ML19056A537
| ML19056A537 | |
| Person / Time | |
|---|---|
| Issue date: | 02/27/2019 |
| From: | Philip Mckenna NRC/NRR/DIRS/IRGB |
| To: | |
| Govan T, 415-6197, NRR/DIRS | |
| References | |
| Download: ML19056A537 (35) | |
Text
Guidance for Performing 10 CFR 50.59 Evaluations for Digital Instrumentation and Controls Modifications Presented By: Philip McKenna Senior Reactor Systems Engineer NRR/DIRS/ROP Support and Generic Communications Branch February 27, 2019 1
Purpose
- Update Licensees and the Public on the process for evaluating and documenting digital I&C modifications using the 10 CFR 50.59 Rule
- Discuss the structure of RIS 2002-22, Supplement 1, Clarification on Endorsement of NEI Guidance in Designing Digital Upgrades in Instrumentation and Control Systems (Issued on 05/31/18).
- NEI conducted workshops for licensees on RIS 2002-22, Supplement 1 from September through November 2018.
- Discuss an example of a Qualitative Assessment.
- Briefly discuss NEI 96-07, Appendix D.
2
Digital I&C Integrated Action Plan 3
History of the 10 CFR 50.59 Rule
- First promulgated in 1962 and modified in 1968.
- Allows Licenses to make changes to the facility without prior NRC staff approval.
- Must maintain acceptable levels of safety as documented in the FSAR.
- Rule was reviewed in 1995; issued in 1999 which increased flexibility for licensees:
- Now allows changes that only minimally increase the probability or consequences of accidents
- Nov 2000: NRC issues RG 1.187
- Endorses NEI 96-07, Rev.1, Guidelines for 10 CFR 50.59 Implementation 4
- NEI 96-07 was originally NSAC-125, but not endorsed by NRC.
- Applicability
- Screening
- Evaluation Process
- Endorses NEI 96 Provides methods that are acceptable to the NRC staff for complying with the provisions of 10 CFR 50.59 5
50.59 Process Chart 6
Digital I&C 10 CFR 50.59 Guidance
- EPRI TR-102348
- Issued in 1993 to establish guidelines for digital upgrades in the context of 10 CFR 50.59.
- Endorsed by NRC GL 95-02
- Use of NUMARC/EPRI Report TR-102348, Guideline on Licensing Digital Upgrades, in Determining the Acceptability of Performing Analog-to-Digital Replacements under 10 CFR 50.59
- EPRI TR-102348, Revision 1 issued to address revised 10 CFR 50.59 rule in 1999
- Issued as NEI 01-01
- Endorsed by NRC RIS 2002-22 7
- Industry inconsistently applying guidance in NEI 01-01 in digital upgrades
- Lack of industry guidance on the technical evaluation of common cause failures
- NRC IN 2010-10: Implementation of a Digital Control System Under 10 CFR 50.59
- Harris 2013 violation: SSPS control circuit boards replaced with digital complex programmable logic device (CPLD)-based boards
- NRC Letter to NEI: Summary of Concerns with NEI 01-01, dated 11/05/13 (ADAMS Accession No. ML13298A787)
- NRC issues RIS 2002-22, Supplement 1 in May 2018 to clarify RIS 2002-22
- NRC continues to endorse NEI 01-01 8
Digital I&C Modifications
- What make these different?
- Common Cause Failure (CCF)
- Due to combined functions, shared communications, shared resources, and software error in redundant channels
- Safety Model of nuclear plant
- Defense in depth and redundant equipment
- Hardware: Likelihood of CCF acceptably low
- High quality standards in development and manufacture
- Physical separation of redundant equipment
- Degradation methods slow to develop (i.e. corrosion)
- Software: Special cause of single failure vulnerability
- Software resides in redundant channels of the system
RIS 2002-22, Supplement 1
- RIS 2002-22, Supplement 1, clarifies guidance for preparing and documenting Qualitative Assessments
- Not for Replacement of:
- Reactor Protection System (wholesale)
- Engineered Safety Features Actuation System (wholesale)
- Modification/Replacement of the Internal Logic Portions of These Systems 10
Qualitative Assessment
- Originally discussed in NEI 01-01, Sections 4 and 5 and Appendices A and B, but limited guidance on how to accomplish.
- RIS 2002-22, Supplement 1
- Evaluate the likelihood of failure of a proposed digital mod to accomplish designated safety function
- Evaluate the likelihood of common cause failure
- Used to support a conclusion that a proposed digital I&C modifications will not result in more than a minimal increase in:
- The frequency of occurrence of accidents (50.59(c)(2)(i)
- The likelihood of occurrence of malfunctions (50.59(c)(2)(ii)
- Create the possibility of an accident of a different type (50.59(c)(2)(v)
- Create the possibility for a malfunction of an SSC with a different result (50.59(c)(2)(vi) 11
Qualitative Assessment Factors
- Design Attributes
- Can prevent or limit failures from occurring.
- Focus primarily on built-in features
- Fault detection
- Failure management schemes
- Internal redundancy
- Diagnostics within the integrated software and hardware architecture
- Can be external
- For example: Mechanical stops or speed limiters 12
Qualitative Assessment Factors
- Typical Design Attributes
- Watchdog timers that function independent of software
- Self-testing and diagnostics capabilities
- Use of highly testable devices (i.e. breakers, relays)
- Elimination of concurrent triggers
- Segmentation
- Redundant networks
- Unidirectional communications
- Network switches with traffic control
- Use of redundant controllers, I/O, power sources, etc.
- Internal or external diversity
- Use of isolation devices
- Extensive testing 13
Qualitative Assessment Factors
- Quality of the Design Process
- Software development
- Hardware and software integration processes
- System design
- Validation and testing processes
- For Safety Related:
- Development process is documented and available for referencing in the Qualitative Assessment
- Commercial grade:
- Documentation may not be extensive
- Qualitative Assessment may place greater emphasis on Design Attributes and OE 14
Qualitative Assessment Factors
- Operating Experience (OE)
- Relevant OE: can be used to show that integrated software and hardware in a mod has adequate dependability
- OE from nuclear industry
- Supplier uses quality processes
- Continual process improvement
- Incorporation of lessons learned 15
Failure Analysis
- Can be used to identify possible CCF vulnerabilities and assess the need to further modify the design.
- It can provide a valuable input into the Qualitative Assessment
- Key Areas to Consider:
- Potential sources of CCF
- Combination of design functions into a single digital device
- Digital Communications
- Creating new interactions with other SSCs
- Interconnectivity across channels, systems, and divisions
- Changing response times 16
Digital Modification Examples
- Examples of digital modifications that can be done without prior NRC approval using a qualitative assessment:
- Replacement of analog relays (including timing relays) with digital relays
- Replacement of analog controls for safety-related support systems (i.e. main control room chillers)
- Replacement of analog controls for emergency diesel generator supporting systems and auxiliary systems such as voltage regulation
- Installation of circuit breakers that contain embedded digital devices
- Replacement of analog recorders and indicators w/ digital
- Digital upgrades to non-safety related control systems 17
Qualitative Assessment Example Replacement of the Existing Electric Diesel Generator (EDG) Voltage Regulator Analog Motor-Operated Potentiometer (MOP) with a Digital Reference Adjuster (DRA) 18
Qualitative Assessment Example Replacement of the Existing EDG Voltage Regulator Analog Motor-Operated Potentiometer (MOP) with a Digital Reference Adjuster (DRA)
Digital Reference Adjuster 19
Qualitative Assessment Example Replacement of the Existing EDG Voltage Regulator Analog Motor-Operated Potentiometer (MOP) with a Digital Reference Adjuster (DRA)
- DRA will perform the exact same function as the MOP
- Failure modes are the same
- Failure due to an internal defect
- Failure due to a loss of power
- Failure resulting from environmental factors
- Failure results in inoperability of the EDG 20
Qualitative Assessment Example Design Attributes: The following design attributes were employed as part of the proposed design change to minimize failure likelihood:
- Use of a highly testable device
- No Microprocessor
- Two discrete outputs
- Single input
- Performs a single function w/ limited configurability
- testable before and after installation using simple test methods
- Application of watchdog timers that function independent of the software
- Diverse indication of failure
- Use of the following barriers to prevent CCF:
- environmental qualification
- physical separation of equipment
- absence of concurrent triggers
- simple architecture
- software quality and testability 21
Qualitative Assessment Example Quality of the Design Process
- Commercial grade dedicated for use in safety-related applications using the guidance provided in EPRI TR-106439 (for digital) and EPTI 3002002982 (for commercial grade dedication)
- Qualified for temperature, humidity, and seismic stressors using EPRI TR-107330 (endorsed by RG 1.209)
- Qualified for electromagnetic compatibility IAW RG 1.180 22
Qualitative Assessment Example Operating Experience
- Limited users of the DRA for EDG, but those users had many operating-years of experience with the DRA
- DRA is a quality product consistent with quality equal to or exceeding other non-digital setpoint adjustment devices (MOP)
- DRA eliminates the existing hardware common cause failure vulnerabilities of variable resistor wear and wiper to resistor corrosion of the MOPs 23
NEI 96-07, Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications
- Submitted to NRC for endorsement in January 2019
- Gives greater detail to industry on how to conduct 50.59 screenings and evaluations for digital modifications.
- Provides examples.
- Complements NEI 96-07 guidance
- Will be endorsed by RG 1.187 revision
- Possible exceptions in the endorsement 24
Questions 25
Back-Up Slides 26
50.59 Revised Rule
- Meaning of old rule language not clear/staff and industry differing interpretations
- Established clear definitions to promote common understanding of the rules requirements.
- Clarified the criteria for determining when changes, test, experiments require prior NRC approval.
- Provide greater flexibility to licensees, primarily by allowing changes that have minimal safety impact.
- Clarified the threshold for screening out changes that do not require a full evaluation under 10 CFR 50.59 27
Qualitative Assessment Factors 28
Qualitative Assessment Factors 29
Qualitative Assessment Factors 30
Qualitative Assessment Factors 31
Failure Analysis Resolution and Documentation 32
Failure Analysis Resolution and Documentation 33
Failure Analysis Resolution and Documentation 34
Failure Analysis Resolution and Documentation 35