ML17068A092
| ML17068A092 | |
| Person / Time | |
|---|---|
| Site: | Nuclear Energy Institute |
| Issue date: | 03/16/2017 |
| From: | Louise Lund Licensing Processes Branch (DPR) |
| To: | Remer S Nuclear Energy Institute |
| Drake J, NRR/DPR, 301-415-8378 | |
| References | |
| CAC MF8115 | |
| Download: ML17068A092 (9) | |
Text
March 16, 2017 Mr. S. Jason Remer Director, Plant Life Extension Nuclear Energy Institute 1201 F Street, NW, Suite 1100 Washington, DC 20004
SUBJECT:
U.S. NUCLEAR REGULATORY COMMISSION STAFF COMMENTS TO NEI 96-07, APPENDIX D, SUPPLEMENTAL GUIDANCE FOR APPLICATION OF 10 CFR 50.59 TO DIGITAL MODIFICATIONS, DRAFT REVISION 0, SECTION 3, SCREEN GUIDANCE, DATED APRIL 4, 2016 (CAC NO. MF8115)
Dear Mr. Remer:
By letter dated April 4, 2016 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML16126A197), the Nuclear Energy Institute (NEI) submitted Draft NEI 96-07, Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, draft Revision 0, for the U.S. Nuclear Regulatory Commission (NRC) staff review and endorsement through a Regulatory Guide. NEI provided draft Appendix D to address guidance and technical concerns that the NRC staff identified for NEI 01-01, Guideline on Licensing Digital Upgrades, by letter dated November 5, 2013 (ADAMS Accession No. ML13298A787). In preparation for a public meeting with the NRC on December 14, 2016 (ADAMS Accession No. ML16312A356), NEI provided a proposed revision to Appendix D, Section 3, Screen Guidance (ADAMS Accession No. ML16334A000).
NEI has identified that Appendix D is intended as guidance for implementing Title 10 of the Code of Federal Regulations (10 CFR) 50.59 for digital modifications and to replace NEI 01-01 with respect to 10 CFR 50.59. The Appendix D guidance is also intended to supplement the base guidance in NEI 96-07, Revision 1, Guidelines for 10 CFR 50.59 Evaluations, endorsed by Regulatory Guide 1.187, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, And Experiments, which would also applies to digital modifications. The NRC staff conducted its review of Appendix D based on the assumption that the user(s) of this document will have the requisite knowledge and expertise necessary to implement the guidance contained therein.
The NRC staff has completed the review of the updated draft NEI 96-07, Appendix D, Section 3 provided on December 14, 2016 and has included formal comments as an enclosure to this letter. The NRC staffs formal comments contain the specific issues to be resolved as well as recommended corrections to ensure that the identified issues are addressed in a manner that the NRC staff finds acceptable and are consistent with previously established guidance. The NRC staff has previously identified several of these issues during public meetings on the draft Appendix D. It is the position of the NRC staff that clear and concise resolution of the formal comments will be required before Appendix D, Section 3, of NEI 96-07 can be endorsed.
If you have questions or require additional information, please feel free to contact, Jason Drake at (301) 415-8378 or Jason.Drake@nrc.gov.
Sincerely,
/RA/
Louise Lund, Director Division of Policy and Rulemaking Office of Nuclear Reactor Regulation Project No. 689
Enclosure:
As stated cc: See next page
ML17068A092 *concurred via email NRR-043 OFFICE NRR/DPR/PLPB/PM*
NRR/DPR/PLPB/LA*
NRR/DE/EICB/BC*
NRO/DEIA/ICE/BC*
NAME JDrake DHarrison MWaters DCurtis DATE 3/14/17 3/13/17 3/14/17 3/14/17 OFFICE RES/DE/ICEEB/BC*
NRR/DPR/PLPB/BC NRO/DEIA RES/DE NAME IJung KHsueh BCaldwell*
BThomas*
DATE 3/14/17 3/14/17 3/15/17 3/15/17 OFFICE NRR/DIRS*
NRR/DE*
NRR/DPR NAME MKing JLubinski LLund DATE 3/15/17 3/15/17 3/16/17
NEI - Nuclear Energy Institute Project No. 689 cc:
Mr. Stephen Geier Senior Project Manager Nuclear Energy Institute 1201 F Street, Suite 1100 Washington DC 20004 seg@nei.org Ms. Kati Austgen Project Manager Nuclear Energy Institute 1201 F Street, Suite 1100 Washington DC 20004 kra@nei.org
Enclosure Comment Table No.
Text Location NRC Comments Proposed Correction (i.e., addition, deletion or modification) 1 General Informally (ML17006A341) a similar or related comment was previously provided as Comment No. [A1]. (the comments below only include the comment no.)
Overall, it is not clear, in some cases, which Section of NEI 96-07 is being augmented and supplemented by the proposed guidance in draft Appendix D.
To improve the clarity of and usability of Appendix D, including references between the NEI 96-07 and Appendix D, section numbering and heading (including pointers) should be changed in Appendix D to align with NEI 96-07.
Staff recommends changing all section numbering and headings for future drafts of Appendix D to align with NEI 96-07.
2 Section 3.1, Introduction As stated in the January 11, 2017, public meeting (ML17012A014): Since this is an Introduction section, it should not contain guidance or examples; the guidance and examples can be moved to another sub-section where it can be explained in more detail.
For example, the first paragraph of the introduction section states, in part:
The introduction of software or digital hardware, in and of itself, does not cause the proposed activity to be adverse (i.e. screen in).
This is guidance, without any supporting explanation. This wording should be moved to an appropriate section where proper justification for this statement exists, or it could be modified to make it more of an introductory statement, for example:
The introduction of software or digital hardware, in and of itself, does not cause the proposed activity to be adverse (i.e. screen in)[, therefore, the following sections explain when a digital modification is (and is not) adverse].
Staff recommends removing guidance/examples from introductory text and place into appropriate subsection and ensure adequate justification exists.
3 Section 3.1, Introduction 1st paragraph
[A3 - 1st Paragraph, First Sentence] This first sentences potentially conflicts with other NRC-established technical positions with regard to DI&C. For example, there is NRC guidance that states that new electronics may be adverse (e.g., RG, 1.180) and there is an NRC policy statement that in certain ways digital system should be considered adverse to analog systems (i.e.,
CCF is postulated for Digital systems and not for analog systems, per SRM to SECY-93-087).
Staff recommends removing the phrase or technical from the first sentence of the first paragraph of Section 3.1.
4 Section 3.1, Introduction 2nd paragraph
[A6] [A7] [A8] This paragraph seems to conflict with the SRP (i.e., NUREG-0800 Chapter 7 Appendix 7.0-A - ML16019A085) which states: Digital I&C systems are fundamentally different from analog I&C systems In the screening section of NEI 96-07 the concepts of fundamental change and how a design function is performed or controlled are only applied to procedure changes (e.g., NEI 96-07 Section 4.2.1.2). If NEI wants to apply these two terms to equipment, then criteria must be provided; otherwise, guidance should be included that these phrases (and concepts) should not be applied to equipment. Note: Examples 3-1 & 3-2 do not seem to exemplify any explicitly stated criteria in Appendix D, rather these two examples are the only guidance for what is (or is not) a fundamental change in how a design function is performed or controlled.
The concept of fundamental change is not necessary for equipment, and could be removed from those portions of Appendix D. Rather guidance in the body of the screening section of Appendix D should directly address adverse effects. For example, Section 3.2.1.2, SSC Characteristics, seems to address the concept of changing from analog to digital, without getting into any of the details; therefore this might be a good section to incorporate this fundamental change guidance and examples.
The Staff expressed its concern with the term fundamental change being applied to equipment in the January 11, 2017, Public meeting (Summary:
ML17012A014 & Detailed Draft Comments: ML17006A341 - See Comment No. [A6]).
Staff recommends removing the phrase Fundamental Change in how a design function is performed or controlled from the introduction section (for equipment) and ensure that related guidance/examples in Appendix D account for the removal of the application of this term from applicability to equipment.
Staff recommends adding guidance in the body of the screening section of Appendix D that directly address adverse effects, rather than indirectly (e.g., not a fundamental change therefore not adverse).
5 Section 3.1, Introduction 3rd paragraph &
Examples 3-1 &
3-2.
[A10-A16] These two examples should not contain the phrase Fundamental Change, for the reasons described in Comment No. 4 of this file, or guidance should be included as to what is (and what is not) a fundamental change with respect to equipment (and HSI).
Staff recommends removing the phrase Fundamental Change from the two cited examples.
6 Section 3.2.1.2 SSC Characteristics
[A2] [A3 - 2nd & 4th paragraphs] [A4] [A5] There is only one characteristic regarding adversity of digital systems provided in this section: if software is (or is not) installed in redundant trains. This section could have been named to describe this one characteristic (e.g., Redundancy and Diversity). However, other characteristics should be included in this section (e.g., Comment Nos. 4, 5, & 7).
Staff recommends adding: One important question when screening digital upgrades is whether adverse effects are created by software. An adverse effect may be the potential marginal increase in likelihood of failure due to the introduction of software.
For redundant safety systems, this marginal increase in likelihood creates a similar marginal increase in the likelihood of a common failure in redundant safety systems.
On this basis, most digital upgrades to redundant safety systems should be conservatively treated as adverse and screened in for further evaluation under the 10 CFR 50.59 process. However, for some digital equipment, engineering evaluations may show that the digital modification contains design attributes that meet NRC-endorsed acceptance criteria to eliminate consideration of software common cause failure. In such a case, even when it affects redundant systems, the digital modification would not screen in.
7 Section 3.2.1.2 SSC Characteristics
[A2] [A3 - 2nd & 4th paragraphs] [A4] [A5] There is only one characteristic regarding adversity of digital systems provided in this section; however, the Staff believes that there are other digital characteristics that a 50.59 screener should consider when making an adversity determination, such as: Equipment Qualification, Diversity, and Defense-in-Depth.
Staff recommends adding: The reliability of a digital modification can be adversely affected by plant environmental and seismic envelopes (e.g., electromagnetic susceptibility in a higher frequency range).
The new equipment could also create an environment (e.g., temperature, humidity, seismic, EMI/RFI emissions, and airborne particulates) which adversely affects other equipment.
Staff recommends adding to Section 3.2.1.2:
A change that would reduce system/equipment redundancy, diversity, separation, or independence should be screen in in accordance with the guidance of NEI 96-07 Rev. 1 Section 4.3.2, Example
- 6.
8 Section 3.1, Introduction 2nd paragraph Last sentence
[A8] This sentence could be understood to be referring to the misbehaviors of the HSI equipment. However, all HSI screenings must consider (1) the equipment misbehaviors (similar to any other equipment change), and (2) the potential adverse impact of the HSI characteristics on the operator; guidance for both of these considerations should be included.
The last clause of this sentence contains unsupported guidance: if the digital device (hardware and software) cannot produce erroneous operations or controls due to failures any different from those produced by the analog devices. However, if this clause were to be replaced with, therefore, Section 3.2.2 explains when an HSl modification is (and is not) adverse, then it would be introductory.
Staff recommends changing the last clause from if the digital device (hardware and software) cannot produce erroneous operations or controls due to failures any different from those produced by the analog devices. to, therefore, Section 3.2.2 explains when an HSl modification is (and is not) adverse, Staff recommends addressing erroneous operation by both categories of origin: (1) the device, and (2) the operator, in Section 3.2.2.
9 Section 3.2.1.1, Scope 1st paragraph and General
[A19 - A20] [A27-28] [A33-A34] [A40] [A49] [A63] [A83] NEI 96-07 Section
4.2.1 states
Consistent with historical practice, changes affecting SSCs or functions not described in the UFSAR must be screened for their effects (so-called "indirect effects") on UFSAR-described design functions. {emphasis added}
By using the term facility as described in the UFSAR, it appears that the guidance is explicitly excluding the indirect effects.
Staff recommends changing facility as described in the UFSAR to facility throughout (except for in the title of Section 3.2.1).
Staff recommends addressing all other instances of excluded indirect effects.
10 Section 3.2.1.1, Scope
[A21-A24] As discussed during the meeting on January 11, 2017, NEI stated it planned to remove the proposed graded approach wording.
Staff recommends removing newly inserted discussion on graded approach 11 Section 3.2.1.2, SSC Characteristics
[A29] Regarding:
For redundant SSCs that must satisfy single failure criteria requirements, the following guidance applies:
- 1. The use of the same software in two or more redundant SSCs is ADVERSE because the independence of the SSCs has been reduced.
- 2. The use of different software in two or more redundant SSCs is NOT ADVERSE because the independence of the SSCs has been maintained. {emphasis added}
The Staff agrees that this guidance is correct; however, there is concern that there is no guidance for redundant systems that are not required to meet single failure and/or independence criteria.
Staff recommends changing: For redundant SSCs that must satisfy single failure criteria requirements, the following guidance applies to For redundant SSCs that must satisfy single failure and/or independence requirements the following guidance applies:
Staff recommends adding guidance for systems that do not have single failure and/or independence requirements.
12 Section 3.2.1.3, Combination of Components/Fu nctions 1st Paragraph This section uses variety and/or layers of design. These terms are not used in other guidance, or elsewhere in this guidance, and are not defined. In addition, the use of this term is not necessary.
In a public meeting on November 2, 2016, NEI agreed these terms were not defined or used and should be removed.
Staff recommends removing the term variety and/or layers of design.
13 Section 3.2.1.3, Combination of Components/Fu nctions Example 3-4
[A42] Regarding the following quote: (1) No design functions for any of the sub-components are described in the UFSAR. Since no design functions are described for a particular subcomponent, then no adverse impacts can occur.
This statement is inconsistent with NEI 96-07 Rev. 1 which states: Consistent with historical practice, changes affecting SSCs or functions not described in Staff recommends removing this statement:
No design functions for any of the sub-components are described in the UFSAR.
Since no design functions are described for a particular subcomponent, then no adverse impacts can occur.
the UFSAR must be screened for their effects (so-called "indirect effects") on UFSAR-described design functions. {emphasis added}
Staff recommends addressing all other instances of indirect effects.
14 Section 3.2.1.1 This section only list three aspects of digital equipment to consider when screening equipment changes: SSC Characteristics, Combination of Components/Functions, and Dependability; however, the Staff believes that additional consideration is needed.
Staff recommends adding the following guidance: Other Digital Issues in the Screening Process In addition to the software question, other characteristics of a digital upgrade modification could cause the change to screen in to a 10 CFR 50.59 evaluation.
Some potentially adverse effects that should be evaluated when screening digital modifications upgrades include:
Changing performance from UFSAR-described requirements (e.g., for response time, accuracy, etc.).
Changing functionality in a way that increases complexity, potentially creating new malfunctions.
Introducing different behavior or potential failure modes (for which the risk is not negligible) that could affect the design function.
15 Section 3.2.1.3, Combination of Components/Fu nctions Example 3-5
[A48] Generally 50.59 includes:
(1) Outcomes (e.g., consequences & results), and (2) frequency & likelihood.
This example rationale only addresses analyzed outcomes. It does not address frequency & likelihood. In the old design, a total loss of feedwater (due to control system failures) only occurred as a result of two independent random failures, but in the new system, a single failure of the new control system would result in the total loss of feedwater. In order for there to be no increase in the frequency or likelihood of total loss of feedwater, the new digital system failure rate must be equal to the failure rate of two independent failures of the old system. This is hard to achieve or demonstrate without analysis; therefore, this item should screen in. (OR the frequency or likelihood of total loss of feed water is dominated by other equipment, either argument must be explicitly addressed)
Staff recommends addressing frequency &
likelihood of failure in this example.
16 Section 3.2.1.3, Combination of Components/Fu nctions Example 3-8
[A54] Regarding: In this case, the proposed activity would be adverse because a new malfunction has been created (i.e., loss of both feedwater control systems and the loss of the turbine control system) that was not previously considered in the licensing basis. [emphasis added]
The misbehavior of this new created system is called a malfunction whereas is should be referred to as an accident (both previously independent system failures were analyzed as AOOs, which are accidents under 50.59, so the concurrent failure of both functions should also be an accident). This distinction will be important when performing the evaluation since the criteria for new accidents and new malfunctions are different under 50.59 (i.e., see questions 5 & 6).
Staff recommends changing example to demonstrate that this is a new type of accident or revise the example to accurately depict a malfunction based upon combination of components / functions.
17 Section 3.2.1.4, First 2 Paragraphs Appendix D inserts [design] into a quotation form NEI 96-07; however, this addition is not justified.
By adding the term design, it could be later understood that it was appropriate to decrease the reliability of a [non-design] function whose failure could initiate an accident, as is implied by the addition.
Staff recommends describing why the term design was added to the quotation.
18 Section 3.2.2 Last Sentence Section 3.2.2 states, in part, If the digital modification does not involve or include a Human-System Interface (e.g., the replacement of an analog relay with a digital relay that has no features involving personnel interaction), then Staff recommends changing the sentence to:
If the digital modification does not include or affect a Human-System Interface (e.g.,
may involve an impact on operator response
this section does not apply and may be excluded from the Screen assessment. {emphasis added}
The staff notes that, whereas this may be possible and true in many cases, there may be circumstances where the digital modification may have an impact on operator response times (i.e., feasibility and reliability of manual operator actions), which is discussed in Section 3.2.2.2.
A further analysis can yield a number of questions that could be relevant to HSI changes that may not be apparent at first, but should be considered. For example, can digital relays have unexpected effects on operators? For instance, can they feed into digital processors that can get overloaded with signals during accidents causing delays to information refresh rates on main control room (MCR), displays thus affecting situation awareness and possibly causing operators to make errors? The example itself may cause uncertainty by potentially leading the reader to incorrectly assume that a given modification is unrelated to HSI because the digital relay in question does not have features involving personnel interaction, which is an ambiguous phrase.
times, and therefore, should not be excluded from the Screen assessment), then this section does not apply and may be excluded from the Screen assessment. {emphasis added}
19 Section 3.2.2.1 Scope This section lists four items (identified as (a) through (d) which are reflected in the subsections of 3.2.2.2. However, following these four items, there is some bulleted text from NEI 01-01 Section 4.3.4 that was inserted, but this material does not include corresponding guidance in Section 3.2.2.2.
The bulleted list should be augmented and supplemented with guidance because it is not clear how it addressed key HFE concerns. For example, does the modification:
- Involve leaving non-functioning legacy equipment installed next to functioning new equipment or having old and new systems both functioning simultaneously?
- Cause changes in the operator skills, knowledge, or abilities needed to successfully complete manual actions?
- Have the potential for performance shaping factors (such as stress, lighting, communication, task complexity, ergonomics, etc.) to influence the reliability of manual actions?
- Resemble licensing actions from other facilities that have experienced human performance problems as a result of similar changes?
- Add, delete, or modify operator manual actions?
- Include time-critical manual actions?
- Cause changes in the operator skills, knowledge, or abilities needed to successfully complete manual actions?
- Change the amount of time needed or available to complete a manual action?
Staff recommends including guidance and examples to address the bulleted material.
Alternatively, this material can be move into the appropriate place in Section 3.2.2.2 and supplementing with guidance and examples.
20 Section 3.2.2.1 Scope Last paragraph
[A43] The first paragraph of the inserted text from NEI 01-01 Section 4.3.4 states, but not limited to, which implies the list of HSI changes in this section is NOT all-inclusive. This appears contradictory to the last paragraph of this section where it states, If the HSI changes do not exhibit these characteristics, then it may be reasonable to conclude that the method of performing or controlling the design function is not adversely affected.
Staff recommends changing the last paragraph of this section to be clear that this is not an all-inclusive list, for example: If the HSI changes do not exhibit characteristics such as those listed above.
21 Section 3.2.2.2 Title Physical Interface - The title of this section is potentially misleading. Physical interface may be perceived as relating only to hardware, whereas the subsections may easily also be affected by changes to software. Human-System Interface is a more accurate title for the section.
Staff recommends changing title of Section 3.2.2.2 to Human-System Interface or similarly appropriate title.
22 Section 3.2.2.2, Physical Interface
[A91] The general approach of this section is that a screening is based on a description of the HSI in the FSAR (as updated). However, please recall that NEI 96-07 states: Consistent with historical practice, changes affecting SSCs or functions not described in the UFSAR must be screened for their effects (so-called "indirect effects") on UFSAR-described design functions.
{emphasis added}
Staff recommends this general approach of relying on FSAR descriptions of HSI should be expanded (i.e., provide guidance and examples) to include HSI not described in the FSAR that could have indirect effects on a design function.
23 Section 3.2.2.3 Example 3-9 Examining only the physical interaction aspect (i.e., ignoring the impact on operator response time or the number and/or sequence of steps necessary to access the new digital controls)
The example should further clarify that the abovementioned additional considerations (impact on operator response time or the number and/or sequence of steps necessary to access the new digital controls) should also be considered, even if the evaluation of the physical interaction results in No Adverse Impact determination.
Staff recommends changing i.e. to e.g. in order to indicate the list is not all inclusive.
24
- 3. Section 3.2.2.2, Information Presentation.
The bulleted list of examples of activities that have the potential to cause an adverse effect should be expanded beyond the two examples provided (i.e.,
addition or removal of a dead-band and replacement of instantaneous readings with time-averaged readings (or vice-versa). For example, the list should include the addition of steps that the operator has to take in order to access the information, as mentioned in example 3-13.
Staff recommends expanding the bulleted list. For example, the list should include the addition of steps that the operator has to take in order to access the information, as mentioned in Example 3-13.
25 Section 3.2.2.3 Example 3-14 And Generally throughout
[A91] The absence of a specific statement in the UFSAR regarding response time does not mean a change in response time could not have an adverse impact on a design function.
Please recall that NEI 96-07 states: Consistent with historical practice, changes affecting SSCs or functions not described in the UFSAR must be screened for their effects (so-called "indirect effects") on UFSAR-described design functions. {emphasis added}
Staff recommends removing: Overall Response Time - NOT ADVERSE because no response time requirements are described.
Staff recommends including instances of indirect effects (e.g., situational awareness &
workload).
26 Section 3.2.2 There are four categories of HSI changes that are addressed in the guidance and it is not clear why the guidance in limited to only addressing the four listed.
There are other HSI changes that could be adverse, for example:
- Situational Awareness
- Operator work load It is not clear how these are addressed in the existing guidance.
Staff recommends addressing all categories that could adversely affect a design function.