Design Practices for Communications and Workstations in Highly Integrated Control Rooms (NUREG/CR-6991)
On this page:
Download complete document
Manuscript Completed: February 2009
Date Published: September 2009
R. Kisner, D. Holcomb, J. Mullens, T. Wilson,
R. Wood, K. Korsah, M. Muhlheim, A. Qualls,
M. Howlader, G. Wetherington, Jr.,
P. Chiaro, Jr., and A. Loebl
Oak Ridge National Laboratory
P.O. Box 2008
Oak Ridge, TN 37831-6075
P.J. Rebstock, NRC Project Manager
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
NRC Job Code N6350
This report presents the findings and observations obtained in the course of the associated research and does not indicate NRC endorsement of the designs and methods reported. The Foreword to this report provides additional information concerning this subject.
This report presents the results of research used in the development of review guidance and associated acceptance criteria for use by regulatory staff in confirming that highly integrated control room (HICR) designs are in conformance with Nuclear Regulatory Commission (NRC) requirements. The principal features of the HICR are extensive use of digital network communications and digital operator workstations. The purpose of this report is to document technical considerations that support the development of guidance that specifically addresses issues related to communication among safety divisions and between safety-related equipment and equipment that is not safety related. This information is intended to provide clarification in recognition of the possible variations in digitalcommunication- based systems.
Documents such as IEEE 7-4.3.2, Regulatory Guide 1.152, and IEEE 603 (considered current industry and NRC guidance) are not sufficiently detailed for evaluating interdivisional communications independence. Thus, the NRC seeks to establish evaluation criteria for safety systems communications that can be uniformly applied in a variety of safety system designs.
The report examines (1) operating experience and lessons learned, (2) accepted consensus practices, and (3) analysis of credible failure mechanisms arising from several possible network architectures and message types. A structured approach for evaluation of safety-to-safety and nonsafety-to-safety communications systems has emerged from this study. Two general failure categories can be considered: (1) information and (2) communication. Information failure encompasses any situation in which a message or data to a safety system appears valid but is wrong (e.g., incorrect, misguided). A communication failure refers to the loss of messages or data because of transmission.
Information for this report was obtained through publicly available sources such as published papers, reports, and presentations. No proprietary information is represented.