Environmental Testing of an Experimental Digital Safety Channel (NUREG/CR-6406)
Manuscript Completed: August 1996
Date Published: September 1996
K. Korsah, ORNL
T. J. Tanaka, SNL
T. L. Wilson, Jr., R. T. Wood, ORNL
Oak Ridge National Laboratory
Managed by Lockheed Martin Energy Research Corp.
Sandia National Laboratories
Managed by Lockheed Martin, Inc.
Oak Ridge National Laboratory
Oak Ridge, TN 37831-6010
Sandia National Laboratories
Albuquerque, NM 87185-0747
C. Antonescu, NRC Project Manager
Division of Systems Technology
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
This document presents the results of environmental stress tests performed on an experimental digital safety channel (EDSC) assembled at the Oak Ridge National Laboratory (ORNL) as part of the NRC-sponsored Qualification of Advanced Instrumentation and Controls (I&C) System program. The objective of this study is to investigate failure modes and vulnerabilities of microprocessor-based technologies when subjected to environmental stressors. The study contributes to the technical basis for environmental qualification of safety-related digital I&C systems.
The EDSC employs technologies and digital subsystems representative of those proposed for use in advanced light-water reactors (ALWRs) or for retrofits in existing plants. Subsystems include computers, electrical and optical serial communication links, fiber-optic network links, analog-to-digital and digital-to-analog converters, and multiplexers. The EDSC was subjected to selected stressors that are a potential risk to digital equipment in a mild environment. The selected stressors were electromagnetic and radio-frequency interference (EMI/RFI), temperature, humidity, and smoke exposure. The stressors were applied over ranges that were considerably higher than what the channel is likely to experience in a normal nuclear power plant environment. Ranges of stress were selected at a sufficiently high level to induce errors so that failure modes that are characteristic of the technologies employed could be identified.
Significant findings from the environmental tests are the following:
Interfaces were found to be the most vulnerable elements of the EDSC. The majority of effects resulting from the application of the stressors were communication errors, particularly for serial communication links. Many of these errors were intermittent timeout errors or corrupted transmissions, indicating failure of a microprocessor to receive data from an associated multiplexer, optical serial link, or network node. Because of similarities in fabrication and packaging technologies, other digital safety systems are likely to be vulnerable to similar upsets. As was experienced with the EDSC, intermittent component upsets will typically impede communication, either on the board level (e.g., during bus transfers of data) or on the subsystem level (e.g., during serial or network data transfers). Thus, qualification testing should confirm the response of any digital interfaces to environmental stress.
Based on incidence of errors during testing, EMI/RFI, smoke exposure, and high temperature coupled with high relative humidity were found to be the most significant of the stressors investigated. The most prevalent stressor-induced upsets, as well as the most severe, were found to occur during the EMI/RFI tests. For example, these tests produced the only permanent failure of the EDSC (i.e., power supply). Also, the effect of the stressor was typically immediate, whereas the occurrence of high temperature/humidity and smoke exposure effects was delayed for some interval (i.e., tens of minutes) after the application of the stressor.
While the EDSC test demonstrated system level effects for both conducted and radiated EMI, the commercial components used exhibited greater susceptibility to conducted EMI. This observation is consistent with general industrial experience by European EMI experts. It should be noted that the relative susceptibility of particular systems can be mitigated by grounding, shielding, isolation, and surge withstand practices.
With regard to temperature and humidity, the study found that it was the combination of high temperature and high relative humidity (RH) that affected the EDSC, rather than temperature alone. High RH is not as likely in a controlled environment such as a control room, but such conditions still need to be considered in qualification, especially for postaccident monitoring (PAM) equipment.
For smoke exposure, important failure mechanisms are not only long-term effects such as corrosion, but also short-term and perhaps intermittent effects such as current leakage. Smoke can cause circuit bridging and thus affect the operation of digital equipment. Because the edge connections and interfaces are typically uncoated, the most likely effect of the smoke is to impede communication and data transfer between subsystems.
During the smoke tests, upsets typically were not encountered until about an hour into the exposure tests. The EDSC did not lose functionality when exposed to smoke equivalent to large control room panel fire conditions (smoke density of about 3 g/m³). A large control room panel fire has been postulated by Steve Nowlen as the most severe fire that might be experienced in the main control room. This represents the smallest smoke density of the three fire scenarios postulated. Because of similarities between the EDSC and proposed advanced digital safety systems with regard to circuit board and chip fabrication and packaging, it is reasonable to postulate that commercial digital equipment will likely maintain functionality during its initial period of exposure to smoke equivalent to large control room panel fire conditions. Given early detection of a fire and subsequent fire suppression, digital systems should maintain functionality (to allow safe shutdown) for about an hour following exposure, provided that the equipment is not directly exposed to the fire.
The solder mask on commercial electronic boards appears to be effective in preventing catastrophic and/or permanent failure of the board even when the boards are exposed to a reasonably high level of smoke. The lower limit that necessitates cleaning of circuit boards, due to chloride deposits from smoke, is often specified to be 10 pg chloride/cm². For comparison, analysis of the largest smoke load used (160 g/m³) showed the chloride deposition to be 742 pg chloride/cm². (Tests with uncoated boards using comparable smoke loads showed a marked decrease in resistance.)
The results of this study, along with results from related studies by Sandia National Laboratories and Brookhaven National Laboratory, will be used to develop the technical basis for possible enhancement of current qualification processes in a planned NUREG/CR report on an overall framework for the environmental qualification of digital safety-related I&C systems.