ML19052A608

Presentation for ANS 2019 NPIC-HMIT Conference: New Ways to Address the Potential for CCF in 10 CFR 50.59 Digital I&C Plant Changes
Issue date: 02/21/2019
From: Wendell Morton, David Rahn
NRC/NRR/DE/EICB
To: David Rahn



2018 International Congress on Advances in Nuclear Power Plants

New Ways to Address the Potential for CCF in 10 CFR 50.59 Digital I&C Plant Changes

David L. Rahn, P.E., Sr. Electronics Engineer; Wendell Morton, Electronics Engineer
Office of Nuclear Reactor Regulation, US Nuclear Regulatory Commission

Disclosure Statement

This presentation was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product, or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. The views expressed in this presentation, although deemed accurate at the time of presentation, are not necessarily those of the U.S. Nuclear Regulatory Commission.


Agenda

  • Issues of Concern for DI&C Plant Changes and Upgrades
  • Applicable Regulations & Prior Endorsed Guidance
  • Results of Use of Prior Guidance
  • NRC Staff and Stakeholder Actions Taken to Resolve Issue
  • Key Principles Introduced into New Guidance
  • Implementation Steps

Digital I&C Plant Changes and Upgrades

  • The use of digital I&C technology is a flexible and powerful solution for replacing aging and obsolete analog I&C technology. The continuous self-diagnostic capabilities of DI&C enable a more reliable operation of safety and non-safety systems than was available with older analog technologies that are surveilled only on a periodic basis, such as monthly, quarterly, or once/refueling outage.
  • However, the installation of new digital technology or upgrades of equipment from one digital technology to another needs to be carefully evaluated.


Issues of Concern for DI&C Plant Changes

  • Digital I&C technology enables the capability of combining the functions performed by, and the information produced from, several older-technology devices into fewer new devices, and enables the sharing of resources, such as power supplies and operator control/display terminals.
  • When designing plant safety system upgrades using digital technology to replace older equipment, it is tempting to use the power of this technology to:

- combine the design functions performed by individual equipment modules, the failure of which has been previously analyzed as individual modules or components, into new modules, subsystems or systems encompassing multiple different design functions.

- allow information and control signals from plant sensors and equipment to communicate over plant networks, thereby establishing linkage between and among systems that have previously been analyzed as independent, or stand-alone design functions.


Issues of Concern for DI&C Plant Changes

  • Digital technology also introduces the use of programmable logic into the system design. The software development and systems integration processes supporting plant upgrades using digital I&C devices to perform safety related functions must result in a high assurance of adequate quality.
  • The introduction of shared digital resources, new combinations of functions of previously analyzed systems, extended use of intersystem communications/networking, and identical versions of programmable logic in redundant safety channels can result in an increased vulnerability to failures of SSCs due to common causes, unless appropriately evaluated and addressed.


Issues of Concern for DI&C Plant Changes

  • The configuration of digital technology can affect how the plant safety configuration is being maintained:

- The existing defense-in-depth approach to safety, and use of redundant, independent equipment channels may be affected

- Hardware: Likelihood of a possible CCF must remain acceptably low
    • High quality standards must be applied in development and manufacture
    • Physical separation of redundant equipment must be maintained
    • Degradation methods should be slow to develop and be observable during surveillance

- Software: Special case of single-failure vulnerability
    • Identical software resides in redundant channels of a multi-channel safety system
    • A single undetected design error in software could lead to a CCF in all redundant channels

Applicable Regulations and Prior Endorsed Implementing Guidance

- Licensees must obtain a License Amendment pursuant to 10 CFR 50.90 prior to implementing a proposed change to the facility if the implementation of the change would not meet any one or more of the eight criteria listed in 10 CFR 50.59(c)(2).

- The criteria allow for changes that only minimally increase the probability or consequences of accidents.

- The criteria do not allow for changes that could result in accidents of a different type than previously evaluated, or for malfunctions of SSCs with different results than previously evaluated.

Existing Endorsed DI&C Guidance

  • NEI 01-01, Guideline on Licensing Digital Upgrades: EPRI TR-102348 Revision 1, A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule, March 2002

- Sections 4, 5, Appendix A, and Appendix B of NEI 01-01 identify characteristics of digital upgrades that contribute to a determination that a proposed plant design is sufficiently dependable, and therefore that the likelihood of failure is sufficiently low. (Examples: Built-in fault detection, failure management schemes, internal redundancy and diagnostics, use of software and hardware architectures designed to minimize failure consequences and facilitate problem diagnosis, etc.)

Results of Use of the Previous Endorsed Guidance

  • Several NRC Inspection Findings associated with Digital I&C (DI&C) plant modifications performed under 10 CFR 50.59 include:

- Inadequate documentation of written evaluations performed to address the 50.59(c)(2) evaluation criteria (10 CFR 50.59(d)(1))

- Inadequate 50.59 screening performed of DI&C to identify whether a full evaluation needs to be performed (NEI 96-07, Rev. 1, Section 4.2)

- Inadequate 50.59 evaluation performed to identify whether there is more than a minimal increase in likelihood of occurrence of a malfunction of an SSC (10 CFR 50.59(c)(2)(ii))

- Inadequate 50.59 evaluation performed to identify whether the modification can create the possibility for a malfunction of an SSC with a different result than previously evaluated (10 CFR 50.59(c)(2)(vi))


NRC Staff and Stakeholder Activities

  • In 2017 and 2018, NRC staff held several meetings with stakeholders and NEI to identify and resolve weaknesses in the NRC-endorsed industry guidance, and/or weaknesses in licensee execution of this guidance.
  • Key areas of weakness in regulatory or industry guidance were identified:

- No clear definition as to what thresholds of likelihood would enable a conclusion that each of the 10 CFR 50.59(c)(2) criteria could be successfully passed.

- Unclear as to how sufficiently low likelihood (of SSC failure) can be demonstrated.

- Unclear as to what specific characteristics of proposed digital upgrades must be evaluated and addressed to demonstrate a sufficiently low SSC failure likelihood

  • Key area of weakness in execution/implementation of the guidance was:

- Unclear as to what is considered to be an adequate way of documenting the basis of the conclusions reached for each 50.59(c)(2) criterion evaluation

Proposed Solution

  • The NRC staff should prepare and issue supplemental guidance to the staff's previous RIS 2002-22 endorsing NEI 01-01 to address weaknesses in the regulatory and industry implementing documents.
  • RIS 2002-22 Supplement 1 (ADAMS ML18143B633) was developed to describe how to stay below the thresholds that trigger the 50.59(c)(2) criteria, and to provide guidance on the use of Qualitative Assessments to serve as a technical basis supporting 10 CFR 50.59 evaluation conclusions.

- This Supplemental Guidance is not intended to be used for Digital I&C replacements for:
    • Reactor Protection System (wholesale replacement)
    • Engineered Safety Features Actuation System (wholesale replacement)
    • Modification/Replacement of the Internal Logic Portions of These Systems

Key Principles Addressed within the New Guidance

  • Thresholds of "Sufficiently Low" were defined for:

- The likelihood of failure of equipment that initiates an accident

- The likelihood of failures that cause a failure of an affected SSC to perform its required functions

- The likelihood of occurrence of accidents of a different type that are as likely to occur as those previously analyzed

- The likelihood of occurrence of malfunctions with different results that are as likely to occur as those previously analyzed

  • The use of Qualitative Assessments:

- Concept was addressed in NEI 01-01, but needed further elaboration

Qualitative Assessments:

  • May be used as a basis for determining that a proposed DI&C change involves a sufficiently low likelihood of failure, thereby enabling a conclusion that evaluation criteria (i), (ii), (v), and (vi) of 10 CFR 50.59(c)(2) can be answered "No".
  • Should be based on a consideration of the aggregate of the results of evaluating the following factors:

- Design Attributes

- Quality of the Design Process

- Operating Experience

Design Attributes

- Design features applied to prevent or limit failures from occurring.

- Focused primarily on built-in features, such as:
    • Fault detection
    • Failure management schemes
    • Internal redundancy
    • Diagnostics within the integrated software and hardware architecture

- Can credit the incorporation of design features that are external to the components being changed:
    • For example: mechanical stops on valves or speed limiters on variable speed pumps

Design Attribute Examples

  • Typical Design Attributes

- Watchdog timers that function independent of software

- Self-testing and diagnostics capabilities

- Use of highly testable devices (e.g., breakers, relays)

- Elimination of concurrent triggers

- Segmentation analysis demonstrating no introduction of new SSC malfunctions or malfunctions with different results than previously analyzed

- Redundant networks

- Unidirectional communications

- Network switches with traffic control/data limiters

- Use of redundant controllers, I/O, power sources, or analog back-up, etc.

- Internal or external diversity

- Use of isolation devices

- Extensive testing (factory acceptance, receiving inspection, construction, pre-op, operational)

Quality of the Design Process

  • Quality measures that are applied during the following design processes:

- Software development

- Hardware and software integration processes

- System design

- Validation and testing processes

- Adherence to generally-accepted design standards

  • For Safety-Related, Appendix B items:

- Development and validation process is documented and available for referencing in the Qualitative Assessment

  • For items that are not Appendix B items:

- Documentation may not be as extensive as for Appendix B items.

- Qualitative Assessment may place greater emphasis on Design Attributes and OE

Operating Experience (OE) Evaluation

  • Relevant OE can be used to show that the integrated software and hardware proposed for use in a DI&C modification has a high degree of dependability

- OE from the nuclear industry:
    • Number of uses in similar applications
    • Failure history
    • Failure rate, if there is sufficient data supporting a meaningful number of similar uses
    • Feedback from 10 CFR Part 21 reviews and manufacturers' service bulletins

- Supplier uses quality processes that incorporate:
    • Continual process improvement
    • Lessons learned from the field fed into the design and manufacturing processes

Performance of a Failure Analysis for Proposed DI&C Installations/Upgrades

  • A systematic failure analysis can be used to identify possible CCF vulnerabilities and to assess the need to further modify the design before implementation.
  • Results of the failure analysis can provide valuable input/insights into the formation of conclusions made in the Qualitative Assessment
  • Key Areas to Consider:

- All the various potential sources of CCF

- Designs that may have combined different design functions into a single digital device

- Digital communications/possible linkages to other plant systems performing different design functions

- Creating possible new interactions with other SSCs in which a concurrent propagated failure has not been previously analyzed

- Interconnectivity across channels, systems, and divisions

- Changing overall response times of the safety or non-safety system performance, e.g., digital system cycle times must be compatible with the gain of the systems being controlled

Examples of Possible DI&C Modifications using the Guidance of RIS 2002-22 Supplement 1

- Replacement of analog relays (including timing relays) with digital relays

- Replacement of analog controls for safety-related support systems (e.g., main control room chillers)

- Replacement of analog controls for emergency diesel generator supporting systems and auxiliary systems, such as voltage regulation

- Installation of circuit breakers that contain embedded digital devices

- Replacement of analog recorders and indicators with digital ones

- Digital upgrades to non-safety related control systems

Example Qualitative Assessment Summary

Design Attributes: The following design attributes were employed as part of the proposed design change to minimize failure likelihood:

- Use of a highly testable device

- No Microprocessor or complex instruction set

- Limited input combinations that provide limited outputs, each of which can be tested

- Performs a single function w/ limited configurability

- Testable before and after installation using simple test methods

- Application of a watchdog timer that functions independent of the software

- Diverse indication of failures

- Use of the following barriers to prevent CCF:
    • environmental qualification
    • physical separation of equipment
    • absence of concurrent triggers
    • simple architecture
    • high quality internal software and highly testable operations

Example Qualitative Assessment Summary (continued)

Quality of the Design Process: The following quality measures were employed as part of the proposed design change to minimize failure likelihood:

- Components are commercial grade-dedicated for use in safety-related applications using the guidance provided in EPRI TR-104369 (for digital) and EPRI 3002002982 (for commercial grade dedication)

- Qualified for temperature, humidity, and seismic stressors using EPRI TR-107330 (endorsed by RG 1.209)

- Qualified for electromagnetic compatibility in accordance with RG 1.180

Example Qualitative Assessment Summary (continued)

Operating Experience: The following operating experience was documented as part of the proposed design change:

- There are limited users of the device for the exact application, but documentation demonstrates that those users have many operating-years of experience with it, with a significantly low failure rate.

- The proposed device is a high-quality commercial-grade product consistent with quality equal to or exceeding other non-digital devices of its type.

- The proposed device eliminates the existing hardware common cause failure vulnerabilities and is not subject to at least one of the failure/degradation modes of the previously-installed device.

Implementation

  • Following Issuance of RIS 2002-22 Supplement 1 on May 31, 2018, NEI and Stakeholders organized and held licensee-sponsored workshops on the principles and expectations identified in the RIS. The NRC staff supported these workshops by attending and responding to questions received from licensee stakeholders.
  • The NRC staff provided both informal and formal training on the use of the RIS for its regional Inspection Staff. (One NRC region inspection training still to be completed.)
  • NEI is continuing to support the NRC staff in ensuring that non-NEI members receive the same guidance information base as that received by NEI members. Special thanks to Mr. Neil Archambo, Duke Energy for facilitating all of the licensee training.


Implementation (continued)

  • Licensees are beginning to use the guidance provided in RIS 2002-22 Supplement 1 in preparing new digital I&C modification packages, to be rolled out later in 2019 and beyond. NEI is monitoring the implementation of these digital I&C plant modifications, with the possibility of enabling a sharing of lessons learned from such implementation.
  • NRC Inspection Staff will begin to include the inspection of completed 10 CFR 50.59 modifications that use the principles of the RIS during their normal course of inspections.


Questions?


Acronyms

  • CCF Common Cause Failure
  • CFR Code of Federal Regulations
  • DI&C Digital Instrumentation and Controls
  • EPRI Electric Power Research Institute
  • NEI Nuclear Energy Institute
  • NRC Nuclear Regulatory Commission
  • OE Operating Experience
  • RG NRC Regulatory Guide
  • RIS NRC Regulatory Issue Summary
  • SSCs Structures, Systems, and Components