Information Notice 2010-10, Implementation of a Digital Control System Under 10 CFR 50.59

Implementation of a Digital Control System Under 10 CFR 50.59
ML100080281
Person / Time
Issue date: 05/28/2010
From: David Beaulieu, Mcginty T, Tracy G
Division of Construction Inspection and Operational Programs, Generic Communications Projects Branch
To:
References
IN-10-010


UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
OFFICE OF NEW REACTORS
WASHINGTON, DC 20555-0001

May 28, 2010

NRC INFORMATION NOTICE 2010-10: IMPLEMENTATION OF A DIGITAL CONTROL SYSTEM UNDER 10 CFR 50.59

ADDRESSEES

All holders of an operating license or construction permit for a nuclear power reactor issued under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.

All holders of or applicants for a combined license issued under 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants."

PURPOSE

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform addressees about NRC inspection findings regarding a licensee's evaluation under 10 CFR 50.59, "Changes, Tests, and Experiments," for a plant modification that implemented a digital control system. The NRC expects that recipients will review the information for applicability to their facilities and will consider actions, as appropriate, to avoid similar problems. Suggestions contained in this IN are not NRC requirements; therefore, no specific action or written response is required.

DESCRIPTION OF CIRCUMSTANCES

In December 2009, NRC inspectors completed an inspection of a plant modification to replace an analog-based rod control management system (RCMS) with a computer-based system at LaSalle County Station, Unit 2. The RCMS is a nonsafety-related system; however, it remains important to safety because it directly affects core reactivity. The licensee's evaluation of this modification under 10 CFR 50.59 concluded that this modification could be performed without prior NRC approval. However, the NRC inspectors found that the licensee's 10 CFR 50.59 evaluation did not meet 10 CFR 50.59(d)(1), because the licensee failed to perform a written evaluation that adequately provided a basis for the determination that the RCMS digital upgrade did not require a license amendment. Specifically, while the licensee used Nuclear Energy Institute (NEI) 01-01, "Guideline on Licensing Digital Upgrades," issued March 2002 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML020860169) when performing the upgrade, the licensee did not properly evaluate the RCMS modification in accordance with the NRC-endorsed guidance in NEI 01-01. The licensee did not appropriately address the questions in NEI 01-01, Appendix A, "Supplemental Questions for Addressing 10 CFR 50.59 Evaluation Criteria." These questions are part of the appropriate method that ensures the adequacy of the 10 CFR 50.59 evaluation and, as stated in NEI 01-01, the questions should be answered in sufficient detail, either by reference to a source document or by direct statements, that an independent third party can verify judgments.

The NRC inspectors determined that the licensee had not properly evaluated questions associated with software common-cause failure and the potential for spurious, uncontrolled simultaneous withdrawal of four control rods. The licensee also had not adequately addressed important aspects of the modification in terms of the effects of the resulting increase in complexity.

NEI 01-01 states the following:

Additional measures are appropriate for systems that are highly safety significant (i.e., high consequences) to achieve an acceptable level of risk. For digital upgrades to such systems, the defense-in-depth and diversity in the overall plant design are analyzed to assure that where there are vulnerabilities to software common cause failure, the plant has adequate capability to cope with these vulnerabilities. This defense-in-depth and diversity analysis is considered a beyond design basis concern, reflecting an understanding that while not quantifiable, the likelihood of a software common cause failure in a high quality digital system is significantly below that of a single active hardware failure. The analysis is performed as part of the design process, as the results could affect the design of the digital upgrade.

The NRC inspectors noted that the licensee's 10 CFR 50.59 evaluation did not address software faults as a source of common-cause failure, even though the RCMS is a highly safety-significant system in which certain software common-cause failures could potentially place the plant in a condition outside its design basis by causing unanalyzed abnormal operating occurrences, which could potentially result in fuel cladding damage.

During discussions with the NRC inspectors, the licensee technical staff stated their belief that a software common-cause failure did not need to be considered in the 10 CFR 50.59 evaluation, based on the guidance in NEI 01-01, Section 4.4.6. The licensee interpreted this guidance to allow changes if the likelihood of a software common-cause failure could be justified as sufficiently low because of the quality of the software application. The licensee determined that the software quality was sufficiently high to provide reasonable assurance that the likelihood of software failure was not credible and that therefore the digital upgrade would not require prior NRC review on the basis of software common-cause failures.

However, based on the NRC inspectors' concerns regarding software common-cause failure and the potential for spurious, uncontrolled withdrawal of four control rods, the licensee revised the 10 CFR 50.59 evaluation and addressed the supplemental questions in NEI 01-01, Appendix A. The licensee implemented compensatory actions to mitigate the consequences of a software common-cause failure of the RCMS, such as performing cycle-specific core analyses to demonstrate that the core safety limits could not be exceeded, even if four control rods were spuriously withdrawn simultaneously. The NRC staff reviewed the analyses and identified no concerns.

Additional information is available in "LaSalle County Station, Units 1 and 2, NRC Integrated Inspection Report 05000373/2009005; 05000374/2009005," dated February 9, 2010 (ADAMS Accession No. ML100400240).

BACKGROUND

Background information on this issue appears in NRC Regulatory Issue Summary (RIS) 2002-22, "Use of EPRI/NEI Joint Task Force Report, 'Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule,'" dated November 25, 2002 (ADAMS Accession No. ML023160044).

DISCUSSION

The requirements in 10 CFR 50.59 define the criteria that establish when a license amendment is required before implementing plant changes. NEI 01-01 provides guidance to licensees on designing and implementing digital upgrades and performing 10 CFR 50.59 evaluations. RIS 2002-22 communicated the NRC's endorsement of NEI 01-01 for use as guidance in designing and implementing digital upgrades to instrumentation and control systems. RIS 2002-02 specifies that statements in the NRC staff's evaluation of NEI 01-01 qualify the NRC staff's endorsement of the report and provide staff positions on several aspects of the design and licensing processes.

The NRC inspection of the RCMS digital upgrade at LaSalle Unit 2 found a violation of 10 CFR 50.59(d)(1) for insufficient documentation in the 10 CFR 50.59 evaluation. However, because of the lack of clarity in the NRC guidance and requirements for digital modifications, the NRC used enforcement discretion and did not issue a violation to address the manner in which the licensee addressed common-mode software failures in its 10 CFR 50.59 evaluation.

The NRC staff intends to further qualify the NRC staff's endorsement of NEI 01-01 to address the issues discussed in this IN. Notwithstanding, the NEI 01-01 guidance clearly indicates that, for digital upgrades to systems that are highly safety-significant, licensees should perform a defense-in-depth and diversity analysis as part of the design process to ensure that the plant has adequate capability to cope with software common-cause failure vulnerabilities. The NEI 01-01 discussion of the defense-in-depth and diversity analysis does not exclude from consideration software common-cause failure vulnerabilities based on a high-quality software design, implementation, and verification and validation program.

CONTACT

This IN requires no specific action or written response. Please direct any questions about this matter to the technical contact listed below or to the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

/RA/ /RA/ by JTappert for

Timothy McGinty, Director
Division of Policy and Rulemaking
Office of Nuclear Reactor Regulation

Glenn Tracy, Director
Division of Construction Inspection and Operational Programs
Office of New Reactors

Technical Contact:
Bernard Dittman, NRR
301-415-2947
E-mail: bernard.dittman@nrc.gov

Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections.

ADAMS Accession Number: ML100080281
TAC No.: ME2975

OFFICE  EICB:DE:NRR  Tech Editor      BC:EICB:NRR      BC:EB3:RIII      D:DE:NRR
NAME    BDittman     CHsu             WKemper          RDaley           DSkeen
DATE    04/20/10     04/12/10 e-mail  04/21/10 e-mail  04/07/10 e-mail  04/27/10

OFFICE  LA:PGCB:NRR  PM:PGCB:NRR  BC:PGCB:NRR  D:DCIP:NRO  D:DPR:NRR
NAME    CHawes       DBeaulieu    MMurphy      GTracy      JTappert for TMcGinty
DATE    04/27/10     04/23/10     04/28/10     05/28/10    5/28/10

OFFICE  OGC NLO:NRR  OGC NLO:NRO  NRGA:DNRL:NRO
NAME    BMizuno      JMartin      WBurton
DATE    05/12/10     05/12/10     05/28/10

OFFICIAL RECORD COPY