ML071720249

6/22/2007 Diversity and Defense-in-Depth Twg Public Meeting Handout: Draft Interim Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems
Person / Time
Site: Nuclear Energy Institute
Issue date: 06/21/2007
From: NRC/NRR/ADES/DE/EICB
To: Smith, John NRO/DNRL, 415-1320


Text

DRAFT INTERIM GUIDANCE FOR EVALUATION OF DIVERSITY AND DEFENSE-IN-DEPTH IN DIGITAL COMPUTER-BASED INSTRUMENTATION AND CONTROL SYSTEMS

This draft interim guidance provides one acceptable method of complying with the requirements for diversity and defense-in-depth in digital instrumentation and control systems. This guidance is consistent with current Commission policy on digital I&C systems and it is not intended to be a substitute for NRC's regulations. The purpose of the draft interim guidance is to clarify the criteria the staff would use in evaluating whether an applicant/licensee meets the requirements for diversity and defense-in-depth when making licensing decisions in the interim until final guidance is developed and promulgated. The staff intends to continue working with stakeholders in refining the guidance and in developing final guidance.

There should be no distinction between the requirements for diversity and defense-in-depth (D3) in new (future) reactors and current operating plants.

While common cause failures in digital systems are considered to be beyond design basis, digital reactor protection systems should be protected against common cause failures.

In order to demonstrate that vulnerabilities to a common cause failure (CCF) have been adequately addressed, a D3 analysis should be performed. NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, dated December 1994, and BTP-19 are an acceptable means for a D3 analysis. If the D3 analysis determines the system or systems are subject to a CCF, an analysis of the plant responses to all Chapter 15 events, calculated using best-estimate methods with realistic assumptions, should be performed to determine the time frame for necessary protective actions.

In those instances where the protective action is required in less than 30 minutes, an independent and diverse automated backup, achieving the same or equivalent function, should be required. This independent and diverse automated backup function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function(s) under the associated event conditions. These independent and diverse automated backup systems should be similar in quality to the systems required by the Anticipated Transient Without Scram (ATWS) rule (10 CFR 50.62), as described in the enclosure to Generic Letter 85-06, Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related, dated April 16, 1985 (Accession No. 8504120206).

In those cases where plant response analysis shows that the protective action is not required for at least 30 minutes, the protective action may be performed by manual operator actions.

The licensee will be required to demonstrate that sufficient information and controls (safety or non-safety), independent and diverse from the RPS discussed above, are provided in the main control room, and that the information displays and controls are not subject to the same CCF.

In addition to the above, a set of displays and controls (safety or non-safety) should be provided in the main control room for manual actuation and control of safety equipment to manage plant critical safety functions, including reactivity control, reactor core cooling and heat removal from the primary system, reactor coolant system integrity, radioactivity control, and containment conditions. The displays and controls should be independent and diverse from the RPS discussed above. However, these displays and controls could be those used for manual operator action as described above. Where they serve as required backup capabilities, the displays and controls should be hard-wired downstream of the lowest-level software-based components.

Example 1: The RPS is designed so that for each safety function, two channels use one type of digital system, and the other two channels use a diverse digital system. The D3 analysis, e.g., performed in accordance with NUREG/CR-6303 and BTP-19, determines the two diverse digital systems are not subject to a CCF. In this case, no additional diversity would be required.

Example 2: The safety functions are performed on a common computer system replicated in the redundant channels. The D3 analysis shows that certain safety functions could be subject to a CCF; therefore, a documented basis for a diverse means of accomplishing the safety functions should be provided. The D3 analysis of the plant responses to all Chapter 15 events determines that the RPS protective action is required in less than 30 minutes. In this instance, an independent and diverse automated backup system is required to perform the safety function to adequately respond to the postulated accident or anticipated operational occurrence. The non-safety independent and diverse automated backup system is required to be of enhanced quality, similar to systems required by the ATWS rule.

Example 3: As in example 2, the safety functions are determined to be subject to a CCF; however, the analysis of the plant responses to all Chapter 15 events determines that the RPS protective action is not required for at least 30 minutes. In this instance, the diverse method of responding to the postulated accident or anticipated operational occurrence may be accomplished by manual operator action.
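The evaluation sequence described above and illustrated by Examples 1 to 3, as an added Python checklist that is not part of the NRC draft guidance: it applies the 30-minute threshold to a best-estimate Chapter 15 time and then raises findings against a proposed backup. The SafetyFunction and ProposedBackup records, their field names and the finding texts are assumptions made here to make the criteria executable; the D3 conclusion and the Chapter 15 time remain inputs from the engineering analyses.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

MANUAL_ACTION_THRESHOLD_MIN = 30.0  # "not required for at least 30 minutes"

class Backup(Enum):
    NONE = "no additional diversity required"
    AUTOMATED = "independent and diverse automated backup (ATWS-rule quality)"
    MANUAL = "manual operator action from independent, diverse MCR displays/controls"

@dataclass
class SafetyFunction:                        # assumed record of one RPS safety function
    name: str
    subject_to_ccf: bool                     # conclusion of the D3 analysis (NUREG/CR-6303, BTP-19)
    action_time_min: Optional[float] = None  # best-estimate Chapter 15 time to protective action

@dataclass
class ProposedBackup:                        # assumed attributes of what the licensee credits
    kind: Backup
    independent_and_diverse: bool = True     # independent/diverse from the RPS and not subject to its CCF
    atws_quality: bool = False               # GL 85-06 quality, needed for a non-safety automated backup
    hardwired_downstream: bool = True        # hard-wired below the lowest-level software-based component

def required_backup(fn: SafetyFunction) -> Backup:
    """Apply the guidance's decision sequence to one safety function."""
    if not fn.subject_to_ccf:
        return Backup.NONE                   # Example 1: diverse channels, no CCF
    if fn.action_time_min is None:
        raise ValueError(f"{fn.name}: Chapter 15 best-estimate timing needed once a CCF is credible")
    if fn.action_time_min < MANUAL_ACTION_THRESHOLD_MIN:
        return Backup.AUTOMATED              # Example 2: action needed in under 30 minutes
    return Backup.MANUAL                     # Example 3: exactly 30 min still counts as "at least 30"

def review(fn: SafetyFunction, proposed: ProposedBackup) -> List[str]:
    """Findings a reviewer would raise against the proposed backup; an empty list means acceptable."""
    need = required_backup(fn)
    findings: List[str] = []
    if need is Backup.NONE:
        return findings
    if proposed.kind is Backup.NONE or (need is Backup.AUTOMATED and proposed.kind is not Backup.AUTOMATED):
        findings.append(f"{fn.name}: proposed {proposed.kind.name} does not satisfy required {need.name}")
    if not proposed.independent_and_diverse:
        findings.append(f"{fn.name}: backup is not independent and diverse from the RPS")
    if proposed.kind is Backup.AUTOMATED and not proposed.atws_quality:
        findings.append(f"{fn.name}: non-safety automated backup lacks ATWS-rule (GL 85-06) quality")
    if proposed.kind is Backup.MANUAL and not proposed.hardwired_downstream:
        findings.append(f"{fn.name}: backup controls not hard-wired downstream of software-based components")
    return findings
```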

ML071720249.wpd June 21, 2007 (11:20am)

ADAMS Accession Number: ML071720249