ML18057B126
| ML18057B126 | |
| Person / Time | |
|---|---|
| Site: | Nuclear Energy Institute |
| Issue date: | 02/23/2018 |
| From: | Hanson J Nuclear Energy Institute |
| To: | Eric Benner Division of Operating Reactor Licensing |
| Shared Package | |
| ML18039A804 | List: |
| References | |
| Download: ML18057B126 (53) | |
Text
NRR-DMPSPEm Resource From: Benner, Eric Sent: Friday, February 23, 2018 10:00 PM To: Miller, Chris; King, Michael; Thomas, Brian; Caldwell, Robert; Wilkins, Lynnea; Govan, Tekia; Waters, Michael; Chernoff, Harold Cc: Helton, Shana; Lorson, Raymond; Holian, Brian
Subject:
Fwd: RIS 17-XX Consolidated Industry Comments Attachments: Copy of Copy of Industry Comments on Draft RIS 2017-XX 15-2018 Color.xlsx; Draft RIS 2002-22 Supplement WORD Version - Line Numbers Added.pdf As promised.
From: "HANSON, Jerud" <jeh@nei.org>
Subject:
[External_Sender] RIS 17-XX Consolidated Industry Comments Date: 23 February 2018 20:48 To: "Benner, Eric" <Eric.Benner@nrc.gov>
Cc: "COWAN, Pamela" <pbc@nei.org>, "REMER, Jason" <sjr@nei.org>, "HANSON, Jerud" <jeh@nei.org>
- Eric, Attached for your review are the consolidated industry comments on the Draft RIS 17-XX that was published for stakeholder review on January 23rd. Also attached is a PDF of the RIS that has each line within the document numbered.
These numbers in the document are associated with the first column contained within the comment table spreadsheet. The second column of the spreadsheet is color-coded with what we consider to be our more significant comments in red. This has been done to facilitate a more efficient review of the document and industry comments.
We look forward to reviewing the revised RIS scheduled to be published on the Federal Register by early next week, as well as discussing this new version and industry comments at the March 6th public meeting.
Please contact me with any questions.
Thank you, Jerud Jerud E. Hanson l Sr. Project Manager, Life Extension & New Technology 1201 F Street, NW, Suite 1100 l Washington, DC 20004 P: 202.739.8053 M: 202.497.2051 nei.org This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
1
Sent through www.intermedia.com 2
Hearing Identifier: NRR_DMPS Email Number: 212 Mail Envelope Properties (246F4C5217D3A2890C8283646971F4BBAD35DBAB)
Subject:
Fwd: RIS 17-XX Consolidated Industry Comments Sent Date: 2/23/2018 9:59:33 PM Received Date: 2/23/2018 9:59:39 PM From: Benner, Eric Created By: Eric.Benner@nrc.gov Recipients:
"Helton, Shana" <Shana.Helton@nrc.gov>
Tracking Status: None "Lorson, Raymond" <Raymond.Lorson@nrc.gov>
Tracking Status: None "Holian, Brian" <Brian.Holian@nrc.gov>
Tracking Status: None "Miller, Chris" <Chris.Miller@nrc.gov>
Tracking Status: None "King, Michael" <Michael.King2@nrc.gov>
Tracking Status: None "Thomas, Brian" <Brian.Thomas@nrc.gov>
Tracking Status: None "Caldwell, Robert" <Robert.Caldwell@nrc.gov>
Tracking Status: None "Wilkins, Lynnea" <Lynnea.Wilkins@nrc.gov>
Tracking Status: None "Govan, Tekia" <Tekia.Govan@nrc.gov>
Tracking Status: None "Waters, Michael" <Michael.Waters@nrc.gov>
Tracking Status: None "Chernoff, Harold" <Harold.Chernoff@nrc.gov>
Tracking Status: None Post Office: unknown Files Size Date & Time MESSAGE 2672 2/23/2018 9:59:39 PM image001.jpg 15383 Copy of Copy of Industry Comments on Draft RIS 2017-XX 15-2018 Color.xlsx 40849 Draft RIS 2002-22 Supplement WORD Version - Line Numbers Added.pdf 123911 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:
Recipients Received:
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN
GENERAL COMMENT
- Within the RIS attachment, there are excessive Suggest removal of most (if not all) the NEI 01-01 quotes within the RIS Providing the NEI 01-01 quotes simply increase the document length quotes from and references to NEI 01-01 that add little value to the attachment. Reference to the appropriate NEI 01-01 section and adds little value to the design engineer implementing the guidance.
document. could/should still be provided. There is no reason to quote from It is clear from lines 43 and 44 that the RIS remains in effect, so publicly available documents or paraphrase BTP 7-19 in this document. engineers should not be using the RIS in isolation.
1 NA Provide references to the document and section, if you must, but do not quote or paraphrase. The quotes and paraphrases are appropriate and correct only until the referenced document is updated, at which point, the quotes and paraphrases merely add confusion.
GENERAL COMMENT
- The RIS should stick to providing guidance that Remove technical guidance (primarily Section 5). Licensees know how to design - they have very detailed and describes what is required in a qualitative assessment to support a proceduralized guidance along with a quality assurance program. NRC determination of digital equipment reliability. The new RIS should not and licensees have not been aligned on adequate documentation of 1 NA provide design guidance. design considerations. The new RIS is supposed to provide licensees with acceptable methods for documenting qualitative assessments for relaying their design thought process in a way that an inspector can understand pertinent design considerations.
GENERAL COMMENT
- Diversity is one of many ways of creating defense- Please delete all references to diversity and solely reference defense-in-in-depth. Especially in software, it has not shown to be effective at depth.
elimination of SCCF. Rather, the few studies that have been performed 1 NA indicate that diversity merely provides multiple paths to implementing the same erronious requirements and diverse implementations of the same design/implementation mistakes.
GENERAL COMMENT
- Throughout the document, check each occurrence of words with unclear referents (e.g., most uses of "this") to ensure that 1 NA clear, unambiguous intent is communicated clearly, without requiring interpretation.
GENERAL COMMENT
- In some cases, the RIS added guidance beyond Remove information that is not specific to digital.
1 NA that of NEI 96-07, in areas that were not digital-specific. It is recommended that those sections be removed.
GENERAL COMMENT
- The draft RIS quotes from both NEI 96-07, Rev. 1 Remove quotes from external documents, reduce the amount of 50.59 and NEI 01-01. The document should avoid making interpretations of 96- provided, and stick to the original intent which was development of a 07, Rev. 1 since Appendix D to 96-07 is still being drafted and Appendix D qualitative assessment framework.
1 NA was created because some statements in NEI 01-01 appeared to contradict the intent of NEI 96-07. Licensees are trained on the use of NEI 96-07, Rev. 1, so there is no need for the RIS to add additional (and potentially conflicting) information regarding NEI 96-07/NEI 01-01.
GENERAL COMMENT
- The draft RIS appears to require non-safety related SSCs meet the same prescriptive requirements and standards that are 1 NA required for safety related SSCs (such as ISG 4 for digital communications, Appendix B documentation, etc.).
GENERAL COMMENT
- Ensure the use of "malfunction" throughout the Check all usages of "malfuntion" in the RIS to ensure consistent We appreciate the NRC's intent to use "design function" consistent with RIS aligns with the NEI 96-07, Rev. 1 definition in 3.9, "failure of SSCs to meaning. the definition in NEI 96-07, Rev. 1. The use of "malfunction" should also 1 NA perform their intended design functions described in the UFSAR" be consistent.
In Addressees and Background Information holders, and applicants for, Delete "construction permit(s)" throughout.
Part 50 construction permits are included; however, 10 CFR 50.59 does 18 2 of 8 not apply to Part 50 construction permit applicants or holders.
Page 1 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Suggest changing the following statement to the wording provided in the Suggested wording: A licensee that already has a digital RPS/ESFAS should be able to next column: implement minor upgrades (e.g., a component or network switch "This RIS is not directed toward a complete analog to digital upgrade of replacement) under 50.59. As written, even minor changes to the "This RIS is not directed toward digital I&C upgrades and replacements of the reactor protection system (RPS) or engineered safety features RPS/ESFAS would require a LAR to implement.
50 2 of 8 reactor protection and engineered safety features actuation systems actuation system (ESFAS), since application of the guidance in this RIS (ESFAS), since application of the guidance in this RIS Supplement to such Supplement to such changes would likely involve additional changes would likely involve additional considerations." considerations."
The statement below: Suggest deleting this entire statement as it adds no value and may create confusion.
"This RIS Supplement is also not intended to provide new design process guidance for addressing software common cause failure (software CCF)."
54 3 of 8 Appears to contradict a statement on Line 381 of the RIS which states "In particular, this qualitative assessment provides a means of addressing software CCF."
The statement: Augment the discussion with references to the documents. Alternative, since this guidance does appear in the technical portion of the RIS, "Specific guidance for addressing potential common cause failure of delete this statement.
digital I&C equipment when making design changes to structures, systems, and components (SSCs) is contained in other NRC guidance 57 3 of 8 documents and NRC-endorsed industry guidance documents."
Appears to be pointing to BTP 7-19. What other NRC guidance documents or NRC industry-endorsed guidance documents address CCF?
Sentence beginning on line 93 "This RIS Supplement clarifies the RIS 2002- Recommnd striking this statement as is already contained in the Intent 22 endorsement..." and the remainder of the paragraph following should section.
93 3 of 8 not be in the Background section of the RIS. This is not background information but instead is a statement of the intent of the Draft RIS.
Sentence starting at line 122 "Making available the guidance in this RIS Delete from this sentece to the end of the paragraph.
Supplement..." and the rest of the paragraph apear to be restatements of the Digital Action Plan. If so, this information doesn't belong in the 122 4 of 8 background section since the details of the IAP are subject to revision every 6 months and the statements are extraneous.
Applicability to non-power reactors should not be in the background Move the identified section to the Summary of Issue section.
140 4 of 8 section. Would seem to be better located in the Summary of Issue section that follows.
Adverse - This implies that use of software is adverse in the context of Please remove this or clarify the intent as it relates to this RIS.
180 5 of 8 50.59.
Page 2 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN The following statement is problematic: Suggest deleting this entire statement unless there is specific evidence What is the basis for this statement? Is there conclusive evidence that to support the claim that digital equipment fails more than their analog digital equipment fails more than their analog counterparts?
"In general, digital I&C modifications may include a potential for an counterparts. In practice, introduction of digital equipment actually increase in the likelihood of equipment failures occurring within modified tends to decrease the likelihood of failure due to such things as SSCs, including common cause failures, that can lead to the failure to elimination of single points of vulnerability and self diagnostics.
183 5 of 8 perform a design function. In particular, digital I&C modifications that introduce or modify identical software within independent trains, divisions, or channels within a system, and those that introduce new shared resources, hardware, or software among multiple non-safety related control functions (e.g., controllers, communication networks or video display units), may include such a potential. "
The inclusion of these non-safety control function attributes (shared Please remove the reference to non-safety related systems, or re-resources, etc.) is an expansion of the scope of the original RIS, which perform the backfit analysis for this RIS supplement.
188 5 of 8 cited the ESFAS and RPS systems as those with concerns regarding complexity (Reference previous version of RIS, Section 3.1).
Paraphase of the regulation is incomplete and misses the key aspect of The use of appropriately-prepared qualitative assessments is also one sufficiently low likelihood. acceptable way to document the evaluation of whether a design change can result in create a possibility for accidents of a different type 192 5 of 8 or create the possibility for malfunction s of SSCs with different results than previously evaluated in the final safety analysis report (as updated).
Paraphrase of NEI 01-01 moves the emphasis from reliability to likelihood Replace: NEI 01-01 describes that for 10 CFR 50.59 evaluations, the of software failure. Instead, use the direct quote from section 5.3.1. likelihood of failure is normally demonstrated qualitatively (i.e.,
through reference to reasonable engineering practices and engineering judgment), particularly for systems or components that rely on software, because there are no well-established, accepted quantitative 195 5 of 8 methods to demonstrate the likelihood of failure from sources such as software design errors. estimate reliability. Therefore, The answer lies in evaluation of the process used to develop the software, and characteristics of the resulting design. Then delete the first sentence in the paragraph starting on line 201, as it provides too much detail for this introductory section.
These lines in RIS 2002-22 are specifically targeted at licensing process through license amendment requests, not changes implemented under 213 6 of 8 50.59. Therefore it is outside the scope of this RIS and should be removed.
Low - Use of low versus sufficiently low is not consistent in some Use consistent terminology throughout the document. This is a 251 6 of 8 cases. comment that applies to the whole document.
Lines 261 to 265 invoke SRM 93-087, section II.Q. This is incomplete without also including the commission response which modified the staff position regarding common mode failures, emphasizing that they are 261 7 of 8 beyond design basis events. Beyond design basis in that context means the common mode failure need not be considered within the licensing basis. Rather than get into that discussion and debate, suggest lines 261-165 be removed.
ML17296A852 - This document is not available in ADAMS. Please provide the details of the disposition of the public comments.
294 7 of 8 373 1 of 27 Suggest use of supplemental versus supplement.
Page 3 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Item (2) in the paragrpah beginning "This RIS Supplement includes..." Suggest rewriting the paragraph as follows:
should not be within the RIS as this issue is purely generic with no digital-specific application. "This RIS Supplement includes guidance that licensees may use to develop adequate bases for determining that a digital modification will exhibit a sufficiently low likelihood of failure to conclude there is no 384 1 of 27 more than minimial increase in the frequency or likelihood of an accident or malfunction, whether it can create the possibility for accidents of a different type, or create the possibility for malfunctions of SSCs with different results than previously evaluated in the final safety analysis report (as updated)."
The phrase "The determination of whether a modification will exhibit a Change "modification" to "structures, systems, and components" or Modifications do not have a likelihood of failure; the SSCs affected by a sufficiently low likelihood of failure is a key element in 10 CFR 50.59" is "SSCs." Remove repeated instances of this statement within the modification have some likelihood of failure.
389 1 of 27 used in multiple location throughout the document. document.
Further, the statement should end " the 10 CFR 50.59 process."
There are two mechanisms available to answer any of the four questions Insert "Alternatively" in front of licensees. The sentence would then with a "no," that is LAR not required. The first is the likelihood threshold, read: Aternatively, Licensees can evaluate the possible effects which should be the sole focus of this supplement. If the likelihood is not 390 1 of 27 sufficiently low, or if it is more convenient to address consequences of a failure, then and only then the sentence starting with "Licensees need to understand" is relevant. It is an independent question.
Clarify the scope. The sections that follow provides one approach, acceptable to the NRC staff, for describing the scope, form, and content of a qualitative assessment to demonstrate the likelihood of software CCF is 395 1 of 27 sufficiently low to justify (1) no more than minimimal increase in the (a) likelihood of an accident, (b) likelihood of a malfunction, (2) does not create the possibility of (a) a new type of accident, or (b) an accident with a different result. The second half of each question is NOT digital-specific.
Nothing digital specific in lines 398 - 418; therefore, it should not be in Remove content in lines 398-418.
398 1 of 27 the document.
Adverse - Suggest using a different term than "adverse" here. Suggest 412 2 of 27 changing to "negative" to avoid confusion with the definition of "adverse" in licensing space.
This comment pertains to the statement below: This statement is counter to the use of "satisfy" on line 1322 and there A search of "met" and "satisfy" within the new RIS did not reveal any is no other use of "met" or "satisfy" in this context in the RIS. Suggest instances of their use in the context of a "yes" or "affirmative" answer 417 2 of 27 "When discussing 10 CFR 50.59 criteria, the words met or satisfy deleting this phrase as it adds no value and may create confusion. to a 50.59 Evaluation question.
mean that a yes or affirmative answer has been achieved and an amendment is required."
First sentence of Section 2.1 states "Qualitative assessments are Suggest changing to "Qualitative assessments can be used to justify a 422 2 of 27 needed" Other parts of the RIS states qualitative assessment may be conclusion" used.
This comment pertains to the statement below: Suggest deleting this sentence as it is not relevant to the discussion.
More relevant in the background section of the document.
"The staff notes that when performing digital modifications under 10 CFR 428 2 of 27 50.59, some licensees have experienced challenges in preparing qualitative assessments needed to support conclusions for responding to the criteria in 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi)."
Section 2.1, third paragraph - the second sentence is redundant to the Delete second sentence.
434 2 of 27 first sentence.
Page 4 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Suggest changing the statement below to that proposed in the next Proposed wording: It is unclear what "modified digital components" is referring to.
column:
435 2 of 27 "(e.g., based on the dependability of the digital component(s) to be
"(e.g., based on the dependability of the modified digital components)" installed)"
Suggest deleting Footnote 3 as it pulls in D3 which will ultimately create 441 2 of 27 confusion.
Cumbersome sentence structure: "The qualitative assessment reaches a Suggest revising to "The qualitative assessment justifies that the digital conclusion through engineering judgment that there is an adequate basis modification will exhibit a sufficiently low likelihood of failure by 442 2 of 27 for concluding that the digital modification will exhibit a sufficiently low considering the aggregate of these factors."
likelihood of failure by considering the aggregate of these factors."
The following statement is problematic: Suggest deleting this statement as it is irrelevant to the discussion and In practice, the introduction of digital equipment has proven to is not an accurate statement. The potential for SCCF is not directly decrease the likelihood of failure due to such things as elimination of "For digital modifications, particularly those that introduce software, proportional to the potential increase in likelihood of failure, as not all single points of vulnerability and self diagnostics.
450 2 of 27 there may be the potential increase in likelihood of failure, including a failures are common cause.
single failure. For redundant SSCs, this potential increase in the likelihood of failure creates a similar increase in the likelihood of a common cause failure."
Suggest removing reference to "Single Failure", or providing technical 451 2 of 27 basis explaining how the introduction of software is related to an increase in single failure.
The sentence starting "The threshold for determining" is difficult to Suggest replacing the sentence with "The threshold for determining interpret. whether an event is credible or not credible is if the event is as likely 492 3 of 27 as (i.e., not much lower than) malfunctions already assumed in the UFSAR.
Suggest deleting the following statement: Suggest deleting this statement as it is irrelevant to the discussion and may cause confusion. In addition, the term is not used anywhere else
"[Note: This sufficiently low threshold is not interchangeable with that in the document.
490 3 of 27 for distinguishing between events that are credible or not credible.
The threshold for determining whether an event is credible or not is whether it is as likely as (i.e., not much lower than) malfunctions already assumed in the UFSAR.]"
This comment pertains to the statement below: Suggest deleting this parenthetical statement. The point being made is straightforward - an example is not needed to clarify the statement.
506 3 of 27 "...(e.g., an increase in the likelihood of a steam generator tube failure has a corresponding increase in the frequency of a steam generator tube rupture accident)"
Replace "Thus, an increase in likelihood of failure of the modified Modest increases in the likelihood of failure are normally offset by equipment" with "Thus any non-trivial increase in the likelihood of increased reliability as well as fault and failure detection. That idea 508 3 of 27 failure for the modified equipment" should be expressed in this document, by including the positive along with dwelling on the negative.
This comment pertains to the statement below: Suggest deleting this parenthetical statement. The point being made is straightforward - an example is not needed to clarify the statement.
"...(e.g., an increase in the likelihood of failure of an auxiliary feedwater 523 4 of 27 (AFW) pump has a corresponding increase in the likelihood of occurrence of a malfunction of SSCs - the AFW pump and AFW system)"
Not all equipment in a system that performs a design function has an This should be clarified here, and in other sections of the document equal contribution to the likelihood of malfunction of that design that use this discussion.
527 4 of 27 function. It may be directly related, but may not directly increase the likelihood.
568 5 of 27 Delete section 2.2. None of this discussion is digital specific.
Page 5 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN The "Additional Considerations" will be interpretted as "new As stated in the comment above, consider deleting this section as the 568 5 of 27 requirements" by licensees. discussion is not digital specific.
System level - There has been considerable discussion with the staff Delete this bullet. Although this quoted excerpt is accurate, it is clear from NEI 96-07 about the evaluation of malfunctions at a much higher level than the Appendix D meetings that there is not alignment on its meaning.
603 5 of 27 "system level". Including it in the RIS does not add clarity and appears to pre-judge the outcome of Appendix D discussions.
These bullets are included in Step 3: Determine malfunction results, but Delete these bullets.
are quoting guidance about comparison of results and, if NRC wants to 606 5 of 27 retain them, they are more suitable for inclusion in Step 5.
Suggest a definition, or discussion on what bounded means, in the 649 6 of 27 context of this document.
The "LAR is required" is too strong. Suggest " not bounded by the previously evaluated results and the design cannot be changed to 649 6 of 27 eliminate the new malfunction, then a LAR is required."
The wording in Section 3 implies that an all-inclusive list of technical design characteristics and plant modifications, provided by NRC staff, that cannot be implemented under 50.59. For example, the last sentence of the first paragraph (Page 7 of 27) states, The NRC staff has determined that proposed digital I&C modifications having all
[underlined for emphasis] the characteristics listed below are likely to require a Licensing Amendment. This position is reinforced in the last sentence of the last paragraph in this section (page 8 of 27) which states 662 7 of 27 "Proposed modifications beyond these types would likely require a license amendment." This statement is basically stating any changes that include these NRC-specified characteristics or modification scope will require a LAR to implement. This would seem to contradict the 50.59 regulation that allows the licensee to evaluate any change under 50.59 and determine if a LAR is required. As currently written, this section would seem to have crossed over into the rulemaking arena.
The use of the phrase .. "all the characteristics" is too restrictive, and Please delete the word all to clarify the applicability of the below 669 7 of 27 implies that these are all "required". criteria as "desired" versus "required".
Consider rewriting the list of modification characteristics that are not Suggested changes to the list of characteristics will be provided. The list of characteristics provided in the RIS will cause confusion and likely to result in a LAR. needs to be greatly simplified - otherwise, the list is likely to be widely 676 7 of 27 misinterpreted across the industry. A proposed simplified list will be provided.
CCF vulnerability is not an issue if, when created, is either bounded by Suggest rewording. This also applies to (b). The only relevant aspect of (a) and (b) is the impact on the design existing analyses or has no safety impact. function. This is not a digital-specific issue. All that is necessary is that 678 7 of 27 the assessment of the impact on the design functions should consider combination and integration of functions.
Item 1.b would indicate that a LAR would be required for implementation Suggest deleting or rewording item 1.b. NRC staff has indicated in previous meetings that their intent is not to of a non-safety related distributed control system (DCS). A number of require a LAR for non-safety DCS upgrades. However, as currently 682 7 of 27 licensees have implemented these types of projects under 50.59 using written, licensees will likely not implement a number of non-safety existing guidance. related DCS projects as this guidance would seem to indicate a LAR would be required.
Remove the "implicitly described" from this section. By definition, design functions are UFSAR described, i.e., they are not 684 7 of 27 implied.
Page 6 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Characteristics of a design that happens to include independence as a Please revise this section to indicate that it only applies if the 685 7 of 27 good design practice doesn't mean that it is a required feature of the independence was required by regulation or commitment.
design to meet regulatory requirements.
Based on this text, consider the case where the non-safety related BOP Rewrite the paragraph to state clearly what requires consideration of DCS controllers talk to the MCR HSIs on a common network. Further, no SCCF, or provide technical basis to demonstrate that the example to data is shared between the controllers. The way this reads, would a the left is vulnerable to a credible CCF.
694 7 of 27 licensee have to consider a SCCF vulnerability in this case? This appears to rule out the potential for using a DCS with segmented controllers, or using multiple, cooperating, data-sharing controllers to run a complex system. That cannot be the intent.
Implicit - Same comment as previous, with respect to the implicit 699 7 of 27 requirements or assumptions, it is too vague, suggest removing it.
Section 3, Item 2 states, in part, "CCF vulnerability due to a reduction in 704 7 of 27 any aspect of independence" The term "any" is too vague. Suggest deleting "of any aspect" from the sentence.
Please expand on the "credited" in the UFSAR, to mean that it is "credited" in Safety Analyses. Descriptive information in the UFSAR 705 7 of 27 about system design features does not mean that these are "credited".
Section 3, Item 3 - Current interpretation of these words is that the 708 7 of 27 criteria here cannot be satisfied.
The industry has previously commented on the use of the term "100%" These should be noted as examples of, but not the only examples of, Further, these are not necessarily useful, implementable examples, as 709 7 of 27 testing, and the terms "simple" or "simplicity". design attributes that can be used in conjunction with other things, demonstrated in several Westinghouse 7300 replacement discussions.
such as quality and Operating Experience.
Please provide an explanation of the source and the intended application of the term "adequate internal or external systematic diversity".
712 8 of 27 Diversity is just another design attribute that can be used in conjunction with other measures described in the RIS.
This comment pertains to the statement below: Suggest deleting this statement as it will severely limit the digital Further, this extension does not fit within policy as stated in SECY upgrades that can be implemented using this RIS. For example, if 087.
"(2) the proposed modification is not an extension of an ESF actuation, sequencers cannot be upgraded, then emergency diesel generators 719 8 of 27 such as emergency power bus load sequencers" cannot be upgraded. Also, an inspector could easily reason that an associated chiller system would be out of scope for this RIS if it provides cooling to elements of the RPS or ESFAS.
The notion of an extension of ESF actuation functions is not discussed The scope of protection systems (RPS and ESFAS) should be limited to in the I&C regulatory framework. Please remove this requirement. Also, the IEEE-279 scope, or later versions of the IEEE standards as described 720 8 of 27 EDG load sequencers are typically addressed in Chapter 8 (electrical in the plant specific design and licensing bases.
systems), not I&C, as described in SRP Chapter 8.3 and RG 1.9.
If the load sequencers were "100% testable and tested" (or at least close Clarify the statement about new or changed requirements in this 720 8 of 27 enough to completely tested), would this still apply? paragraph to correspond with this example. The example also should consider digital reactor trip breakers.
Item (4) is unnecessarily restrictive for data transfers, even through serial The same issue exists in the text between lines 904-907 (page 13 of 27, communication links. Taking data from RPS or ESF should not be a last sentences in 4.3.1, Design Attributes to Reduce the Likelihood of concern, as there is nothing that a uni-directl data link can do to affect Failure.
722 8 of 27 the performance of the RPS or ESF. However, providing data to RPS or ESF is a concern.
Page 7 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Suggest replacing "This would..." in this sentence with Reactor protection and ESF actuation system upgrades that are within the scope 724 8 of 27 of this RIS would" The suggested clarifies the scope of applicability.
The statement below is problematic: Suggest deleting this statement as it seems to indicate that simple items such as safety related circuit breakers or timing relays would be "This would include possible changes to individual, non-shared channel out of scope for the RIS.
724 8 of 27 inputs to reactor protection systems logic, reactor protection systems power supplies, or output actuators (relays/breakers)."
Suggest removing the comparison between quantitative and qualitative Change the heading of Section 4.1 to "Qualitative Assessment" and 731 8 of 27 assessments. The document is based on qualitative assessments - there is delete information provided on quantitative assessments. No value is no need to provide this comparison. added by discussing quantitative assessment.
Revise design "changes" to design "features." Changes to the design 737 8 of 27 occurred way before a 50.59 is completed. Appropriate design features don't require a change.
Replace "tens of thousands of hours" with "extensive operating 746 8 of 27 experience."
Delete second sentence. It is redundant and a repeat of previous Delete: As stated above, NEI 01-01 describes that for 10 CFR 50.59 information. It adds length without adding value. evaluations, the likelihood of failure is normally demonstrated qualitatively (i.e., through reference to reasonable engineering 750 8 of 27 practices and engineering judgment) particularly for systems or components that rely on software, because there are no well-established, accepted quantitative methods to demonstrate the likelihood of failure from software design errors.
Not sure why it is necessary in this RIS to identify attributes associated Delete this paragraph and the associated bulleted list in its entirety. The RIS should only provide guidance on development and with engineering judgement. This is part of the licensees design The paragraph and the list add no value to the issue of CCF and 10 CFR documentation of an adequate qualitative assessment. The new RIS 755 8 of 27 process, along with many other items. 50.59 screening and evaluation. does not need to (and should not) provide design guidance as licensees already have procedures and processes in place that govern how to design.
Delete the bulleted item: "The evaluation process follows the applicable Most licensees do not (and likely will not) have procedures for As a general note on this subject, it would be best to delete all the corporate engineering or plant engineering procedures for performing developing these qualitative assessments (most likely do not have bulleted items in this section as most of these items are quality issues such engineering evaluations or calculations." procedures for implementing the guidance in NEI 01-01). This bullet and are covered under the licensee's QA program.
760 8 of 27 would appear to indicate that licensees will need to develop such procedural guidance. With this bulleted item, an inspector may asked to see the licensees procedure for development of a qualitative assessment.
777 9 of 27 Section 4.2 is redundant and provides no added value. Delete section 4.2.
Suggest revising the following statement as follows: By following EPRI TR-106439, the commercial grade dedication process should provide adequate documentation on the development process.
"Although in many cases this development process would be 853 10 of 27 documented and available for referencing in the qualitative assessment for proposed modifications to safety-related equipment, for commercial-grade-dedicated or non-safety related equipment it may not be readily available. "
Table 1 - Sufficiently simple - Not sure what the likelihood of occurrence Please clarify. Is this intended to be something more like " likelihood of occurrence 883 11 of 27 of input/output states not tested means, or what the intent is. of untested input, output, and state combinations."
There were a number of comments on Table 1 - a suggested revision to A revised Table 1 will be provided by industry.
883 11 of 27 Table 1 will be provided.
Page 8 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Table 1, Quality of the Design Proces, fifth bullet: The examples in EPRI 883 11 of 27 TR-107339 should not be quoted. EPRI TR-107339 is not endorsed guidance.
Table 1, under Operating Experience - Not sure what the basis is for the Suggest removing this sentence from Table 1. If this is in reference to cyber security concerns for installation of statement regarding delay for software revisions. Implementing patches, this is an inappropriate vehicle to convey that concern. This 885 13 of 27 software patches or upgrades may be required, and these would not has very little to do with the 50.59 process.
have sufficient operating experience.
Table 1, Operating Experience, next to last bullet: Delaying version upgrades is a good way to introduce cyber security vulnerabilities, which 885 13 of 27 is not necessarily something that should be considered in 50.59 evaluations, or at least is not something required by regulatory guidance.
Table 1, Operating Experience - The draft RIS places unreasonable 885 13 of 27 requirements on operating experience such that it conformance to these items becomes unachievable.
Suggest deleting the words "deterministic" and "deterministically" Use of these terms will likely cause confusion and their use adds no 891 13 of 27 throughout the document. value.
The following statement is very problematic for industry because it Suggest changing this sentence to: It is possible to couple two systems over a common network backbone, would seem to indicate that similar digital devices installed in non- with appropriate protections for denial-of-service attacks and similar associated and completely unrelated SSCs need to be evaluated: "If these individual SSCs are combined within the same digital device or cyber security issues, and not introduce CCF concerns at the application 904 13 of 27 are coupled to each other (e.g., using data provided from one system level.
"If these individual SSCs are combined with (e.g., controlled by a common to another over digital communication), then the potential for digital component, employ the same software in separate digital malfunctions with a different result or accidents of a different type devices)..." would be reviewed under 10 CFR 50.59."
Clarification of the term digital communication is needed. This is due to the widespread use of plant computers where many plant systems 906 13 of 27 provide data input to. It should be clear that digital communications is some level of 2-way communication or data exchange.
Diversity is another design attribute and should be treated as such. BTP A lengthy discussion on Diversity, or D3 is really not required in the RIS.
909 13 of 27 7-19 and the SECY/SRM 93-087 apply to RPS and ESFAS, which are essentially out of the scope of this RIS.
Section 4.3.1.1 on diversity is inappropriate in this document, since this Diversity in the non-safety related systems is also a means of making 909 13 of 27 RIS does not apply to RPS and ESF, and D3 is only required by policy for maintenance a nightmare in an operating NPP.
The paragraph on Diversity and Common Cause Failure is confusing and Suggest changing this paragraph to:
may lead some licensees into believing that D3 is a requirement for digital upgrades regardless of licensing basis or safety classification. "Some safety related SSCs are subject to regulatory requirements and/or design criteria to which the licensee is committed regarding the use of diversity in the design. In these cases, the qualitative assessment should describe how the use of digital equipment does not 911 13 of 27 affect diversity requirements of the affected SSC(s). In all other cases, the licensees need not consider the use of diversity in evaluating a proposed modification under 10 CFR 50.59. However, incorporating diversity within the design is a powerful means which may significantly reduce the likelihood of malfunctions affecting the accomplishment of design functions."
Page 9 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN The paragraph on Digital Communications provides guidance that a Suggest changing this paragraph to:
licensee may interpret as required for non-safety related equipment.
Suggest deleting reference to ISG-04. "Digital communications can reduce SSC independence credited or 930 14 of 27 assumed in the UFSAR. Reduction in independence may create the possibility of a new failure that could result in concurrent failures not considered in the UFSAR. Careful consideration is needed to preclude adverse effects on safety and non-safety related SSC independence."
The scope of ISG-04 is for the communication between safety related and Please consider these comments and update the RIS accordingly.
non-safety related systems. It uses IEEE-603 as the basis for many of the positions. Most plants are not licensed to IEEE-603. The ISG also has 932 14 of 27 different requirements for what is an acceptable way of demonstrating 100% testing, than what is contained in this RIS.
Suggest replacing the first paragraph of Section 4.3.1.3 with the Avoid the use of "defense-in-depth" and "echelons" as these terms are following: widely misinterpreted.
"Combining design functions of different safety-related or non-safety 943 14 of 27 related SSCs in a manner not previously evaluated or described in the UFSAR could introduce new interdependencies and interactions that make it more difficult to account for new potential failure modes that can lead to accidents of a different type or malfunctions with a different result "
Suggest replacing the second paragraph of Section 4.3.1.3 with the New failure modes can be created, however, the new failure modes following cannot lead to an accident of a different type or malfunction with a different result.
"Combining previously separate component functions can result in more dependable system performance due to the tightly coupled nature of the Removed "generally" from "generally acceptable" within this paragraph components and a reduction in complexity. If such a combination does as the term "generally acceptable" will cause issues.
not create an accident of a different type or malfunction with a different 950 14 of 27 result, it is acceptable. In all cases in which a licensee proposes to combine previously separate design functions within a safety-related or non-safety related SSC, the qualitative assessment needs to weigh the risks against the benefits of combining the previously separately controlled functions. Where applicable, failure modes and effects analyses and control system segmentation analyses can be performed for the proposed modification."
Section 4.3.2 seems to imply that industry standards, such IEEE 7-4.3.2, Suggest revising this section to make it clear that, for non-safety are required for non-safety related equipment. In most cases, non-safety related equipment, compliance with industry standards is not required 960 14 of 27 equipment will not have fully complied with industry standards. to make a determination of adequate quality.
Suggest changing the Section 5 heading from "Engineering Evaluations 1015 15 of 27 Supporting Qualitative Assessments" to "Documentation of Qualitative Assessment".
The following statement is problematic for industry: Suggest deleting the entire paragraph. This statement would seem to imply that use of the same digital device in completely unrelated and perhaps isolated SSCs need to be
"...new sources of common cause failure could be introduced as part of evaluated. For example, with the guidance as currently written, if a 1028 16 of 27 the digital I&C design, such as through the introduction of identical licensee desired to install digital valve controllers on a given SSC, the software into redundant channels; through the use of shared resources; design engineer would have to identify every other instance of where or common hardware and software among systems performing different that same DVC is used and then provide an analysis of the potential for design functions." simultaneous failure of the DVCs in completely separate and isolated systems.
Page 10 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Hardware - there is no requirement to evaluate common hardware as a Safety related I&C hardware undergoes equipment qualification, which source of common cause failure if the hardware is safety related. For environmental stressors from SCCF consideration. Anything else (e.g.,
1031 16 of 27 non-safety systems, this is not a requirement. the "purple plague" of the 1960s and other similar design errors in the integrated circuit) should not be invoked.
1037 16 of 27 Delete reference to NEI 01-01 Section 3.2.2 and associated quote.
Suggest deletion of the entire paragraph that starts with "Such key This section should simply describe the contents of a qualitative 1054 16 of 27 evaluation activities" analysis. The additional "guidance" only creates confusion.
Suggest deletion of "Design Process Considerations" and associated Licensees know how to design - they have very detailed and paragraphs as this section provides design guidance which is not the proceduralized guidance along with a quality assurance program. NRC scope of the RIS. The RIS should only provide a qualitative assessment and licensees have not been aligned on adequate documentation of 1065 16 of 27 framework. design considerations. The new RIS is supposed to provide licensees with acceptable methods for documenting qualitative assessments for relaying their design thought process in a way that an inspector can understand pertinent design considerations.
Suggest deletion of "5.2 Key Engineering Evaluation" and all associated Licensees know how to design - they have very detailed and paragraphs as this section provides design guidance which is not the proceduralized guidance along with a quality assurance program. NRC scope of the RIS. The RIS should only provide a qualitative assessment and licensees have not been aligned on adequate documentation of 1102 17 of 27 framework. design considerations. The new RIS is supposed to provide licensees with acceptable methods for documenting qualitative assessments for relaying their design thought process in a way that an inspector can understand pertinent design considerations.
Design attributes cannot "prevent" the occurrence of a possible software Please reword the sentence to something more like "reduce the 1116 17 of 27 CCF. potential to an acceptable level" which is achievable.
Suggest deletion of Section 5.2.1, Failure Analysis and all associated Licensees know how to design - they have very detailed and paragraphs as this section provides design guidance which is not the proceduralized guidance along with a quality assurance program. NRC scope of the RIS. The RIS should only provide a qualitative assessment and licensees have not been aligned on adequate documentation of 1120 17 of 27 framework. design considerations. The new RIS is supposed to provide licensees with acceptable methods for documenting qualitative assessments for relaying their design thought process in a way that an inspector can understand pertinent design considerations.
It is not clear what the connection is between software CCF and Suggest deleting such that the resulting design could reduce 1129 18 of 27 reduction in redundancy, diversity, separation, or independence. redundancy, diversity, separation, or independence from this sentence.
Use of low risk here is not clear. Perhaps should be low likelihood."
1137 18 of 27 This whole paragraph duplicates information already provided and Delete the paragraph.
1177 19 of 27 should be deleted. The last sentence is particularly confusing, as SCCF is really not an issue unless there is a common trigger.
This section seems to imply that non-safety systems that are assumed to If the staff has identified such requirements, please refer to them in The safety analysis typically does not credit any non-safety related remain functional (or operational) are required to meet the single failure this section. systems as non-safety related SSCs are assumed to fail. In some cases, if 1178 19 of 27 criteria, and/or are required to be designed against common cause continued operation of the non-safety SSC would result in making the failure. There is no regulatory requirement for non-safety related event worse, then the non-safety SSC may be used in the analysis.
systems in this regard.
Page 11 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN This section implies that common hardware used in control systems is a potential source of common cause failure. This seems to contradict other statements in this RIS and NEI 01-01 that discuss defects and 1186 19 of 27 failures in software, not hardware. For safety systems, hardware qualification is managed by the various Appendix B design processes. For non-safety systems, there is no requirement to assess potential vulnerabilities with respect to common hardware.
Based on studies (e.g., Leveson and Knight), diversity does not necessarily resolve significant issues, as diversity usually results in N 1199 19 of 27 versions all exactly incorporating the faulty requirements. Building N versions of bad requirements is a simple way to incorporate SCCF into the system.
Suggest deletion of Section 5.2.2, Dependability Evaluation and all Licensees know how to design - they have very detailed and associated paragraphs as this section provides design guidance which is proceduralized guidance along with a quality assurance program. NRC not the scope of the RIS. The RIS should only provide a qualitative and licensees have not been aligned on adequate documentation of 1203 19 of 27 assessment framework. design considerations. The new RIS is supposed to provide licensees with acceptable methods for documenting qualitative assessments for relaying their design thought process in a way that an inspector can understand pertinent design considerations.
1224 20 of 27 It is not clear what is meant by sufficiently dependable. Please provide a source and definition for this term.
Suggest revise to required design function(s) from required 1227 20 of 27 functions.
The basis for the sentence beginning with "Although not stated in NEI 01-01..." is not clear and would appear to be based on staff's belief that judgements are not alone sufficient. Please clarify what the technical 1235 20 of 27 basis for this is. There are numerous uses of the term judgement throughout the document, and there does not appear to be a consistent view of what judgement is acceptable or not. NEI 01-01 did address this.
The use of the term risk significant needs to be clarified here and in other places in the document. The context appears to be implying safety significant. If that is the case, then the document should tie 1244 20 of 27 together this concept by equating risk significant to important to safety in technical space. This would better align with the use of design functions in 50.59 space.
Complexity of an I&C design is only an important consideration if it 1244 20 of 27 directly relates to the performance of a design function. This should be made clear here.
This paraphrase of NEI 01-01 does not add value to the document, and Either provide guidance on applying this requirement, or delete the 1248 20 of 27 the last sentence provides no implementation guidance. whole paragraph. As is, the paragraph provides no useable guidance for completing a qualitative assessment.
The section on D3 is really not required as the RPS and ESFAS systems Delete Section 5.2.3, Defense-in-Depth Analysis, and all associated have been essentially excluded from the scope of the RIS. It should not paragraphs.
1251 20 of 27 be applied to non-safety systems as the design requirements and acceptance criteria is different.
Page 12 of 13
INDUSTRY COMMENTS ON JANUARY 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 LINE NO. PAGE NO. INDUSTRY COMMENT RECOMMENDED CHANGE ADDITIONAL COMMENTS ACTION TAKEN Suggest deletion of Section 5.2.3, Defense-in-Depth Analyses as this Licensees know how to design - they have very detailed and section provides design guidance which is not the scope of the RIS. The proceduralized guidance along with a quality assurance program. NRC RIS should only provide a qualitative assessment framework. and licensees have not been aligned on adequate documentation of 1251 20 of 27 design considerations. The new RIS is supposed to provide licensees with acceptable methods for documenting qualitative assessments for relaying their design thought process in a way that an inspector can understand pertinent design considerations.
The word "potential" does not provide a reasonable boundary for this Suggest removing "potential" and simply state "If a new common evaluation. "Credible potential" comes closer, as this eliminates the very cause failure vulnerability has been introduced "
1262 20 of 27 limited potential for a meteorite providing a CCF of the RTS.
The goal is to provide acceptable defense-in-depth (not diversity) when If "diversity and defense-in-depth" is to be retained, the order of the 1271 21 of 27 required. Diversity is, of itself, not a design goal. Diversity is only a phrase should be replaced with "defense-in-depth and diversity" potential means of providing adequate defense-in-depth. throughout the document.
Suggest deletion of Section 5.3, Appropriate Resolution to Identified This section is simply stating the obvious.
1316 22 of 27 Failures and all associated paragraphs.
It is not clear why, if backup capability is installed as part of the same Please provide additional clarification why installing new backup 1377 23 of 27 modification, NRC approval would be required. capability along with the proposed modification would require prior NRC approval.
Suggest deletion of Section 5.4, Documentation of Engineering This supplemental guidance is supposed to provide a method of Evaluations. developing a qualitative assessment for use in determining failure likelihood. The terms "qualitative assessment" and "engineering 1379 24 of 27 evaluations" may get confusing. Most would consider a qualitative assessment as being a form of engineering evaluation.
The section on "Engineering Evaluations and Documentation for Non- Suggested wording: With the proposed statement, it will be clear to a licensee that if a Safety Related SSCs" should be revised to that provided in the next digital change screens-out (not adverse), a qualitative assessment is not column. The wording in this section states the obvious - that an adequate "Documentation for non-safety related modifications should be required.
1398 24 of 27 engineering evaluation (qualitative assessment) will help ensure consistent with the licensees procedures. Licensees need not prepare undesirable events don't happen. formal qualitative assessments for proposed digital modification to non-safety related SSCs where the nature of the proposed modification does not have the potential to adversely impact a UFSAR-described design function."
Suggest combining the first and second bullets in this section to simplify that the end goal is to keep the plant from being in an unanalyzed 1409 24 of 27 condition. It may be acceptable to combine design functions so long as plant safety is not impacted.
Table 2 - Step 1, last bullet - The applicability of plant operating modes to the information that is in the UFSAR about the design functions may 1422 24 of 27 need to be clarified. It is unclear what the intent of this mode transition consideration is.
1422 24 of 27 There are a number of comments associated with Table 2. A proposed revision to Table 2 will be provided by industry.
Section 6 - Qualitative Assessment Documentation. Suggest deleting Suggested wording:
existing contents and add proposed wording provided in the next column. "Qualitative assessments should be written such that a knowledgeable reviewer will reach the same conclusion. Details of the considerations 1428 27 of 27 made and their separate and aggregate effect need to be included or clearly referenced in the 10 CFR 50.59 documentation. Qualitative assessments should be retrievable and either referenced within the 10 CFR 50.59 document or provided as an attachment."
Page 13 of 13
The following document is a preliminary draft being made publically available to support a Category 3 public meeting on January 26, 2018. NRC staff review of this draft document has not been completed.
NRC DRAFT REGULATORY ISSUE
SUMMARY
2002-22, SUPPLEMENT 1 CLARIFICATION ON ENDORSEMENT OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN DESIGNING DIGITAL UPGRADES IN INSTRUMENTATION AND CONTROL SYSTEMS
RIS 2002-22 Supplement 1 Page 2 of 8 1
2 3 UNITED STATES 4 NUCLEAR REGULATORY COMMISSION 5 OFFICE OF NUCLEAR REACTOR REGULATION 6 OFFICE OF NEW REACTORS 7 WASHINGTON, D.C. 20555-0001 8
9 January XX, 2018 10 11 NRC REGULATORY ISSUE
SUMMARY
2002-22, SUPPLEMENT 1 12 CLARIFICATION ON ENDORSEMENT OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN 13 DESIGNING DIGITAL UPGRADES IN INSTRUMENTATION AND CONTROL SYSTEMS 14 15 16 ADDRESSEES 17 18 All holders and applicants for power reactor operating licenses or construction permits under 19 Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of 20 Production and Utilization Facilities.
21 22 All holders of and applicants for a combined license, standard design approval, or 23 manufacturing license under 10 CFR Part 52, Licenses, Certifications, and Approvals for 24 Nuclear Power Plants. All applicants for a standard design certification, including such 25 applicants after initial issuance of a design certification rule.
26 27 All holders of, and applicants for, a construction permit or an operating license for non-power 28 production or utilization facilities under 10 CFR Part 50, including all existing non-power reactors 29 and proposed facilities for the production of medical radioisotopes, such as molybdenum-99, 30 except those that have permanently ceased operations and have returned all of their fuel to the 31 U.S. Department of Energy.
32 33 INTENT 34 35 The U.S. Nuclear Regulatory Commission (NRC) is issuing a supplement to Regulatory Issue 36 Summary (RIS) 2002-22, dated November 25, 2002 (Agencywide Documents Access and 37 Management System (ADAMS) Accession No. ML023160044). In RIS 2002-22, the NRC staff 38 endorsed Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A 39 Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule, (Nuclear Energy 40 Institute (NEI) hereinafter NEI 01-01) (ADAMS Accession No. ML020860169). NEI 01-01 41 provides guidance for designing, licensing, and implementing digital upgrades and 42 replacements to instrumentation and control (I&C) systems (hereinafter digital I&C) in a 43 consistent and comprehensive manner. The purpose of this RIS Supplement is to clarify RIS 44 2002-22, which remains in effect. The NRC continues to endorse NEI 01-01 as stated in RIS 45 2002-22, as clarified by this RIS Supplement. This RIS Supplement clarifies the guidance for 46 preparing and documenting qualitative assessments that licensees can use to develop written 47 evaluations to address the criteria in 10 CFR 50.59, Changes, tests and experiments. This 48 RIS Supplement is intended to reduce regulatory uncertainty for licensees applying the 49 10 CFR 50.59 process and making digital I&C modifications without prior NRC approval. This 50 RIS Supplement is not directed toward digital I&C upgrades and replacements of reactor
RIS 2002-22 Supplement 1 Page 3 of 8 51 52 protection systems and engineered safety features actuation systems (ESFAS), since 53 application of the guidance in this RIS Supplement to such changes would likely involve 54 additional considerations. This RIS Supplement is also not intended to provide new design 55 process guidance for addressing software common cause failure (software CCF) or methods for 56 addressing common cause failure of the reactor protection systems and engineered safety 57 features actuation systems. Specific guidance for addressing potential common cause failure of 58 digital I&C equipment when making design changes to structures, systems, and components 59 (SSCs) is contained in other NRC guidance documents and NRC-endorsed industry guidance 60 documents.
61 62 This RIS Supplement requires no action or written response on the part of an addressee.
63 64 BACKGROUND INFORMATION 65 66 By letter dated March 15, 2002, NEI submitted EPRI TR-102348, Revision 1 (NEI 01-01) for 67 NRC staff review. NEI 01-01 replaced the original version of EPRI TR-102348, dated 68 December 1993, which the NRC endorsed in Generic Letter 1995-02, Use of NUMARC/EPRI 69 Report TR-102348, Guideline on Licensing Digital Upgrades, in Determining the Acceptability 70 of Performing Analog-to-Digital Replacements Under 10 CFR 50.59, dated April 26, 1995 71 (ADAMS Accession No. ML031070081). In 2002, the NRC staff issued RIS 2002-22 to notify 72 addressees that the NRC staff had reviewed NEI 01-01 and was endorsing the report for use as 73 guidance in designing and implementing digital upgrades to nuclear power plant instrumentation 74 and control systems.
75 76 Following the NRC staffs 2002 endorsement of NEI 01-01, holders of construction permits and 77 operating licenses have used this guidance in support of digital design modifications in 78 conjunction with Regulatory Guide 1.187, Guidance for Implementation of 10 CFR 50.59, 79 Changes, Tests, and Experiments, dated November 2000 (ADAMS Accession 80 No. ML003759710), which endorsed NEI 96-07, Guidelines for 10 CFR 50.59 Implementation, 81 Revision 1, dated November 2000 (ADAMS Accession No. ML003771157).
82 83 The regulations in 10 CFR 50.59(d)(1) state: The licensee shall maintain records of changes in 84 the facility, of changes in procedures, and of tests and experiments made pursuant to paragraph 85 (c) of this section. These records must include a written evaluation which provides the bases for 86 the determination that the change, test, or experiment does not require a license amendment 87 pursuant to paragraph (c)(2) of this section.
88 89 The NRC inspections of documentation for digital I&C plant modifications prepared by some 90 licensees using the guidance in NEI 01-01 uncovered inconsistencies in the performance and 91 documentation of engineering evaluations of digital I&C modifications and inadequacies in the 92 documentation of the technical bases supporting responses to the 10 CFR 50.59(c)(2) 93 evaluation criteria. This RIS Supplement clarifies the RIS 2002-22 endorsement of the 94 NEI 01-01 guidance by providing additional guidance for developing and documenting 95 qualitative assessments adequate for use as bases for licensee evaluations addressing the 96 criteria of 10 CFR 50.59(c)(2). In particular, this RIS Supplement clarifies the guidance for 97 documenting licensee determinations that a digital modification will exhibit a sufficiently low"1 98 99 1 NEI 01-01, Page 4-20, defines sufficiently low to mean much lower than the likelihood of failures that are 100 considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not 101 considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors).
RIS 2002-22 Supplement 1 Page 4 of 8 102 103 likelihood of failure. This determination then serves as a technical basis supporting the 104 conclusions that are reached when a licensee evaluates a proposed design against the criteria 105 of 10 CFR 50.59(c)(2) to determine whether prior NRC staff approval is needed before the 106 proposed design can be implemented.
107 108 In response to staff requirements memorandum (SRM)-SECY-16-0070 Integrated Strategy to 109 Modernize the Nuclear Regulatory Commissions Digital Instrumentation and Control Regulatory 110 Infrastructure (ADAMS Accession No. ML16299A157), NRC staff has engaged NEI and 111 industry representatives to improve the guidance for applying 10 CFR 50.59 to digital 112 I&C-related design modifications as part of a broader effort to modernize I&C regulatory 113 infrastructure. The NRC staffs plan for accomplishing this update is outlined in the NRCs 114 Integrated Action Plan to Modernize Digital Instrumentation and Controls Regulatory 115 Infrastructure (ADAMS Accession No. ML17102B307). This plan, which is updated 116 semiannually, provides a comprehensive view of NRC activities associated with improvements 117 to the digital I&C regulatory infrastructure, including a planned schedule for completion of key 118 regulatory infrastructure documents. In Section 5 of the NRC staffs Integrated Action Plan 119 (IAP), the NRC staff outlines how it plans to clarify its previous endorsement of the NEI 01-01 120 guidance by providing additional guidance for developing and documenting acceptable 121 qualitative assessments in support of the performance of 10 CFR 50.59 evaluations of proposed 122 digital I&C modifications. Making available the guidance in this RIS Supplement is described as 123 a near-term action in the IAP to provide specific guidance for documenting qualitative 124 assessments that a proposed digital I&C modification will exhibit a sufficiently low likelihood of 125 failure. The use of appropriately-prepared qualitative assessments is one acceptable way to 126 document the evaluation of whether a design change can result in more than a minimal increase 127 in the frequency of an accident or the likelihood of occurrence of a malfunction of an SSC 128 important to safety previously evaluated in the final safety analysis report. The use of 129 appropriately-prepared qualitative assessments is also one acceptable way to document the 130 evaluation of whether a design change can result in accidents of a different type or malfunctions 131 of SSCs with different results than previously evaluated. The assessment of such malfunctions 132 includes the need to address the potential for common cause failures, (which is within the scope 133 of the IAP), when proposing changes to SSCs that are of lesser importance to safety than that 134 of reactor protection systems and Engineered Safety Features Actuation Systems. The IAP 135 also describes a longer-term plan for incorporating the guidance of this RIS Supplement into 136 durable guidance documents that are now under development. The NRC staff will continue to 137 engage with stakeholders on the development of new guidance to address the identified issues 138 and needs.
139 140 Applicability to Non-Power Reactor Licensees 141 142 The examples and specific discussion in this RIS Supplement and other guidance referenced by 143 this RIS Supplement (i.e., NEI 01-01 and original RIS 2002-22) primarily focus on power 144 reactors. Nonetheless, licensees of non-power production or utilization facilities (NPUFs) may 145 also use the guidance in RIS 2002-22 and apply the guidance in this RIS Supplement to 146 develop written evaluations to address the criteria in 10 CFR 50.59(c)(2). In particular, NPUF 147 licensees may use the guidance to prepare qualitative assessments that consider design 148 attributes, quality measures, and applicable operating experience to evaluate proposed digital 149 I&C changes to their facilities as described in Sections 4, 5, and Appendix A of NEI 01-01.
150 However, certain aspects of the guidance that discuss the relationship of regulatory 151 requirements to 10 CFR 50.59 may not be fully applicable to NPUFs (e.g., 10 CFR Part 50, 152 Appendix A and B are not applicable to NPUFs).
RIS 2002-22 Supplement 1 Page 5 of 8 153 154 155
SUMMARY
OF ISSUE 156 157 Section 3.2.3 of the NRC staffs evaluation of NEI 01-01 (Attachment 1 to RIS 2002-22) states:
158 159 The staffs position regarding documentation of 10 CFR 50.59 evaluations is 160 accurately reflected in the second paragraph in Appendix A to the submittal, 161 which states: The 10 CFR 50.59 questions should be answered in sufficient 162 detail, either by reference to a source document or by direct statements, that an 163 independent third party can verify the judgements. The staff has reviewed 164 Appendix A, Supplemental Questions for Addressing 10 CFR 50.59 Evaluation 165 Criteria, and Appendix B, Outline for Documenting 10 CFR 50.59 Screens and 166 Evaluations, and, based on the foregoing, concludes that the guidance therein is 167 acceptable for licensees to use in performing and documenting their 168 10 CFR 50.59 evaluations.
169 170 This RIS Supplement emphasizes the staffs paragraph above.
171 172 Specifically, this RIS Supplement provides additional guidance on what is needed to ensure that 173 licensees adequately perform and document qualitative assessments used to provide an 174 adequate basis for a determination that a digital modification will exhibit a sufficiently low 175 likelihood of failure, which is a key element in 10 CFR 50.59 evaluations of whether a change 176 requires prior NRC approval. Digital hardware being introduced in a nuclear facility modification 177 is typically expected to be more dependable than the equipment it is replacing. However, there 178 are no established consensus methods for accurately quantifying the reliability of software. NEI 179 96-07 Revision 1, Section 4.2.1 states: If a change has both positive and adverse effects, the 180 change should be screened in. The 10 CFR 50.59 evaluation should focus on the adverse 181 effects.
182 183 In general, digital I&C modifications may include a potential for an increase in the likelihood of 184 equipment failures occurring within modified SSCs, including common cause failures, that can 185 lead to the failure to perform a design function. In particular, digital I&C modifications that 186 introduce or modify identical software within independent trains, divisions, or channels within a 187 system, and those that introduce new shared resources, hardware, or software among multiple 188 non-safety related control functions (e.g., controllers, communication networks or video display 189 units), may include such a potential. The qualitative assessment can be used to support a 190 conclusion that there is not more than a minimal increase in the frequency of occurrence of 191 accidents or in the likelihood of occurrence of malfunctions [10 CFR 50.59(c)(2)(i) and (ii)]. The 192 qualitative assessment can also be used to support a conclusion that the proposed modification 193 does not create the possibility of an accident of a different type or malfunction with a different 194 result than previously evaluated in the UFSAR [10 CFR 50.59(c)(2)(v) and (vi)]. NEI 01-01 195 describes that for 10 CFR 50.59 evaluations, the likelihood of failure is normally demonstrated 196 qualitatively (i.e., through reference to reasonable engineering practices and engineering 197 judgment), particularly for systems or components that rely on software, because there are no 198 well-established, accepted quantitative methods to demonstrate the likelihood of failure from 199 sources such as software design errors.
200 201 For digital I&C modifications, an adequate basis for a determination that a change involves a 202 sufficiently low likelihood of failure may be derived from a qualitative assessment of factors 203 involving system design features, the quality of the design processes employed, and an
RIS 2002-22 Supplement 1 Page 6 of 8 204 205 evaluation of relevant operating experience of the software and hardware used (i.e., product 206 maturity and in-service experience). A licensee may use a qualitative assessment to record the 207 factors and rationale for concluding that there is an adequate basis for determining that a digital 208 I&C modification will exhibit a sufficiently low likelihood of failure. In doing so, a licensee may 209 consider the aggregate of these factors. The attachment to this RIS Supplement, Qualitative 210 Assessment Framework, provides guidance for performing and documenting this qualitative 211 assessment.
212 213 This RIS Supplement does not change the NRC staff positions in RIS 2002-22 endorsing NEI 214 01-01. Specifically, RIS 2002-22 states:
215 216 Because there is currently no acceptable way to quantitatively establish the 217 reliability of digital systems, [NEI 01-01] gives considerable attention to the 218 qualitative assessment of the dependability of and risk associated with I&C 219 systems. The guidance in the submittal [NEI 01-01] identifies qualitative 220 approaches within existing endorsed guidance with regard to software issues, 221 including software-related common-cause failure issues, without proposing 222 alternatives to the existing guidance. Therefore, the guidance in [NEI 01-01]
223 does not propose to alter, or offer less conservative guidance for, the existing 224 licensing process for license amendment requests to implement digital 225 replacements.
226 227 There is no change in NRC staff position regarding its endorsement of the guidance in NEI 228 01-01 for addressing digital I&C modifications under the 10 CFR 50.59 process. However, this 229 RIS Supplement clarifies the staffs previous endorsement in RIS 2002-22 of the guidance in 230 NEI 01-01 pertaining to the performance and documentation of adequate technical evaluations 231 and adequately documented qualitative assessments to meet the requirements of 232 10 CFR 50.59. Specifically, the guidance in this RIS Supplement clarifies the NRC staffs 233 endorsement of the guidance pertaining to Sections 4, 5, and Appendices A and B of NEI 01-01.
234 The attachment to this RIS Supplement provides a framework for preparing and documenting 235 qualitative assessments considered acceptable to serve as a technical basis supporting the 236 responses to key 10 CFR 50.59(c)(2) evaluations.
237 238 Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59 239 240 NEI 01-01 supports the use of qualitative assessments, engineering judgment, and industry 241 precedent when addressing whether frequency of occurrence of an accident or the likelihood of 242 occurrence of a malfunction of an SSC important to safety would be more than minimally 243 increased (evaluation criteria 10 CFR 50.59(c)(2)(i) and (ii)). NEI 01-01 also supports the use of 244 such qualitative assessments when addressing whether a possibility for an accident of a 245 different type or a malfunction of an SSC important to safety with a different result than any 246 previously evaluated in the UFSAR would be created (evaluation criteria 10 CFR 50.59(c)(2)(v) 247 and (vi)). This RIS Supplement describes the importance of documenting how the 248 implementation of key design attributes, quality of the design processes, and an evaluation of 249 relevant operating experience is being credited as the basis for making engineering judgments 250 that the likelihood of failures of SSCs that are introduced by a proposed digital modification is 251 low. Such qualitative assessments are used to provide an adequate basis for determining that 252 the likelihood of failure for proposed modifications is low. The guidance in NEI 01-01 provides a 253 road map to relevant standards and other sources of detailed guidance. The attachment to 254 this RIS Supplement clarifies how the aggregate of the proposed digital I&C system design
RIS 2002-22 Supplement 1 Page 7 of 8 255 256 features, quality of the design processes, and equipment and software operating experience 257 that are applied to the proposed design using such standards and guidance can be documented 258 by licensees when preparing qualitative assessments to support conclusions within a 259 10 CFR 50.59(c)(2) evaluation that a license amendment is not needed.
260 261 In addition, this RIS Supplement clarifies the applicability of some aspects of the NRC policy 262 described in Item II.Q of SRM/SECY 93-087, Policy, Technical, and Licensing Issues 263 Pertaining to Evolutionary and Advanced Light Water Reactor Designs, (ADAMS 264 No. ML003708056), in regard to the application of 10 CFR 50.59(c)(2) criteria for digital I&C 265 modifications.
266 267 To assist licensees in documenting adequate qualitative assessments for evaluating the 268 10 CFR 50.59(c)(2) criteria, the attachment to this RIS Supplement also clarifies the NRC staff 269 position on the content, rationale, and evaluation factors that can be addressed and evaluated 270 within licensee-developed qualitative assessments. Specifically, the attachment describes how 271 such qualitative assessments can be documented to clearly demonstrate an adequate technical 272 basis for the conclusion that the change does not require prior NRC staff approval.
273 274 BACKFITTING AND ISSUE FINALITY DISCUSSION 275 276 This RIS Supplement clarifies but does not supersede RIS 2002-22, and includes additional 277 guidance regarding how to perform and document qualitative assessments for digital I&C 278 changes under 10 CFR 50.59.
279 280 The NRC does not intend or approve any imposition of the guidance in this RIS Supplement, 281 and this RIS Supplement does not contain new or changed requirements or staff positions.
282 Therefore, this RIS Supplement does not represent backfitting as defined in 283 10 CFR 50.109(a)(1), nor is it otherwise inconsistent with any issue finality provision in 284 10 CFR Part 52. Consequently, the NRC staff did not perform a backfit analysis for this RIS 285 Supplement or further address the issue finality criteria in 10 CFR Part 52.
286 287 FEDERAL REGISTER NOTIFICATION 288 289 The NRC published a notice of opportunity for public comment on this RIS in the Federal 290 Register on July 3, 2017 (82 FR 30913). The NRC received comments from 13 commenters.
291 The NRC considered all comments, some of which resulted in changes to the RIS. The 292 evaluation of these comments and the resulting changes to the RIS are discussed in a 293 publicly-available memorandum that is available in ADAMS under Accession 294 No. ML17296A852.
295 296 CONGRESSIONAL REVIEW ACT 297 298 This RIS is a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-808). However, 299 the Office of Management and Budget has not found it to be a major rule as defined in the 300 Congressional Review Act.
301 302 PAPERWORK REDUCTION ACT STATEMENT 303 304 This RIS provides guidance for implementing mandatory information collections covered by 305 10 CFR Part 50 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et.
RIS 2002-22 Supplement 1 Page 8 of 8 306 307 seq.). This information collection was approved by the Office of Management and Budget 308 (OMB) under control number 3150-0011. Send comments regarding this information collection 309 to the Information Services Branch, U.S. Nuclear Regulatory Commission, Washington, DC 310 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of 311 Information and Regulatory Affairs, NEOB-10202, (3150-0011) Office of Management and 312 Budget, Washington, DC 20503.
313 314 315 Public Protection Notification 316 317 The NRC may not conduct or sponsor, and a person is not required to respond to, a request for 318 information or an information collection requirement unless the requesting document displays a 319 currently valid OMB control number.
320 321 CONTACT 322 323 Please direct any questions about this matter to the technical contact(s) or the Lead Project 324 Manager listed below.
325 326 Timothy J. McGinty, Director Christopher G. Miller, Director 327 Division of Construction Inspection Division of Inspection and Regional Support 328 and Operation Programs Office of Nuclear Reactor Regulation 329 Office of New Reactors 330 331 332 Technical Contacts: David Rahn, NRR Wendell Morton, NRO 333 301-415-1315 301-415-1658 334 e-mail: David.Rahn@nrc.gov e-mail: Wendell.Morton@nrc.gov 335 336 Norbert Carte, NRR David Beaulieu, NRR 337 301-415-5890 301-415-3243 338 e-mail: Norbert.Carte@nrc.gov e-mail: David.Beaulieu@nrc.gov 339 340 Duane Hardesty, NRR 341 301-415-3724 342 email: Duane.Hardesty@nrc.gov (Specifically for non-power reactors) 343 344 345 Project Manager
Contact:
Tekia Govan, NRR 346 301-415-6197 347 e-mail: Tekia.Govan@nrc.gov 348 349 350 Note: NRC generic communications may be found on the NRC public Web site, 351 http://www.nrc.gov, under NRC Library/Document Collections.
352 353 354
Attachment:
Qualitative Assessment Framework
355 Qualitative Assessment Framework 356 357 358 1. Purpose 359 360 Regulatory Issue Summary (RIS) 2002-22 provided the NRC staffs endorsement of Nuclear 361 Energy Institute (NEI) Guidance document NEI 01-01, Guideline on Licensing Digital Upgrades:
362 EPRI TR-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 To Reflect Changes 363 to the 10 CFR 50.59 Rule. NEI 01-01 provides guidance for implementing and licensing digital 364 upgrades, in a consistent, comprehensive, and predictable manner, as well as guidance in 365 performing qualitative assessments of the dependability of digital instrumentation and control 366 (I&C) systems.
367 368 The purpose of this attachment is to provide supplemental clarifying guidance to licensees to 369 ensure that, if qualitative assessments are used, they are described and documented 370 consistently, through an evaluation of appropriate qualitative evidence available. Following the 371 guidance in RIS 2002-22 and NEI 01-01, as clarified by the guidance in this RIS Supplement, 372 will help licensees document qualitative assessments in sufficient detail that an independent 373 third party can verify the judgements, as stated in NEI 01-01. This RIS supplement guidance 374 presumes that the qualitative assessment will be performed after all technical work (e.g. failure 375 modes and effects analysis, and revised design documentation) is complete and that the 376 proposed modification has already been determined to have a potential adverse effect (i.e. it 377 has been screened in as described in NEI 96-07).
378 379 If the qualitative assessment determines that a potential failure (e.g., software common cause 380 failure [CCF]) has a sufficiently low likelihood, then the effects of this failure do not need to be 381 considered in the 10 CFR 50.59 evaluation. In particular, this qualitative assessment provides 382 a means of addressing software CCF.
383 384 This RIS Supplement includes guidance that licensees may use to develop adequate bases for 385 determining that (1) a digital modification will exhibit a sufficiently low likelihood of failure, or, (2) 386 if a digital I&C modification failure can be postulated, the effects of that failure will not result in a 387 new type of accident or a malfunction of structures, systems, and components (SSCs) with 388 different result than previously evaluated in the updated final safety analysis report (UFSAR).
389 The determination of whether a modification will exhibit a sufficiently low likelihood of failure is a 390 key element in 10 CFR 50.59. Licensees need to understand the possible effects of failures of 391 a digital I&C modification to ensure that such effects will not create a possibility for an accident 392 of a different type or a malfunction of an SSC with a different result than previously evaluated in 393 the updated final safety analysis report.
394 395 The sections that follow provides one approach, acceptable to the NRC staff, for describing the 396 scope, form, and content of a qualitative assessment.
397 398 2. Regulatory ClarificationApplication of Qualitative Assessments to Title 10 of the 399 Code of Federal Regulations, Section 50.59 400 401 After determining that an activity is safe and effective through appropriate engineering and 402 technical evaluations, the 10 CFR 50.59 process is applied. 10 CFR 50.59 provides a threshold 403 for regulatory review, not the final determination of safety, for the proposed activities.
404 10 CFR 50.59 establishes the conditions under which licensees may make changes to the 405 facility or procedures and conduct tests or experiments without prior NRC approval.
406 407 408 Attachment
RIS 2002-22 Supplement 1, Attachment Page 2 of 27 409 410 411 Evaluations must address all elements of proposed changes. Elements of a change can have 412 positive effects on SSC failure likelihood while other elements of the change can have adverse 413 effects. As derived from the guidance in NEI 96-07, positive and negative elements can be 414 considered together if they are interdependent. This means that if elements are not 415 interdependent, they must be evaluated separately.
416 417 When discussing 10 CFR 50.59 criteria, the words met or satisfy mean that a yes or 418 affirmative answer has been achieved and an amendment is required.
419 420 2.1 Likelihood Justifications 421 422 Qualitative assessments are needed to document the bases to support a conclusion that a 423 proposed digital I&C modification has a sufficiently low2 likelihood of failure, consistent with the 424 UFSAR analysis assumptions. This conclusion is used in the Title 10 of the Code of Federal 425 Regulations (10 CFR) 50.59, Changes tests and experiments, written evaluation to determine 426 whether prior NRC approval is required.
427 428 The staff notes that when performing digital modifications under 10 CFR 50.59, some licensees 429 have experienced challenges in preparing qualitative assessments needed to support 430 conclusions for responding to the criteria in 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi).
431 432 The ability to provide an adequate basis for a determination that the digital modification will 433 exhibit a sufficiently low likelihood of failure is a key element of 10 CFR 50.59 evaluations to 434 determine whether the change requires prior NRC approval. To support the 10 CFR 50.59 435 process, methods are needed to evaluate the digital system likelihood of failure (e.g., based on 436 the dependability of the modified digital components) that could result in a malfunction of an 437 SSC important to safety. For digital equipment, however, there may not be well-established, 438 accepted quantitative methods that can be used to estimate their dependability or likelihood of 439 failure. Therefore, for digital SSCs, an adequate basis for determining sufficiently low likelihood 440 of failure may be derived from a qualitative assessment of factors involving the inclusion of key 441 system design features,3 the quality of the design process used, and an evaluation of relevant 442 operating experience (i.e., product maturity and in-service experience). The qualitative 443 assessment reaches a conclusion through engineering judgment that there is an adequate basis 444 for concluding that the digital modification will exhibit a sufficiently low likelihood of failure by 445 considering the aggregate of these factors.
446 447 Likelihood Thresholds for 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi) 448 449 A key element of 10 CFR 50.59 evaluations is demonstrating that the modification will exhibit a 450 sufficiently low likelihood of failure. For digital modifications, particularly those that introduce 451 software, there may be the potential increase in likelihood of failure, including a single failure.
452 453 454 2 NEI 01-01, Page 4-20, defines sufficiently low to mean much lower than the likelihood of failures that are 455 considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not 456 considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors).
457 3 System design features are used to address anticipatable and quantifiable threats (e.g., the qualification of a piece 458 of equipment to meet the plant seismic criteria ensures that the likelihood of failure from seismic event is sufficiently 459 low). Defense-in-depth and diversity are system design features to address anticipatable but non-quantifiable threats 460 (e.g., software CCF). These deterministic measures must be implemented under the appropriate quality processes.
RIS 2002-22 Supplement 1, Attachment Page 3 of 27 461 462 For redundant SSCs, this potential increase in the likelihood of failure creates a similar increase 463 in the likelihood of a common cause failure.
464 465 The sufficiently low threshold discussions have been developed using criteria from NEI 96-07, 466 Revision 1, and NEI 01-01. They are intended to clarify the existing 10 CFR 50.59 guidance 467 and should not be interpreted as a new or modified NRC position.
468 469 Qualitative Assessment 470 471 The determination that a digital I&C modification will exhibit a sufficiently low likelihood of failure 472 can be derived from a qualitative assessment of factors involving system design attributes, the 473 quality of the design processes employed, and the operating experience of the software and 474 hardware used (i.e., product maturity and in-service experience). The qualitative assessment 475 documents the factors, rationale, and reasoning for determining that the digital I&C modification 476 exhibits a sufficiently low likelihood of failure by considering the aggregate of these factors.
477 478 The determination of likelihood of failure may consider the aggregate of all the factors described 479 above. Some of these factors may compensate for weaknesses in other areas. For example, 480 for a digital device that is simple and highly testable, thorough testing may provide additional 481 assurance of a low likelihood of failure that helps compensate for a lack of operating 482 experience.
483 484 Qualitative Assessment Outcome 485 486 There are two possible outcomes of the qualitative assessment: (1) failure likelihood is 487 sufficiently low, and (2) failure likelihood is not sufficiently low. NEI 01-01, Section 4.3.6, 488 states, sufficiently low means much lower than the likelihood of failures that are considered in 489 the UFSAR (e.g., single failures) and comparable to other common cause failures that are not 490 considered in the UFSAR (e.g., design flaws, maintenance error, calibration errors). [Note:
491 This sufficiently low threshold is not interchangeable with that for distinguishing between 492 events that are credible or not credible. The threshold for determining whether an event is 493 credible or not is whether it is as likely as (i.e., not much lower than) malfunctions already 494 assumed in the UFSAR.]
495 496 Criteria 497 498 A qualitative assessment outcome of sufficiently low supports a no or negative answer for 499 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi) as follows:
500 10 CFR 50.59(c)(2)(i) 501 502 Does the activity result in more than a minimal increase in the frequency of occurrence of an 503 accident previously evaluated in the UFSAR?
504 505 Sufficiently low threshold - The frequency of occurrence of an accident is directly 506 related to likelihood of failure of equipment that initiates the accident (e.g., an increase in 507 the likelihood of a steam generator tube failure has a corresponding increase in the 508 frequency of a steam generator tube rupture accident). Thus, an increase in likelihood 509 of failure of the modified equipment results in an increase in the frequency of the 510 accident. Therefore, if the qualitative assessment outcome is sufficiently low, then
RIS 2002-22 Supplement 1, Attachment Page 4 of 27 511 512 there is a no more than a minimal increase in the frequency of occurrence of an accident 513 previously evaluated in the UFSAR.
514 515 10 CFR 50.59(c)(2)(ii) 516 517 Does the activity result in more than a minimal increase in the likelihood of occurrence of a 518 malfunction of a structure, system, or component (SSC) important to safety4 previously 519 evaluated in the UFSAR?
520 521 Sufficiently low threshold - The likelihood of occurrence of a malfunction of an SSC 522 important to safety is directly related to likelihood of failure of equipment that causes a 523 failure of SSCs to perform their intended design functions (e.g., an increase in the 524 likelihood of failure of an auxiliary feedwater (AFW) pump has a corresponding increase 525 in the likelihood of occurrence of a malfunction of SSCs - the AFW pump and AFW 526 system). Thus, the likelihood of failure of modified equipment that causes the failure of 527 SSCs to perform their intended design functions is directly related to the likelihood of 528 occurrence of a malfunction of an SSC important to safety. Therefore, if the qualitative 529 assessment outcome is sufficiently low, then the activity does not result in more than a 530 minimal increase in the likelihood of occurrence of a malfunction of an SSC important to 531 safety previously evaluated in the UFSAR.
532 533 10 CFR 50.59(c)(2)(v) 534 535 Does the activity create a possibility for an accident of a different type than any previously 536 evaluated in the UFSAR?
537 538 Sufficiently low threshold - NEI 96-07, Revision 1, Section 4.3.5, states, Accidents of 539 a different type are limited to those as likely to happen as those in the UFSAR.
540 Accidents of a different type are caused by failures of equipment that initiate an accident 541 of a different type. Only failures of equipment that are as likely to happen as those in 542 the UFSAR can create a possibility of an accident of a different type. If the qualitative 543 assessment outcome is sufficiently low, then there are no failures introduced by the 544 activity that are as likely to happen as those in the UFSAR that can initiate an accident of 545 a different type. Therefore, the activity does not create a possibility for an accident of a 546 different type than any previously evaluated in the UFSAR.
547 548 10 CFR 50.59(c)(2)(vi) 549 550 Does the activity create a possibility for a malfunction of an SSC important to safety with a 551 different result than any previously evaluated in the UFSAR?
552 553 Sufficiently low threshold - NEI 96-07, Section 4.3.6, states, Malfunctions with a 554 different result are limited to those as likely to happen as those in the UFSAR. A 555 malfunction of an SSC important to safety is an equipment failure that causes the failure 556 of SSCs to perform their intended design functions. Only failures of equipment that are 557 as likely to happen as those in the UFSAR can create a possibility of a malfunction 558 559 4 NEI 96-07, Revision 1, Section 3.9, states, Malfunction of SSCs important to safety means the failure of SSCs to 560 perform their intended design functions described in the UFSAR (whether or not classified as safety-related in 561 accordance with 10 CFR 50, Appendix B).
RIS 2002-22 Supplement 1, Attachment Page 5 of 27 562 563 with a different result. If the qualitative assessment outcome is sufficiently low, then 564 there are no failures introduced by the activity that are as likely to happen as those in the 565 UFSAR. Therefore, the activity does not create a possibility for a malfunction of an SSC 566 important to safety with a different result than any previously evaluated in the UFSAR.
567 568 2.2 Additional Considerations for 10 CFR 50.59 evaluation of criterion (c)(2)(vi) 569 570 The 10 CFR 50.59 evaluation of criterion (c)(2)(vi) can be viewed as a five-step process that 571 stems from NEI 96-07, Revision 1, Section 4.3.6, which states: The possible malfunctions with 572 a different result are limited to those that are as likely to happen as those described in the 573 UFSAR. This section provides excerpts from NEI 96-07, Revision 1, and NEI 01-01 and 574 groups them into five steps to more clearly describe the considerations for addressing 575 10 CFR 50.59 criterion (c)(2)(vi). The section should not be interpreted as creating new or 576 revised NRC positions:
577 578 Step 1: Develop a list of ways (i.e., failure modes of SSCs important to safety that are affected 579 by the proposed modification) in which SSCs can fail to perform their intended design functions.
580 581 x malfunction of SSCs important to safety means the failure of SSCs to perform their 582 intended design functions described in the UFSAR (whether or not classified as 583 safety-related in accordance with 10 CFR Part 50, Appendix B.) [NEI 96-07, Rev. 1, 584 Section 3.9, Definition of Malfunction of SSCs, page 18.]
585 586 Step 2: Perform a qualitative assessment of the likelihood of occurrence of each failure mode to 587 determine which ones are as likely to happen as those described in the UFSAR.
588 589 x For digital systems, reasonable assurance of adequate quality and low likelihood of 590 failure is derived from a qualitative assessment of the design process and the system 591 design features. [NEI 01-01, Section 5.3.1, page 5-14]
592 593 If the qualitative assessment outcome is not sufficiently low, then perform Steps 3, 4, and 5 to 594 evaluate the results of these failures against 10 CFR 50.59 criterion (c)(2)(vi).
595 596 Step 3: Determine the malfunction results.
597 598 x The key issue is the effect of failures of the digital device on the system in which it is 599 installed. [NEI 01-01, Section 4.4.6, page 4-19]
600 601 x Another way to determine the appropriate level of detail is to consider the level at which 602 design functions are described in the UFSAR. If the relevant design functions are 603 assigned at the system level, then it is appropriate to evaluate the effects of malfunctions 604 at this level. [NEI 01-01, Section 4.4.6, page 4-19]
605 606 x If failures of the digital device cause the system to malfunction (i.e., not perform its 607 design function), then the evaluation needs to determine if the result of the system 608 malfunction is bounded by or different than those previously evaluated. [NEI 01-01, 609 Section 4.4.6, page 4-19]
RIS 2002-22 Supplement 1, Attachment Page 6 of 27 610 611 x NEI 01-01, Section 5.2, page 5-10 states that, reanalysis of design basis events is 612 permitted using best estimate conditions and realistic assumptions Unless already 613 incorporated into the design and licensing basis, best-estimate methods cannot be 614 used for evaluating different results than those previously evaluated in the UFSAR. For 615 failures in which likelihood is not sufficiently low, the results of these failures are to be 616 analyzed using methods consistent with the plants design and licensing basis.
617 618 x An example of a change that would create the possibility for a malfunction with a 619 different result is a substantial modification or upgrade to control station alarms, controls, 620 or displays that are associated with SSCs important to safety that creates a new or 621 common cause failure that is not bounded by previous analyses or evaluations. [NEI 622 96-07, Section 4.3.1, page 55.]
623 624 x If a feedwater control system is being upgraded from an analog to a digital system, new 625 components may be added that could fail in ways other than the components in the 626 original design. Provided the end result of the component or subsystem failure is the 627 same as, or is bounded by, the results of malfunctions currently described in the UFSAR 628 (i.e., failure to maximum demand, failure to minimum demand, failure as-is, etc.), then 629 this upgrade would not create a malfunction with a different result. [NEI 96-07, Section 630 4.3.6, page 54; also see NEI 01-01, Section 4.4.6, page 4-19.]
631 632 Note that [for criterion (vi)] new types of malfunctions are not the issue. NEI 96-07, 633 Revision 1, states that a new failure mechanism is not a malfunction with a different 634 result if the result or effect is the same as, or is bounded by, that previously evaluated in 635 the UFSAR. [NEI 01-01, Section 4.4.6, page 4-19]
636 637 Step 4: Identify the associated malfunctions and results previously evaluated in the UFSAR.
638 639 x the evaluation needs to consider the level of detail that was previously evaluated in the 640 UFSAR (i.e., component versus division/train versus system level failures). [NEI 01-01, 641 Section 4.4.6, page 4-19]
642 643 x Another way to determine the appropriate level of detail is to consider the level at which 644 design functions are described in the UFSAR. If the relevant design functions are 645 assigned at the system level, then it is appropriate to evaluate the effects of malfunctions 646 at this level. [NEI 01-01, Section 4.4.6, page 4-19]
647 648 Step 5: Compare the newly created results to the results of malfunctions previously evaluated 649 in the UFSAR. If the created results are not bounded by the previously evaluated results, 650 then an LAR is required.
651 652 x Once the malfunctions previously evaluated in the UFSAR and the results of these 653 malfunctions have been determined, then the types and results of failure modes that the 654 proposed activity could create are identified. Comparing the two lists can provide the 655 answer to the criterion question. [NEI 96-07, Rev. 1, Section 4.3.6, page 55]
656 657 x A new failure mechanism is not a malfunction with a different result if the result or effect 658 is the same as, or is bounded by, that previously evaluated in the UFSAR. [NEI 01-01, 659 Section 4.4.6, page 4-19]
RIS 2002-22 Supplement 1, Attachment Page 7 of 27 660 661 662 3. Producing Qualitative Assessments that Support a Sufficiently Low Likelihood 663 Conclusion 664 665 The qualitative assessment framework described herein may be used to develop and document 666 the technical basis supporting a conclusion that a proposed digital modification satisfies each of 667 the likelihood thresholds outlined above. The resulting qualitative assessments may then be 668 used as part of the reasoning and rationale serving as the basis for a 10 CFR 50.59 evaluation.
669 The NRC staff has determined that proposed digital I&C modifications having all the 670 characteristics listed below are likely to result in qualitative assessment results that support a 671 determination that a license amendment is not required by 10 CFR 50.59:
672 673 [Note: The term design functions, as used in this RIS Supplement, conforms to the 674 definition of design functions in NEI 96-07, Revision 1.]
675 676 1. Digital I&C design-functions replacing I&C design-functions that:
677 678 a) Do not create a CCF vulnerability due to the integration of subsystems or 679 components from different systems that combine design functions that were not 680 previously combined within the same system, subsystem, or component being 681 replaced, and 682 b) Do not create a CCF vulnerability due to the incorporation of new shared resources 683 (such as power supplies, controllers, and human-machine interfaces) with other 684 design functions either explicitly (or implicitly) described in the final safety analysis 685 report as updated (UFSAR) as functioning independently from other plant system 686 functions, or modeled in the current design basis to be functioning independently 687 from other plant design functions, and 688 c) Do not affect reactor trip or engineered safety feature initiation/control logic design 689 functions.
690 691 Integration, as used in this RIS clarification refers to the process of combining software 692 components, hardware components, or both into an overall system, or the merger of the 693 design function of two or more systems or components into a functioning, unified system 694 or component. Integration also refers to the coupling of design functions (software/
695 hardware) via digital communications. Modifications can result in design functions of 696 different systems being integrated or combined either directly in the same digital device 697 or indirectly via shared resources, such as digital communications or networks, common 698 controllers, power supplies, or visual display units. Such integration could be 699 problematic because the safety analysis may have explicitly or implicitly modeled the 700 equipment performing the design functions that would be integrated on the basis that it is 701 not subject to any potential source of common cause failure.
702 703 2. Digital I&C modifications to SSCs that do not result in a CCF vulnerability due to a 704 reduction of any aspect of independence (or separation), single failure tolerance, or 705 diversity credited in the UFSAR (including a reduction in diversity due to hardware or 706 software resources shared among non-safety related control functions); and 707 708 3. Digital I&C modifications to facility SSCs, where a malfunction due to a design defect is 709 precluded through: (a) simplicity (as demonstrated through 100 percent testing or a 710 combination of testing and input/output state analysis); or (b) a demonstration of
RIS 2002-22 Supplement 1, Attachment Page 8 of 27 711 712 adequate internal or external systematic diversity, or where a design defect is assumed, 713 postulated to be triggered, and demonstrated to result in no new malfunction or a 714 malfunction that is bounded at the level previously evaluated in the safety analysis.
715 716 Licensees may evaluate digital I&C modifications to SSCs associated with reactor protection 717 systems and ESF actuation systems using the qualitative assessment clarification in this RIS 718 Supplement with the following four considerations: (1) the proposed modification is not part of 719 the actuation/control logic portion of reactor protection systems and ESF systems, (2) the 720 proposed modification is not an extension of an ESF actuation, such as emergency power bus 721 load sequencers, (3) the design function will continue to be accomplished and the proposed 722 design will continue to satisfy applicable NRC requirements, and (4) any new input or output 723 devices do not communicate with the actuation logic portion of reactor protection systems or 724 ESF actuation systems using digital data communications. This would include possible 725 changes to individual, non-shared channel inputs to reactor protection systems logic, reactor 726 protection systems power supplies, or output actuators (relays/breakers). Proposed 727 modifications beyond these types would likely require a license amendment.
728 729 4. Qualitative Assessment 730 731 4.1. Quantitative vs. Qualitative 732 733 A quantitative assessment is one capable of representing the SSC by a mathematical model, 734 such as apportioning the reliability and availability goals among parts of the system, assigning 735 probabilities to each failure mode of concern, and reconciling the calculated estimates of 736 reliability and availability with the overall SSC goals. A qualitative assessment identifies 737 possible ways in which an SSC can fail, and identifies appropriate precautions (design changes, 738 administrative procedures, etc.) that will reduce the frequency or consequences of such failures.
739 For example, a licensee may be able to rely on a qualitative assessment of a particular digital 740 controller even if it is difficult to demonstrate that the controller uses an error-free operating 741 system and error-free application-specific system software logic commands. Specifically, it may 742 be possible to demonstrate qualitatively that the controller has a set of specific attributes that 743 allow its installation without prior NRC approval. One acceptable set of attributes is that (1) 744 software for that controller has been prepared using a high-quality software development 745 process, (2) the controller was tested thoroughly during acceptance and post-installation tests, 746 and (3) the particular controller has been used in tens of thousands of hours of successful 747 operation at other locations under similar plant conditions and for similar purposes, and there 748 has been no evidence of operational failures due to software defects.
749 750 The qualitative assessment conclusion makes use of engineering judgment. As stated above, 751 NEI 01-01 describes that for 10 CFR 50.59 evaluations, the likelihood of failure is normally 752 demonstrated qualitatively (i.e., through reference to reasonable engineering practices and 753 engineering judgment) particularly for systems or components that rely on software, because 754 there are no well-established, accepted quantitative methods to demonstrate the likelihood of 755 failure from software design errors. When applying engineering judgment, the following 756 principles and general considerations may be followed:
757 758 x The technical qualifications of the personnel performing such evaluations will be appropriate 759 for the evaluation preparation and reviews.
760 x The evaluation process follows the applicable corporate engineering or plant engineering 761 procedures for performing such engineering evaluations or calculations.
RIS 2002-22 Supplement 1, Attachment Page 9 of 27 762 763 x The basis for conclusions relying on engineering judgment are clearly documented in the 764 evaluation/analysis.
765 x A sound technical basis or rationale for the judgment (e.g., recognized engineering 766 principles, standards, trend evaluations, and empirical data; previous engineering 767 experience, calculations, or evaluations; demonstrated industry practices, etc.) is 768 established.
769 x The level of detail used to justify the engineering judgment may be commensurate with the 770 safety significance and complexity of the design function affected in accordance with 771 licensees procedures.
772 x The level of detail permits another technical reviewer with similar expertise, and without 773 recourse to the author, to understand the author's rationale.
774 x Simplified models and estimation techniques can provide supporting bases for engineering 775 judgement.
776 777 4.2. Overview of Design Information that Supports Qualitative Assessments 778 779 Technical information is needed to support a conclusion that a proposed digital I&C modification 780 will exhibit a sufficiently low likelihood of failure. As described in greater detail below, an 781 adequate basis for determining sufficiently low likelihood of failure may be derived from a 782 qualitative assessment of factors involving the inclusion of key system design features, the 783 quality of the design process used, and an evaluation of relevant operating experience (i.e.,
784 product maturity and in-service experience). The qualitative assessment reaches a conclusion 785 through engineering judgment that there is an adequate basis for concluding that the digital 786 modification will exhibit a sufficiently low likelihood of failure by considering the aggregate of 787 these factors. Section 5 of this Attachment provides further discussion regarding technical 788 information supporting qualitative assessments.
789 790 4.3. Qualitative Assessment Categories 791 792 Consistent with the guidance provided in NEI 01-01, this attachment specifies three general 793 categories of proposed design-related characteristics (described in Table 1 of this document) 794 that can be used to develop justifications that demonstrate a sufficiently low likelihood of failure 795 for a proposed modification. The aggregate of the three qualitative assessment categories form 796 the technical basis for developing justifications based upon the likelihood of failure (i.e., single 797 failures and CCF) of a digital I&C modification to a system or components. The aggregate of all 798 three categories below needs to be evaluated to demonstrate that there is an adequate basis for 799 concluding that the proposed modification will exhibit a sufficiently low likelihood of failure such 800 that the criteria described in Section 2 of this attachment can be addressed:
801 802 x Design attributes:
803 NEI 01-01 Section 5.3.1 states:
804 805 To determine whether a digital system is sufficiently dependable, and 806 therefore that the likelihood of failure is sufficiently low, there are some 807 important characteristics that should be evaluated. These characteristics, 808 discussed in more detail in the following sections include. . .
RIS 2002-22 Supplement 1, Attachment Page 10 of 27 809 810 Hardware and software design features that contribute to high 811 dependability (See Section 5.3.4). Such [hardware and software design]
812 features include built-in fault detection and failure management schemes, 813 internal redundancy and diagnostics, and use of software and hardware 814 architectures designed to minimize failure consequences and facilitate 815 problem diagnosis.
816 817 Consistent with the above-quoted text, design attributes of the proposed modification 818 can prevent or limit failures from occurring or mitigate the consequences of such 819 possible failures. The qualitative assessment documents and describes hardware and 820 software design features that contribute to high dependability. Design attributes focus 821 primarily on built-in features such as fault detection and failure management schemes, 822 internal redundancy and diagnostics, and use of software and hardware architectures 823 designed to minimize failure consequences and facilitate problem diagnosis. However, 824 design features external to the proposed modification (e.g., mechanical stops on valves) 825 may also need to be considered.
826 827 During the design process, it is important to consider both the positive effects of 828 installing the digital equipment (e.g., elimination of single-point vulnerabilities (SPVs),
829 ability to perform signal validation, diagnostic capabilities, etc.) with the potential 830 negative effects (e.g., software CCF, etc.).
831 832 Within the concept of defense-in-depth, acceptable justification for concluding an 833 accident of a different type will not be initiated could include, if supported by the facts, 834 that the postulated new accident is only possible after a sequence of multiple unlikely 835 independent failures. This type of justification is summarized and documented as part of 836 the qualitative assessment.
837 838 x Quality of the Design Process:
839 Section 5.3.3 of NEI 01-01 states:
840 For digital equipment incorporating software, it is well recognized that 841 prerequisites for quality and dependability are experienced software 842 engineering professionals combined with well-defined processes for 843 project management, software design, development, implementation, 844 verification, validation, software safety analysis, change control, and 845 configuration control.
846 847 Consistent with the guidance provided in NEI 01-01, Quality Design Processes means 848 those processes employed in the development of the proposed modification. Such 849 processes include software development, hardware and software integration processes, 850 hardware design, and validation and testing processes that have been incorporated into 851 the development process. Although in many cases this development process would be 852 documented and available for referencing in the qualitative assessment for proposed 853 modifications to safety-related equipment, for commercial- grade-dedicated or 854 non-safety related equipment it may not be readily available. In such cases, the 855 qualitative assessment may place greater emphasis on the design attributes included 856 and the extent of successful operating experience for the equipment proposed.
RIS 2002-22 Supplement 1, Attachment Page 11 of 27 857 858 x Operating Experience:
859 Section 5.3.1 of NEI 01-01 states, Substantial applicable operating history reduces 860 uncertainty in demonstrating adequate dependability.
861 862 Consistent with the above-quoted text, relevant operating experience can be used as a 863 means to help demonstrate that software and hardware employed in a proposed 864 modification have adequate dependability. The licensee may document information 865 showing that the proposed system or component modification employs equipment with 866 significant operating experience in nuclear power plant applications, or in non-nuclear 867 applications with comparable performance standards and operating environment. The 868 licensee may also consider whether the suppliers of such equipment incorporate quality 869 processes such as continual process improvement, incorporation of lessons learned, 870 etc., and document how that information demonstrates adequate equipment 871 dependability.
872 873 These categories are not mutually exclusive and may overlap in certain areas. Adequate 874 qualitative assessments for SSCs fully address each of the above categories. Qualitative 875 assessment documentation for the proposed modification to SSCs is retained in accordance 876 with the licensees design engineering procedures, procedures implementing 877 10 CFR 50.59(d)(1), and NRC-approved QA program.
878 879 Table 1 provides acceptable examples of design attributes, quality of the design processes, and 880 documentation of operating experience. This listing is not all inclusive, it merely provides 881 examples. Licensees may consider additional design attributes, quality of the design 882 processes, and documentation of operating experience in their qualitative assessment and need 883 not use these specific examples.
RIS 2002-22 Supplement 1, Attachment Page 12 of 27 Table 1Qualitative Assessment Category Examples Categories Acceptable Examples for Each Category Design Attributes x Design criteriaDiversity (if applicable), Independence, and Redundancy.
x Inherent design features for software, hardware or architectural/network Watchdog timers that operate independent of software, isolation devices, segmentation, self-testing, and self-diagnostic features.
x Basis for identifying that possible triggers are non-concurrent.
x Sufficiently simple (i.e., enabling 100 percent testing or comprehensive testing in combination with analysis of likelihood of occurrence of input/output states not tested).
x Unlikely series of eventsEvaluation of a given digital I&C modification would necessarily have to postulate multiple independent random failures in order to arrive at a state in which a CCF is possible.
x Failure state always known to be safe, or at least the same state as allowed by the previously installed equipment safety analysis.
Quality of the x Justification for use of industry consensus standardsfor codes and Design Process standards not endorsed by the NRC.
x Justification for use of the other standards.
x Justification for applicability of standards used.
x Use of Appendix B vendors. If not an Appendix B vendor, the analysis can state which generally accepted industrial quality program was applied.
x Use of Commercial Grade Dedication processes per guidance of EPRI TR-106439, Annex D of IEEE 7-4.3.2, and examples within EPRI TR-107339.
x Demonstrated tolerance (e.g., through qualification testing) to withstand environmental conditions within which the SSC is credited to perform its design function (e.g., EMI/RFI, Seismic).
x Development process rigor (adherence to generally-accepted commercial or nuclear standards.)
x The use of custom software using code for application software will typically call for extensive evaluation or testing or both to demonstrate dependability, where there is inadequate information to conclude that a quality design process has been used.
Operating x Wide range of operating experience in similar applications, operating Experience environments, duty cycles, loading, comparable configurations, etc.,
to that of the proposed modification.
x History of lessons learned from field experience addressed in the design.
x Relevant operating experience: Architecture of the referenced equipment and software along with the design conditions and modes of operation of the equipment should be substantially similar to those of the system being proposed as a digital I&C modification.
884
RIS 2002-22 Supplement 1, Attachment Page 13 of 27 885 x High volume production usage in different applicationsNote that for software, the concern is centered on lower volume, custom, or user-configurable software applications. High volume, high quality commercial products with relevant operating experience used in other applications have the potential to avoid design errors.
x Evaluation of the operating experience for specific versions of operating system software designed by high quality commercial grade equipment vendors may be one of the only means by which a degree of assurance of reliability may be judged. For some applications and custom-developed software, operating experience may be the most reliable justification that the software is acceptable. It may be necessary to delay implementing major application software use and software revisions until the software version has sufficient operating experience.
x The operating system and application level software may need to be considered. In some cases it may be necessary to address vendor software that creates the configuration files as well as the 886 configuration file itself.
887 888 4.3.1 Design Attributes to Reduce the Likelihood of Failure 889 890 Many system design attributes, procedures, and practices can contribute to significantly 891 reducing the likelihood of failure (e.g., CCF). A licensee can account for this by deterministically 892 assessing the specific vulnerabilities through the introduction of failure modes (e.g., software 893 CCF) within a proposed modification and applying specific design attributes to address those 894 vulnerabilities (see Table 1 above). An adequate qualitative justification regarding the likelihood 895 of failure of a proposed modification would consist of a description of: (a) the identified 896 vulnerabilities of the proposed modification, (b) the design attributes used to address the 897 identified vulnerabilities, and (c) a clear description explaining why the chosen design attributes 898 and features are adequate.
899 900 Changes in control system design need to be evaluated for potential vulnerabilities to CCF. In 901 addition, there are some SSCs that have few applicable requirements (e.g. no diversity or 902 redundancy requirements). These SSCs may have been implemented in a manner (i.e.,
903 relatively independently) such that only individual SSC malfunctions or failures were considered 904 in the UFSAR. If these individual SSCs are combined with (e.g., controlled by a common digital 905 component, employ the same software in separate digital devices), or are coupled to each other 906 (e.g., by digital communication), then the potential for malfunctions with a different result or 907 accidents of a different type would be evaluated under 10 CFR 50.59.
908 909 4.3.1.1 Diversity and Common Cause Failure 910 911 Diversity is one example of a design attribute of an SSC that can be used as part of the bases 912 for demonstrating an SSC modified with digital technology will exhibit a low likelihood of a loss 913 of design function due to a potential common cause failure. The design of certain SSCs is 914 required to include diversity to the extent practical. (For example, for protection systems, 915 diversity is to be used to the extent practical to prevent loss of the protection function.
916 (10 CFR Part 50 Appendix A, Criterion 22.)). Some licensees have already followed staff 917 guidance, such as NUREG-0800, Chapter 7, Branch Technical Position 7-19, in establishing the
RIS 2002-22 Supplement 1, Attachment Page 14 of 27 918 919 design basis of certain SSCs. Further, some SSCs are subject to existing regulatory 920 requirements or other acceptance criteria to which the licensee is committed, and include 921 diversity in the design. In these cases, the licensees have incorporated diversity into the design 922 basis. In all other cases, the licensees need not consider the use of diversity (i.e., as described 923 in the staff requirements memorandum on SECY 93-087) in evaluating a proposed modification 924 under 10 CFR 50.59. However, diversity within the proposed design, and any affected SSCs is 925 a powerful means which may significantly reduce the likelihood of malfunctions affecting the 926 accomplishment of design functions.
927 928 4.3.1.2 Digital Communications 929 930 Digital communications can reduce SSC independence credited or assumed in the UFSAR.
931 Reduction in independence may create the possibility of a new failure that could result in 932 concurrent failures not considered in the UFSAR. Careful consideration is needed to preclude 933 adverse effects on safety and non-safety related SSC independence. DI&C-ISG-04, Revision 1, 934 Highly-Integrated Control RoomsCommunications Issues (ADAMS Accession Number 935 ML083310185) provides an acceptable means of addressing digital communication between 936 redundant SSCs, echelons of defense-in-depth, or SSCs with different safety classifications.
937 DI&C-ISG-04 was developed to address digital communication among safety-related and 938 between safety-related and non-safety related SSCs. The principles of this ISG or other 939 technically justifiable considerations, may be used to assess non-safety related SSCs.
940 941 4.3.1.3 Combining (Integration) of Functions 942 943 Combining design functions of different safety-related or non-safety related SSCs in a manner 944 not previously evaluated or described in the UFSAR could introduce new interdependencies and 945 interactions that make it more difficult to account for new potential failure modes (i.e., single 946 failures and CCF). Failure of combined design functions that: 1) can effect malfunctions of 947 SSCs or accidents evaluated in the UFSAR; or, 2) involve different defense-in-depth echelons5; 948 are of significant concern.
949 950 Combining previously separate component functions can result in more dependable system 951 performance due to the tightly coupled nature of the components and a reduction in complexity.
952 If such a combination does not create a new failure mode, it is generally acceptable. In all 953 cases in which a licensee proposes to combine previously separate design functions in a 954 safety-related and/or non-safety related digital I&C, the qualitative assessment needs to weigh 955 the risks of possible new malfunctions against the benefits of combining the previously 956 separately controlled functions. Where possible, failure modes and effects analyses and 957 non-safety related control system segmentation analyses can be performed for the proposed 958 modification.
959 960 4.3.2 Quality of the Design Process and the use of Quality Standards 961 962 963 964 965 966 5 As stated in NEI 01-01, Section 5.2, a fundamental concept in the regulatory requirements and expectations for 967 instrumentation and control systems in nuclear power plants is the use of four echelons of defense-in-depth: 1) 968 Control Systems; 2) Reactor Trip System (RTS) and Anticipated Transient without SCRAM (ATWS); 3) Engineered 969 Safety Features Actuation System (ESFAS); and 4) Monitoring and indications.
RIS 2002-22 Supplement 1, Attachment Page 15 of 27 970 971 Quality of the design process is a key element that determines the dependability of proposed 972 modifications. Licensees employing design processes consistent with the requirements of their 973 NRC approved quality assurance program will result in a quality design process.
974 975 When possible, the use of applicable industry consensus standards contributes to a quality 976 design process and provides a previously established acceptable approach (e.g IEEE Std. 977 1074-2006, IEEE Standard for Developing a Software Project Life Cycle Process, RG 1.173, 978 Developing Software Life Cycle Processes for Digital Computer Software Used in Safety 979 Systems of Nuclear Power Plant). In some cases, other nuclear or non-nuclear standards also 980 provide technically justifiable approaches that can be used if confirmed applicable for the 981 specific application.
982 983 Quality standards should not be confused with quality assurance programs or procedures.
984 Quality standards are those standards which describe the benchmarks that are specified to be 985 achieved in a design. Quality standards should be documents that are established by 986 consensus and approved by an accredited standards development organization. For example, 987 IEEE publishes consensus-based quality standards relevant to digital I&C modifications and is a 988 recognized standards development organization. Quality standards used to ensure the 989 proposed change has been developed using a quality design process do not need to be solely 990 those endorsed by the NRC staff. The qualitative assessment document should demonstrate 991 that the standard being applied is valid for the circumstances for which it is being used.
992 993 4.3.3 Evaluation of Relevant Operating Experience 994 995 Operating experience relevant to a proposed digital I&C change may be credited as part of an 996 adequate basis for a determination that the proposed change does not result in more than a 997 minimal increase in the frequency of occurrence of initiating events that can lead to accidents, 998 or in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC 999 important to safety previously evaluated in the UFSAR. Differences may exist in the specific 1000 digital I&C application between the proposed digital I&C modification and that of the equipment 1001 and software whose operating experience is being credited. In all cases, however, the 1002 architecture of the referenced equipment and software should be substantially similar to that of 1003 the system being proposed. Further, the design conditions and modes of operation of the 1004 equipment whose operating experience is being referenced also needs to be substantially 1005 similar to that being proposed as a digital I&C modification. For example, it is important to 1006 recognize that when crediting operating experience from other facilities, one needs to 1007 understand what design features were present in the design whose operating experience is 1008 being credited, and what operating conditions (e.g., ambient environment, continuous duty, etc.)
1009 were experienced by the referenced design. Design features, which serve to prevent or limit 1010 possible common cause failures, and references into relevant operating experience, should be 1011 noted, and considered in the proposed design. Doing so would provide additional support for a 1012 determination that the dependability of the proposed design will be similar to the referenced 1013 application.
1014 1015 5. Engineering Evaluations Supporting Qualitative Assessments 1016 1017 5.1 Introduction 1018 1019 This section describes approaches that could be used for conducting and documenting 1020 engineering evaluations when they are used to support qualitative assessments. In some cases
RIS 2002-22 Supplement 1, Attachment Page 16 of 27 1021 1022 these approaches describe efforts beyond those discussed in NEI 01-01. This information is 1023 provided for consideration only. They do not represent an NRC position of what is necessary or 1024 required. Use of any of this information is at the discretion of licensees.
1025 1026 Prior to implementing new digital I&C designs, engineering evaluations of the proposed design 1027 need to be performed as part of the design and verification processes. Although the plant is 1028 designed to cope with single failures of SSCs, it is possible that new sources of common cause 1029 failure could be introduced as part of the digital I&C design, such as through the introduction of 1030 identical software into redundant channels; through the use of shared resources; or common 1031 hardware and software among systems performing different design functions. Therefore it is 1032 essential that such sources of common cause failure be identified, to the extent practicable, and 1033 addressed during the design stage as one acceptable method to support the technical basis 1034 concluding that a proposed new design has a low likelihood of failure that is evaluated in the 1035 subsequent licensing evaluation.
1036 1037 Section 3.2.2 of NEI 01-01 states:
1038 1039 For digital systems, the likelihood of software-related failure is minimized using 1040 the same basic approach of controlling the design, implementation, operation, 1041 and maintenance processes. Compliance with industry standards and regulatory 1042 requirements coupled with tests, evaluations, and reviews is used to assure a 1043 very low likelihood of failure. The important activities that are performed 1044 throughout the various phases of the digital modification process and that 1045 contribute to minimizing risk are summarized in Section 3.3 [Phases of the Plant 1046 Modification Process] and discussed in detail in Section 5 [Additional Guidance 1047 on Addressing Digital Upgrade Issues.] Results of these activities are then used 1048 in the 10 CFR 50.59 process as described in Section 4 [Licensing Process and 1049 10 CFR 50.59.] With respect to failures due to software, including common 1050 cause failures, the key to addressing these in licensing is having performed 1051 appropriate design, analysis and evaluation activities to provide reasonable 1052 assurance that such failures have a very low likelihood. [emphasis added]
1053 1054 Such key evaluation activities may include, but are not limited to: a) the deterministic analysis of 1055 the conformance of the design with regulatory requirements, engineering standards, and 1056 regulatory guidance, as well as the licensing basis of the plant; b) the performance of adequate 1057 deterministic failure analyses, including analysis of the effects of digital I&C failures at the 1058 component-level, system-level, and plant-level; c) the evaluation of the proposed modification 1059 for its overall dependability; and d) the deterministic evaluation of the design for the adequacy 1060 of its ability to provide adequate defense-in-depth. It should be noted that items b), c), & d) may 1061 be distinct analyses from a), but they are performed as a consequence of a). The qualitative 1062 assessment framework discussed in the previous sections of this Attachment relies, in part, on 1063 the technical bases and conclusions documented within these engineering evaluations.
1064 1065 Design Process Considerations 1066 1067 Section 3.2 of NEI 01-01 includes a figure (Figure 3-2, Using Failure Analysis to Understand 1068 and Manage Risk) that illustrates "how failure analysis is applied during the design process to 1069 understand and manage risk. Risk is a function of both the likelihood and the consequences of 1070 potential failures and hazards. Depending on the combination, risk could be judged to be 1071 negligible, non-negligible (but acceptable), or unacceptable. In practice, the design process
RIS 2002-22 Supplement 1, Attachment Page 17 of 27 1072 1073 identifies unacceptable risks and makes adjustments accordingly, so by the time a proposed 1074 change is ready for implementation in the plant or for NRC review, it will always lie in the region 1075 of negligible or acceptable risk. [emphasis added]
1076 1077 The design process, in part, answers the following questions: a) what can go wrong? b) how 1078 likely is it to occur?; and c) what actions are needed to address it? In Section 5.2, key 1079 engineering evaluations are described that provide insights to whether adequate design 1080 attributes and features have been incorporated to minimize the occurrence of system failures, 1081 and to demonstrate sufficient system/equipment redundancy, diversity, separation, or 1082 independence.
1083 1084 Section 3.1 of NEI 01-01 states:
1085 1086 Engineering evaluations include the collection of activities that are performed to 1087 demonstrate reasonable assurance that the system is safe and satisfies the 1088 specified requirements (e.g., for quality, dependability, and performance). This 1089 may include evaluating and interpreting the results of the failure analysis, design 1090 verifications, software V&V, and review of vendor software design and 1091 development processes. Where appropriate, analyses of overall 1092 defense-in-depth and diversity of the plant may be warranted to demonstrate the 1093 ability to cope with common cause failures.
1094 1095 Section 4.1.1 of NEI 01-01 states that two key elements of the engineering evaluations are 1096 evaluating the dependability of the digital equipment and its associated software, and analyzing 1097 potential failures. One of the key considerations in licensing digital upgrades is determining 1098 whether failures due to software are as likely as other potential failures addressed in the 1099 UFSAR. This issue is addressed by establishing reasonable assurance that such failures are 1100 unlikely, based on the engineering evaluations performed as part of the design process.
1101 1102 5.2 Key Engineering Evaluations 1103 1104 Section 4 Engineering Evaluations of Appendix B, Outline for Documenting 10 CFR 50.59 1105 Screens and Evaluations, of NEI 01-01 provides guidance for documenting why the proposed 1106 digital I&C modification as designed is considered appropriate for the application. This 1107 Appendix section describes types of engineering evaluations that may be used to provide 1108 justification as to why the proposed design is appropriate. These include an evaluation of the 1109 design for conformance with applicable design criteria, regulatory requirements and industry 1110 standards.
1111 1112 The analyses described below represent acceptable methods for performing engineering 1113 evaluations supporting a qualitative assessment. One result of performing these evaluations is 1114 to provide insights as to whether a proposed digital I&C design modification may need to be 1115 enhanced with the inclusion of different or additional design attributes. Such different or 1116 additional design attributes would serve to prevent the occurrence of a possible software CCF, 1117 reduce the likelihood of occurrence of a possible software CCF, or mitigate the effects of a 1118 software CCF that can occur.
1119 1120 5.2.1 Failure Analyses
RIS 2002-22 Supplement 1, Attachment Page 18 of 27 1121 1122 As stated in Section 5.1 of NEI 01-01, a digital I&C modification failure analysis is a part of the 1123 design process that should be performed as part of plant design procedures and should be 1124 documented as part of the design process. The performance of such a deterministic failure 1125 analysis of a proposed digital I&C modification is one acceptable method for providing insights 1126 regarding the possible failure modes of the modification that are needed to support such 1127 licensing evaluations, which are typically performed later in the modification process. The 1128 failure analysis provides, in part, the insights needed to determine if a proposed digital I&C 1129 modification is vulnerable to possible software CCF such that the resulting design could reduce 1130 redundancy, diversity, separation, or independence, which could result in more than a minimal 1131 increase in the likelihood of occurrence of accidents or malfunctions. Such deterministic failure 1132 analyses provide feedback to the designers regarding effects of possible failures of the 1133 proposed digital I&C modification on plant systems so that the designers can make 1134 determinations as to whether there is a need to further modify the design to address any design 1135 issues that are uncovered. For example, a failure analysis may reveal that due to the adequacy 1136 of design features already included within a proposed design, the possible occurrence of 1137 failures due to a software CCF vulnerability is considered to have such a low risk that the 1138 proposed design is considered to be adequate.
1139 1140 NEI 01-01 Section 5.1 states, in part, that the failure analysis should include the following 1141 elements..:
1142 1143 x Identification of potential system-level failure and undesirable behavior (which 1144 may not be technically failures) and their consequences. This includes 1145 consideration of potential single failures as well as plausible common cause 1146 failures.
1147 1148 x Identification of potential vulnerabilities, which could lead to system failures or 1149 undesirable conditions.
1150 1151 x Assessment of the significance and risk of identified vulnerabilities.
1152 1153 x Identification of appropriate resolutions for identified vulnerabilities, including 1154 provide [sic] means for annunciating system failures to the operator.
1155 1156 NEI 01-01 Section 5.1 also states:
1157 1158 A variety of methodologies and analysis techniques can be used in these 1159 evaluations, and the scope of the evaluations performed and documentation 1160 produced depends on the scope and complexity of the upgrade. The analysis 1161 maintains a focus at the level of the design functions performed by the system, 1162 because it is the effects of the failure on the system and the resulting impact on 1163 the plant that are important. Failures that impact plant safety are those that 1164 could: prevent performance of a safety function of the system, affect the ability of 1165 other systems to perform their safety functions, or lead to plant trips or transients 1166 that could challenge safety systems.
1167 1168 NEI 01-01 Section 5.1.1 states, in part,
RIS 2002-22 Supplement 1, Attachment Page 19 of 27 1169 1170 It is useful at this stage to review the UFSAR to determine how failures of the 1171 affected system are described and analyzed. An understanding of the UFSAR-1172 described failures and their results is needed to support the 10 CFR 50.59 1173 evaluation discussed in Section 4 [Licensing Process and 10 CFR 50.59.] If the 1174 plant design change introduces any failures that cause results different from 1175 those analyzed in the UFSAR, then a license amendment may be required.
1176 1177 The introduction of new digital designs having sources of CCF in common with other plant 1178 non-safety related designs that have been assumed in the safety analyses to remain functional, 1179 may result in the plant being put into a condition for which it has not been analyzed. This is 1180 particularly the case when such common sources of CCF also are subject to common triggers.
1181 1182 An adequate failure analysis is one that includes a sufficient level of detail to enable licensees to 1183 make a determination as to the possibility for and likelihood of potential new failures that could 1184 be introduced by a proposed modification. This includes an understanding of the operations of 1185 any external connections of the modified SSC(s) to and from other SSCs, as well as an 1186 understanding of how identical hardware and software, power supplies, human-machine 1187 interfaces, etc. may have been employed elsewhere in the plant, such that after the modification 1188 has been implemented, there remains a possible commonality in vulnerabilities to the same 1189 common cause sources and their triggers. NEI 01-01, Section 4.1.2 states that additional 1190 factors that can contribute to the determination that the likelihood of software CCF is acceptably 1191 low include:
1192 1193 Simple software architecture, few inputs/outputs, well-defined failure states, built-1194 in fault tolerance (see Section 5.3.2). Systems that are sufficiently simple can 1195 have well defined failure modes and tend to allow for more thorough testing of all 1196 input and output combinations than complex systems. The simplicity of the 1197 digital equipment itself and of the application should be considered.
1198 1199 Modifications that employ effective design attributes and features such as internal or external 1200 systematic diversity help to ensure that possible vulnerabilities do not result in CCFs. The 1201 design of such systems are deemed to be adequate.
1202 1203 5.2.2 Dependability Evaluation 1204 1205 The dependability of a design is described in NEI 01-01 (Page 2-3) as a broad concept 1206 incorporating various characteristics of digital equipment, including reliability, safety, availability, 1207 maintainability, and others. Section 4.1.2 of NEI 01-01 states:
1208 1209 To determine whether a digital system poses a significant risk of software failure, 1210 the factors that contribute to its dependability (or likelihood of failure) and quality 1211 need to be evaluated.
1212 1213 NEI 01-01, Section 4.1.2 further states that additional factors that can contribute to the 1214 determination that the likelihood of software CCF is acceptably low include:
1215 1216 The maturity of the product and substantial relevant history of satisfactory 1217 operation in similar application (including operating experience at other plants 1218 and in other industries). Additional confidence is gained if the same equipment
RIS 2002-22 Supplement 1, Attachment Page 20 of 27 1219 1220 and application program have been used successfully in other nuclear plants or 1221 other similar applications.
1222 1223 Technical evaluation in combination with deterministic design measures can be used to make a 1224 determination as to whether a proposed I&C modification is sufficiently dependable. However, 1225 there might not be clearly applicable consensus methods for accurately quantifying the reliability 1226 of software. Therefore, it may be necessary to use engineering judgment as to whether the 1227 proposed design is still sufficiently dependable in its ability to perform its required functions 1228 while significantly limiting, or avoiding the introduction of possible new sources of software CCF.
1229 1230 The dependability evaluation relies on some degree of engineering judgment to support a 1231 conclusion that the digital modification is considered to be sufficiently dependable. When 1232 performing a dependability evaluation, one acceptable method is to consider: (1) inclusion of 1233 any deterministically-applied defensive design features and attributes, (2) conformance with 1234 applicable standards regarding quality of the design process for software and hardware, and (3) 1235 relevant operating experience. Although not stated in NEI 01-01, staff believes that judgements 1236 regarding the quality of the design process and operating experience may supplement, but not 1237 replace the inclusion of design features and attributes.
1238 1239 For proposed designs that are more complex or more risk significant, the inclusion of design 1240 features and attributes that: serve to prevent vulnerabilities to software CCF, significantly reduce 1241 the possible occurrence of software CCF, or significantly limit the consequences of such 1242 software CCF, should be key considerations for supporting a sufficiently dependable 1243 determination. Design features maximizing reliable system performance, to the extent 1244 practicable, can be critical in establishing a basis for the dependability of complex or risk 1245 significant designs.
1246 1247 Section 5.1.3 of NEI 01-01 states that Judgments regarding dependability, likelihood of failures, 1248 and significance of identified potential failures should be documented. It may be challenging 1249 to demonstrate sufficient dependability using solely the quality of the design process.
1250 1251 5.2.3 Defense-in-Depth Analyses 1252 1253 If there are specific licensing basis discussions for diversity or defense-in-depth applicable to 1254 the affected design function they must be explicitly addressed. For example, as discussed in 1255 Section 5.2 of NEI 01-01, a defense-in-depth and diversity (D3) analysis is required when the 1256 trip logic and actuation portions of the RTS and/or ESFAS are modified with digital equipment.
1257 1258 Although a formal D3 analysis is not required for non-protection systems, a defense-in-depth 1259 analysis should also be considered for complex digital modifications of non-protection systems to 1260 determine the impact of any new potential vulnerabilities to common cause failures due to the 1261 introduction of shared resources, common hardware and software, or the combination of design 1262 functions of systems that were previously considered to be independent of one another. If a new 1263 potential common cause vulnerability has been introduced, the defense in depth analysis can 1264 identify whether there may be diverse manual or automatic means that can perform the same or 1265 different functions or whether additional design features (e.g., internal diversity) are appropriate 1266 for incorporation.
1267 1268 Possible software CCFs that have been identified in the failure analysis (and not eliminated from 1269 consideration based on the dependability evaluation) can be assessed to determine whether
RIS 2002-22 Supplement 1, Attachment Page 21 of 27 1270 1271 adequate diversity and defense-in-depth will remain after the digital I&C modification is 1272 implemented. Possible means, for ensuring adequate diversity and defense-in-depth will 1273 remain at the system or plant level, can include: (a) the use of design attributes to achieve 1274 adequate diversity, (b) the crediting of available high-quality, non-safety related, but 1275 independent systems, or (c) manual actions that are already analyzed and credited in the 1276 UFSAR safety analysis.
1277
RIS 2002-22 Supplement 1, Attachment Page 22 of 27 1278 1279 Section 5.2.1 of NEI 01-01 states:
1280 1281 The cumulative effects of a series of upgrades or modifications should also be 1282 considered in the determination of whether a defense-in-depth and diversity 1283 analysis is performed. For any change to the plant, consideration should be 1284 given to the effects the change may have on diversity and defense-in-depth for 1285 RTS/ESFAS functions. If the change would affect the diversity and defense-in-1286 depth of the RTS/ESFAS functions, then the analysis should be performed.
1287 1288 Also, if other I&C systems, including ATWS and other non-safety systems, are 1289 being upgraded to digital in plants where digital upgrades to RTS and/or ESFAS 1290 have already been done, prior defense-in-depth and diversity analyses should be 1291 reviewed. If the I&C system under consideration was credited in the prior 1292 analysis as providing backup, then the replacement digital equipment should be 1293 diverse from that used in the protection systems. NUREG-6303 provides 1294 guidance on methods that can be used to assess the diversity of digital systems.
1295 1296 For RPS and ESFAS, BTP 7-19, Revision 7, Section 1.9 states that many system design 1297 attributes, testing, procedures, and practices can contribute to significantly reducing the 1298 probability of CCF occurrence. However, there are two design attributes, either of which is 1299 sufficient to eliminate consideration of software based or software logic based CCF. For other 1300 systems, different design attributes and testing can be used if: (1) technically acceptable, (2) 1301 suitable for the application, and (3) defensible. Properly implemented, these different attributes 1302 could serve to significantly reduce uncertainty and establish that the risk is determined 1303 negligible or acceptable.
1304 1305 To simplify and to facilitate the D3 analysis, a CCF may be assessed using best-estimate 1306 methods and realistic assumptions. However, such methods are not appropriate for use in 1307 evaluating the effects of failures when performing 50.59 evaluations. Unless already 1308 incorporated into the design and licensing basis, best-estimate methods cannot be used for 1309 evaluating different results than those previously evaluated in the UFSAR.
1310 1311 A defense-in-depth evaluation may reveal any direct or indirect impacts on interfaces with 1312 existing plant SSCs. This type of evaluation may reveal there are existing backup capabilities 1313 that could serve to mitigate any negative effects of possible low likelihood failures that could be 1314 introduced through the proposed design of the modification.
1315 1316 5.3 Appropriate Resolution to Identified Failures 1317 1318 If a postulated common cause failure of a digital modification has been provisionally determined 1319 to be not sufficiently low, in general, the following options can be considered:
1320 1321 - seek NRC approval first, pursuant 10 CFR 50.90 for the modification; 1322 - satisfy 10 CFR 50.59 criteria using an alternative approach6; or 1323 - redesign the proposed modification so that a sufficiently low likelihood of failure conclusion 1324 could be made.
1325 1326 1327 6 An example of an alternative approach is a deterministic conclusion that failure likelihood is less than comparable 1328 failures in the UFSAR.
RIS 2002-22 Supplement 1, Attachment Page 23 of 27 1329 1330 NEI 01-01 Section 5.1.4, states, in part, with regard to appropriate resolution for identified 1331 potential failures, the following:
1332 1333 Modify the design or apply greater emphasis to appropriate parts of the design 1334 process to address the potential failure. If the failure is considered significant 1335 because of a lack of confidence (or difficulty in achieving reasonable assurance) 1336 in a portion of the design or in a particular software element in the design, then 1337 one option may be to apply additional design verification or testing activities.
1338 This additional design verification or testing could develop the needed confidence 1339 and achieve reasonable assurance that the likelihood of the failure is such that it 1340 is no longer considered a significant risk [sufficiently low]. Alternatively, the 1341 design itself may be modified to either preclude the failure (e.g., make it fail safe 1342 for this particular failure) or add internal backups in the design, such as 1343 redundancy or diversity.
1344 1345 Redesigning a proposed modification to include additional design attributes, design features (e.g.,
1346 internal or external systematic diversity) and/or additional design verification and testing activities 1347 is a recommended option for licensees to consider if the licensee wants to implement the 1348 modification without prior NRC approval. Redesigning could also help ensure potential new 1349 failure modes and misbehaviors are adequately addressed in the design. Providing additional 1350 design verification and/or testing activities on software or software-based elements of a proposed 1351 design that demonstrates high reliability can be a key consideration in demonstrating the overall 1352 dependability of the proposed modification and that the modification will exhibit a low likelihood of 1353 failure.
1354 1355 NEI 01-01 Section 5.1.4, also states, in part, with regard to appropriate resolution for identified 1356 potential failures, the following:
1357 1358 Rely on existing backup capability offered by existing systems to address the 1359 failure - other equipment or systems that provide alternate ways of 1360 accomplishing the function or otherwise provide backup for this failure. This may 1361 include operator action if there is adequate information and time available for the 1362 operator to act, and with appropriate procedures and/or training.
1363 1364 Supplement the existing backup capability such that the failure is adequately 1365 addressed. This could include improving the ability to detect the failure 1366 automatically so the repair response will be timely, improving procedures and 1367 training for the operators to mitigate the effects of the failure, or providing 1368 additional backup capability (e.g., manually operated switches for critical 1369 functions and procedural guidance for their use), so that the resulting risk is 1370 insignificant.
1371 1372 Reliance on existing backup capability that has been evaluated and documented as part of a 1373 plants licensing bases is one acceptable means to address postulated failure modes and 1374 undesirable behaviors of a proposed digital I&C modification. Similarly, re-design of existing 1375 backup capabilities is also considered acceptable, as a means to address failures that can be 1376 introduced by the modification. In cases where reliance on back-up capability or operator actions 1377 is not part of the plants licensing basis, prior NRC approval would likely be required.
RIS 2002-22 Supplement 1, Attachment Page 24 of 27 1378 1379 5.4 Documentation of Engineering Evaluations 1380 1381 The documentation of adequate engineering evaluation outlines the identification of potential 1382 new failure modes or undesirable behaviors on the design function of the modified SSC(s) or 1383 other SSC(s), the possible effects of these vulnerabilities on plant safety, and the design 1384 features or operating provisions that are being put into place to prevent and/or mitigate their 1385 occurrence as well as descriptions of the types of engineering evaluations performed.
1386 Documenting an adequate engineering evaluation of appropriate resolutions to the identified 1387 vulnerabilities permits a clear understanding by designers and future evaluators of the potential 1388 effects of the vulnerabilities to plant safety and operations.
1389 1390 Table 2 below provides a suggested outline for documentation to support NEI 01-01 Appendix B 1391 guidance for engineering evaluations that supports and forms the basis for qualitative 1392 assessments for safety-related and non-safety related SSCs, as applicable. Although not 1393 required, licensees may use Table 2 as an example basis for the level of detail, types of 1394 evaluations, and documentation such that technical conclusions reached through the 1395 engineering evaluations can be verified independently. Implementation details are at the 1396 discretion of the licensee, consistent with the licensees procedures.
1397 1398 Engineering Evaluations and Documentation for Non-Safety Related SSCs 1399 1400 With regard to engineering evaluations of non-safety related SSCs, there may be differences in 1401 the level of detail, types of analyses and documentation based upon the non-safety related 1402 SSC(s) being modified and the characteristics of the design within the proposed modification.
1403 1404 Adequate engineering evaluation for non-safety related SSCs helps ensure:
1405 1406 x Postulated new failure modes do not result in concurrent failures in shared resources, 1407 common hardware and software, or communications among two or more different 1408 non-safety related SSCs such as the combining of different design functions that were 1409 previously separate (e.g. Feedwater and Turbine Bypass controls).
1410 1411 x Postulated new failure modes do not exist that could propagate to two or more different 1412 non-safety related SSCs such that the effect could place the plant into an unanalyzed 1413 condition based upon the plants existing safety analysis.
1414 1415 x Identified vulnerabilities have been adequately addressed (e.g. specific design features, 1416 quality of the design processes or demonstration of relevant operating experience).
1417 1418 Documentation for non-safety related modifications should be consistent with the licensees 1419 procedures. Licensees need not prepare formal qualitative assessments for every proposed 1420 digital modification to non-safety related SSCs where the nature of the proposed modification 1421 does not have the characteristics described above (i.e., with the potential to impact assumptions 1422 in the safety analysis), consistent with requirements of licensee procedures.
RIS 2002-22 Supplement 1, Attachment Page 25 of 27 Table 2Example - Engineering Evaluation Documentation Outline to support a Qualitative Assessment Topical Area Description Step 1 Describe the full extent of the SSCs to be modifiedboundaries of the Identification design change, interconnections with other SSCs, and potential commonality to vulnerabilities with existing equipment.
x What are all of the UFSAR-described design functions of the upgraded/modified components within the context of the plant system, subsystem, etc.?
x Describe what design function(s) that were provided by the previously installed equipment are affected and how those same design functions will be accomplished by the modified design. Also describe any new design functions to be performed by the modified design that were not part of the original design.
x What assumptions and conditions are expected for each associated design function for either safety-related or power generation purposes? For example, the evaluation should consider both active and inactive states, as well as transitions from one mode of operation to another.
Step 2Identify Consider the possibility that the proposed modification may have potential introduced potential single failures and plausible common cause failures.
vulnerabilities: failure x What are potential new undesirable behaviors of the modified modes and system? A key consideration is that undesirable behaviors may undesirable behavior not necessarily constitute a SSC failure, but a mis-operation. (e.g.,
spurious actuation) x Consider errors or failures as a result of hardware, software including operating systems, application software, combining of functions onto the same controller(s), introduction of shared resources, or common hardware and software, etc.
x Are there interconnections or interdependencies among the modified SSC and other SSCs? This could be facilitated by use of digital communications, modification of control logic, common usage of hardware/software, etc.
x Are there potential new sources of common cause failure being introduced that are also subject to common triggering mechanisms with those of other SSCs not being modified?
x What potential failure modes or undesired behaviors may be introduced as a result of the modification (e.g. new operator interfaces, introduction of digital communications)
Step 3Assess the x Could the possible new failure mode or undesired behavior lead to effects of the a plant trip or transient?
identified x Could the possible new failure mode or undesired behavior vulnerabilities prevent performance of a safety function of the SSC(s) being modified?
x Can the possible new failure mode or undesired behavior affect the ability of other SSCs to perform their safety function?
x Could the possible new failure mode of the SSC, concurrent with a similar failure of another SSC not being modified but sharing a 1423
RIS 2002-22 Supplement 1, Attachment Page 26 of 27 Table 2Example - Engineering Evaluation Documentation Outline to support a Qualitative Assessment Topical Area Description common vulnerability and triggering mechanism, place the plant into an unanalyzed condition, or into a condition for which the other SSC was assumed to function as expected for a particular event analyzed in the existing safety analysis?
x What are the results of the postulated new failure(s) of the modified SSC(s) compared to previous evaluation results described in the UFSAR?
x Does the possible new failure mode or undesired behavior affect the ability of the modified SSC or other SSCs to provide its design function (as defined in NEI 96-07)?
Step 4Identify What actions are being taken (or were taken) to address significant appropriate identified vulnerabilities?
resolutions for each x Are further actions required?
identified vulnerabilit x Re-design in order to add additional design features or attributes?
x Credit existing backup capability?
x Is there means to annunciate the postulated failure or misbehavior to the operator?
Step 5Rationale Provide a brief description of why the identified resolutions described in Step 4 of this table adequately address the identified vulnerabilities in Step 3 of this table.
Step 6 x An acceptable documentation describes each of the resolutions Documentation of needed to address the potential low likelihood failure modes Available Evidence identified in Step 2 of this table x Conformance to regulatory requirements (e.g. General Design Criteria and Regulatory Guides) and Industry consensus standards, etc. that are met or credited. (e.g., seismic, EMI/RFI, ambient temperature, heat contribution, etc.), as applicable.
x Quality of the Design Processes employed in such as within the software life cycle development (e.g., verification and validation processes used as evident in a traceability matrix, quality assurance (QA) documentation, unit test and system test results, etc.,),
x Description of relevant Operating History (e.g., platform used in numerous applications worldwide, etc. with minimal failure history, etc.)
x Description of how the design features/attributes are credited towards resolution of the vulnerabilities identified (e.g., internal design features within the digital I&C architectures such as self-diagnostic and self-testing features or physical restrictions external to the digital I&C portions of the modified SSC(s)),
defense-in-depth (e.g., internal systematic diversity, internal back-up capability, etc.)
x Engineering evaluations performed such as failure analysis, dependability analysis, defense-in-depth analysis, etc.
1424
RIS 2002-22 Supplement 1, Attachment Page 27 of 27 1425 Table 2Example - Engineering Evaluation Documentation Outline to support a Qualitative Assessment Topical Area Description Step 7Conclusion Apply the results of the engineering evaluation to the qualitative assessment to respond to the 50.59 evaluation questions as appropriate.
1426 1427 1428 6. Qualitative Assessment Documentation 1429 1430 NRC endorsed guidance for documenting 10 CFR 50,59 evaluations to meet the requirements 1431 of 10 CFR 50.59 (d) is provided in both NEI 96-07, Revision 1 in Section 5.0, Documentation 1432 and Reporting and NEI 01-01, Appendix B. Both of these documents reiterate the principals 1433 that documentation should include an explanation providing adequate basis for the 1434 conclusion so that a knowledgeable reviewer could draw the same conclusion.
1435 1436 Considerations and conclusions reached while performing qualitative assessments supporting 1437 the evaluation criteria of 10 CFR 50.59, are subject to the aforementioned principles. In order 1438 for a knowledgeable reviewer to draw the same conclusion regarding qualitative assessments, 1439 details of the considerations made, and their separate and aggregate effect on any qualitative 1440 assessments need to be included or clearly referenced in the 10 CFR 50.59 evaluation 1441 documentation. Documentation of referenced documents includes the document name and 1442 location of the information within any referenced document.
1443 1444 If the qualitative assessment categories discussed in Section 4.3 are used, each category would 1445 be discussed in the documentation including positive and negative aspects considered, 1446 consistent with the examples provided in Table 1. In addition, a discussion of the degree to 1447 which each of the categories was relied on to reach the qualitative assessment conclusion 1448 would be documented.
RIS 2002-22 Supplement 1, Attachment Page 28 of 27 1449 1450
SUBJECT:
NRC REGULATORY ISSUE
SUMMARY
, CLARIFICATION ON ENDORSEMENT 1451 OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN DESIGNING DIGITAL UPGRADES IN 1452 INSTRUMENTATION AND CONTROL SYSTEMS, SUPPLEMENT 1 TO RIS 2002-22, 1453 DATE: January XX, 2018 1454 1455 1456