United States Nuclear Regulatory Commission - Protecting People and the Environment

Information Notice No. 93-57: Software Problems Involving Digital Control Console Systems at Non-Power Reactors

                                 UNITED STATES
                         NUCLEAR REGULATORY COMMISSION
                     OFFICE OF NUCLEAR REACTOR REGULATION
                            WASHINGTON, D.C.  20555

                                 July 23, 1993


NRC INFORMATION NOTICE 93-57:  SOFTWARE PROBLEMS INVOLVING DIGITAL CONTROL
                               CONSOLE SYSTEMS AT NON-POWER REACTORS 


Addressees

All holders of operating licenses or construction permits for test and
research reactors and nuclear power reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information
notice to alert addressees to software problems involving digital control
console systems at two non-power reactors.  It is expected that recipients
will review the information for applicability to their facilities and consider
actions, as appropriate, to avoid similar problems.  However, suggestions
contained in this information notice are not NRC requirements; therefore, no
specific action or written response is required. 

Description of Circumstances

Armed Forces Radiobiology Research Institute (AFRRI)

On September 4, 1992, at the AFRRI Training Reactor and Isotope Production -
General Atomics (TRIGA) reactor, a problem with the interlock logic for the
digital control console was discovered during the performance of the items on
the daily startup checklist for the shutdown reactor.  The digital control
console, manufactured by General Atomics, was installed at AFRRI in the summer
of 1990 in accordance with an NRC license amendment dated July 23, 1990.  

The problem was revealed when a trainee depressed the PULSE mode button and
the rod UP button simultaneously and a control rod was driven out of the core. 
This rod movement was inconsistent with a rod withdrawal interlock for the
PULSE mode of operation.  The rod continued to withdraw even after the rod UP
button was released; this continued withdrawal is inconsistent with the design
intent of the rod control system.  Licensee personnel manually tripped the
reactor to stop the withdrawal of the control rod.  The licensee investigated
this event and found that the same rod withdrawal action would occur when the
SQUARE WAVE mode button (instead of the PULSE mode button) and the rod UP
button were depressed simultaneously.  However, the problem would not occur
when the AUTO mode button and the rod UP button were depressed simultaneously. 
The licensee tested a variety of interlock combinations for the digital
control console system and did not find any other problems.

9307190043
.

                                                            IN 93-57
                                                            July 23, 1993
                                                            Page 2 of 3


This problem had not been discovered previously for two reasons:  (1) General
Atomics, the manufacturer of both the TRIGA reactor and the digital control 
console, considered the simultaneous pressing of the mode selector and rod UP
buttons to be inconsistent with the operational design of the reactor, and
(2) these buttons were so located on the control console that it was unusual
for an operator to press both buttons simultaneously.  

As an interim measure, pending a permanent modification, the licensee
installed a switch configuration that required the operator to use both hands
to enter the pulse or square-wave mode of operation.  This change prevented an
operator from pressing a rod UP button at the same time as an operational mode
button.  

General Atomics has now developed a permanent software modification for this
problem, and the licensee installed the modification at AFRRI on September 25,
1992.  This modification was also installed at other facilities that have the
General Atomics digital control consoles.  The temporary solution for the
digital control console at AFRRI was maintained until the permanent software
modification was fully tested and accepted.  

Pennsylvania State University (Penn State)

On October 5, 1992, with the reactor shut down, operators at the Penn State
TRIGA reactor erroneously assigned a positive value to a software parameter
for their digital control console.  Power was supplied to the control rod
magnets at the time, engaging the control rods to their drive mechanisms and
resulting in allowing control rod withdrawal on the demand signal from the
control system which resulted from the software error.  The error resulted in
the unanticipated withdrawal of the transient control rod.  The transient rod
scrammed on a rod withdrawal overspeed trip.

Software subroutines in this system are typically designed to reject
irrational parameter changes and issue warning messages.  However, because
this particular parameter has a wide range of valid positive and negative
inputs, the software cannot prevent the operator from inputting erroneous
values.  

The digital control console, manufactured by Atomic Energy of Canada, Ltd., of
Mississauga, Ontario, was installed at Penn State in the summer of 1991 in
accordance with an NRC license amendment dated August 6, 1991.  The
manufacturer of the digital control console has discussed possible corrective
actions with the licensee and with other customers who could experience the
problem.  

The licensee has instituted administrative controls at Penn State that are
designed to prevent a recurrence of this type of problem.  These
administrative controls include (1) a requirement that power to the control
rod magnets be off when making software changes, (2) increased management
review of proposed changes, and (3) the use of design change procedures to .

                                                            IN 93-57
                                                            July 23, 1993
                                                            Page 3 of 3


control changes to the digital control console, providing additional assurance
that the software changes will be installed correctly and tested.

Discussion

These problems, and the increasing number and wide variety of licensees and
applications using digital technology, emphasize the importance of the design,
testing, and change control of digital systems.  

An effective verification and validation (V&V) plan for software that performs
a safety function can help ensure acceptable design and implementation.  Some
acceptable V&V plans are described in Regulatory Guide 1.152, "Criteria for
Programmable Digital Computer Software in Safety-Related Systems at Nuclear
Power Plants," and in American National Standards Institute (ANSI)/Institute
of Electrical and Electronics Engineers (IEEE) Standard 1012-1986, "IEEE
Standard for Software Verification and Validation Plans."  Guidance for
determining the design specifications that are to be verified and validated is
available in ANSI/IEEE Standard 830-1984, "IEEE Guide to Software Requirements
Specification."  

Another key element related to digital systems is the control of software
configuration changes.  Guidance for software configuration change control is
available in ANSI/IEEE Standard 828-1983, "IEEE Standard for Software
Configuration Management Plans."  

This information notice requires no specific action or written response.  If
you have any questions about the information in this notice, please contact
one of the technical contacts listed below or the appropriate Office of
Nuclear Reactor Regulation (NRR) project manager.


                                       ORIGINAL SIGNED BY


                                    Brian K. Grimes, Director
                                    Division of Operating Reactor Support
                                    Office of Nuclear Reactor Regulation


Technical contacts:  J. Stewart, NRR
                     (301) 504-0824

                     W. Eresian, NRR
                     (301) 504-1833

                     M. Mendonca, NRR
                     (301) 504-1128


Attachment:
List of Recently Issued NRC Information Notices

.
Page Last Reviewed/Updated Tuesday, November 12, 2013