ML17101A323

NEI Rev 0 Draft Fundamental I and C Design Principles White Paper for MP4
Site: Nuclear Energy Institute
Issue date: 04/11/2017
From: Nuclear Energy Institute
To: Office of Nuclear Reactor Regulation (Jordan, Nate)

FUNDAMENTAL INSTRUMENTATION AND CONTROL DESIGN PRINCIPLES
Prepared by the Nuclear Energy Institute
APRIL 2017, Rev 0 DRAFT

The Nuclear Energy Institute is the nuclear energy industry's policy organization.

This white paper and additional information about nuclear energy are available at nei.org.

1201 F Street, NW Washington, DC 20004 NEI.org

© 2017 Nuclear Energy Institute

Purpose

The purpose of this position paper is to re-affirm the four fundamental Instrumentation and Control (I&C) design principles of redundancy, independence, deterministic behavior, and defense-in-depth and diversity (also referred to as the four pillars), together with one attribute, an appropriate level of simplicity, as a solid and effective foundation for demonstrating nuclear safety and reliability. Adequate documentation of conformance to these principles provides a sufficient basis to support the licensing process, and specifically the license amendment review (LAR) process, inclusive of digital systems and equipment. The licensing review process for digital I&C systems and equipment is currently defined in U.S. NRC Digital Instrumentation and Control Interim Staff Guidance #6 (DI&C-ISG-06), Revision 1, Task Working Group #6: Licensing Process (ADAMS Accession No. ML110140103).

This discussion is also intended to provide perspectives on steps that could be taken to support fulfillment of the objectives of SECY-16-0070, Integrated Strategy to Modernize the Nuclear Regulatory Commission's Digital Instrumentation and Controls Regulatory Infrastructure. This paper focuses on Modernization Plan (MP) #4, which is concerned with identifying and implementing a complete set of activities needed to provide near-term regulatory clarity and to support industry confidence in performing digital I&C upgrades, while being mindful of the licensing basis differences across the nuclear fleet.

This paper is not intended to solve all of the issues identified, but rather to provide a line of sight to issue resolution. This paper provides a vehicle to facilitate constructive discussions and gain NRC staff/industry concurrence on a path forward.

Introduction

There is an urgent need to establish a clear, unambiguous regulatory roadmap for digital I&C to achieve certainty, consistency, and reasonable focus in the licensing review on attributes that are relevant to nuclear safety and reliability. With a focus on I&C, the overarching goal is to sustain nuclear safety consciousness coupled with a high regard for efficiency and effectiveness in relevant processes, thereby reducing unnecessary regulatory burden. This approach should not compromise public health and safety, security, and environmental stewardship.

The four fundamental I&C design principles of redundancy, independence, deterministic behavior, and defense-in-depth and diversity provide definitive and relevant criteria that can be applied consistently to make a safety determination and to support licensing reviews of proposed changes to existing operating plants as well as design reviews of new plants. This approach is performance-based, since it supports the foundation of the plant safety analyses; it is technology neutral; and it supports initiatives to modernize the regulatory infrastructure and to provide durable guidance. Furthermore, the I&C design principles have meaningful correspondence to 10 CFR 50 Appendix A, General Design Criteria for Nuclear Power Plants (GDC), and are directly relevant to safety significant I&C systems and equipment (the attached figure provides a high-level graphical representation of this association).

  • (ANSI/)IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations
  • IEEE Std. 603-1991 (with 1995 Correction), Criteria for Safety Systems for Nuclear Power Generating Stations

As identified in DI&C-ISG-06 Rev. 1, the purpose of the NRC review is to assess whether the facility and equipment, the proposed use of the equipment, the processes to be performed, and other technical criteria will comply with the regulations (e.g., 10 CFR 50) and that public health and safety will be protected. It is not intended that the review or audit activities by the reviewer include an evaluation of all aspects of the design and implementation of the I&C system. The review scope is of sufficient detail to allow the reviewer to conclude that the LAR complies with the regulations. DI&C-ISG-06 Rev. 1 notes that while process is important, software lifecycle processes are not a substitute for a detailed review of the hardware and software architectures to conclude that the system, hardware, software architecture, and human-system interface meet the four fundamental design principles and provide an appropriate level of simplicity.

These four fundamental design principles are also applied in the review standard for small modular reactors (SMRs), as discussed in the mPower and NuScale Design-Specific Review Standard (DSRS). The additional cross-cutting attribute of Simplicity is described in the DSRS (Section 7.0, Appendix C, Instrumentation and Controls - Simplicity) as well as in DI&C-ISG-06.

In order to determine the relevant Instrumentation and Controls review guidance, it is essential to establish a common frame of reference on the specific safety criteria associated with nuclear power plant design. Once the safety criteria are affirmed, the requirements associated with the criteria can be elicited to establish a consistent and meaningful framework. This is not intended to assert that the existing regulatory framework is not meaningful, but there are aspects of the framework that could be considered extraneous, loosely defined, difficult to apply to changing technology, or subjective. These aspects create uncertainty and variability in the review process.

DI&C-ISG-06 Rev. 1 entails the submittal of a significant number of software lifecycle documents. However, no documented acceptance evaluation criteria (other than BTP 7-14) have been provided for, or applied to, the documentation associated with safety-related software. Additionally, it is not clear that this documentation provides or demonstrates any discernible correspondence to software quality (as opposed to process adherence), and more specifically to the integration of safety significant attributes such as correctness, fault avoidance, fault tolerance, fault detection, fault removal, integrity, dependability, fail-safe operation, or graceful degradation.

The following attributes can be shown to relate directly to, or support assurance of, nuclear safety and reliability:

  • A description of the system and the ability to perform the design basis function, including how the system architecture, plant interfaces, and human-system interfaces function
  • A description of the functional requirements associated with the system
  • A description of how the four pillars are used in the design
  • A description of the simplicity, and a defense of the rationale behind complexities added to the system, to support key system attributes including reliability, maintenance, calibration, test, operation, safety, reliability, etc.
  • A description of the area of change or of the new system or equipment and basis for the change
  • A description of the hardware and software aspects of the change and relationship to the system
  • Demonstration of conformance to the regulatory requirements as embodied in the fundamental I&C design principles
  • A description of relevant regulatory criteria beyond the fundamental four design principles and one attribute, including demonstration of conformance to the design principles and attribute
  • A discussion with proof of reliability, deterministic behavior, and deterministic timing, including consideration of common cause failure
  • A discussion of the requirements and methods for equipment qualification tests and analyses
  • A demonstration that hazards are accounted for adequately in relationship to system performance, interfacing systems and equipment, human-system interfaces, and overall plant and operator response relative to the response credited in the safety analysis
  • A discussion of how the safety, reliability, and cyber security claims will be demonstrated throughout the development life cycle and in operation in the plant

The documents submitted should support the evaluation of the impact on nuclear safety and adherence to nuclear safety principles. Review of submittals should focus on the methods used to implement the nuclear safety philosophy and thus document how the system assures implementation of the principal safety functions and maintains integrity of the principal safety barriers. These safety principles are tied directly to regulatory guidance and industry standards.

The three principal (nuclear) safety functions are:

  • Control of reactivity and avoiding reactivity excursions
  • Adequate cooling of the core and fuel
  • Confinement of radiation

The three principal safety barriers that we maintain are:

  • Containment integrity

A reasonable assurance case or safety claim can be made with the adoption of the following principles, which comprise the fundamental four design principles and one attribute:

a. Maintain independence from the resultant effects of a design basis event so that the effects of the event, or the hazards that precipitated the event, do not have an adverse effect on the performance of systems credited in mitigating the event. Maintain independence between the redundant channels, divisions, and trains so that any faults or failures in one channel, division, or train do not affect the redundant channels, divisions, or trains. This should incorporate CCF considerations and protection from internal and external events, as well as design assurance of the required performance capability. The philosophy of independence extends to system interaction to ensure that the interactions do not result in unintended, adverse consequences.

b. To assure acceptable safety margin, the fundamental design approach is to avoid reliance on, or crediting of, a single I&C system or single train of equipment to perform a safety-related function.
1. This principle is embodied in the single failure criterion (SFC). The SFC fundamentally implies the application of systems and equipment redundancy. This redundancy can occur through the installation of multiple divisions of I&C systems and trains of equipment, and may be extended into redundancy within each division of I&C equipment.
2. This principle is also embodied in the defense-in-depth and diversity philosophy, which deploys functional diversity as a primary defense, implementing multiple methods (barriers) so that the failure of one method does not compromise protection of the fundamental safety barriers. This may include diverse systems and equipment as necessary to achieve high safety margin and reliability, such as the Anticipated Transients Without Scram (ATWS) mitigating system or multiple different systems for emergency core cooling.
3. The defense-in-depth approach is further applied in the design for protection against common cause failures in sensors, transmitters, and output devices.
c. Minimize the probability of failure of systems and equipment when required to mitigate postulated design basis events. This philosophy drives a deterministic design which provides deterministic behavior and deterministic timing. The deterministic design provides predictable and repeatable performance of the safety functions.
1. This is achieved by deploying highly reliable and dependable equipment and systems which are designed to exhibit deterministic behavior and deterministic timing.
2. As an extension of this deterministic design philosophy, systems and equipment are required to fail to a safe state or to a known, defined state determined not to jeopardize safety. Thus, reactor trip systems fail to the tripped state, but engineered safety features systems fail either as-is or non-actuated.
3. Systems are required to be testable to provide assurance of continued operability and availability when required.
4. System maintainability is a fundamental aspect of the design, extending down to software by ensuring documented, well-designed, understandable code.
d. An implicit approach to reliability is to deploy the design with minimal complexity, with the knowledge that complexity may be required to enhance reliability or reduce the potential for human error. Where complexity is required (e.g., self-diagnostics, redundancy within the equipment in a single division), the complexity is documented and justified as necessary and appropriate for enhancing reliability, surveillance, calibration, and other required system or equipment attributes. Of course, there are tradeoffs in complexity: for example, designing the system to reduce the human actions necessary for surveillance increases complexity, but it also decreases the potential for human error and thereby enhances system reliability.

A fundamental precept is that the overall plant design applies good engineering practices for design, construction, operation, and maintenance, which relates to conformance to regulatory requirements, as well as industry codes and standards and norms for achieving high dependability in performance.

The licensees or applicants have the burden of proof (production of satisfactory evidence) that the plant and the systems, structures and components (SSCs) are designed, implemented, constructed, installed, operated, and maintained safely with respect to their application and maintenance of these guiding principles. Additionally, changes must be performed using the same guiding principles, using the same (or better) methods and processes to avoid compromising safety.

To address this urgent need, the following six recommendations are proposed.

These salient regulatory issues addressing digital design are discussed with reference to recommended resolution approaches. Since this paper is not intended to solve the issues, but only to provide a line of sight to issue resolution and potential paths forward, this discussion ties into the NRC IAP and the MPs identified to address industry issues.

  • Normalize reviews using a discrete set of fundamental I&C design principles, which is the focus of this discussion. Establish a relevant set of design features that could be applied consistently to achieve a safety and reliability claim (e.g., application of EPRI 3002005326, Methods for Assuring Safety and Dependability when Applying Digital Instrumentation and Control Systems)
  • Improve the efficiency and effectiveness of the 10 CFR 50.90, Application for amendment of license, construction permit, or early site permit, process for digital upgrades by streamlining the guidance in DI&C-ISG-06 and reviews to the extent feasible, by targeting the inputs that are relevant and germane to demonstrating adequate nuclear safety and for critically evaluating the attributes that distinguish the acceptability (i.e., safety and dependability) of digital designs. This urgent need is captured in MP 4.A.b (Assessment for Modernization of the Instrument & Control Regulatory Infrastructure), updating licensing guidance including evaluating lessons learned from review of license applications. This recommendation is being addressed in a separate paper to be provided later.
  • Critically evaluate the approach taken to review software designs and assure production and implementation of fault-tolerant and high reliability software relative to the current review approach outlined in NUREG-0800 (U.S. NRC Standard Review Plan) Branch Technical Position (BTP) 7-14 (Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems), giving consideration to the various life cycle and structured development approaches. This recommendation is being addressed in a separate paper to be provided later.
  • Provide stable guidance on treatment of software common cause failure as it relates to defense-in-depth and diversity approaches as well as 10 CFR 50.59, Changes, tests and experiments, guidance as part of a separate activity to implement MP #1 (Protection Against Common Cause Failure) and MP #2 (Considering Digital Instrumentation & Control in Accordance with 10 CFR 50.59). A path to resolution is provided in NEI 16-16 (Guidance for Addressing Digital Common Cause Failure). NEI 96-07 Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, will provide relevant 50.59 guidance in support of digital upgrades. In the short term, the NRC is enhancing 10 CFR 50.59 guidance in a new Regulatory Issue Summary (RIS) for NEI 01-01 Rev. 1 Guideline on Licensing Digital Upgrades (EPRI TR-102348), which will provide a path forward for some safety significant system replacements.
  • Acknowledge that regulatory reviews of new plant design and large scale (multi-system, multi-function, perhaps implemented sequentially) digital upgrades could be challenging without a targeted and systematic treatment of the overall I&C architecture, including thoughtful consideration and adoption of defense-in-depth, guidance on an acceptable overall I&C framework that considers a plant design basis and functional approach. Such an approach would consider the risk significance of combining certain non-safety related functions that could yield unacceptable or undesirable challenges to plant safety for both new and existing plants. Recommendation on a path to resolution is addressed in a separate paper to be provided later.
  • Technology and innovation are drivers. Competitive markets and nuclear generation viability dictate product innovation. Obsolescence and product support for digital products will be challenged. The nuclear industry requires a path to resolution that considers commercial dedication approaches, which is addressed in a separate working group for MP #3 (Commercial Grade Dedication of Digital Equipment).

Changes in the regulatory infrastructure that relate to licensee submittals should identify the minimum set of documents that are directly relevant to the demonstration and assurance of adequate nuclear safety and reliability, with acceptance criteria that can be interpreted and applied consistently.