K. Korsah et al., ENVIRONMENTAL TESTS OF A DIGITAL SAFETY CHANNEL - AN INVESTIGATION OF STRESS-RELATED VULNERABILITIES OF COMPUTER-BASED SAFETY SYSTEMS, Nuclear Safety, 38(1), 1997, pp. 41-50
This article presents the results of environmental stress tests performed on an experimental digital safety channel (EDSC) assembled at the Oak Ridge National Laboratory as part of the Qualification of Advanced Instrumentation and Controls Systems Research program, which was sponsored by the U.S. Nuclear Regulatory Commission. The program is expected to provide recommendations for environmental qualification of digital safety systems. The purpose of the study was to investigate potential vulnerabilities of distributed computer systems used in safety applications when subjected to environmental stressors. The EDSC assembled for the tests employs technologies and digital subsystems representative of those proposed for use in advanced light-water reactors or as retrofits in existing plants. Subsystems include computers, electrical and optical serial communication links, fiber-optic network links, analog-to-digital and digital-to-analog converters, and multiplexers. The EDSC was subjected to selected stressors that have a potential risk to digital equipment in a mild environment. The selected stressors were electromagnetic and radio-frequency interferences (EMI-RFI), temperature, humidity, and smoke exposure. The stressors were applied at levels of intensity considerably higher than the safety channel is likely to experience in a normal nuclear power plant environment. Ranges of stress were selected at a sufficiently high level to induce errors so that failure modes characteristic of the technologies employed could be identified. Interfaces were found to be the most vulnerable elements of the EDSC. The majority of effects resulting from the application of the stressors were communication errors, particularly for serial communication links. Many of these errors were intermittent timeout errors or corrupted transmissions, which indicate failure of a microprocessor to receive (correctly) data from an associated multiplexer, optical serial link, or network node. Because of similarities in fabrication and packaging technologies, other digital safety systems are likely to be vulnerable to similar upsets. On the basis of the incidence of functional errors observed during testing, EMI-RFI, smoke exposure, and high temperature coupled with high relative humidity, in that order, were found to have the greatest impact of the stressors investigated. The most prevalent stressor-induced upsets, as well as the most severe, were found to occur during the EMI-RFI tests.
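The two upset classes the abstract reports for serial links, receive timeouts and corrupted transmissions, are exactly what a framed receiver on the microprocessor side has to distinguish and count so that a supervisory task can tell a degrading link from a healthy one. The following C program is an added illustration written for this summary; it is not code from the EDSC or from the paper, and the frame layout (a length byte, the payload, and a CRC-16/CCITT-FALSE trailer), the simulated byte source standing in for a UART, and the helper names are all assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout (not the EDSC's protocol): LEN, LEN payload bytes,
 * then a CRC-16/CCITT-FALSE over LEN+payload, sent big-endian. */
#define MAX_PAYLOAD 32

typedef enum { RX_OK = 0, RX_TIMEOUT = 1, RX_CRC_ERROR = 2, RX_BAD_LENGTH = 3 } rx_status;

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection.
 * Check value for the ASCII string "123456789" is 0x29B1. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Simulated byte source standing in for a UART receive routine. Running dry
 * before the frame is complete models the intermittent timeout upset. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } byte_source;

static int source_get(byte_source *s) {
    if (s->pos >= s->len) return -1;          /* -1 == inter-byte timeout */
    return s->buf[s->pos++];
}

/* Per-link counters a supervisory task can poll; a rising CRC or timeout
 * count during an EMI-RFI or smoke event is the detection signal. */
typedef struct { unsigned ok, timeouts, crc_errors, bad_lengths; } link_stats;

rx_status receive_frame(byte_source *src, uint8_t *out, size_t *out_len, link_stats *st) {
    uint8_t frame[1 + MAX_PAYLOAD + 2];
    int c = source_get(src);
    if (c < 0) { st->timeouts++; return RX_TIMEOUT; }
    uint8_t len = (uint8_t)c;
    if (len > MAX_PAYLOAD) { st->bad_lengths++; return RX_BAD_LENGTH; }
    frame[0] = len;
    for (size_t i = 0; i < (size_t)len + 2; i++) {   /* payload + 2 CRC bytes */
        c = source_get(src);
        if (c < 0) { st->timeouts++; return RX_TIMEOUT; }
        frame[1 + i] = (uint8_t)c;
    }
    uint16_t expected = (uint16_t)(((uint16_t)frame[1 + len] << 8) | frame[2 + len]);
    if (crc16_ccitt(frame, (size_t)1 + len) != expected) {
        st->crc_errors++;                      /* corrupted transmission */
        return RX_CRC_ERROR;
    }
    memcpy(out, frame + 1, len);
    *out_len = len;
    st->ok++;
    return RX_OK;
}

/* Builds a well-formed frame; used to construct sample input. Returns bytes written. */
size_t encode_frame(const uint8_t *payload, uint8_t len, uint8_t *out) {
    out[0] = len;
    memcpy(out + 1, payload, len);
    uint16_t crc = crc16_ccitt(out, (size_t)1 + len);
    out[1 + len] = (uint8_t)(crc >> 8);
    out[2 + len] = (uint8_t)(crc & 0xFF);
    return (size_t)len + 3;
}

/* Classifies one captured byte sequence as OK / timeout / corrupted. */
rx_status classify(const uint8_t *bytes, size_t n, link_stats *st) {
    byte_source s = { bytes, n, 0 };
    uint8_t payload[MAX_PAYLOAD];
    size_t plen = 0;
    return receive_frame(&s, payload, &plen, st);
}

int main(void) {
    static const char *names[] = { "OK", "TIMEOUT", "CRC_ERROR", "BAD_LENGTH" };
    const uint8_t sample[] = { 0x10, 0x20, 0x30 };   /* constructed payload */
    uint8_t frame[64];
    size_t n = encode_frame(sample, 3, frame);
    link_stats st = { 0, 0, 0, 0 };
    printf("clean frame:      %s\n", names[classify(frame, n, &st)]);
    frame[2] ^= 0x01;                                 /* single flipped bit */
    printf("corrupted frame:  %s\n", names[classify(frame, n, &st)]);
    frame[2] ^= 0x01;
    printf("truncated frame:  %s\n", names[classify(frame, n - 1, &st)]);
    printf("ok=%u timeouts=%u crc_errors=%u\n", st.ok, st.timeouts, st.crc_errors);
    return 0;
}
```

The point of separating the counters is that the two upsets call for different responses: a CRC failure means bytes arrived but were altered in transit, while a timeout means the far end (multiplexer, optical link, or network node) stopped delivering, so a supervisor that only tracks a single "error" count cannot tell which interface is degrading under stress.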