Technical Basis for Environmental Qualification of Microprocessor-Based Safety-Related Equipment in Nuclear Power Plants (NUREG/CR-6479, ORNL/TM-13264)
Manuscript Completed: December 1997
Date Published: January 1998
K. Korsah, ORNL
M. Hassan, BNL
T.J. Tanaka, SNL
R.T. Wood, ORNL
Oak Ridge National Laboratory (ORNL)
P.O. Box 2008, MS-6006
Oak Ridge, Tennessee 37831-6010
Managed by Lockheed Martin Energy Research Corp.
Brookhaven National Laboratory (BNL)
P.O. Box 5000, Building 130
Upton, New York 11973
Managed by the U.S. Department of Energy
Sandia National Laboratories (SNL)
P.O. Box 5800
Albuquerque, New Mexico 87185-0747
Managed by Sandia Corporation
C.E. Antonescu, NRC Project Manager
Division of Systems Technology
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
NRC Job Code L1798
This document presents the results of studies sponsored by the Nuclear Regulatory Commission to provide the technical basis for environmental qualification of computer-based safety equipment in nuclear power plants. The studies were conducted by Oak Ridge National Laboratory, Sandia National Laboratories, and Brookhaven National Laboratory.
The studies address the following: (1) adequacy of present test methods for qualification of digital instrumentation and control (I&C) systems; (2) preferred (i.e., Regulatory Guide-endorsed) standards; (3) recommended stressors to be included in the qualification process during type testing; (4) resolution of the need for accelerated aging of equipment to be located in a benign environment; and (5) determination of an appropriate approach for addressing the impact of smoke in digital equipment qualification programs.
Significant conclusions from the studies are the following:
(1) Type testing should continue to be the preferred test method for safety-related I&C systems.
(2) The state of the art does not warrant any changes to be made with regard to aging methodologies for digital systems in nuclear power plants.
(3) A stressor not previously considered for analog safety system qualification is smoke exposure. Research documented in this report confirms that smoke is a stressor that can adversely impact digital safety equipment. However, current research and the state-of-the-art for testing do not support the explicit inclusion of smoke exposure as a stressor during type testing. Additional research into the susceptibility of digital components and modules to smoke-induced effects is ongoing and should be continued. Based on existing research, present methodologies with regard to fire and its effects (i.e., smoke, heat, ignition, explosions, and toxic gases), which are addressed via General Design Criteria (GDC) 3, Institute of Electrical and Electronics Engineers (IEEE) 384, and Appendix R of Title 10 of the Code of Federal Regulations (10 CFR 50), should continue to be applied for digital I&C safety systems.
(4) The synergistic effect of high temperature in combination with high relative humidity is potentially risk-significant to digital I&C. Therefore, although high relative humidity is not as likely in the controlled environments where digital I&C is typically located (e.g., control rooms), the synergistic effect of these two stressors needs to be considered on a case-by-case basis, especially for postaccident monitoring equipment.
(5) Based on a comparative analysis of IEEE 323-1974 and IEEE 323-1983, we recommend that IEEE 323-1983 be endorsed, with appropriate exceptions as specified in this report.
(6) The dynamic response of a distributed system under environmental stress should be considered during type testing. System response time is usually considered during design, but the sequential nature of digital processes (as opposed to the essentially instantaneous nature of analog processes) increases the significance of the potential of environmental stressors to cause intermittent upsets in subsystems, leading to degraded performance in the total system. Dynamic performance under environmental stress is especially important in postaccident monitoring systems, which typically are required to function following a reactor trip or engineered safety feature actuation.
(7) There is a need for electromagnetic compatibility standard(s) for the nuclear power plant environment. The information provided in the following reports can be used as the basis for electromagnetic compatibility of I&C systems in nuclear power plants:
- NUREG/CR-6431, "Recommended Electromagnetic Operating Envelopes for Safety-Related I&C in Nuclear Power Plants"
- NUREG/CR-5941, "Technical Basis for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related I&C Systems"
- NUREG/CR-6436, "Survey of Ambient Electromagnetic and Radio-Frequency Interference Levels in Nuclear Power Plants"
(8) The nuclear industry should adopt a new philosophy of qualification, in which the assurance that safety-related equipment will perform properly is "built-in" as well as being "tested-in." In this approach, assurance of the equipment's quality starts at the semiconductor component level. As a minimum, it might be required as part of the environmental qualification standards used by the semiconductor manufacturer for stress testing. Integrated circuits are susceptible to long-term failure mechanisms under various environmental stressors, so the use of components from a high-quality manufacturing process, as demonstrated through manufacturer stress testing, can minimize that susceptibility.
Significant findings from the studies form the technical basis for a recommended approach to the environmental qualification of microprocessor-based safety-related equipment in nuclear power plants.