ML18143B633
ML18143B633 | |
Person / Time | |
---|---|
Issue date: | 05/31/2018 |
From: | Mcginty T, Chris Miller Division of Construction Inspection and Operational Programs, Division of Inspection and Regional Support |
To: | |
Shared Package | |
ml18151a176 | List: |
References | |
RIS 2002-022 | |
Download: ML18143B633 (21) | |
See also: RIS 2002-22
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
OFFICE OF NEW REACTORS
WASHINGTON, DC 20555-0001
May 31, 2018
NRC REGULATORY ISSUE SUMMARY 2002-22, SUPPLEMENT 1,
CLARIFICATION ON ENDORSEMENT OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN
DESIGNING DIGITAL UPGRADES IN INSTRUMENTATION AND CONTROL SYSTEMS
ADDRESSEES
All holders of operating licenses under Title 10 of the Code of Federal Regulations (10 CFR)
Part 50, Domestic Licensing of Production and Utilization Facilities.
All holders of combined licenses under 10 CFR Part 52, Licenses, Certifications, and Approvals
for Nuclear Power Plants.
INTENT
The U.S. Nuclear Regulatory Commission (NRC) is issuing a supplement to Regulatory Issue
Summary (RIS) 2002-22, Use of EPRI/NEI Joint Task Force Report, Guideline on Licensing
Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 To
Reflect Changes to the 10 CFR 50.59 Rule, dated November 25, 2002 (Agencywide
Documents Access and Management System (ADAMS) Accession No. ML023160044).
RIS 2002-22 endorses Nuclear Energy Institute (NEI) 01-01, Guideline on Licensing Digital
Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 To Reflect
Changes to the 10 CFR 50.59 Rule, issued March 2002 (ADAMS Accession
No. ML020860169). NEI 01-01 provides guidance for designing, licensing, and implementing
digital upgrades and replacements to instrumentation and control (I&C) systems (hereinafter
referred to as digital I&C) in a consistent and comprehensive manner.
The RIS supplement clarifies RIS 2002-22, which remains in effect. The NRC continues to
endorse NEI 01-01 as stated in RIS 2002-22, as clarified by this RIS supplement. Specifically,
the guidance in this RIS supplement clarifies the NRC staffs endorsement of the guidance
pertaining to NEI 01-01, Sections 4 and 5 and Appendices A and B. This RIS supplement
clarifies the guidance for preparing and documenting qualitative assessments that can be used
to evaluate the likelihood of failure of a proposed digital modification, including the likelihood of
failure due to a common cause (i.e., common-cause failure (CCF)). Licensees can use these
qualitative assessments to support a conclusion that a proposed digital I&C modification has a
sufficiently low1 likelihood of failure. This conclusion and the reasons for it should be
documented, as required by 10 CFR 50.59(d)(1), as part of the evaluations of proposed digital
1 On page 4-20 of NEI 01-01, NEI defines sufficiently low to mean much lower than the likelihood of failures that
are considered in the updated final safety analysis report (UFSAR) (e.g., single failures) and comparable to other
CCFs that are not considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors).
RIS 2002-22 Supplement 1
Page 2 of 5
I&C modifications against some of the criteria in 10 CFR 50.59, Changes, tests, and
experiments.
Consistent with RIS 2002-22, this RIS supplement is intended to address digital modifications to
safety-related systems or components but may also be applied to modifications of non-safety
related systems or components at the discretion of the licensee. This RIS supplement is not
directed toward digital I&C replacements of the reactor protection system, the engineered safety
features actuation system, or modification/replacement of the internal logic portions of these
systems (e.g., voting logic, bistable inputs, and signal conditioning/processing) because
application of the guidance in this RIS supplement to such changes would likely involve
additional considerations. This RIS supplement provides guidance for addressing CCF in
10 CFR 50.59 evaluations. Other NRC guidance documents address potential CCFs of digital
I&C equipment.
This RIS supplement does not require any action or written response on the part of an
addressee.
BACKGROUND INFORMATION
By letter dated March 15, 2002, NEI submitted Electric Power Research Institute (EPRI)
TR-102348, Revision 1 (NEI 01-01), for the NRC staffs review. NEI 01-01 replaced the original
version of EPRI TR-102348, issued December 1993, which the NRC endorsed in Generic Letter 1995-02, Use of NUMARC/EPRI Report TR-102348, Guideline on Licensing Digital
Upgrades, in Determining the Acceptability of Performing Analog-to-Digital Replacements
under 10 CFR 50.59, dated April 26, 1995 (ADAMS Accession No. ML031070081). On
November 25, 2002, the NRC staff issued RIS 2002-22 to notify addressees that it had
reviewed NEI 01-01 and was endorsing the report for use as guidance in designing and
implementing digital upgrades to nuclear power plant I&C systems.
Following the NRC staffs 2002 endorsement of NEI 01-01, holders of operating licenses have
used that guidance in support of digital design modifications in conjunction with Regulatory
Guide 1.187, Guidance for Implementation of 10 CFR 50.59, Changes, tests, and
experiments, issued November 2000 (ADAMS Accession No. ML003759710), which endorses
NEI 96-07, Guidelines for 10 CFR 50.59 Implementation, Revision 1, issued November 2000
(ADAMS Accession No. ML003771157).
NRC inspections of documentation for digital I&C plant modifications that some licensees
prepared using the guidance in NEI 01-01 identified inconsistencies in the performance and
documentation of licensee engineering evaluations. In addition, NRC inspections identified
documentation issues with the written evaluations of the 10 CFR 50.59(c)(2) criteria. The term
engineering evaluations refers to evaluations performed in designing digital I&C modifications
other than the 10 CFR 50.59 evaluations (e.g., evaluations performed under the licensees
NRC-approved quality assurance program). This RIS supplement clarifies the guidance for
licensees performing and documenting engineering evaluations and the development of
qualitative assessments.
In response to Staff Requirements Memorandum (SRM)-SECY-16-0070 Staff Requirements
SECY-16-0070Integrated Strategy To Modernize the Nuclear Regulatory Commissions
Digital Instrumentation and Control Regulatory Infrastructure, dated October 25, 2016 (ADAMS
Accession No. ML16299A157), the NRC staff has engaged the public, NEI, and industry
representatives to improve the guidance for applying 10 CFR 50.59 to digital I&C-related design
RIS 2002-22 Supplement 1
Page 3 of 5
modifications as part of a broader effort to modernize the I&C regulatory infrastructure. The
integrated action plan developed to implement the SRM direction described the issuance of the
guidance in this RIS supplement as a near-term action to provide specific guidance for
documenting qualitative assessments that support a conclusion that a proposed digital I&C
modification will exhibit a sufficiently low likelihood of failure.
Applicability to 10 CFR Part 50 Licensees other than Power Reactors
The examples and specific discussion in this RIS supplement and other guidance referenced by
this RIS supplement (i.e., NEI 01-01 and the original RIS 2002-22) primarily focus on power
reactors. Other licensees may also use the guidance in RIS 2002-22 and apply the guidance in
this RIS supplement to develop written evaluations that address the criteria in
10 CFR 50.59(c)(2). In particular, these licensees may use the guidance to prepare qualitative
assessments that consider design attributes, quality of the design process, and operating
experience to evaluate proposed digital I&C modifications to their facilities as described in
NEI 01-01, Section 4, Section 5, and Appendices A and B. However, certain aspects of the RIS
guidance discuss regulatory requirements that may not fully apply to these licensees (e.g.,
Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing
Plants).
SUMMARY OF ISSUE
In general, implementation of digital I&C technology can provide dependability and safety
benefits. Notably, digital technology can be designed to provide continuous diagnostic
information to plant operators on the integrity of its internal systems operation and its
availability. However, implementation of digital I&C technology may introduce potential hazards
such as software CCF or failures introduced as result of interconnectivity.
Some hazards, such as software CCF, may be addressed through a qualitative assessment.
A qualitative assessment can be used to support a conclusion that a proposed digital I&C
modification will not result in more than a minimal increase in the frequency of occurrence of
accidents or in the likelihood of occurrence of malfunctions (10 CFR 50.59(c)(2)(i) and (ii)). A
qualitative assessment can also be used to support a conclusion that the proposed modification
does not create the possibility of an accident of a different type or malfunction with a different
result than previously evaluated in the updated final safety analysis report
(10 CFR 50.59(c)(2)(v) and (vi)). These conclusions can be satisfied if a proposed digital I&C
modification has a sufficiently low likelihood of failure.
For digital I&C modifications, an adequate basis for a determination that a proposed change
involves a sufficiently low likelihood of failure may be derived from a qualitative assessment of
factors such as design attributes, the quality of the design processes used, and an evaluation of
relevant operating experience of the integrated software and hardware used (i.e., product
maturity and inservice experience). The licensee may use a qualitative assessment to
document the factors and rationale for concluding that an adequate basis exists for determining
that a digital I&C modification will exhibit a sufficiently low likelihood of failure. In doing so, the
licensee may consider the aggregate of these factors. The attachment to this RIS supplement
provides a framework for preparing and documenting qualitative assessments and engineering
evaluations including approaches for addressing interconnectivity hazards.
RIS 2002-22 Supplement 1
Page 4 of 5
BACKFITTING AND ISSUE FINALITY DISCUSSION
This RIS supplement clarifies but does not supersede RIS 2002-22 and includes additional
guidance on how to perform and document qualitative assessments and supporting engineering
evaluations for digital I&C changes under 10 CFR 50.59.
The NRC does not intend or approve any imposition of the guidance in this RIS supplement,
and this RIS supplement does not contain new or changed requirements or staff positions that
constitute either backfitting under the definition of backfitting in 10 CFR 50.109(a)(1) or a
violation of issue finality under any of the issue finality provisions in 10 CFR Part 52. Therefore,
this RIS supplement does not represent backfitting as defined in 10 CFR 50.109(a)(1), nor is it
otherwise inconsistent with any issue finality provision in 10 CFR Part 52. Consequently, the
NRC staff did not perform a backfit analysis for this RIS supplement or further address the issue
finality criteria in 10 CFR Part 52.
FEDERAL REGISTER NOTIFICATION
The NRC published a notice of opportunity for public comment on a previous draft of this RIS in
the Federal Register on July 3, 2017 (82 FR 30913). Subsequently, the NRC published a
second notice of opportunity for public comment on the revised RIS in Volume 83 of the Federal
Register, page 11154, on March 14, 2018 (83 FR 11154). As noted in the March 14, 2018
Federal Register Notice (FRN), The NRC staff engaged in multiple communications with the
public and stakeholders and continued internal discussions about the RIS. As a result of these
efforts, the NRC has substantially rewritten the RIS. Due to the extensive nature of these
revisions, and in light of this additional opportunity for comment, the NRC is not directly
responding to each comment received in the previous comment period.
The NRC received comments from seven commenters as a result of the March 14, 2018
FRN. The NRC considered all comments, some of which resulted in changes to the RIS. The
staff will document the evaluation of these comments and the resulting changes to the RIS in a
memorandum that will be made publicly available in ADAMS at a later date.
CONGRESSIONAL REVIEW ACT
This RIS is a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-808). However,
the Office of Management and Budget (OMB) has not found it to be a major rule as defined in
the Congressional Review Act.
PAPERWORK REDUCTION ACT STATEMENT
This RIS provides guidance for implementing mandatory information collections covered by
10 CFR Part 50 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et. seq.).
OMB approved this information collection under control number 3150-0011. Send comments
regarding this information collection to the Information Services Branch, U.S. Nuclear Regulatory
Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the
Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0011) Office of
Management and Budget, Washington, DC 20503.
RIS 2002-22 Supplement 1
Page 5 of 5
Public Protection Notification
The NRC may not conduct or sponsor, and a person is not required to respond to, a request for
information or an information collection requirement unless the requesting document displays a
currently valid OMB control number.
CONTACT
Please direct any questions about this matter to the technical contacts or the Project Manager
listed below.
/RA/ (Paul G. Krohn for) /RA/
Timothy J. McGinty, Director Christopher G. Miller, Director
Division of Construction Inspection Division of Inspection and Regional Support
and Operation Programs Office of Nuclear Reactor Regulation
Office of New Reactors
Technical Contacts: David Rahn, NRR Wendell Morton, NRR
301-415-1315 301-415-1658
e-mail: David.Rahn@nrc.gov e-mail: Wendell.Morton@nrc.gov
Norbert Carte, NRR David Beaulieu, NRR
301-415-5890 301-415-3243
e-mail: Norbert.Carte@nrc.gov e-mail: David.Beaulieu@nrc.gov
301-415-3724
e-mail: Duane.Hardesty@nrc.gov (specifically for nonpower reactors)
Project Manager Contact: Tekia Govan, NRR
301-415-6197
e-mail: Tekia.Govan@nrc.gov
Note: NRC generic communications may be found on the NRC public Web site,
http://www.nrc.gov, under NRC Library/Document Collections.
Attachment: Qualitative Assessment and Failure Analysis
QUALITATIVE ASSESSMENT AND FAILURE ANALYSIS
1. Purpose
Regulatory Issue Summary (RIS) 2002-22, NRC Regulatory Issue Summary 2002-022: Use of
EPRI/NEI Joint Task Force Report, Guideline on Licensing Digital Upgrades: EPRI TR-102348,
Revision 1, NEI 01-01: A Revision of EPRI TR-102348 To Reflect Changes to the
10 CFR 50.59 Rule, dated November 25, 2002 (Agencywide Documents Access and
Management System (ADAMS) Accession No. ML023160044), endorses Nuclear Energy
Institute (NEI) 01-01, Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1,
NEI 01-01: A Revision of EPRI TR-102348 To Reflect Changes to the 10 CFR 50.59 Rule,
issued March 2002 (ADAMS Accession No. ML020860169). NEI 01-01 provides guidance on
implementing and licensing digital upgrades and provides guidance on performing qualitative
assessments of the dependability of digital instrumentation and control (I&C) systems.
NEI 96-07, Guidelines for 10 CFR 50.59 Implementation, Revision 1, issued November 2000
(ADAMS Accession No. ML003771157), acknowledges that qualitative assessments may be
used to address some of the criteria in Title 10 of the Code of Federal Regulations (10 CFR)
50.59, Changes, tests, and experiments. This attachment provides supplemental clarifying
guidance on one acceptable approach for performing qualitative assessments of digital I&C
modifications. Following the guidance in RIS 2002-22 and NEI 01-01, as clarified by the
guidance in this RIS supplement, will help licensees document qualitative assessments in
sufficient detail that an independent third party can verify the judgements, as stated in
NEI 01-01. Although a qualitative assessment can be used to support a 10 CFR 50.59
evaluation, this RIS supplement does not provide guidance for screening nor does it presume
that all digital modifications screen in.
NEI 01-01 uses the terms qualitative assessment and dependability evaluations
interchangeably. Within this RIS supplement attachment the terms qualitative assessment
and sufficiently low1 are used in conjunction with the performance of 10 CFR 50.59
evaluations. The term dependability evaluation is used in the context of engineering
evaluations. Engineering evaluations are not part of a 10 CFR 50.59 evaluation but may
provide technical supporting information for a 10 CFR 50.59 evaluation. Engineering
evaluations are performed in accordance with the licensees U.S. Nuclear Regulatory
Commission (NRC)-approved quality assurance program in developing digital I&C
modifications.
If a qualitative assessment determines that a potential failure (e.g., software CCF) has a
sufficiently low likelihood, the 10 CFR 50.59 evaluation does not need to consider the effects of
the failure. Thus, the qualitative assessment provides a means of addressing potential failures
to support a 10 CFR 50.59 evaluation. In some cases, the effects of a potential failures may not
create a different result than any previously evaluated in the updated final safety analysis report
(UFSAR).
1 On page 4-20 of NEI 01-01, NEI defines sufficiently low to mean much lower than the likelihood of failures that
are considered in the updated final safety analysis report (UFSAR) (e.g., single failures) and comparable to other
common-cause failures (CCFs) that are not considered in the UFSAR (e.g., design flaws, maintenance errors,
calibration errors).
Attachment
RIS 2002-22, Supplement 1, Attachment
Page 2 of 16
2. Regulatory ClarificationApplication of Qualitative Assessments to 10 CFR 50.59
When a licensee decides to undertake an activity that changes its facility as described in the
UFSAR, the licensee performs the engineering and technical evaluations in accordance with
plant procedures. If the licensee determines that an activity is acceptable through appropriate
engineering and technical evaluations, the licensee enters the 10 CFR 50.59 process. The
regulations in 10 CFR 50.59 provide a threshold for regulatory review, not a determination of
safety, for the proposed activities. In addition, 10 CFR 50.59 establishes the conditions under
which licensees may make changes to the facility or procedures and conduct tests or
experiments without prior NRC approval.
These evaluations must address all elements of proposed changes. Some elements of a
change may have positive effects on the likelihood of structure, system, and component (SSC)
failures, whereas other elements of a change may have negative effects. As derived from the
guidance in NEI 96-07, positive and negative elements can be considered together if they are
interdependent. Elements that are not interdependent must be evaluated separately.
2.1 Qualitative Assessment
Properly documented qualitative assessments may be used to support a conclusion that a
proposed digital I&C modification has a sufficiently low likelihood of failure consistent with the
UFSAR analysis assumptions. The 10 CFR 50.59 written evaluation uses this conclusion to
determine whether prior NRC approval is required.
The determination that a digital I&C modification will exhibit a sufficiently low likelihood of failure
can be derived from a qualitative assessment of factors such as system design attributes, the
quality of the design processes employed, and the operating experience with the integrated
software and hardware used (i.e., product maturity and inservice experience). Documenting the
qualitative assessment includes describing the factors, rationale, and reasoning (including
engineering judgement) for determining that the digital I&C modification exhibits a sufficiently
low likelihood of failure.
The determination of likelihood of failure may consider the aggregate of all the factors described
above. Some of these factors may compensate for weaknesses in other areas. For example, a
digital device that is simple and highly testable, thorough testing coupled with an analysis
demonstrating untested states are accounted for in the proposed application, may provide
additional assurance of a sufficiently low likelihood of failure that helps compensate for a lack of
operating experience.
Sufficiently Low Outcome
One approach for a qualitative assessment employs the concept of a sufficiently low likelihood
of failures. The use of this concept results in two possible outcomes of the sufficiently low
determination: (1) failure likelihood is sufficiently low and (2) failure likelihood is not
sufficiently low. NEI 01-01, Section 4.3.6, states that sufficiently low means much lower than
the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable
to other CCFs that are not considered in the UFSAR (e.g., design flaws, maintenance error,
calibration errors). This sufficiently low threshold is not interchangeable with that used for
distinguishing between events that are credible or not credible. The threshold for
RIS 2002-22, Supplement 1, Attachment
Page 3 of 16
determining whether an event is credible is whether it is as likely as (i.e., not much lower
than) the malfunctions already assumed in the UFSAR.
If a qualitative assessment determines that a potential failure (e.g., software CCF) has a
sufficiently low likelihood, the 10 CFR 50.59 evaluation does not need to consider the effects of
the failure. Thus, the qualitative assessment provides a means of addressing potential failures
to support a 10 CFR 50.59 evaluation.
2.2 Likelihood Thresholds for 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi)
A key element of 10 CFR 50.59 evaluations is demonstrating whether the modification
considered will exhibit a sufficiently low likelihood of failure. For digital modifications,
particularly those that introduce software, the likelihood of failure may potentially increase. For
redundant SSCs, this potential increase in the likelihood of failure may create an increase in the
likelihood of a CCF.
The NRC has used the criteria from NEI 96-07, Revision 1, and NEI 01-01 in its discussions of
sufficiently low threshold. These discussions are intended to clarify the existing 10 CFR 50.59
guidance; licensees should not interpret such discussions as a new or modified NRC position.
Criteria
For this RIS supplement, the outcome of the qualitative assessment is focused on a single
likelihood threshold of sufficiently low that encompasses and satisfies the individual likelihood
thresholds of 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi). Although it may be required by other
10 CFR 50.59 criteria, prior NRC approval is not required by10 CFR 50.59(c)(2)(i), (ii), (v), and
(vi) if there is a qualitative assessment outcome of sufficiently low, as described below:
Does the activity result in more than a minimal increase in the frequency of occurrence of an
accident previously evaluated in the UFSAR?
Sufficiently Low Threshold. The frequency of occurrence of an accident is directly
related to the likelihood of failure of equipment that initiates the accident (e.g., an
increase in the likelihood of a steam generator tube failure has a corresponding increase
in the frequency of a steam generator tube rupture accident). Thus, an increase in the
likelihood of failure of the modified equipment results in an increase in the frequency of
the accident. Therefore, if the qualitative assessment outcome is sufficiently low, there
is a no more than a minimal increase in the frequency of occurrence of an accident
previously evaluated in the UFSAR.
RIS 2002-22, Supplement 1, Attachment
Page 4 of 16
Does the activity result in more than a minimal increase in the likelihood of occurrence of a
malfunction of an SSC important to safety2 previously evaluated in the UFSAR?
Sufficiently Low Threshold. The likelihood of occurrence of a malfunction of an SSC
important to safety is directly related to the likelihood of failure of equipment that causes
a failure of SSCs to perform their intended design functions3 (e.g., an increase in the
likelihood of failure of an auxiliary feedwater (AFW) pump has a corresponding increase
in the likelihood of occurrence of a malfunction of SSCsthe AFW pump and AFW
system). Thus, the likelihood of failure of modified equipment that causes the failure of
SSCs to perform their intended design functions is directly related to the likelihood of the
occurrence of a malfunction of an SSC important to safety. Therefore, if the qualitative
assessment outcome is sufficiently low, the activity does not result in more than a
minimal increase in the likelihood of occurrence of a malfunction of an SSC important to
safety previously evaluated in the UFSAR.
Does the activity create a possibility for an accident of a different type than any previously
evaluated in the UFSAR?
Sufficiently Low Threshold. NEI 96-07, Revision 1, Section 4.3.5, states, Accidents of
a different type are limited to those that are as likely to happen as those previously
evaluated in the UFSAR. Accidents of a different type are caused by failures of
equipment that initiate an accident of a different type. If the outcome of the qualitative
assessment of the proposed change is that the likelihood of failure associated with the
proposed activity is sufficiently low, the activity does not introduce any failures that are
as likely to happen as those in the UFSAR that can initiate an accident of a different
type. Therefore, the activity does not create a possibility for an accident of a different
type than any previously evaluated in the UFSAR. If the qualitative assessment
determines that a potential failure (e.g., software CCF) does not have a sufficiently low
likelihood, the 10 CFR 50.59 evaluation needs to consider the effects of this failure.
Does the activity create a possibility for a malfunction of an SSC that is important to safety with
a different result than any previously evaluated in the UFSAR?
Sufficiently Low Threshold. NEI 96-07, Section 4.3.6, states that malfunctions with a
different result are limited to those that are as likely to happen as those in the UFSAR.
A malfunction of an SSC that is important to safety is an equipment failure that causes
the failure of SSCs to perform their intended design functions. If the outcome of the
qualitative assessment of the proposed change is that the likelihood of failure associated
2 NEI 96-07, Revision 1, Section 3.9, states, Malfunction of SSCs important to safety means the failure of SSCs to
perform their intended design functions described in the UFSAR (whether or not classified as safety-related in
accordance with 10 CFR [Part] 50, Appendix B).
3 The term design functions, as used in this RIS supplement, conforms to the definition of design functions in
NEI 96-07, Revision 1.
RIS 2002-22, Supplement 1, Attachment
Page 5 of 16
with the proposed activity is sufficiently low, the activity does not introduce any failures
that are as likely to happen as those in the UFSAR. Therefore, the activity does not
create a possibility for a malfunction of an SSC important to safety with a different result
from any other previously evaluated in the UFSAR. If the qualitative assessment
determines that a potential failure (e.g., software CCF) does not have a sufficiently low
likelihood, the 10 CFR 50.59 evaluation needs to consider the effects of this failure using
methods consistent with the plants UFSAR.
In some cases, the effects of a possible software CCF may not create a different result than any
previously evaluated in the UFSAR.
3. Qualitative Assessments
The activities listed below are examples of digital I&C modifications that licensees can likely
implement without prior NRC approval using properly documented qualitative assessments.
- replacement of analog relays (including timing relays) with digital relays
- replacement of analog controls for safety-related support systems such as chiller
(heating, ventilation, and air conditioning) systems and lubricating oil coolers
- replacement of analog controls for emergency diesel generator supporting systems and
auxiliary systems such as voltage regulation
- installation of circuit breakers that contain embedded digital devices
- replacement of analog recorders and indicators with digital recorders and indicators
- digital upgrades to non-safety related control systems
The evaluation of these proposed modifications is expected to be straightforward if they have no
interconnectivity across channels, systems, and divisions; and they do not reduce the
redundancy, diversity, separation, or independence4 of their UFSAR-described design functions.
However, digital modifications that involve networking, combining design functions from different
systems; interconnectivity across channels, systems, and divisions; or shared resources merit
careful review to ensure that such modifications incorporate appropriate design attributes so
that reductions in the redundancy, diversity, separation, or independence of UFSAR-described
design functions are not introduced.
Combining different design functions within digital modifications can result in combining design
functions of different systems either directly in the same digital device or indirectly through
shared resources, such as implementation of bidirectional digital communications or networks,
common controllers, power supplies, or a multifunction display and control station. Shared
resources (such as bidirectional communications, power supplies, controllers, and multifunction
display and control stations) introduced by digital modifications may also reduce the
redundancy, diversity, separation, or independence of UFSAR-described design functions.
4 NEI 96-07, Section 4.3.2, explains that a change that reduces system/equipment redundancy, diversity,
separation, or independence requires prior NRC approval because it would result in more than a minimal
increase in the likelihood of occurrences of a malfunction of a SSC important to safety.
RIS 2002-22, Supplement 1, Attachment
Page 6 of 16
3.1 Qualitative Assessment Factors
Consistent with the guidance in NEI 01-01, this attachment specifies three general factors:
(1) design attributes, (2) quality of the design process, and (3) operating experience.
Qualitatively assessing and documenting these factors separately, and in the aggregate, will
enable licensees to document qualitative assessments in sufficient detail that an independent
third party can verify the judgements. Note that design attributes and the quality of the design
process are interrelated (i.e., the quality of the design process assures the proper
implementation of design attributes). As a result, these two factors will always be essential
elements of a qualitative assessment. Operating experience in most cases can serve to
compensate for weakness in the other two factors. This guidance applies to modifications of
safety-related systems or components but may also be applied to modifications of non-safety
related systems or components at the discretion of the licensee.
Table 1 provides acceptable examples of design attributes, quality of the design process, and
documentation of operating experience. This listing is not all inclusive nor does the qualitative
assessment need to address each specific item.
3.1.1 Design Attributes
NEI 01-01, Section 5.3.1, states the following:
To determine whether a digital system is sufficiently dependable, and therefore
that the likelihood of failure is sufficiently low, there are some important
characteristics that should be evaluated These characteristics, discussed in
more detail in the following sections, include: Hardware and software design
features that contribute to high dependability (See Section 5.3.4). Such
[hardware and software design] features include built-in fault detection and failure
management schemes, internal redundancy and diagnostics, and use of software
and hardware architectures designed to minimize failure consequences and
facilitate problem diagnosis.
Design attributes of a proposed modification can prevent or limit failures from occurring.
Design attributes focus primarily on built-in features such as fault detection and failure
management schemes, internal redundancy, and diagnostics within the integrated software and
hardware architecture. However, design features external to the proposed modification
(e.g., mechanical stops on valves or pump speed limiters) may also be considered.
Many system design attributes, procedures, and practices can contribute to significantly
reducing the likelihood of failure (e.g., CCF). A licensee can account for this by assessing the
specific vulnerabilities through postulated failure modes (e.g., software CCF) within a proposed
modification and applying specific design attributes to address those vulnerabilities (see
Table 1). An adequate qualitative assessment of the likelihood of failure of a proposed
modification would describe the potential failures that the proposed modification could introduce
and the specific design attributes incorporated to resolve the identified potential failures. It
would also explain how the chosen design attributes and features resolve the identified potential
failures.
RIS 2002-22, Supplement 1, Attachment
Page 7 of 16
Diversity is one example of a design attribute that licensees can use to demonstrate that an
SSC modified with digital technology is protected from a loss of design function caused by a
potential CCF. In some cases, a plants design basis may specify diversity as part of the
design. In other cases, licensees do not need to consider the use of diversity in evaluating a
proposed modification. Diversity within the proposed design can be a powerful means for
significantly reducing the occurrence of failures that affect the accomplishment of design
functions.
3.1.2 Quality of the Design Process
NEI 01-01, Section 5.3.3, states the following:
For digital equipment incorporating software, it is well recognized that
prerequisites for quality and dependability are experienced software engineering
professionals combined with well-defined processes for project management,
software design, development, implementation, verification, validation, software
safety analysis, change control, and configuration control.
Such processes include software development, hardware and software integration processes,
system design, and validation and testing processes that have been incorporated into
development. For safety-related digital equipment composed of integrated hardware and
software, this development process would be documented and available for referencing in the
qualitative assessment for proposed modifications. However, for commercial-grade-dedicated
or non-safety related digital equipment comprising integrated hardware and software,
documentation of the development process may not be as extensive. In such cases, the
qualitative assessment may place greater emphasis on the design attributes included and the
extent of successful operating experience for the equipment proposed.
The quality of the design process is a key element in determining the dependability of the
proposed modifications. When possible, the use of applicable industry consensus standards
contributes to a quality design process and provides a previously established acceptable
approach (e.g., Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.)
1074-2006, IEEE Standard for Developing a Software Project Life Cycle Process, which is
endorsed in Regulatory Guide 1.173, Developing Software Life Cycle Processes for Digital
Computer Software Used in Safety Systems of Nuclear Power Plant). In some cases, other
nuclear or nonnuclear standards can also provide technically justifiable approaches for use if
they apply to the specific application.
Quality standards should not be confused with quality assurance programs or procedures.
Quality standards are those standards that describe the benchmarks that are specified to be
achieved in a design. Quality standards should be documents that are established by
consensus and approved by an accredited standards development organization. For example,
IEEE is a recognized standards development organization that publishes consensus-based
quality standards that are relevant to digital I&C modifications. Quality standards used to
ensure that a quality design process was used to develop the proposed change need not be
limited to those endorsed by the NRC staff. The qualitative assessment document should
demonstrate that the standard being applied is valid under the circumstances for which it is
being used.
RIS 2002-22, Supplement 1, Attachment
Page 8 of 16
For non-safety related SSCs, adherence to generally accepted commercial standards may be
sufficient. The qualitative assessment should list the generally accepted commercial industry
standards used in development of the equipment. If NRC-endorsed industry standards were
applied during the design or manufacturing process, or both, for non-safety related equipment,
these standards may be documented in the qualitative assessment to provide additional
evidence of quality.
3.1.3 Operating Experience
NEI 01-01, Section 5.3.1, states, Substantial applicable operating history reduces uncertainty in
demonstrating adequate dependability.
Relevant operating experience can be used to help evaluate and demonstrate that integrated
software and hardware equipment employed in a proposed modification has adequate
dependability. The licensee may document information showing that the proposed system or
component modification uses equipment with significant operating experience in nuclear power
plant applications or in nonnuclear applications with comparable performance standards and
operating environment. The licensee may also consider whether the suppliers of such
equipment incorporate quality processes such as continual process improvement and
incorporation of lessons learned and document how that information demonstrates adequate
equipment dependability.
Differences may exist in the specific digital I&C application between the proposed digital I&C
modification and that of the integrated hardware and software whose operating experience is
being credited. In all cases, however, the architecture of the referenced equipment and
software should be substantially similar to that of the proposed system.
Further, the design conditions and modes of operation of the equipment whose operating
experience is being referenced also need to be substantially similar to that of the proposed
digital I&C modification. For example, analysts need to understand the operating conditions
(e.g., ambient environment, continuous duty) experienced by the referenced equipment and
software. In addition when crediting operating experience from other facilities, it is important to
understand which design features were present in the design whose operating experience is
being credited. Design features that serve to prevent or limit possible CCFs in a design that is
referenced as relevant operating experience should be documented and considered for
inclusion in the proposed design. Doing so would provide additional support for a determination
that the dependability of the proposed design will be similar to the referenced application.
RIS 2002-22, Supplement 1, Attachment
Page 9 of 16
Table 1 Qualitative Assessment Factors Examples
Factors Examples for Each Factor
Design * Defense-in-depth, diversity, independence, and redundancy (if applicable)
Attributes
- Inherent design features for integrated software and hardware or
architectural/network (e.g., watchdog timers that operate independent of
software, isolation devices, segmentation of distributed networks,
self-testing, and self-diagnostic features)
- Nonconcurrent triggers
- Sufficiently simple (see NEI 01-01, Section 5.3.1)
- Testability (e.g., highly testable)
- Resolution of the possible failures identified in the failure analysis
Quality of Safety-Related Equipment:
the Design
Process * Use of industry consensus standards shown to be applicable
- Use of other standards shown to be applicable
- Use of Appendix B vendors
If an Appendix B vendor is not used, the analysis can state which generally
accepted industrial quality program was applied.
- Use of commercial-grade dedication processes in accordance with the
guidance in EPRI TR-106439, Guideline on Evaluation and Acceptance of
Commercial-Grade Digital Equipment for Nuclear Safety Applications,
dated October 1, 1996.
- Use of commercial-grade dedication processes in accordance with the
guidance in Annex D to IEEE Std. 7-4.3.2, IEEE Standard Criteria for Digital
Computers in Safety Systems of Nuclear Power Generating Stations, and
with the examples in EPRI TR-107330, Generic Requirements
Specification for Qualifying a Commercially Available PLC for
Safety-Related Applications in Nuclear Power Plants
- Documented capability through qualification testing or analysis, or both, to
withstand environmental conditions within which the SSC is credited to
perform its design function (e.g., electromagnetic interference,
radio-frequency interference, seismic activity)
- Demonstrated dependability of custom software code for application
software through extensive evaluation or testing
Non-safety Related Equipment:
- Adherence to generally accepted applicable commercial standards
- Procurement or manufacturer documentation, or both, showing that design
specifications are met or exceeded for equipment being replaced
RIS 2002-22, Supplement 1, Attachment
Page 10 of 16
- Verification of design requirements and specifications
Operating * Operating experience in similar applications, operating environments, duty
Experience cycles, loading, and comparable configurations to that of the proposed
modification
- History of lessons learned from field experience addressed in the design
- Referenced relevant operating experience should be equipment similar to
that being proposed in the digital I&C modification.
- Architecture of the referenced equipment and software (operating
system and application)
- Design conditions and modes of operation
- Widely used high-quality commercial products with relevant operating
experience used in other applications
For software, limited use, custom, or user-configurable software
applications can be challenging.
- Experience with software development tools used to create configuration
files
3.2 Qualitative Assessment Documentation
NEI 96-07, Revision 1, Section 5.0, and NEI 01-01, Appendix B, provide NRC-endorsed
guidance for documenting 10 CFR 50.59 evaluations to meet the requirements of 10 CFR 50.59(d). Both of these documents reiterate the principles that documentation should
include an explanation providing adequate basis for the conclusion so that a knowledgeable
reviewer could draw the same conclusion.
Considerations and conclusions reached while performing qualitative assessments that support
the 10 CFR 50.59 evaluation are subject to the aforementioned principles. For a knowledgeable
reviewer to draw the same conclusion regarding qualitative assessments, the 10 CFR 50.59
evaluation documentation needs to include and clearly reference details of the considerations
made and their separate and aggregate effects on any qualitative assessments. References to
other documents should include the document name and location of the information within any
referenced document (e.g., section or page numbers or both).
If qualitative assessment factors are used, the documentation would discuss each factor,
including the positive and negative aspects considered, consistent with the examples provided
in Table 1. In addition, the documentation would discuss the degree to which each of the
categories was relied upon to reach the qualitative assessment conclusion.
4.0 Engineering Evaluations: Failure Analysis
Consistent with NEI 01-01, Sections 4.4.2 and 5.1, the failure analysis provides insights needed
to determine whether the proposed change could reduce redundancy, diversity, separation, or
independence, any of which is considered to result in more than a minimal increase in the
likelihood of the occurrence of malfunctions. In addition to failures caused by software, it is
RIS 2002-22, Supplement 1, Attachment
Page 11 of 16
important to note that other effects of a digital modification could create new results of
malfunctions (e.g., combining functions, creating new interactions with other systems, changing
response time). The design should address these other effects. For example, if previously
separate functions are combined in a single digital device, the failure analysis should consider
whether single failures that could previously have affected only individual design functions can
now affect multiple design functions. Where potential interconnectivity hazards are identified,
the incorporation of appropriate design attributes should address these hazards. It is important
to carefully document the analysis and resolution of potential hazards to ensure that future plant
design changes appropriately address these hazards.
Section 4 of this RIS supplement is intended to emphasize key areas of consideration for
identifying CCF vulnerabilities in the failure analysis to be addressed and documented in the
final design and to support a qualitative assessment.
4.1 Failure Analysis
Failure analysis can be used to identify possible CCF vulnerabilities and assess the need to
further modify the design. In some cases, design features and attributes could be used to
preclude potential failures from further consideration. Modifications that use design attributes
and features such as internal diversity or segmentation help to minimize the potential for CCFs.
Similarly, backup capabilities offered by other systems can address identified failures. Sources
of CCF vulnerabilities could include the introduction of identical software into redundant
channels, the use of shared resources, or the use of common hardware and software across
interconnected systems that perform different design functions. Another key consideration is
that undesirable behaviors may not necessarily constitute an SSC failure but rather a
misoperation (e.g., spurious actuation, erroneous control). Therefore, identifying sources of
CCF to the extent practicable and addressing them during the design process is essential and
constitutes an acceptable method for supporting the technical basis for the proposed
modification.
Digital designs that have sources of CCF that could affect more than one SSC need to be
closely reviewed to ensure that an accident of a different type or a malfunction with a different
result from those previously evaluated in the UFSAR has not been created. This is particularly
the case when such common sources of CCF also are subject to common triggers. For
example, the interface of the modified SSCs with other SSCs that use identical hardware and
software, power supplies, or human-machine interfaces needs to be closely reviewed to ensure
that possible common triggers have been addressed.
Unless the licensees UFSAR already incorporates best estimate methods, it cannot use such
methods to evaluate different results than those previously evaluated in the UFSAR. Use of
best estimate methods in 10 CFR 50.59 evaluations is limited to the subject of the previous
use of such methods in the UFSAR.
The failure analysis can also reveal potential sources of CCF introduced through software
development and configuration tools. Careful consideration should also be given to individual
programmable logic devices or user-configurable devices as potential sources of CCFs.
RIS 2002-22, Supplement 1, Attachment
Page 12 of 16
Digital Communications
Careful consideration should be given to digital communications to preclude effects on SSC
independence within the failure analysis. Digital communications may introduce interactions
resulting in new types of failure modes. Digital modifications that introduce digital networks, or
interconnectivity across channels and divisions or between different systems should incorporate
appropriate design attributes so that reductions in redundancy, diversity, separation, or
independence of UFSAR-described design functions are not introduced. Adherence to
applicable industry consensus standards (e.g., IEEE 7-4.3.2, IEEE Standard Criteria for Digital
Computers in Safety Systems of Nuclear Power Generating Stations) can provide technically
justifiable design attributes to address potential failure modes of modifications with digital
communications, including modifications to non-safety related SSCs.
Combining Design Functions and Shared Resources
Failure analysis may address the combination of design functions for different safety-related or
non-safety related SSCs in a manner not previously evaluated or described in the UFSAR
because such combinations could introduce new interdependencies and interactions that make
identifying new potential failure modes more difficult. Of significant concern is the failure of
combined design functions or within shared resources that (1) can affect malfunctions of SSCs
or accidents evaluated in the UFSAR or (2) involve different defense-in-depth echelons.
Combining previously separate component functions can result in more dependable system
performance because of the tightly coupled nature of the components and the reduction in
complexity. If a licensee proposes to combine previously separate design functions or introduce
shared resources in a safety-related or non-safety related digital I&C modification, it needs to
carefully weigh possible new failures. Failure analysis and control system segmentation
analysis can help identify potential issues. A segmentation analysis is particularly helpful for the
evaluation of the design of non-safety related distributed networks.
Defense-in-Depth Analysis
The use of defense-in-depth design principles provides a means for addressing identified CCF
vulnerabilities. NEI 01-01 describes the need for a defense-in-depth analysis as limited to
substantial digital replacements of the reactor protection system and engineered safety features
actuation system. However, a defense-in-depth analysis may be used to evaluate the
capabilities of any digital modifications to reveal the impact of any new potential CCFs caused
by the introduction of shared resources, common hardware and software, or the combination of
design functions of systems that were previously considered to be independent of one another.
Additionally, a defense-in-depth analysis may reveal direct or indirect impacts on interfaces with
existing plant SSCs. This type of analysis may show that existing SSCs or procedures could
serve to mitigate effects of possible CCF vulnerabilities introduced through the proposed
modification.
RIS 2002-22, Supplement 1, Attachment
Page 13 of 16
4.2 Failure Analysis Resolution and Documentation
The licensee must develop and retain documentation for a proposed digital I&C modification in
accordance with its NRC-approved quality assurance program, including design engineering
procedures. The documentation of failure analysis identifies the possible vulnerabilities
introduced in the design and the effects of failures resulting from such vulnerabilities. In
addition, the documentation identifies the design features and procedures that resolve identified
failures, as described in NEI 01-01, Section 5.1.4. The level of detail used should be
commensurate with the safety significance and complexity of the modification in accordance
with licensee procedures.
Licensees may, but need not, use the table below in developing and documenting the failure
analysis. Documentation should explain how adequate bases preclude or limit failures so that
a knowledgeable reviewer could reach the same conclusion.
Table 2 Example: Failure Analysis Resolution and Documentation
Topical Area Description
Step 1 * Describe the scope and boundaries of the proposed activity, including
Identification interconnections and commonalities with other SSCs.
- List the UFSAR-described design function(s) affected by the
proposed change.
- Describe any new design functions performed by the modified design
that were not part of the original design.
- Describe any design functions eliminated from the modified design
that were part of the original design.
- Describe any previously separate design functions that were
combined as part of the activity.
- Describe any automatic actions to be transferred to manual control.
- Describe any manual actions that are to be transferred to automatic
control.
- Describe the expected modes of operation and transitions from one
mode of operation to another.
Step 2Failure Mode * Provide a comparison between the failure modes of the new digital
Comparison equipment and the failure modes of the equipment being replaced.
- If the failure modes are different, describe the resulting effect of
equipment failure on the affected UFSAR-described design
function(s). Consider the possibility that the proposed modification
may have introduced potential failures:
- Describe the effects of identified potential failure modes or
undesirable behaviors, including, but not limited to, failure
modes associated with hardware, software, combining
RIS 2002-22, Supplement 1, Attachment
Page 14 of 16
Table 2 Example: Failure Analysis Resolution and Documentation
Topical Area Description
functions, use of shared resources, software tools,
programmable logic devices, or common hardware/software.
- Describe the potential sources of CCFs being introduced that
are also subject to common triggering mechanisms with those
of other SSCs that are not being modified.
- Explain how identified potential failures are being resolved (see
NEI 01-01, Section 5.1.4.).
Step 3 Based on the qualitative assessment factors provided in Table 1, is the new
Determination of digital equipment at least as reliable as the equipment being replaced?
Equipment
Dependability and
CCF Likelihood
Step 4 IF the results of Step 3 indicate that the new digital equipment is at least as
Assessment of dependable as the equipment being replaced or that the level of
Equipment dependability is determined acceptable:
Dependability and
CCF Likelihood * Document the bases for the conclusion.
Results * Continue to Step 5.
IF not, consider modifying the design or rely on existing design function
backup capabilities.
Step 5 Summarize the results and overall conclusions reached. Discuss the effect
Documentation of the proposed activity, if any, on applicable UFSAR-described design
functions. Discuss the differences in equipment failure modes and the
associated effects of different failure modes on applicable UFSAR-described
design functions. Describe the incorporation of design attributes to resolve
potential CCF vulnerabilities.
Examples of supporting documents include the following:
- Applicable codes and standards applied in the design
- Equipment environmental conditions (e.g., ambient temperature,
electromagnetic interference, radio-frequency interference, seismic
activity)
- Quality design processes used (e.g., Subpart 2.7 of Part II of
American National Standards Institute/American Society of
Mechanical Engineers NQA-1, Quality Assurance Program
Requirements for Nuclear Power Plants)
- Commercial-grade dedication documentation, such as described in
EPRI TR-106439 (if applicable)
- Failure modes and effects analysis (if applicable)
- Software hazard analysis (if applicable)
RIS 2002-22, Supplement 1, Attachment
Page 15 of 16
Table 2 Example: Failure Analysis Resolution and Documentation
Topical Area Description
- Critical digital reviews, such as described in EPRI TR-1011710,
Handbook for Evaluating Critical Digital Equipment and Systems (if
applicable)
- Documentation of equipment operating experience
Step 6Application Apply engineering conclusions to the 10 CFR 50.59 evaluation questions.
of Failure Analysis
Conclusions to the
Evaluation Criteria
Pkg: ML18151A176; RIS: ML18143B633; *concurred via email
CAC No.: MF9464; EPID: L-2017-CRS-0036
OFFICE NRR/DIRS/IRGB QTE NRR/PMDA OE/EB
NAME TGovan JDougherty* LHill* JPeralta* w/comments
DATE 04/20/2018 04/25/2018 04/24/2018 04/26 /2018
OFFICE OCIO NRR/DE/EICB NRR/DE/EICB NRR/DE/EICB/BC
NAME DCullison* DRahn* WMorton* MWaters*
DATE 05/14/2018 05/03/2018 05/15/2018 05/23/2018
OFFICE NRO/DEI/ICE/BC RES/DE/ICEEB/BC OGC NRR/DE/ EICB
BWeisman*
NAME IJung* w/comments RJenkins* w/comments NCarte*
w/comments
DATE 04/25 /2018 04/26/2018 05/17 /2018 05/03/2018
OFFICE NRR/DIRS/IRGB NRO/DEI/D RES/DE/D NRR/DE/D
NAME DBeaulieu* RCaldwell* BThomas* EBenner*
DATE 05/14/2018 05/24/2018 05/24/2018 05/24/2018
OFFICE NRR/DIRS/IRGB/LA NRR/DIRS/IRGB/BC NRO/DCIP/D NRR/DIRS/D
NAME ELee HChernoff TMcGinty (PKrohn for) CMiller
DATE 05/31/2018 05/24/2018 05/24/2018 05/31/2018