support Office of Nuclear Reactor Regulation Technical contacts: J. Stewart, NRR (301) 504-0824 W. Eresian, NRR (301) 504-1833 M. Mendonca, NRR (301) 504-1128 Attachment: List of Recently Issued NRC Information Notices .
Page Last Reviewed/Updated Tuesday, November 12, 2013