ML17216A642

Qualitative Assessment Guidance 04/20/2017 Public Meeting Copy (NEI Comments)

Site: Nuclear Energy Institute
Issue date: 04/24/2017
From: Fregonese V, Nuclear Energy Institute
To: James Drake, Licensing Processes Branch (DPR)
Shared Package: ML17221A232

Attachment 1 RIS 2017-XX Draft - Qualitative Assessment Framework

1 Introduction

This draft framework outlines the NRC staff's initial thoughts on clarifying guidance for the qualitative assessment process that takes into account differences in the level of evidence needed for SSCs of varying safety significance. The NRC staff recognizes that greater clarity in guidance for documenting the technical basis supporting proposed digital I&C modifications to SSCs of lower safety significance under 10 CFR 50.59 is needed.

Commented [vxf1]: Editorial comment - This paragraph appears to have a different font type than the remainder of the document.

Commented [vxf2]: This term is not defined in approved 50.59 guidance documents. Please remove or clarify.

The term qualitative assessment is referenced in both NEI 96-07 (as endorsed by RG 1.187) and NEI 01-01 (as endorsed by RIS 2002-22). For example, Section 5.3.1 of NEI 01-01 states, in part, that "reasonable assurance of adequate quality and low likelihood of failure is derived from a qualitative assessment of the design process and the system design features." Reliance on high quality development or design processes alone may not always serve as a sufficient qualitative argument. The intent of this clarifying guidance is to enable licensees to ensure that adequate qualitative arguments are presented consistently, through an evaluation of all appropriate qualitative evidence available, and the use of a consistent format and rationale by which the evidence supports the conclusions needed to respond to the criteria within a 10 CFR 50.59 Evaluation.

RIS 2002-22 provided the staff's endorsement, with clarifications, of NEI guidance document NEI 01-01, "Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 To Reflect Changes to the 10 CFR 50.59 Rule," for use as guidance in designing and implementing digital upgrades to instrumentation and control systems. The purpose of Revision 1 to NEI 01-01 was to assist licensees in designing, implementing, and licensing digital replacements in a consistent manner. NEI 01-01 provides guidance in performing qualitative assessments of the dependability of and risk associated with digital I&C systems. The NRC staff expects that licensees will document such qualitative assessments adequately, with the level of detail and topical area coverage needed to support licensing decisions, while enabling staff inspectors or other licensee reviewers of such assessments to easily understand the technical basis for the assessment conclusions.

Commented [vxf3]: NEI 01-01 is actually Revision 1 to the EPRI TR-102348.

2 Purpose

This enclosure provides clarification of the staff's previous endorsement of NEI guidance for performing and documenting qualitative assessments developed in support of 10 CFR 50.59 evaluations of proposed digital modifications. Such qualitative assessments are needed to document the technical bases for concluding whether there is reasonable assurance that any failures or failure modes resulting from the implementation of the proposed digital modification are consistent with the UFSAR analysis assumptions at the plant level. This determination is needed because a decision must be made as to whether the proposed change meets the evaluation criteria in 10 CFR 50.59(c)(2) and can be implemented without prior NRC staff approval, or whether a license amendment request (LAR) will be required.

The qualitative assessment is needed to support the process for making the following conclusions:

  • The activity does not result in more than a minimal increase in the frequency of occurrence of an accident or the likelihood of malfunction or failure of an SSC important to safety to perform its intended design functions.
  • The activity does not result in a more than minimal increase in the consequences of an accident or malfunction.
  • The activity does not result in a new type of accident, or a malfunction with a different result.

2.1 For activities that introduce a potential CCF that meets the above conditions, the CCF alone would not require the change to be approved under 10 CFR 50.90 through a LAR.

2.2 For activities that introduce a potential CCF that does not meet the above conditions, the CCF would need to become part of the licensing basis; a license amendment would be required under 10 CFR 50.90.

Commented [vxf4]: Staff comments on NEI 01-01 Appendix D have requested CCF be changed to SCCF (Software Common Cause Failure). Suggest further discussion on going forward use of CCF versus SCCF, and correcting all instances in this document.

2.3 This qualitative assessment clarification is intended to augment and clarify, rather than replace, the guidance for qualitative assessments described in NEI 01-01, Sections 4.4, 5.1, and 5.3 as well as Appendix A (Item Nos. 2(i) & 6(b)).

Commented [vxf5]: Calling these 2 sections of Appendix A out may imply limiting the scope to just software, but many upgrades are more than software. Consider just referring to the appropriate NEI 01-01 sections and Appendix A.

3 Qualitative Assessment

3.1 Scope

The qualitative assessment process may be applied to any proposed digital I&C plant modifications to safety and non-safety systems. However, at this time, it is not intended for this RIS to apply to reactor protection or essential safety feature initiation functions. Consistent with the staff's endorsement of NEI 01-01 in RIS 2002-22, it is likely that, when applying NEI 01-01 to complete the 10 CFR 50.59 evaluation process, a license amendment request will be found necessary to implement significant changes to reactor protection and engineered safeguards initiation systems.

Commented [vxf6]: The RIS discusses logic functions. Please clarify this area to be consistent.

Commented [vxf7]: Clarification may be required for the use of "significant" here. The intent would be to remain consistent with the logic functions addressed elsewhere in the RIS and Attachment. Also, some digital to digital, or other module/piece part RTS or ESFAS changes may be desired to be done under 50.59, and addressed appropriately in the Qualitative Assessment.

3.2 Quantitative vs. Qualitative

A quantitative assessment involves the use of numbers in measurements, comparisons, or calculations. A qualitative assessment is any other assessment that is not quantitative. For example, an electrical independence requirement can be demonstrated, quantitatively, by comparing the capacity of an electrical isolation device with anticipated challenges to it.

Alternatively, an electrical independence requirement can be demonstrated qualitatively by showing that the independent channels of equipment have no shared common components and have no electrical connections between them.

3.3 Qualitative Argument Cornerstones

This Qualitative Assessment clarification highlights four general categories of proposed design-related characteristics, each of which needs to be evaluated to formulate effective qualitative arguments sufficient to address the three questions posed in the Purpose section above. An evaluation of the degree to which each category of design characteristic has been addressed, weighed collectively in the design, is adequate to support acceptable technical bases for responding to the 50.59(c)(2) criteria. These areas should be evaluated, as applicable, in conjunction with the questions provided in NEI 01-01, Appendix A. Those four general categories are:

  • Design Attributes of the proposed modification that serve to prevent or limit failures from occurring, or that mitigate the consequences of such possible failures. Evidence of design attributes supporting arguments for the high reliability and dependability of the proposed modification should be described.
  • Quality Processes employed in the development of the proposed modification, including software development, hardware and software integration processes, hardware design, and validation and testing processes that have been incorporated into the development process.
  • Defense in Depth: Evidence that the proposed design incorporates both internal and external layers of defense against potential failures of the modified I&C system or component. The design must respond appropriately to avoid generating modes of failure not already analyzed in the UFSAR, the initiation of a design basis Anticipated Operational Occurrence (AOO) or Postulated Accident (PA), or the initiation of new AOOs or PAs that have not been previously analyzed.
  • Operating Experience: Evidence that the proposed system or component modification employs equipment with significant operating history in nuclear power plant applications or non-nuclear applications with comparable performance requirements, and that the suppliers of such equipment incorporate quality processes such as continual process improvement, incorporation of lessons learned, deficiency and failure tracking and disposition, etc.

Commented [vxf8]: Consider whether this should be measured against the 50.59 criterion of "result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the final safety analysis report".

Commented [vxf9]: Consider clarification somewhere in the document that if the activity could result in a new AOO or PA that has not been previously analyzed (this would be an accident of a different type), Evaluation Question 5 would be answered YES and a LAR would be required to implement.

These categories are not mutually exclusive and may overlap in certain areas. Adequate qualitative arguments for systems of varying safety significance should address the degree to which the proposed modification has addressed each of the above categories. The staff expects that the evaluation will address ALL of these categories to the degree possible. See Table 1.

Table 1 - Qualitative Argument Topical Areas

Topical Area: Design Attributes
Description:
  • Design Criteria - For example: Diversity (if applicable), Independence, Redundancy
  • Inherent Design Features for software, hardware or architectural/network - For example: external watchdog timers, isolation devices, segmentation, self-testing and self-diagnostic features
  • Non-concurrent triggers
  • Sufficiently Simple (i.e. enabling 100% testing)
  • Unlikely series of events - For example, the evaluation of a given DI&C modification would necessarily have to postulate multiple independent random failures in order to arrive at a state in which a CCF is possible.
  • Failure state always known to be safe

Commented [vxf10]: Please consider adding a statement that makes it clear that these are examples of design measures that could be taken - the list is not a checklist whereby all of the listed items must be incorporated into the design.

Commented [vxf11]: NEI and staff need to discuss further how to adequately describe and bound this topic to ensure it is not open ended and subject to interpretation later.

Commented [vxf12]: Please define 100% testing. Suggested definition is: All reasonably testable combinations of input states along with a documented technical justification that any states not practical to test are not expected to ever occur for the particular application.

Topical Area: Quality Design Processes
Description:
  • Compliance with industry codes and standards - This includes those industry codes and standards cited within the Design and Licensing Basis and other NRC-endorsed industry codes and standards where practical for the design and application. Where non-NRC-endorsed codes and standards are applied to the design, the licensee must provide an explanation of why use of the particular non-endorsed standard(s) is acceptable.
  • Use of Appendix B vendors, or if not Appendix B, which generally accepted industrial quality program applies
  • Environmental qualification (e.g. EMI/RFI, Seismic, temperature, humidity, etc.)
  • Development Process rigor

Commented [vxf13]: Please consider that BTP 7-19 at the time NEI 01-01 was issued described simple as "the component function can be completely demonstrated by test." Later versions introduced the 100% testability with all the qualifying statements.

Commented [vxf14]: "Use" would be a better choice of wording. This was discussed in the recent public meeting. "Compliance" could drive to literal compliance and all the explanations for what is not met, versus documenting the application of what codes and standards were considered in the development of the design.

Commented [vxf15]: Please consider incorporating the approach in the RIS, which states: "an evaluation should be documented as to why the particular design standards are considered to be adequate for the particular application, commensurate with the level of safety significance of the proposed modification, or its consequences of failure."

Topical Area: Defense-In-Depth
Description:
  • Coping measures
  • Availability of operator intervention capabilities independent of the potential CCF, administrative controls, and sufficient time to respond
  • Physical restrictions external to the DI&C modification (e.g. mechanical restrictions on control valve movements, pump/turbine/vfd speed limits, rod control interlocks, etc.)

Commented [vxf16]: Please clarify what the intent is here (sufficient). This statement could imply that critical operator actions apply.

Topical Area: Operating Experience
Description:
  • Wide range of operating history
  • History of lessons learned from field experience addressed in the design
  • High volume production usage in different applications - Note that for software, the concern is centered on lower volume, custom or user-configurable software applications. High volume commercial products used in different applications provide a higher likelihood of resolution of potential deficiencies.

3.3.1 Design Attributes versus Quality Process

Both Design Attributes and Quality Process are needed because each addresses different aspects, and to some degree they complement each other. For example, the surface of a weld should be appropriately cleaned (a Design Attribute) before the welding is performed, in part, to ensure a proper weld. It is generally not possible to tell, from inspecting the weld after it is completed, that the surfaces were properly cleaned. Therefore, Quality Processes ensure and document that the welder is trained in the appropriate cleaning processes, and that in-process inspections are performed to ensure the weld surfaces are cleaned.

Commented [vxf17]: Consider using a digital example here in lieu of a special process like welding.

3.3.2 Design Attributes to Eliminate Consideration of CCF

Many system design and testing attributes, procedures, and practices can contribute to significantly reducing the probability of CCF. However, NUREG-0800 Chapter 7, Branch Technical Position No. 7-19 only recognizes two design attributes as sufficient to eliminate consideration of software-based or programmable logic-based CCF: Diversity or Testability. However, if CCF is considered in a larger context (i.e., software-based or software programmable logic-based CCFs are not the only types of CCFs), then there are many regulatory requirements to address potential CCFs, and thereby eliminate them from further consideration. As a result, any relaxations in how these requirements are met are "adverse" in a 50.59 Screen and should screen in (i.e., require a full 50.59 evaluation). Changes in how requirements are met need to be evaluated to ensure they do not result in a need for a license amendment. In addition, there are some SSCs that have only minimal applicable criteria. These SSCs may have been implemented in a manner (i.e., relatively independently) such that only individual SSC malfunction or failure was considered in the FSAR (as updated). If these individual SSCs are combined with (e.g., controlled by a common digital component) or coupled to each other (e.g., by digital communication), then the new malfunction(s) and/or accident(s) must be evaluated under 50.59. NRC approved qualitative and/or quantitative methods can be used to evaluate attributes of the design to determine whether a license amendment may be required:

Commented [vxf18]: Please consider that the NRC guidance at the time NEI 01-01 was issued described simple as "the component function can be completely demonstrated by test." Later versions introduced the 100% testability with all the qualifying statements.

Commented [vxf19]: Please clarify. It might be more appropriate to use design attributes rather than regulatory requirements.

Commented [vxf20]: Provide additional discussion regarding the phrase "relatively independently" to more fully explain its meaning.

  • Digital Communications: The introduction of digital communication (between redundancies, levels of defense, or between different safety classifications) that does not meet NRC-endorsed guidance for communications independence should be reviewed and approved under a LAR processed under 10 CFR 50.90.

Commented [vxf21]: Please clarify what is meant by endorsed guidance. RG 1.152 R3 states that IEEE Std 7-4.3.2-2003 Annex E, Communication Independence, has not received NRC endorsement because it provides insufficient guidance.

  • Combination of Functions: The combination of functions that (i) can cause an AOO or PA (e.g., for non-safety-related systems, combining the functions of the feedwater control system with the functions of the turbine control system), (ii) are credited for mitigating plant transients either directly or as an auxiliary support function, or (iii) are of different layers of defense should be evaluated under 50.59. If the 50.59 evaluation determines that (A) a new type of accident, (B) a malfunction with a new result, or (C) an unbounded malfunction or accident now exists, then a LAR is required under 10 CFR 50.90.

  • Defense-in-depth: Defense-in-depth is an element of the NRC's safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility. The defense-in-depth philosophy has traditionally been applied in plant design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material. It continues to be an effective way to account for uncertainties in equipment and human performance and, in particular, to account for the potential for unknown and unforeseen failure mechanisms or phenomena that, because they are unknown or unforeseen, are not reflected in either the PRA or traditional engineering analyses. The SRM on SECY-98-144, "White Paper on Risk-Informed and Performance-Based Regulation," provides additional information on defense-in-depth as an element of the NRC's safety philosophy.

Appendix A, "General Design Criteria for Nuclear Power Plants," to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," was first promulgated in 1971 and reflects the defense-in-depth principles, although Appendix A does not explicitly refer to defense-in-depth. A balance among accident prevention, accident mitigation, and limiting accident consequences is basic to the general design criteria. Specific requirements in the general design criteria exist for independence, redundancy, and diversity (oftentimes achieved by imposing the requirement to withstand a single failure). The general design criteria also require a level of quality commensurate with the safety functions of structures, systems, and components and require the capability for inspection and testing.

Both RG 1.174 Rev. 3 and BTP 7-19 contain criteria for determining whether adequate Defense-in-Depth has been maintained. A failure to meet either of these criteria should be reviewed and approved through a LAR under 10 CFR 50.90. That is, a failure to maintain adequate defense in depth is considered to violate a criterion that is applicable to both evaluation questions 1 and 2:

"Although this criterion allows minimal increases, licensees must still meet applicable regulatory requirements and other acceptance criteria to which they are committed (such as, contained in regulatory guides and nationally recognized industry consensus standards, e.g., the ASME B&PV Code and IEEE standards)."

Commented [vxf22]: Please clarify the applicability of RG 1.174. Industry interpretation is that RG 1.174 would apply to license amendments with a quantitative risk-informed basis. The RIS focus is on the use of qualitative assessments.

Commented [vxf23]: The draft RIS speaks of BTP 7-19 D3 criteria with respect to RPS/ESFAS modifications. The discussion here seems to suggest it be applied to all digital mods and if it cannot be met then a license amendment is needed. Please clarify this.

Further, departures from the design, fabrication, construction, testing and performance standards as outlined in the General Design Criteria (Appendix A to Part 50) are not compatible with a "no more than minimal increase" standard.

3.3.3 Design Specifics

It is not possible for generic guidance to anticipate all of the ways that a design can introduce failure and malfunction modes; therefore, the features of each design must be reviewed against the applicable 10 CFR 50.59(c)(2) criteria. This is in addition to the general considerations listed above.

3.3.4 Regarding codes and standards

Design attributes credited for meeting any industry codes and standards criteria must be stipulated and documented as being achieved (per GDC 1, "Quality Standards and Records" - for those stations committed to GDC 1, the design needs to align with this criterion):

(1) Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

The term "quality standards" is sometimes a source of confusion. Some understand this term to mean codes and standards; however, this interpretation would render the first clause of the second sentence irrelevant. A better interpretation of the term would be "specified criteria." It is understood that not everything important to safety has been designed according to a generally recognized code or standard.

Commented [vxf24]: In order to avoid any ambiguity, this is an area that warrants further discussion, similar to the topic of technical codes and standards that NEI and NRC staff had in the last public meeting.

(2) Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function.

This sentence allows the use of generally recognized codes and standards, when appropriate, instead of requiring application-specific specifications for all important-to-safety aspects. That is, codes and standards can be incorporated by reference in plant-specific specifications of important-to-safety equipment.

(3) A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions.

This sentence requires process controls for important to safety equipment that is not part of an Appendix B quality assurance program.

(4) Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

This sentence requires documentation for important-to-safety equipment that is not part of an Appendix B QA program.

Commented [vxf25]: More discussion on this interpretation is required to ensure it is clear on the level of documentation that would be required to support digital upgrades to non-safety related equipment.

3.3.5 Decision Process

Figure 1 of this qualitative assessment guidance provides a general overview of the types of considerations that should be made when using this guidance to address NEI 01-01 Appendix A (Items Nos. 2(i) & 6(b)). Individual assessments may vary depending upon the licensee using this qualitative assessment guidance.

[Figure 1 - Decision Process flowchart; not reproduced in this text copy.]

Commented [vxf26]: There is no box for 50.59 Question #6.

Commented [vxf27]: Many of the rectangles on the flow chart do not have a yes or no. For instance, the box that contains "This allows Question #2 to be answered NO." Please clarify this in the flowchart.

Commented [vxf28]: Please refer to previous comment on the 100% testability in Table 1.

Commented [vxf29]: Please clarify the purpose of the decision block that states: "Is malfunction bounded within the existing licensing basis?"

4 Qualitative Assessment Documentation

The qualitative assessment guidance also describes the areas of consideration that should be documented in order to present a consistent explanation of likelihood arguments supporting technical bases for responding to the 10 CFR 50.59(c)(2) criteria. The staff expects that the licensee will address ALL of these categories to the degree possible, as shown in Table 2. This table provides the process flow that should be followed in terms of the structure of the qualitative assessment presentation as well as the specific steps that should be addressed in the process.

4.1 Responsibilities of License Holders

The licensee's design modification package should document the design codes and standards that were used in the development of the proposed digital I&C design modification. The qualitative assessment should reference the design standards used, and provide a rationale as to why the portions of those design standards, as employed by experienced software and hardware engineering professionals, are considered adequate for demonstrating that a high quality component or system will result, as evidenced by the fact that a well-defined process for project management, software design, development, implementation, verification, validation, software safety analysis, change control, and software configuration control was used. The selection of the design standards (or portions thereof) to be employed should be commensurate with the level of safety significance of the modified component or system, and the possible safety consequences that may result from its failure. They need not be the same as the industry design standards referenced within USNRC regulatory guides; however, the licensee should be able to demonstrate why the portion of the design standard employed is considered adequate for the proposed design modification, commensurate with the level of safety significance.

Commented [vxf30]: More discussion is needed to clarify the extent of what is considered adequate for non-safety related systems, where it is unlikely to be significant use of IEEE software or other software safety analyses.

Commented [vxf31]: Project management may have a different definition to a licensee than the intended meaning used here. Need to clarify the meaning of project management when used in the context presented here.

4.2 Safety Significance of SSCs and Documentation of Evidence

As stated previously, an important consideration for documentation of evidence to address the 10 CFR 50.59(c)(2) criteria is the relative safety significance of the SSC to be modified, and a graded approach can be utilized to this end. There are numerous ways in which to correlate safety significance to the level of documentation needed. Some considerations can include, but are not limited to, the following:

  • Is the SSC(s) to be modified an event initiator?
  • Is the SSC(s) to be modified part of an accident mitigation system?

Commented [vxf32]: Please clarify this bullet as to whether it is meant that the SSC to be modified is the direct cause of a previously analyzed AOO, or

Another means to correlate the level of documentation versus the safety significance of the SSC(s) to be modified is consideration of the SSC(s) role in accomplishing or maintaining critical safety functions (1) such as:

  • Reactivity control
  • Reactor core cooling
  • Primary reactor containment integrity
  • Radioactive effluent control

Commented [vxf33]: Please clarify whether this is referring to direct reactivity control, like rods or boration/dilution, or some other secondary effects that

Commented [vxf34]: Please clarify whether this bullet is referring to post-accident or non-safety radwaste systems.

It is the responsibility of the 10 CFR 50.59 evaluator to demonstrate that the documentation of the design basis of the proposed modification is adequate based upon the safety significance of the SSC(s) to be modified and that this portion of the analysis is captured within the 10 CFR 50.59 evaluation.

(1) Source: IEEE Std. 497-2002 as endorsed by RG 1.97, Revision 4

Table 2 - Qualitative Assessment Documentation Structure (2)

Topical Area: Identification
Description: Describe the full extent of the SSC(s) to be modified (the boundaries of the design change).

Topical Area: Step 1 - Design Function
Description:
  • What is the entirety of the UFSAR design function(s) of the upgraded component(s) within the context of the plant system, subsystem, etc.?
  • Describe what design functions were covered by the previously installed equipment, and how those same design functions will be accomplished by the modified design. Also describe any new design functions to be performed by the modified design that were not part of the original design.
  • Assumptions and conditions associated with the expected safety or power generation functions

Topical Area: Step 2 - Failure Modes
Description: What are the failure modes of the upgraded component(s), and are they different than the failure modes of the currently installed component(s)?

Topical Area: Step 3 - Results of their Failure
Description: In terms of existing safety analysis or in terms of an enhanced safety analysis, what are the consequences of any postulated single failures or CCF of the modified SSC(s)?

Commented [vxf35]: Please consider an expanded discussion somewhere in the document to clarify that if it is concluded that CCF is not credible, whether the licensee still needs to assume a CCF and evaluate the results of failure.

Topical Area: Step 4 - Assertions
Description: What are the assertions being made:
  • The digital component is at least as reliable, dependable, etc., as the device previously installed?
  • The digital component's likelihood of postulated CCF is significantly lower than the likelihood of the single failures considered in the UFSAR, or comparable to CCFs that are not considered in the safety analyses (e.g. design flaws, maintenance errors)?

ALL assertions should fully address the results of a postulated CCF of the SSC(s) to be modified and the likelihood of postulated CCF. The qualitative assessment is not required to determine the absolute likelihood of failure.

Topical Area: Step 5 - Documentation of Evidence
Description: Evidence should support each of the assertions (e.g. evidence of the 4 qualitative assessment arguments), including codes and standards applied, qualification for the environment (e.g., seismic, EMI/RFI, ambient temperature, humidity, heat contribution, etc.), as applicable, Quality Processes employed in the development (V&V processes used as evident in a traceability matrix, QA documentation, unit test and system test results, etc.), defense-in-depth (e.g. inherent internal diversity, manual back-up capability, etc.), and Operating History (e.g., platform used in numerous applications worldwide with minimal failure history, etc.).

Commented [vxf36]: Please consider clarification somewhere in this document about the applicability of this criteria to many modifications, such as component level, where the criteria may be too prescriptive.

The level of evidence provided should be commensurate with the safety significance of the SSC(s) to be modified.

Topical Area: Step 6 - Rationale
Description: State why the assertion can be considered to be true, based on the evidence provided. Include arguments both supporting and detracting (pros and cons) so that the 10 CFR 50.59 user of the qualitative analysis has a feel for the relative magnitude of the uncertainties associated with each claim. Provide justification supporting the use of the rationale.

Topical Area: Step 7 - Conclusion
Description: Apply the results of the qualitative assessment to respond to each of the 50.59 evaluation questions.

(2) Establishes structure specifically for qualitative assessment similar to guidance provided in NEI 01-01 Appendix B.