Digital Instrumentation and Controls Research
The NRC Office of Nuclear Regulatory Research (RES) performs research related to tools, methods, procedures, acceptance criteria, and guidance to assess the safety and security of digital instrumentation and controls (I&C) systems in the U.S. nuclear industry. RES provides technical information to support licensing decisions and prepares for the future by evaluating the safety implications of new technologies and designs in the area of digital I&C. RES coordinates research and development activities with other NRC offices and external stakeholders (e.g., universities, national laboratories) to address digital I&C issues and support the use of consensus standards.
In the knowledge management area, RES collaborates on research efforts domestically and internationally to support the sharing of regulatory standards and research data for digital I&C systems. The staff is engaged in ongoing efforts to share operational experience data and analysis techniques with U.S. industry and with research organizations in other countries. RES supports the harmonization of international nuclear power plant digital I&C system standards and the improvement of NRC knowledge management and regulatory efficiency.
The following links provide more information on the NRC's research related to digital I&C systems of operating reactors, new reactors, advanced reactors, and other nuclear facilities. They summarize the specific research areas of digital I&C research conducted by RES and the current research activities.
Specific Research Areas
The specific areas of research pursued by the NRC have changed over time in response to the perceived need. The following summarizes some of the research areas related to digital I&C.
Analytical Assessment of Digital I&C Systems
Within the area of safety aspects of digital systems, RES conducted an analytical assessment to support safety evaluations of digital I&C systems. This research included developing an inventory and classification system for nuclear power plant (NPP) digital systems; exploring the state-of-the-art of safety-critical digital systems analysis; failure mode and operational experience analysis; and a needs assessment for new regulatory review tools, such as a system hazard analysis, a safety demonstration framework, and guidance for review of software tools. This research improved the general understanding of how digital systems may fail and supported the development of criteria to ensure that these systems will not adversely affect NPP safety. Other research projects investigated fault-tolerant testing techniques and advanced diagnostics and prognostics. The NRC and the industry have been interested in risk-informing digital safety system licensing reviews and further research on the failure modes of digital systems and quantitative software reliability.
RESEARCH INFORMATION LETTER 1001: Software-Related Uncertainties in the Assurance of Digital Safety Systems—Expert Clinic Findings, Part 1.
This research information letter (RIL) transmits knowledge about uncertainties in assurance of digital safety systems associated with software and other manifestations of complex logic. Its purpose is to support the judgment exercised in licensing reviews of complex digital safety systems. This knowledge was acquired through an expert elicitation activity. Uncertainties in the assurance of digital instrumentation and control (DI&C) systems for safety functions in a variety of application domains are increasingly emanating from systemic causes, as in software. To learn from experiences outside of the commercial nuclear power plant (NPP) industry, such as defense, space flight, commercial aviation, medical devices, automobiles, telecommunications, and railways, NRC elicited knowledge from experts with safety-critical software and systems research experience in these application domains. RIL-1001 identifies the dominating sources of uncertainties in safety assurance and promising approaches to address them.
RESEARCH INFORMATION LETTER 1002: Identification of Failure Modes in Digital Safety Systems – Expert Clinic Findings, Part 2.
RIL-1002 reports findings with respect to identifying failure modes for use in assurance of a Digital Instrumentation and Controls (DI&C) safety system. The work was performed per Commission direction as stated in Staff Requirements Memorandum (SRM) M0806058B. In this report, "failure" is defined as the termination of the ability of an item to perform a required function. The term "failure mode" is used in the context of an overall DI&C system to describe how a failure is observed to occur. Results were obtained by surveying existing knowledge from a diverse panel of safety-critical digital system experts consulted by the NRC during an expert elicitation process conducted in 2010, through supplemental research that included a review of over 150 public and non-public documents, and through additional interviews with experts not part of the elicitation process. Findings are summarized and synthesized in ten sets of "generic" digital system failure modes for each function of the system. Furthermore, in addition to "generic" failure modes, findings indicate that there may be additional system-specific failure modes. Research on this topic is continuing in several places. Alternative analytical approaches are being investigated to support needs for safety assurance.
The report also includes results from staff investigations on the efficacy of Software Fault Modes and Effects Analysis (SFMEA) as a method for identifying faults leading to system failures impairing a safety function. Whereas the term "failure mode" is used in the context of an overall DI&C system, the corresponding concept for a software item is "fault mode." Software used in digital safety systems is complex logic. The ability of software in DI&C safety systems to perform a required function does not terminate due to wear and tear. The term "failure" (in the meaning stated above) does not apply to software in DI&C safety systems. A "fault" is defined as the state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions or due to lack of external resources. The term "fault mode" is defined as one of the possible states of a faulty item for a required function. Six distinct SFMEA methods were found, but the staff did not find a sound technical basis to require NRC applicants and licensees to perform an SFMEA similar to any of these methods. NUREG/IA-0254, listed below, provides additional information supporting this conclusion. Results and conclusions presented in this RIL concern assurance of digital safety systems.
RESEARCH INFORMATION LETTER 1101: Technical Basis to Review Hazard Analysis of Digital Safety Systems.
The Office of Nuclear Regulatory Research (RES) prepared RIL-1101 in response to an Office of New Reactors (NRO) user need request, dated December 8, 2011, seeking the technical basis for the regulatory review of an applicant's hazard analysis (HA). The requested information supports improvements to the regulatory guidance for evaluation of an applicant's HA and would also be useful in performing a confirmatory HA. Many of the challenges experienced in the licensing reviews of new reactors were rooted in hazards from systemic causes. RIL-1101 also identifies conditions to address the (contributory) hazards and reduce the hazard space. These conditions to reduce the hazard space represent the technical basis for potential acceptance criteria for regulatory reviews of future new and advanced reactor applications.
Adopters of the hazard-analysis approach in RIL-1101 can apply it to an early-stage functional concept and iterate the approach on the successive work products as development progresses. When the hazard-analysis approach in RIL-1101 is applied, the resulting design criteria and design bases intrinsically include constraints that avoid hazardous conditions. Early identification of these avoidable contributory hazards, and of the constraints that eliminate them, drives downstream engineering to prevent later problems. Preventing problems earlier in the lifecycle improves lifecycle economics while increasing safety.
NUREG/IA-0254, June 2011
International Agreement Report, "Suitability of fault modes and effects analysis for regulatory assurance of complex logic in digital instrumentation and control systems".
The Institut de Radioprotection et de Surete Nucleaire (IRSN) and the NRC jointly investigated and evaluated the suitability of applying fault modes and effects analysis (FMEA) as a technique for identifying faults attributable to Complex Logic in digital instrumentation and controls for safety functions in nuclear power plants. Complex Logic refers to logic in the form of software, or in the form of programmed hardware, for which it is not practicable to ensure the correctness of all behaviors through verification alone. Whereas the term "failure modes and effects analysis" is used in the context of the overall DI&C system, the corresponding concept for software (and other forms of complex logic) in a DI&C system is "fault modes and effects analysis." When FMEA techniques that have been used effectively for traditional hardware are applied to Complex Logic, the extension does not yield a similar benefit to regulatory assurance, because of the fundamental differences in the nature of faults in traditional hardware versus Complex Logic. Whereas hardwired devices (such as electromechanical relays) have only a few predetermined fault modes, the potential fault space in Complex Logic is much greater; yet the actual number of faults is an extremely small fraction of the potential fault space. Finding these faults through FMEA is akin to searching for a needle in a haystack. Through analysis and examples of several real-life catastrophes, this report shows that FMEA could not have helped in the discovery of the underlying faults. The report concludes that the contribution of FMEA to regulatory assurance of Complex Logic, especially software, in a nuclear power plant safety system is marginal.
International Agreement Report, "(Availability of) An International Report on Safety Critical Software for Nuclear Reactors by the Regulator Task Force on Safety Critical Software (TF-SCS)".
The Regulator Task Force on Safety Critical Software (TF SCS) for nuclear reactors, which at that time comprised seven international nuclear regulators and authorized technical-support organizations, and the U.S. Nuclear Regulatory Commission (NRC) had exchanged information seeking consistency in the technical basis for licensing reviews of software in safety-related digital instrumentation and control systems for nuclear power plants. The TF SCS documented its consensus technical basis in the technical report (embedded in NUREG/IA-0463) and invited the NRC's review and comments. Although the NRC was not a member of the TF SCS, the NRC staff participated in meetings and provided comments on the TF SCS report. As a result, the NRC collaborated with the TF SCS by reviewing and providing comments to improve the technical report documenting the TF SCS's common positions. This NUREG includes the TF SCS report titled "Licensing of Safety Critical Software for Nuclear Reactors - Common Position of International Nuclear Regulators and Authorised Technical Support Organisations." The NRC added an Appendix after the TF SCS report to assist NRC staff in using the information as a technical reference in any future changes to NRC's regulatory guidance framework.
Cybersecurity of Digital I&C Systems
In 2009, the NRC published the cybersecurity rule, Title 10 of the Code of Federal Regulations (10 CFR) 73.54, "Protection of Digital Computer and Communication Systems and Networks." The cybersecurity rule is a performance-based programmatic requirement that ensures that the functions of digital computers, communication systems, and networks associated with safety, important-to-safety, security, and emergency preparedness are protected from cyber-attacks.
The NRC engages with other Federal agencies, including the U.S. Department of Homeland Security, the Federal Energy Regulatory Commission, and the North American Electric Reliability Corporation (NERC) on cybersecurity efforts. The 2010 digital I&C system research plan also included cybersecurity of digital I&C systems as a research program area. The NRC signed a memorandum of understanding with NERC to clarify the regulatory roles and responsibilities of each organization, including inspection protocols and enforcement actions.
In support of 10 CFR 73.54, the NRC published Regulatory Guide (RG) 5.71, "Cybersecurity Programs for Nuclear Facilities," in 2010. RES completed research to explore cyber vulnerabilities in digital systems and networks, including wireless networks that were expected to be deployed in NPPs. This research validated the need for the new regulatory guidance and cybersecurity programs required under 10 CFR 73.54.
RES supports the continued review of RG 5.71 to ensure that digital I&C systems can maintain safe operating environments in nuclear facilities. The NRC I&C research staff participates in governmentwide, academic, and industry working groups that provide the latest information and tools to address cyber threats. Continuous evaluation is required to maintain expertise that can address concerns that arise in this rapidly changing environment.
Smoke Effects on Electronic Equipment
The NRC addresses the effects of fire and smoke on equipment through its fire protection programs. Fire is a design-basis event. To demonstrate that it can be handled, licensees perform a post-fire safe-shutdown analysis to assure that a train of shutdown structures, systems, and components remains free of fire damage for a single fire in any single plant fire area. Industry has developed methods for evaluating the effects of fire-induced circuit failures on safe-shutdown capability. Nuclear Energy Institute report NEI-00-01, Revision 2, "Guidance for Post-Fire Safe Shutdown Circuit Analysis," May 2009, provides one acceptable method for performing a post-fire safe-shutdown circuit analysis when used with RG 1.189, Revision 3, "Fire Protection for Nuclear Power Plants," issued February 2018.
The NRC gives fire protection requirements for commercial NPPs in 10 CFR 50.48, "Fire Protection." This regulation requires that each operating license issued under 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," or combined operating license issued under 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants," must have a fire protection plan that satisfies 10 CFR Part 50, Appendix A, "General Design Criteria for Nuclear Power Plants," General Design Criterion 3, "Fire Protection." The NRC staff reviews the fire protection plan described in the licensee's or applicant's submittal with reference to the acceptance criteria provided in NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," Section 18.104.22.168, "Fire Protection Program."
The NRC has sponsored research to support the development of the agency position in this area. The following lists digital I&C-related research reports.
NUREG/CR-6220, "An Assessment of Fire Vulnerability for Aged Electrical Relays" (March 1995)
This report details testing to assess the impact of aging on the fire vulnerability of Agastat and General Electric relays. Both aged and unaged relays were tested. Aged relays were subjected to operational cycling under rated load and thermally aged for 60 days. All relays were exposed to one of three different fire temperature profiles in the Severe Combined Environments Test Chamber located at Sandia National Laboratories. The ability to operate properly in the given fire environment was monitored. Results for the aged and unaged relays were examined to determine the impact of aging on the relays' ability to sustain operation under the test conditions. Overall results indicated that the aged relays' performance was not significantly different from that of the unaged relays.

NUREG/CR-6476, "Circuit Bridging of Components by Smoke" (October 1996)
Smoke can adversely affect digital electronics; in the short term, it can lead to circuit bridging and in the long term to corrosion of metal parts. This report is a summary of the work to date and component-level tests by Sandia National Laboratories for the NRC to determine the impact of smoke on digital instrumentation and control equipment. The component tests focused on short-term effects such as circuit bridging in typical components and the factors that can influence how much the smoke will affect them. These factors include the component technology and packaging, physical board protection, and environmental conditions such as the amount of smoke, temperature of burn, and humidity level. The likelihood of circuit bridging was tested by measuring leakage currents and converting those currents to resistance in ohms. Hermetically sealed ceramic packages were more resistant to smoke than plastic packages. Coating the boards with an acrylic spray provided some protection against circuit bridging. The smoke generation factors that affect the resistance the most are humidity, fuel level, and burn temperature. The use of carbon dioxide as a fire suppressant, the presence of galvanic metal, and the presence of polyvinyl chloride did not significantly affect the outcome of these results.

NUREG/CR-6543, "Effects of Smoke on Functional Circuits" (October 1997)
Nuclear power plants are converting to digital I&C systems; however, the effects of abnormal environments such as fire and smoke on such systems are not known. There are no standard tests for smoke, but previous smoke exposure tests at Sandia National Laboratories have shown that digital communications can be temporarily interrupted during a smoke exposure. Another concern is the long-term corrosion of metals exposed to the acidic gases produced by a cable fire. This report documents measurements of basic functional circuits during and up to 1 day after exposure to smoke created by burning cable insulation. Printed wiring boards were exposed to the smoke in an enclosed chamber for 1 hour. For high-resistance circuits, the smoke lowered the resistance of the surface of the board and caused the circuits to short during the exposure. These circuits recovered after the smoke was vented. For low-resistance circuits, the smoke caused their resistance to increase slightly. A polyurethane conformal coating substantially reduced the effects of smoke. A high-speed digital circuit was unaffected. A second experiment on different logic chip technologies showed that the critical shunt resistance that would cause failure was dependent on the chip technology and that the components used in the smoke exposures were some of the most smoke tolerant. The smoke densities in these tests were high enough to cause changes in high impedance (resistance) circuits during exposure, but they did not affect most of the other circuits. Conformal coatings and the characteristics of chip technologies should be considered when designing digital circuitry for nuclear power plant safety systems, which must be highly reliable under a variety of operating and accident conditions.

NUREG/CR-6597, "Results and Insights on the Impact of Smoke on Digital Instrumentation and Control" (January 2001)
Smoke can cause interruptions and upsets in active electronics. Because nuclear power plants are replacing analog with digital I&C systems, qualification guidelines for new systems are being reviewed for severe environments such as smoke and electromagnetic interference. Active digital systems, individual components, and active circuits have been exposed to smoke in a program sponsored by the NRC. The circuits and systems were all monitored during the smoke exposure, indicating any immediate effects of the smoke. The major effect of smoke has been to increase leakage currents (through circuit bridging across contacts and leads) and to cause momentary upsets and failures in digital systems. This report summarizes two previous reports and presents new results from conformal coating, memory chip, and hard drive tests. The report describes practices for mitigation of smoke damage through digital system design, fire barriers, ventilation, fire suppressants, and post-fire procedures.

NUREG/CR-7123, "A Literature Review of the Effects of Smoke from a Fire on Electrical Equipment" (July 2012)
A review is presented of the state-of-the-art of smoke production measurement, prediction of smoke impact as part of computer-based fire modeling, and measurement and prediction of the impact of smoke through deposition of soot on and corrosion of electrical equipment. The literature review on smoke corrosivity testing and damage due to smoke deposition emphasizes (despite extensive research on smoke corrosivity) the lack of validated and widely applicable prescriptive or performance-based methods to assure electrical equipment survivability given exposure to smoke from a fire. Circuit bridging via current leakage through deposited smoke was identified as a potentially important mechanism of electronic and electrical equipment failure during nuclear power plant fires.
In the near term, assessment of potential damage can reasonably be based on the airborne smoke exposure concentration and the exposure duration. Hence, models that can predict the airborne smoke concentration would be sufficient to provide upper limit estimates of potential damage. In the longer term, it would be desirable to develop models that could estimate the deposition behavior of smoke and specifically correlate the combination of deposited and airborne smoke to component damage.

NUREG-1635, "Review and Evaluation of the Nuclear Regulatory Commission Safety Research Program" (December 2014)
This Advisory Committee on Reactor Safeguards report states that "Research projects should address…heat on fiber optic cables, the effects of heat on digital equipment, and the effects of smoke damage to digital signal processing and computation modules" (page 5, discussed in more detail on pages 27–28).

Scoping Study on Heat-Induced Signal/Actuations on Digital Equipment (9/27/2017)
This report documents the findings obtained through a literature search and interviews of key personnel from industries involved with digital systems, including systems with large amounts of data. The focus of this work is to identify and assess the protection of digital equipment from the effects of heat and
Online monitoring refers to automated techniques used to assess instrumentation performance or health while the facility is operating. Online monitoring seeks to determine whether the equipment has encountered an anomaly or fault or if recalibration is needed. For example, some systems can detect an eventual bearing failure in a pump by monitoring vibrations; other systems are capable of monitoring safety signals when a protection channel is drifting out of the allowable tolerance.
The availability of online monitoring may result in licensees seeking approval to change surveillance and maintenance practices at nuclear facilities. For this reason, the NRC proactively seeks to ensure that it is prepared to evaluate, provide timely decisions, and offer regulatory guidance on the safe use of online monitoring methods.
In May 2009, the NRC published NUREG/CR-6895, "Technical Review of On-Line Monitoring Techniques for Performance Assessment," a three-volume report on online monitoring. Volume 1, "State of the Art," gives a general overview of sensor calibration monitoring technologies and their uncertainty analysis, and a review of supporting information for assessing these online monitoring techniques. Volume 2, "Theoretical Issues," evaluates the application of the most commonly employed online monitoring methods. Volume 3, "Limiting Case Studies," applies the modeling and uncertainty analysis techniques in Volume 2 to a plant dataset to consider the effects of modeling assumptions. An overview of the report is available.
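As an added illustration of the redundant-channel drift detection described above (this is not code from NUREG/CR-6895 or the NRC): four redundant protection channels measure one process parameter, the per-sample median of the channels serves as the parameter estimate, and a channel is declared out of tolerance only when its deviation from that estimate exceeds the allowable tolerance for a run of consecutive samples, so a single transient upset is not confused with calibration drift. The readings, tolerance and persistence count are constructed for the example.

```python
"""Redundant-channel drift check for online monitoring (added illustration).

Assumptions (constructed, not from NUREG/CR-6895): four redundant channels,
a median parameter estimate, an allowable tolerance in engineering units,
and a persistence count that a deviation must sustain before the channel
is flagged as drifting.
"""
from statistics import median


def parameter_estimate(sample):
    """Median of the redundant channels; with one channel drifting among
    four, the median is not pulled by the drifting channel."""
    return median(sample)


def check_drift(readings, tolerance, persistence):
    """readings: list of samples, each a list of channel values in fixed order.
    Returns {channel_index: sample_index} giving, for each channel declared
    out of tolerance, the first sample of the qualifying consecutive run.
    A deviation that does not persist resets the channel's run counter."""
    n_channels = len(readings[0])
    run = [0] * n_channels      # consecutive out-of-tolerance samples per channel
    flagged = {}
    for t, sample in enumerate(readings):
        est = parameter_estimate(sample)
        for ch, value in enumerate(sample):
            if abs(value - est) > tolerance:
                run[ch] += 1
                if run[ch] >= persistence and ch not in flagged:
                    flagged[ch] = t - persistence + 1
            else:
                run[ch] = 0
    return flagged


def deviations(readings, channel):
    """Deviation of one channel from the parameter estimate at each sample;
    useful for trending a channel before it reaches the tolerance limit."""
    return [sample[channel] - parameter_estimate(sample) for sample in readings]


def constructed_readings(n_samples=20):
    """Constructed data: channel 0 has a one-off spike at sample 3 (a transient,
    not drift); channel 2 begins a slow linear drift at sample 5; channels 1
    and 3 are steady. Values are invented for illustration."""
    readings = []
    for t in range(n_samples):
        ch0 = 100.0 + (2.0 if t == 3 else 0.0)
        ch1 = 100.1
        ch2 = 99.9 + (0.15 * (t - 4) if t >= 5 else 0.0)
        ch3 = 100.05
        readings.append([ch0, ch1, ch2, ch3])
    return readings


if __name__ == "__main__":
    data = constructed_readings()
    # Channel 2 is flagged from sample 9; the spike on channel 0 is not.
    print(check_drift(data, tolerance=0.5, persistence=3))
    print([round(d, 3) for d in deviations(data, 2)])
```

With the persistence count set to 1 the transient on channel 0 would also be flagged, which is the behaviour the persistence check is there to avoid.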
Current Research Activities
The instrumentation and controls (I&C) arena continues to evolve, and the U.S. Nuclear Regulatory Commission (NRC) continues to refine its regulatory approach to comport with technological advancements in this area. The NRC continues to perform research that supports development of licensing criteria to evaluate new digital I&C systems.
To address the principles of the Commission's direction in the Staff Requirements Memorandum for SECY-15-0106, the NRC staff developed the Integrated Action Plan (IAP) and updates the plan as a living document. The IAP considers the broad context of digital I&C regulatory challenges and focuses on improving the regulatory infrastructure so that it integrates performance-based and technology-neutral engineering concepts for safety assurance. The IAP is the overarching plan to modernize the digital I&C regulatory infrastructure; it assists stakeholders in demonstrating the safety and security of I&C systems and assists the NRC staff in performing regulatory reviews and I&C system inspections in a more efficient, effective, consistent, and risk-informed manner. In the interest of efficiency and more timely updates, the IAP and its management steering committee oversight are leveraged to update plans for I&C research activities in lieu of a separate 5-year NRC digital system research plan.
Digital I&C Regulatory Infrastructure Research
The NRC has identified three research activities to modernize its digital I&C regulatory infrastructure. The IAP provides the basis for these research activities. These three research efforts will develop and consolidate technical knowledge in the areas of most immediate concern for digital I&C, producing technical bases and recommendations for the improvement of the regulatory infrastructure. The information produced by these research efforts will support future transformation efforts in the regulation of digital I&C. The staff in the Office of Nuclear Reactor Regulation (NRR) and RES discussed and mutually agreed upon the proposed scope and schedule described below for the user need requests (UNRs). Two of these UNRs are expected to span approximately 2 years, with the third requiring an additional 2 years, as indicated below. Work on all three UNRs is expected to be performed simultaneously.
Embedded Digital Devices and Emerging Technologies
Embedded digital devices (EDDs) and related emerging technologies may introduce new hazards or other safety concerns, as presented in Regulatory Issue Summary 2016-05, "Embedded Digital Devices in Safety-Related Systems," dated April 29, 2016. The purpose of this research is to develop the technical basis for evaluating EDDs and emerging technologies.
Common Cause Failure in Digital I&C Systems
A common cause failure (CCF) of redundant digital I&C systems could result in the complete loss of a safety function or auxiliary systems that support safety systems. The purpose of this research is to develop the technical basis for evaluating CCF of digital I&C systems.
Risk-Informed Reviews of I&C Systems and Components
The current I&C regulatory infrastructure is based on compliance with the Institute of Electrical and Electronics Engineers (IEEE) design and quality standards and the NRC's defense-in-depth policy. This research will establish the technical basis to integrate risk-informed approaches into technical reviews and inspections of digital systems. It will also provide recommendations for integrating risk insights into the digital I&C regulatory infrastructure, including methods and tools.
Halden Reactor Project (HRP)
The OECD/NEA Halden Reactor Project (HRP), in operation since 1958 and the NEA's largest joint project with over 19 participating countries, includes digital systems research in its man, technology and organization (MTO) area. It aims to provide its member organizations improved capability for the safe use of digital technology in nuclear power plants (NPPs). As digital technologies are evolving rapidly, members' needs are evolving, and HRP's digital research program has been adapting correspondingly in three-year increments. Recent programs have included research to support the development, assurance, and maintenance of digital systems.
Aspects of the 2018–2020 program of potential value to the NRC and its stakeholders include: (1) an approach to address safety and security properties of a digital system in an integrated manner, including integrated hazard analysis from the conceptual stage of a digital system with the support of model-based engineering, and (2) a case study in safety assurance to identify gaps in current capabilities and promising directions to address these gaps. An earlier case study in the 2015–2017 period focused on a subset of a reactor protection system and examined its design certification document (DCD) to understand the reasoning chain relating evidence to its safety claim. This case study identified weaknesses that hampered unambiguous comprehension of the reasoning argument and formulated recommendations to overcome these weaknesses. These results can be found in HRP's technical report #HWR-1193.
The Halden Workshops are another dimension of beneficial contribution from the HRP's digital systems research. These workshops have brought together subject matter experts from industry, regulators, and research and technical support organizations to evolve towards a shared understanding of the nature of the problems in the assurance of digital systems. These workshops have also shaped Halden's successive three-year digital systems research proposals. The HRP has conducted three of these workshops at the NRC headquarters, immediately after the NRC-hosted Regulatory Information Conferences in 2014, 2017, and 2019. Results of the 2017 workshop may be found in HRP's technical report #HWR-1220, and of the 2019 workshop in report #HWR-1249. The theme of the 2019 workshop was "International Assessment of Safety Assurance Approaches." It covered the safety assurance approaches used in international nuclear reactor protection and in various applications of similar safety criticality. For example, participants learned about the use of formal methods in nuclear regulation in Canada and about safety case structures as used by the Office for Nuclear Regulation in the United Kingdom. Participants learned that both experiences showed improved effectiveness.
Page Last Reviewed/Updated Tuesday, July 07, 2020