05000331/FIN-2007007-03
Finding | |
---|---|
Title | Digital Upgrade for the Reactor Building Vent Shaft and Control Building Air Intake Radiation Monitors |
Description | The inspectors identified an Unresolved Item involving a digital upgrade for the Reactor Building Vent Shaft and Control Building Air Intake Radiation Monitors. Specifically, the inspectors identified that potential failure modes for the digital software appeared to have not been adequately addressed in the safety evaluation performed in accordance with 10 CFR 50.59. In 2001, Duane Arnold replaced the analog Reactor Building Vent Shaft and Control Building Air Intake Radiation Monitoring systems with a new digital Sorrento radiation monitoring system. This change was evaluated by the licensee under 10 CFR 50.59. NEI 01-01/EPRI TR-102348, Guideline on Licensing Digital Upgrades, provides NRC endorsed guidance that a licensee should use for evaluating this type of digital upgrade in accordance with 10 CFR 50.59. The licensee states in their 10 CFR 50.59 evaluation that NEI 01-01 was used as a guideline for their evaluation. However, after review of the 10 CFR 50.59 evaluation, the inspectors determined that the evaluation performed by the licensee appeared to be less than adequate. NEI 01-01 provides guidance for using a failure analysis to address potential impacts to the plant. Specifically, in reference to potential malfunctions of the equipment, it states: The evaluation needs to compare results of malfunctions evaluated in the UFSAR with the results of failures that the proposed activity could create. The key issue is the effect of failures of the digital device on the system in which it is installed. The failure analysis will provide insights to system failures and their effects on Systems, Structures, and Components (SSCs). For digital systems, particularly with safety related applications, a Failure Modes Effects Analysis is performed to determine the potential failures that the digital software could experience. 
This potential failure modes analysis is usually performed by the vendor and evaluated by the licensee for adverse effects on the plant. At Duane Arnold, the digital upgrade of the Reactor Building Vent Shaft and Control Building Air Intake Radiation monitoring systems was evaluated against the historical failure history of the digital system. While historical failure analyses may be useful to determine failures that have already occurred, they do not provide the necessary insight that is provided by a failure analysis of potential failure mechanisms, since this analysis would determine all potential failures as opposed to only failures that have actually occurred. The only potential failure analysis performed by the licensee was contained in the 10 CFR 50.59 evaluation. This failure analysis states, in part, that, This comparison reveals that the failure of new components due to loss of power, a short circuit, an open circuit or loss of input signal is not any different than the failure of the existing components. Two other potential failures of concern include a common-mode software failure, i.e., a simultaneous or nearly simultaneous failure in both system trains and a processor lockup event. Consideration of these events, however, shows that no new failure modes have been created. The new monitors include a watchdog timer circuit that will place the unit in an alarming/tripped condition upon a non-self-evident failure (lockup) of the microprocessor or software. This feature combined with the fail-safe configuration of the monitor will act to prevent a common-mode software failure from introducing a new and unanalyzed failure mode into the component.
The inspectors were concerned because, based upon review of the limited failure analysis available and upon discussions of the upgrade with the licensee, it appeared that the basis for acceptance was a functional failure state type analysis rather than an in-depth evaluation of the digital equipment and software. Based upon this, the inspectors asked if the vendor had performed an in-depth potential failure analysis of the digital equipment. The licensee did not know if one had been performed. Additionally, even though the licensee seemed to emphasize the importance of the watchdog circuitry in their evaluation, they were unable to address the inspectors' questions concerning potential failures of the watchdog circuitry. Because of the complexity of the digital software and because of the need for technical assistance with the inspection of this evaluation, this issue is unresolved pending further NRC review of the modification and the 10 CFR 50.59 evaluation. (URI 05000331/2007007-03(DRS)) |
Site: | Duane Arnold |
---|---|
Report | IR 05000331/2007007 Section 1R02 |
Date counted | Dec 31, 2007 (2007Q4) |
Type: | URI: |
cornerstone | Mitigating Systems |
Identified by: | NRC identified |
Inspection Procedure: | IP 71111.02 |
Inspectors (proximate) | R Daley J Jandovitz V Meghanir Orlikowskis Sheldon R Baker T Go K Reimer |
INPO aspect | |