Information Notice No. 93-57: Software Problems Involving Digital Control Console Systems at Non-Power Reactors
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555
July 23, 1993
NRC INFORMATION NOTICE 93-57: SOFTWARE PROBLEMS INVOLVING DIGITAL CONTROL
CONSOLE SYSTEMS AT NON-POWER REACTORS
All holders of operating licenses or construction permits for test and
research reactors and nuclear power reactors.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information
notice to alert addressees to software problems involving digital control
console systems at two non-power reactors. It is expected that recipients
will review the information for applicability to their facilities and consider
actions, as appropriate, to avoid similar problems. However, suggestions
contained in this information notice are not NRC requirements; therefore, no
specific action or written response is required.
Description of Circumstances
Armed Forces Radiobiology Research Institute (AFRRI)
On September 4, 1992, at the AFRRI Training Reactor and Isotope Production -
General Atomics (TRIGA) reactor, a problem with the interlock logic for the
digital control console was discovered during the performance of the items on
the daily startup checklist for the shutdown reactor. The digital control
console, manufactured by General Atomics, was installed at AFRRI in the summer
of 1990 in accordance with an NRC license amendment dated July 23, 1990.
The problem was revealed when a trainee depressed the PULSE mode button and
the rod UP button simultaneously and a control rod was driven out of the core.
This rod movement was inconsistent with a rod withdrawal interlock for the
PULSE mode of operation. The rod continued to withdraw even after the rod UP
button was released; this continued withdrawal is inconsistent with the design
intent of the rod control system. Licensee personnel manually tripped the
reactor to stop the withdrawal of the control rod. The licensee investigated
this event and found that the same rod withdrawal action would occur when the
SQUARE WAVE mode button (instead of the PULSE mode button) and the rod UP
button were depressed simultaneously. However, the problem would not occur
when the AUTO mode button and the rod UP button were depressed simultaneously.
The licensee tested a variety of interlock combinations for the digital
control console system and did not find any other problems.
July 23, 1993
Page 2 of 3
This problem had not been discovered previously for two reasons: (1) General
Atomics, the manufacturer of both the TRIGA reactor and the digital control
console, considered the simultaneous pressing of the mode selector and rod UP
buttons to be inconsistent with the operational design of the reactor, and
(2) these buttons were so located on the control console that it was unusual
for an operator to press both buttons simultaneously.
As an interim measure, pending a permanent modification, the licensee
installed a switch configuration that required the operator to use both hands
to enter the pulse or square-wave mode of operation. This change prevented an
operator from pressing a rod UP button at the same time as an operational mode
General Atomics has now developed a permanent software modification for this
problem, and the licensee installed the modification at AFRRI on September 25,
1992. This modification was also installed at other facilities that have the
General Atomics digital control consoles. The temporary solution for the
digital control console at AFRRI was maintained until the permanent software
modification was fully tested and accepted.
Pennsylvania State University (Penn State)
On October 5, 1992, with the reactor shut down, operators at the Penn State
TRIGA reactor erroneously assigned a positive value to a software parameter
for their digital control console. Power was supplied to the control rod
magnets at the time, engaging the control rods to their drive mechanisms and
resulting in allowing control rod withdrawal on the demand signal from the
control system which resulted from the software error. The error resulted in
the unanticipated withdrawal of the transient control rod. The transient rod
scrammed on a rod withdrawal overspeed trip.
Software subroutines in this system are typically designed to reject
irrational parameter changes and issue warning messages. However, because
this particular parameter has a wide range of valid positive and negative
inputs, the software cannot prevent the operator from inputting erroneous
The digital control console, manufactured by Atomic Energy of Canada, Ltd., of
Mississauga, Ontario, was installed at Penn State in the summer of 1991 in
accordance with an NRC license amendment dated August 6, 1991. The
manufacturer of the digital control console has discussed possible corrective
actions with the licensee and with other customers who could experience the
The licensee has instituted administrative controls at Penn State that are
designed to prevent a recurrence of this type of problem. These
administrative controls include (1) a requirement that power to the control
rod magnets be off when making software changes, (2) increased management
review of proposed changes, and (3) the use of design change procedures to .
July 23, 1993
Page 3 of 3
control changes to the digital control console, providing additional assurance
that the software changes will be installed correctly and tested.
These problems, and the increasing number and wide variety of licensees and
applications using digital technology, emphasize the importance of the design,
testing, and change control of digital systems.
An effective verification and validation (V&V) plan for software that performs
a safety function can help ensure acceptable design and implementation. Some
acceptable V&V plans are described in Regulatory Guide 1.152, "Criteria for
Programmable Digital Computer Software in Safety-Related Systems at Nuclear
Power Plants," and in American National Standards Institute (ANSI)/Institute
of Electrical and Electronics Engineers (IEEE) Standard 1012-1986, "IEEE
Standard for Software Verification and Validation Plans." Guidance for
determining the design specifications that are to be verified and validated is
available in ANSI/IEEE Standard 830-1984, "IEEE Guide to Software Requirements
Another key element related to digital systems is the control of software
configuration changes. Guidance for software configuration change control is
available in ANSI/IEEE Standard 828-1983, "IEEE Standard for Software
Configuration Management Plans."
This information notice requires no specific action or written response. If
you have any questions about the information in this notice, please contact
one of the technical contacts listed below or the appropriate Office of
Nuclear Reactor Regulation (NRR) project manager.
ORIGINAL SIGNED BY
Brian K. Grimes, Director
Division of Operating Reactor Support
Office of Nuclear Reactor Regulation
Technical contacts: J. Stewart, NRR
W. Eresian, NRR
M. Mendonca, NRR
List of Recently Issued NRC Information Notices
Page Last Reviewed/Updated Friday, May 22, 2015