ML19133A101

M190514: Scheduling Note and Slides - Briefing on Digital Instrumentation and Control (Public Meeting)
Issue date: 05/14/2019
From: NRC/SECY
References: M190514


Text

Title:

SCHEDULING NOTE Briefing on Digital Instrumentation and Control (Public Meeting)

Purpose:

To discuss with the Commission the plans for implementing digital instrumentation and control (I&C) systems

Scheduled:

May 14, 2019, 9:00 am

Duration:

Approx. 3 hours

Location:

Commissioners' Conference Room, 1st Floor OWFN

Participants:

External Panel (Presentation 30 mins.*)

  • Doug True, Chief Nuclear Officer and Senior Vice President, Generation and Suppliers, Nuclear Energy Institute (10 mins.*)
  • Dan Stoddard, Senior Vice President and Chief Nuclear Officer, Dominion Energy (10 mins.*)
  • Neil Wilmshurst, Chief Nuclear Officer, Electric Power Research Institute (10 mins.*)

Topics:

  • Current and future plans for digital I&C adoption
  • Remaining digital I&C impediments and regulatory gaps

Commission Q & A (40 mins.)

Break (5 mins.)

Staff Panel (Presentation 30 mins.*)

  • Margaret Doane, Executive Director for Operations
  • Ho Nieh, Director, Office of Nuclear Reactor Regulation (NRR)
  • Eric Benner, Director, Division of Engineering, NRR
  • Brian Thomas, Director, Division of Engineering, Office of Research

Topics:

  • Recent accomplishments
  • Staff priorities for 2019
    o Strategic assessment of digital I&C regulatory infrastructure (e.g., evaluation of a risk-informed regulatory framework based on higher level design principles)
    o Endorsement of International Electrotechnical Commission (IEC) standards
  • Measuring success and determining when the digital I&C Integrated Action Plan is complete

Commission Q & A (40 mins.)

Discussion - Wrap-Up (5 mins.)

CCF is Not Unique to Digital

  • CCF should not be treated as design basis
  • Analog systems are also subject to CCF
  • Analog CCF is primarily addressed through Special Treatment Requirements
  • Same approach should be applied to digital

©2019 Nuclear Energy Institute

Digital I&C NRC Commission Briefing, Dan Stoddard, Dominion Energy, May 14, 2019

Digital I&C Project Drivers

  • Obsolescence
  • Single point vulnerability elimination
  • Equipment Reliability
  • Operational Efficiency
  • Innovation
  • Cost reductions

Benefits

  • Maintenance - dramatically improved reliability (MTBF) and reduced maintenance
  • Engineering - equipment diagnostics, higher accuracy, and simplified fault detection
  • Operations - greatly enhanced Operator interface and vision into the plant
  • Commonality - Common platforms for Protection and Control minimize maintenance and training

Digital Upgrades - Tangible Performance Improvements

[Chart: Historical Performance, BWR Digital Feedwater; Analog vs. Digital; y-axis scale 0.000 to 0.300]

[Chart: Historical Performance, PWR Turbine Controls; Analog vs. Digital; y-axis scale 0.000 to 0.140]

[Chart: Historical Performance, BWR Turbine Controls; Analog vs. Digital; y-axis scale 0.000 to 0.140]
  • Exelon began installing digital upgrades in the early 90's beginning with the feedwater systems at Dresden, LaSalle, Quad Cities and Limerick
  • Turbine controls were upgraded beginning in 2004 at Byron, Braidwood, Dresden, LaSalle, Quad Cities and Limerick and continue across the balance of the fleet
  • 500+ "unit years" of operating experience conclusively demonstrates a significant reduction in initiating events

Ongoing Projects

  • A number of Digital I&C replacement projects are ongoing across the industry.
  • Issuance of RIS 2002-22 Supplement 1 has facilitated many of these projects
  • Examples:
    - Emergency Diesel Generator Controls
    - Radiation Monitors
    - Rod Control
    - Safety-related Chiller Controls

Risks and Challenges

  • No Large Safety-Related DI&C Upgrades (RPS/ESFAS) Currently Planned or In-Progress
  • Why?
    - Regulatory uncertainty
    - Cybersecurity
    - Compliance Cost

Needs/Next Steps

  • BTP 7-19 revision approval
  • Implement Standard Digital Engineering Process and SOP interfacing procedure (NISP-EN-04)
  • Collaboratively work with the staff on the IAP modernization plans
  • A predictable regulatory path based on reasonable assurance of adequate protection.

EPRI Integrated Digital Systems Engineering: US-NRC Commission Briefing on Digital Instrumentation and Control, Neil Wilmshurst, Chief Nuclear Officer, EPRI, May 14th, 2019

www.epri.com

© 2019 Electric Power Research Institute, Inc. All rights reserved.

EPRI

  • 450+ participants in more than 30 countries
  • EPRI members generate approximately 90% of the electricity in the United States
  • International funding - nearly 25% of EPRI's research, development, and demonstrations
EPRI Perspective On Digital Reliability

  • Recent research using field failure data revealed no platform level Software Common Cause Failures (SCCF) over approx. 2 billion hours of operation for IEC-61508 SIL certified PLCs
  • Application of existing SIL certifications, at the platform level, in place of existing design and review processes has proven to be effective.
  • Additionally, cumulative nuclear OE from across the world (Korea, France, China, etc.) indicates that:
    - SCCF failures are no more problematic than other CCF contributors
    - There have been no identified events where diverse platforms would have been effective in protecting against SCCF
    - Several events confirmed effectiveness of signal and functional diversity in protecting against SCCF

[Diagram: Applications / Integration / Platform]

Integrated Digital Systems Engineering Framework

[Diagram: Industry Standard Engineering Process covering Architecture; Hazard Analysis (STPA/FTA) - SPV/CCF; Requirements Engineering; Procurement; Human Factors Engineering (HFE); Cyber Security; Data Communications; Plant Integration; Testing; Configuration Management; Life Cycle Management]

EPRI's Digital Framework Elements

EPRI has developed a comprehensive engineering process, utilizing modern methods and international standards used in other safety related industries.

  • Element 1 - Use of Industrial Standards: Use the same supply chain and structures that non-nuclear safety related industries use (IEC-61508/61511) to harvest the economies-of-scale of other safety industries.
  • Element 2 - Use of Systems Engineering: Use of a modern, high performance, single engineering process that leverages systems engineering in the transition to team-based engineering for conception, design, and implementation.
  • Element 3 - Risk Informed Engineering: Effective engineering decision-making via hazards and risk analysis to integrate all engineering topics (such as cyber security and SCCF) into a single engineering process.

Policy Level vs. Implementation Level Activities

[Diagram: Policy Level - Objective Criteria for SCCF, Cyber, EMC and HFE; "The Gap"; Implementation Level - (DEG / HAZCADS / DRAM / TAM / IEC-61508) via Industry Standard Procedures]

  • EPRI Products are Used at the Implementation Level (what you actually do)
  • Objective Criteria provides the Policy to Implementation connector and can be formatted like a safety case argument

7 Acronyms

  • CCF - Common Cause Failure
  • DRAM - Digital Reliability Analysis Methodology (EPRI product in development, sch. Q1 2020)
  • EMC - Electromagnetic Compatibility
  • EPRI - Electric Power Research Institute
  • FTA-Fault Tree Analysis
  • IEC - International Electrotechnical Commission
  • IEEE - Institute of Electrical and Electronics Engineers Standards Association
  • HAZCADS - Hazards and Consequences Analysis for Digital Systems (EPRI 3002012755, Dec. 2018)
  • HFE - Human Factors Engineering
  • ISO - International Organization for Standardization
  • OE - Operating Experience
  • PLC - Programmable Logic Controller
  • SCCF - Software Common Cause Failure
  • SIL - Safety Integrity Level (based on IEC-61508)
  • SPV - Single Point Vulnerability
  • STPA-Systems Theoretic Process Analysis
  • TAM - Cyber Security Technical Assessment Methodology (EPRI 3002012752, Nov. 2018)

Together... Shaping the Future of Electricity

U.S. NRC, United States Nuclear Regulatory Commission, Protecting People and the Environment

BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL, Commission Meeting, May 14, 2019

On the Road to Digital Modernization

Speakers

  • Ho Nieh, Director, Office of Nuclear Reactor Regulation (NRR)

NRC has Addressed High Priority Challenges: ISG-06, Rev. 2 Explained

[Diagram: ISG-06, Rev. 2 Alternative Review Process compared with the Traditional Review Process, across the licensee activities of concept and initial system design and planning; NRC pre-application meetings; detailed hardware & software design and fabrication; implementation, software validation/verification, and factory testing; onsite installation and site acceptance testing; with NRC vendor/regional inspection and oversight]

Current NRC Guidance is Enabling Safe Digital Upgrades via 50.59

  • Chiller Controls
  • Diesel Generator Controls
  • Feedwater/Turbine Control System

Evaluation of an Issue with NEI 96-07 Appendix D is in Progress

Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, prepared by the Nuclear Energy Institute, November 2018

10 CFR 50.59(c)(2)(vi): A license amendment is required if the change would "create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated)."

Standards, BTPs, and TRs: Where else can we improve the regulatory framework?

[Diagram of the regulatory framework, top to bottom:
  - Federal Regulations: 10 CFR 50, Domestic Licensing of Production and Utilization Facilities; 10 CFR 50 Appendix A, General Design Criteria; 10 CFR 50 Appendix B, Quality Assurance Criteria; 10 CFR 73.54, Protection of Digital Computer and Communication and Network Systems
  - Standards: IEEE 603-1991 and IEEE 279-1971, Standard Criteria for Safety Systems; IEEE 7-4.3.2, Standard Criteria for Digital Computers in Safety Systems; IEEE-338, Criteria for Periodic Surveillance Testing; IEEE-828, IEEE-1008, IEEE-1074
  - NRC guidance: NUREG-0800 Standard Review Plan; Reg Guides 1.118, 1.152, 1.153, 1.173; Branch Technical Positions 7-14 (Guidance for Software Review for Digital Computers) and 7-19 (Diversity and Defense in Depth Issues, Rev. 6); RIS 2002-22 (Use of EPRI TR-102348 / NEI 01-01 Rev. 1, Guidance in Licensing Digital Upgrades, under 10 CFR 50.59)
  - Interim Staff Guidance: DI&C-ISG-01 Cybersecurity; DI&C-ISG-02 Diversity and Defense in Depth; DI&C-ISG-03 New Reactor Digital Probabilistic Risk Assessments; DI&C-ISG-04 Highly Integrated Control Room Communications; DI&C-ISG-05 Highly Integrated Control Room Human Factors; DI&C-ISG-06 Digital I&C Licensing Process
  - Topical reports: EPRI TR-106439, Acceptance of Commercial Grade Digital Equipment; NUREG/CR-6421, Acceptance Process for COTS Software
  - Question posed: Where can we consolidate?]

Proactively Addressing Additional Common Cause Failure Concerns

Proposed Risk-Informed Graded Approach for BTP 7-19:

  • Safety-Related
    - A1: D3 Analysis
    - A2: Defense-in-Depth/Qualitative Assessment
  • Not Safety-Related
    - B1: Defense-in-Depth/Qualitative Assessment
    - B2: Assessment May be Needed

Perceptions vs. Reality

  • Perception: A diverse analog system is mandatory to backup all DI&C safety systems.
    Reality: No. There are many options to accomplish the intended safety function, including ATWS and operator actions.
  • Perception: 100% testing is required of the digital system to address CCF.
    Reality: 100% testing is NOT required to address CCF in digital systems and may not be practical.
  • Perception: BTP 7-19 is applicable to DI&C modifications under 10 CFR 50.59.
    Reality: No, a licensee is NOT required to follow BTP 7-19 for digital modifications under 10 CFR 50.59.

Pursuing Alternative Regulatory Approaches and Safety Standards

  • Broader use of IEC standards as an alternative way to meet the requirements of IEEE 279 and 603-1991

Research is Supporting the Success of Future Regulatory Modernization User Needs

  • Embedded Digital Devices
  • Common Cause Failure
  • Risk-Informing
  • Operational Experience

NRC is Coordinating with other Domestic Research Activities

Domestic research activities are focused on using digital technologies to improve safety and reliability

NRC's International Collaboration is Focused on Safe Use of Digital I&C (IAEA, International Atomic Energy Agency)

What does success look like?

[Images: Shippingport control room circa 1957; Typical control room today]

> 60 years from Shippingport. Success is expanding the safe use of digital.

We're Making Progress on Achieving an Efficient and Effective Digital I&C Framework

  • Continue our efforts to:
    - Modernize our decision making in the use of DI&C systems
    - Effectively communicate with all stakeholders to understand their challenges, priorities, and potential solutions
    - Transform with risk-informed and innovative approaches

Acronyms

  • BTP - Branch Technical Position
  • CCF - Common Cause Failure
  • CFR - Code of Federal Regulations
  • D3 - Diversity and Defense-in-Depth
  • DI&C - Digital Instrumentation and Control
  • EPRI - Electric Power Research Institute
  • I&C - Instrumentation and Control
  • IAEA - International Atomic Energy Agency
  • IEC - International Electrotechnical Commission
  • IEEE - Institute of Electrical and Electronics Engineers
  • ISG - Interim Staff Guidance
  • NEA - Nuclear Energy Agency
  • NEI - Nuclear Energy Institute
  • RIS - Regulatory Issue Summary
  • SSC - Safety Systems, Structures, and Components
  • TR - Topical Report