ML20044H497

Transmits Staff Comments on Draft, Guideline for Licensing Digital I&C Upgrades. Expresses Gratitude for Cooperation W/Nrc on Issues Re Digital I&C Sys Upgrades
Issue date: 06/02/1993
From: Wermiel J, Office of Nuclear Reactor Regulation
To: Marion A, NUCLEAR ENERGY INSTITUTE (FORMERLY NUCLEAR MGMT &
References: NUDOCS 9306090104



June 2, 1993

Mr. Alex Marion, Manager
Technical Division
Nuclear Management and Resources Council
Suite 300
1776 Eye Street, N.W.
Washington, D.C. 20006

Dear Mr. Marion:

The purpose of this letter is to thank you for your cooperation with the NRC staff on issues regarding digital instrumentation and control system upgrades, and to transmit the NRC staff comments on the draft "Guideline for Licensing Digital I&C Upgrades." The enclosed comments are in the form of strikeouts and redline of the original draft. The primary NRC staff concern, as discussed in our meeting on the 15th of April and as reflected in our comments, is the need to clearly establish a threshold for NRC staff review of certain digital I&C system upgrades, primarily based on the impact of software reliability and electromagnetic environment on the current plant safety analysis.

We look forward to future interactions with NUMARC, and are prepared to meet with you as necessary to discuss the proposed draft guideline at a mutually convenient time.

Please feel free to contact me at (301) 504-2821 or Paul Loeser at (301) 504-2825 should you have any questions or comments.

Jared S. Wermiel, Chief
Instrumentation and Controls Branch
Division of Reactor Controls and Human Factors

Enclosure: As stated

DISTRIBUTION: Central File, HICB R/F, PDR, P. Loeser, J. Mauck, J. Wermiel, B. Boger, W. Russell, HICB SC

Concurrence: PLoeser; JWermiel (BC:HICB); BBoger (D:DRCH). Dated 6/2/93.

Document Name: NRC-UPDT.LTR


TABLE OF CONTENTS

Section 1 INTRODUCTION 1-1
1.1 BACKGROUND 1-1
1.2 PURPOSE 1-2
1.3 CONTENT OF THIS GUIDELINE 1-3
Section 2 DEFINITIONS AND TERMINOLOGY 2-1
Section 3 THE EXISTING LICENSING PROCESS AND 10CFR50.59 3-1
3.1 WHEN 10CFR50.59 APPLIES 3-1
3.2 REVIEW FOR POTENTIAL TECH SPEC CHANGES 3-1
3.3 PERFORMING THE 10CFR50.59 SAFETY EVALUATION 3-3
3.4 APPLICATION OF THE EXISTING LICENSING PROCESS TO DIGITAL UPGRADES 3-4
Section 4 GUIDANCE ON ADDRESSING DIGITAL UPGRADE ISSUES 4-1
4.1 SOFTWARE 4-2
4.1.1 Software Design and Quality Assurance 4-2
4.1.2 Software Common Mode Failures and Defense in Depth 4-3
4.2 EQUIPMENT QUALIFICATION INCLUDING EMI 4-4
4.3 MAN-MACHINE INTERFACE (MMI) 4-9
4.4 COMMERCIAL GRADE ITEM DEDICATION 4-10
4.5 DESIGN, SPECIFICATION, AND IMPLEMENTATION PROCESS 4-10
4.5.1 Definition of Systems, Interfaces, and Design Requirements 4-11
4.5.2 Plant-Specific Configurations and Optional Features 4-11
4.5.3 Design Specification 4-11
Section 5 SUPPLEMENTAL GUIDANCE FOR 10CFR50.59 EVALUATIONS OF DIGITAL UPGRADES 5-1
Section 6 REFERENCES 6-1

Section 1 INTRODUCTION

1.1 BACKGROUND

Nuclear utilities are now upgrading their existing analog instrumentation and control (I&C) systems.

The upgrades are being driven primarily by the growing problems of obsolescence, difficulty in obtaining parts, and increased maintenance costs of the analog electronic systems. There also is great incentive to take advantage of modern digital technologies which offer potential performance and reliability improvements.

To assist the utilities in these upgrades, the Electric Power Research Institute (EPRI) has undertaken a number of activities as part of an overall Integrated I&C Upgrade Program. Preparation of this guideline is one of the activities. EPRI and the Nuclear Management and Resources Council (NUMARC) are coordinating industry interaction with the Nuclear Regulatory Commission (NRC) in providing guidance for licensing digital I&C upgrades. The goal of these activities is a well-defined, stable, and predictable regulatory framework which ensures that digital I&C system upgrades are accomplished in a safe and effective manner.

A number of issues have been identified related to the use of digital computer-based equipment in safety systems. These include the use of software and the potential for common mode failure resulting from software errors, the effect of electromagnetic interference on digital computer-based systems, the use and control of configuration equipment, and the commercial dedication of digital equipment including software. The most notable of these concerns is the use of software and potential software common mode failures.

The industry and NRC have recognized that it is important for digital I&C upgrades to go forward.

Analog systems are continuing to become obsolete and difficult to support as vendors are discontinuing their lines of analog electronic equipment. Modern digital systems offer the potential to provide greater system reliability through the use of reliable digital components and features such as automatic self-testing and diagnostics. Assessment of system reliability should consider the effects of both the reliability enhancing features and the potential failure modes. When properly implemented, digital I&C upgrades can improve the safety of operating plants.


1.2 PURPOSE

The purpose of this document is to provide guidance that will assist utilities in accomplishing digital I&C upgrades within a stable licensing environment. The basic approach is [struck out: to follow the existing licensing process governed by 10CFR50.59] to establish a threshold, above which the digital upgrade is expected to fail the criteria of 10 CFR 50.59, therefore requiring prior Commission approval. For digital systems below the threshold, the utilities may determine, using the criteria of 10 CFR 50.59, that there is no unreviewed safety question, and no prior Commission approval is required. Some concerns stem from the design characteristics of the digital electronics which could result in new failure modes and system malfunctions that are considered unreviewed safety questions. These concerns include but are not limited to the use of software, the effect of electromagnetic interference, the use and control of configuration equipment, the effect that some digital designs have on diverse trip functions, failures specific to digital hardware, effective system integration, man-machine interface, and the commercial dedication of digital electronics. The most notable of these concerns is the use of software in a safety-related system.

The threshold concept does not alleviate the responsibility or authority of the licensee to perform an evaluation against 10 CFR 50.59 in every case of equipment upgrade or modification; nor does it predetermine the outcome. It is possible that in cases where one digital system is replacing another digital system, for example, that these issues have already been reviewed, and are therefore included in the licensing basis. It may also be that there is sufficient diversity in both hardware and software within a system that when a common mode software failure is assumed, diverse channels will cause the system to perform its intended function. In each case, it is the responsibility of the licensee to perform the 50.59 evaluation, and take action as appropriate. It should be noted that for those cases where a licensee is proposing a modification to a design previously approved by the Commission, or references a design previously approved by a topical report evaluation, the scope of the NRC staff review would most likely be significantly reduced. In such cases, the NRC staff review would focus on plant specific issues (e.g. environmental effects, quality control plans, and any operating experience) and not reopen those generic concerns (e.g. software quality) previously reviewed and approved.

However, this supplemental guidance is provided to facilitate the safety evaluation process for upgrades that use digital computers and software. This document provides guidance for:

Performing and documenting 10CFR50.59 evaluations for digital upgrades, and

Addressing the issues, noted above, that are associated with digital upgrades in safety systems.

The intent is that, if the utility follows the guidance provided in this document, the upgrade will satisfy licensing requirements with respect to the issues identified above, and the design will ultimately provide a safe and reliable system whether or not [struck out: implemented with] prior Commission approval is required.

1.3 CONTENT OF THIS GUIDELINE

Section 2 provides definitions for key terms used in the guideline. Section 3 describes the existing licensing process which is followed when making plant modifications, including evaluation for changes to the plant Technical Specifications and performing safety evaluations required by 10CFR50.59.

Section 4 describes the special considerations that apply to the licensing process for digital upgrades in safety systems. It provides guidance for addressing the issues of software, electromagnetic interference, man-machine interfaces, and commercial dedication. Section 5 provides supplemental guidance for performing a 10CFR50.59 safety evaluation for a digital upgrade.

Section 6 provides a list of documents which are referenced in this guideline and which provide supporting information and guidance. Appendix A provides additional background and examples in the form of case studies.


Section 2 DEFINITIONS AND TERMINOLOGY

This section gives definitions for key terms as they are used in this guideline. When the definition is taken from another document, the source is noted in brackets [ ].

Commercial grade item. An item which:

(a) is not subject to design or specification requirements that are unique to nuclear facilities;
(b) is used in applications other than nuclear facilities; and,
(c) is to be ordered from the manufacturer/supplier on the basis of specifications set forth in the manufacturer's published product description.

Commercial grade item dedication. A process of evaluating, including testing, and accepting commercial grade items to obtain adequate confidence in their suitability for safety application.

Computer. See programmable digital computer.

Computer program. A schedule or plan that specifies actions that may or may not be taken, expressed in a form suitable for execution by a programmable digital computer. [ANSI/IEEE-ANS 7-4.3.2-1982]

Configuration control. An element of configuration management consisting of the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. [ANSI/IEEE 610.12-1990]

Data. A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by a programmable digital computer. [ANSI/IEEE-ANS 7-4.3.2-1982]

Digital computer. See programmable digital computer.

Electromagnetic compatibility (EMC). The ability of equipment to function satisfactorily in its electromagnetic environment without introducing intolerable disturbances to that environment or to other equipment. [IEC 801-3-1984]

Electromagnetic interference (EMI). Electromagnetic disturbance which manifests itself in performance degradation, malfunction, or failure of electrical or electronic equipment. [IEC 801-3-1984]

Firmware. The combination of software and data that resides in read-only memory.

Integration tests. Tests performed during the hardware-software integration process prior to computer system validation to verify compatibility of the software and the computer system hardware. [ANSI/IEEE-ANS 7-4.3.2-1982]

Microprocessors. See programmable digital computer.

Programmable digital computer. A device that can store instructions and is capable of the execution of a systematic sequence of operations performed on data that is controlled by internally stored instructions. [ANSI/IEEE-ANS 7-4.3.2-1982]

Radio-frequency interference (RFI). A form of electromagnetic interference (EMI). EMI is a broader definition which includes the entire electromagnetic spectrum, whereas RFI is more restricted to the radio-frequency band, generally considered to be between 10 kHz and 50 GHz. This term has been superseded by the broader term EMI.

Safety related. See safety systems.

Safety systems. Those systems that are relied upon to remain functional during and following design basis events to ensure (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (iii) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the 10 CFR Part 100 guidelines. [IEEE 603-1991]

Software. Computer programs and data. [ANSI/IEEE-ANS 7-4.3.2-1982]

Verification and Validation (V&V). The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements. [IEEE 610.12-1990]


Section 3 THE EXISTING LICENSING PROCESS AND 10CFR50.59

As part of making a change to a nuclear power plant, the utility performs the necessary reviews and evaluations to ensure that the change is safe, verifies that the change meets the applicable regulations, determines the effect of the change on the plant's licensing basis, and determines whether licensing review or approval of the change is needed from the NRC. An important regulation that governs changes to a licensed nuclear facility is 10CFR50.59. This regulation gives the utility the prerogative to make changes to the plant without prior NRC review or approval, as long as a safety evaluation is performed and several conditions are met as spelled out in the regulation.

Specifically, under the provisions of 10CFR50.59 the licensee is allowed to (a) make changes in the facility as described in the Safety Analysis Report, (b) make changes in the procedures as described in the Safety Analysis Report, and (c) conduct tests or experiments not described in the Safety Analysis Report without NRC review and approval prior to implementation, provided the proposed change, test, or experiment does not involve a change in the Technical Specifications or an unreviewed safety question. A proposed change, test, or experiment is considered to involve an unreviewed safety question (1) if the probability of occurrence or the consequence of an accident or malfunction of equipment important to safety previously evaluated in the Safety Analysis Report may be increased, or (2) if the possibility for an accident or malfunction of a different type than any previously evaluated in the Safety Analysis Report may be created, or (3) if the margin of safety as defined in the basis for any Technical Specification is reduced.

Figure 1 shows the process that typically is followed in performing safety reviews and addressing the licensing aspects of a proposed change. The figure is taken from NSAC-125, "Guidelines for 10CFR50.59 Safety Evaluations."*

3.1 WHEN 10CFR50.59 APPLIES

NSAC-125 provides detailed guidance for determining if the subject system is included in those for which 10CFR50.59 is applicable. As discussed in NSAC-125, 10CFR50.59 requires safety evaluations only for changes to the facility that affect the design, function, or method of performing the function of a structure, system, or component (SSC) described in the Safety Analysis Report (SAR) either by text, drawing, or other information relied upon by the NRC in granting the license.

The intent is to require a safety evaluation for any modification that could affect the safety analysis.

NSAC-125 provides examples for this determination and discusses issues such as distinguishing between a maintenance activity and a design change.

* NSAC-125 is an industry guideline that has been used widely by utilities to develop their specific procedures for compliance with 10CFR50.59.

Figure 1 Safety Review Process (From NSAC-125)
This chart is unchanged, and will be used as in NSAC-125.

3.2 REVIEW FOR POTENTIAL TECH SPEC CHANGES

The determination of whether the upgrade involves a Technical Specification change can be made by a review of the Technical Specifications relative to the planned upgrade. The review should cover the items listed below:

Safety limits, limiting safety system settings, and limiting control settings. These are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity.

Limiting conditions for operation. These are the functional capabilities or performance levels of equipment required for safe operation of the facility.

Surveillance requirements. These are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within the safety limits, and that the limiting conditions of operation will be met.

Design features. Design features to be included are those features of the facility such as time response and channel accuracy which, if altered or modified, could have a significant effect on safety.

Administrative controls. These provisions relate to organization and management, procedures, record keeping, review and audit, and reporting necessary to assure operation of the facility in a safe manner.

The review should address the bases for the Technical Specifications and applicable plant Safety Evaluation Reports (SERs) to determine if any changes are needed. It should consider in particular any parameters or assumptions that may have been unique to the analog system and no longer apply with the digital upgrade. It should also include consideration of parameters or assumptions unique to digital systems that were not required for analog systems, and therefore need to be added. If the planned upgrade involves a change to the Technical Specifications, then the licensee must submit a request for amendment to the facility license in accordance with the provisions of 10CFR50.90. The NRC must approve the Technical Specification change prior to implementation of the plant modification. The submittal should concentrate on those aspects of the modification that result in the Technical Specification change.

3.3 PERFORMING THE 10CFR50.59 SAFETY EVALUATION

NSAC-125 provides general guidance for preparation of a safety evaluation when it is required by 10CFR50.59. See Figure 1. The three questions posed by 10CFR50.59 are broken down to seven questions in NSAC-125 that are more specific and somewhat easier to address. The seven questions are explained and guidance is given on how to address them and determine whether the change involves an unreviewed safety question.

The possibility of a malfunction not previously evaluated in the final safety analysis report, and a possible reduction in the current safety margin, calls into question the performance of an analog-to-digital modification of a safety system under the 10 CFR 50.59 rule. Therefore, for digital upgrades involving the Reactor Protection System (RPS), the Engineered Safety Features (ESF) control and actuation systems, and systems which fall into the Post-Accident Monitoring (PAM) category (items as defined in Regulatory Guide 1.97), application of 10 CFR 50.59 would lead to an unreviewed safety question and thus prior Commission approval of the change is required. This position is based upon the understanding that with the possibility of common mode software failure and increased sensitivity to the electromagnetic environment, and the high degree of importance to safety of these systems, an evaluation based on the 10 CFR 50.59 rule will show that new failure modes and thus an unreviewed safety question exists. Modifications to systems other than those mentioned above are below the threshold because of their lesser safety significance, and after an evaluation against 10 CFR 50.59 guidelines is done, it may be that no Commission approval is required prior to implementation of the change. This determination will depend upon the outcome of the specific 10 CFR 50.59 evaluation. If the change is determined to involve an unreviewed safety question, the licensee must request review and approval from NRC prior to implementation. The submittal should concentrate on those aspects of the change that result in the unreviewed safety question.

3.4 APPLICATION OF THE EXISTING LICENSING PROCESS TO DIGITAL UPGRADES

The process described above - determining when 10CFR50.59 applies, whether a modification involves a Technical Specification change, and whether it involves an unreviewed safety question based on the questions in 10CFR50.59 - applies to digital I&C upgrades as it does to other plant modifications. However, there are some additional special considerations that should be addressed when making digital I&C upgrades to safety systems. These special considerations address issues such as use of software and the potential for software common mode failures. The special considerations for digital upgrades are discussed in Section 4. Guidance for addressing them, within the context of the existing licensing process described above, is given in Sections 4 and 5.

In general, software cannot be thought of as an electronic component similar to other components installed in redundant channels that are physically and electrically separated from each other, as was done with previously licensed analog designs. Once a final software package is developed, this exact same package (component) may be installed in each redundant channel, including any errors and failure mechanisms that may be induced by the software itself. With the same software component installed in each redundant channel or train of a safety system, the potential exists for a simultaneous failure in multiple safety trains. Such a failure would affect the ability of the safety system to perform its intended safety function. This concern is compounded by the use of portable configuration equipment that can alter the software in the field. As a result, the concern yields questions regarding the application of the single failure, independence, and separation criteria that were inherent in the original safety analysis. Furthermore, since some digital system designs use common information highways or can handle multiple input functions, a single digital equipment failure in one train could affect a number of the available trip functions, thereby reducing the availability and functional diversity of existing designs.

Section 4 GUIDANCE ON ADDRESSING DIGITAL UPGRADE ISSUES

Section 1 listed several issues that have been identified with digital I&C upgrades in safety systems.

These issues should be given special consideration in the design, specification, evaluation, and implementation of safety system digital upgrades. Specifically:

The design and use of software should be given special attention, including verification and validation (V&V) and configuration management for software and the potential for software common mode failures.

Qualification of computer-based equipment and demonstration of its compatibility with the environment should include consideration of electromagnetic interference (EMI) susceptibility and emissions.

The potential for errors or inadvertent or unauthorized changes to be introduced via a man-machine interface (MMI) for computer-based equipment should be considered (e.g., via a configuration terminal, operator interface, or maintenance technician interface).

Training/Personnel qualifications

Commercial grade item dedication to qualify commercial grade digital equipment for use in safety systems should include consideration of software as well as hardware.

Functional Diversity

System Diversity requirements (e.g., ATWS)

This section describes how each of these issues can be addressed. The existing design issues from previous analog equipment which are applicable (i.e., QA, seismic qualifications, redundancy, etc.) also need to be addressed. In many cases it draws on existing standards, regulatory requirements, and other sources of technical guidance, providing a summary or roadmap to these sources of guidance and discussing options the utility has for addressing the issues. Section 5 provides guidance on answering the 10CFR50.59 questions regarding potential unreviewed safety questions. It supplements the guidance that already is provided in NSAC-125, providing detailed questions that should be considered to address specifically the issues associated with digital I&C upgrades.

Section 3 discussed briefly the submittals that are required when the licensee determines that a modification involves a Technical Specification change or an unreviewed safety question. Note that it can be beneficial to inform the NRC early in the process, prior to determining what formal submittals may be required, about the intention to make a digital upgrade to a safety system. This can be informal, and it can help avoid misunderstandings and facilitate useful and timely interactions between the utility and NRC, potentially leading to a smoother licensing process for the upgrade.

4.1 SOFTWARE

4.1.1 Software Design and Quality Assurance

The design of digital computer-based I&C upgrades should place a high importance on software reliability and should include a well-defined process for software development, quality assurance, and configuration control.

Note that there may be several different types or categories of software involved in the upgraded system, with different organizations responsible for each. For example, the computer-based system may include:

Base software delivered with the system (often as embedded firmware), developed by the vendor and sub-vendors - typically the vendor carries out the quality assurance, verification and validation of this software (e.g., for a programmable controller, the base software that implements the controller algorithms typically is unchanged from application to application);

Application-specific software, including configuration information - if the utility is responsible for developing this software, it has the responsibility for its verification and validation (e.g., configuration data or software settings that configure selected algorithms of a programmable controller to implement the particular control application).

The [struck out: responsibilities] duties for development, V&V, and configuration control of the different portions of the software should be clearly specified. Also, required interactions between the utility and vendor in the development, review, and testing of the software should be specified. The utility should ensure that plant-specific or application-specific information needed by the vendor is adequately communicated and documented. Responsibility for the correct implementation and operation of the software rests on the licensee. Standards, methods, and guidelines are available that allow the utility and the vendor to assure adequate software design, quality assurance, and verification and validation. Guidance for computer software development and integration of hardware and software for safety systems is provided in ANSI/IEEE-ANS 7-4.3.2. The 1982 revision of this standard was endorsed by Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants."

The following additional standards also can be used for guidance:

ASME NQA-2a-1990 Part 2.7 Quality Assurance Requirements of Computer Software for Nuclear Facility Applications
ANSI/IEEE 730-1989 IEEE Standard for Software Quality Assurance Plans
ANSI/IEEE 828-1990 IEEE Standard for Software Configuration Management Plans
ANSI/IEEE 830-1984 IEEE Guide to Software Requirements Specifications
ANSI/IEEE 1012-1986 IEEE Standard for Software Verification and Validation Plans
ANSI/IEEE 1016-1987 IEEE Recommended Practice for Software Design Descriptions
ANSI/IEEE 1028-1988 IEEE Standard for Software Reviews and Audits
ANSI/IEEE 1063-1987 IEEE Standard for Software User Documentation
IEC 880-1986 Software for Computers in the Safety Systems of Nuclear Power Stations

4.1.2 Software Common Mode Failures and Defense in Depth

Software reliability is a key element in the design of a digital computer-based I&C upgrade.

Requirements and guidance provided in ANSI/IEEE-ANS 7-4.3.2 should be followed as discussed above to ensure that the software that is produced is of high quality and therefore reliable. Also, features such as automatic self-testing and diagnostics which are provided by modern software-based systems should be recognized for their potential to enhance system reliability. At the present time, however, there is a lack of consensus on methods for quantifying software reliability, particularly at the levels required of a safety system. As a result, there remain questions, particularly for relatively complex software-based systems, on the reliability of individual computers and the potential for a software common mode failure to cause a situation that is detrimental to plant safety.

[Struck out: The potential for] Software failures, including common mode failures, [struck out: should] shall be considered in the context of the overall assessment of system failure modes and the consequences of failures. [Struck out: The assessment of failure modes should be conducted at the system level; it need not be a detailed evaluation of individual hardware or software component failures as long as the system level failure assessment bounds the credible failure modes for the system as a whole (e.g., fail high, fail low, or fail as-is for system outputs).]

A process that can be used to address software common mode failures is outlined below. Figure 2 provides a flowchart illustrating this process.

For each software failure that is considered:

1. [Struck out: Assess whether the] Since it is considered impossible to prove that software is error-free, software failure is deemed to be credible:

For simple systems which have extensive experience (both hardware and software), the measures taken to ensure software quality combined with successful operating experience gained with the system may be such that a software common mode failure is [struck out: not considered credible] less likely, but is still credible. [Struck out: Note that, for a protection system, the portion of software that is critical to the system performing its safety function may be actually very simple because the functions it performs are simple (comparison of a signal to a setpoint, simple signal conditioning, etc.).]

For more complex systems or systems that have not seen extensive operating experience, software common mode failure may be [struck out: considered credible] more probable and, if so, should be given further evaluation (below).

Figure 2 Addressing Software Common Mode Failure

2. [Struck out: Assess the probability of the software failure, combined with probabilities of other events that must occur (if any) for the consequences of the failure to be significant. For example, if the system under review is a backup system that must perform only when certain events occur, then a software failure in that system is important only if it could occur coincident with these other events producing the need for the backup system. It is important to consider the combined probabilities to place the failure in the appropriate [word illegible] and determine whether it is meaningful. If the probabilities are significant and warrant further consideration, the consequences of the failure could be assessed (below).]

3. Assess the consequences of the software failure, assuming it does occur. Determine whether the consequences of the software failure represent [struck: a new type of system level failure that has not previously been considered] [inserted: an accident or malfunction of a different type than evaluated previously]. [inserted: It should be remembered that there is no guidance for quantitatively assessing software failure probabilities at this time. If the system under review is a backup system that must perform only when certain events occur, then a software failure in that system is important only if it could occur coincident with these other events producing the need for the backup system.]

If [struck: the consequences of the failure are not new and already have been addressed] [inserted: a software failure of this type has already been evaluated and documented in the safety analysis report], then this particular failure need not be considered further. It would not represent an unreviewed safety question per 10CFR50.59.

However, if it is concluded that this is a new type of [struck: system level] failure, then protection against the consequences of the failure [struck: should] [inserted: shall] be considered (below). Note that this [struck: typically] would mean the change involves an unreviewed safety question per 10CFR50.59 and NRC review and approval would be required prior to implementation.

[struck: 4.] [inserted: 3.] Assess the defense in depth that is provided which would mitigate the effects of the plant design basis accidents even if the upgraded system suffered the software common mode failure. There are several options for demonstrating adequate defense in depth:

- Demonstrate that there is defense in depth with existing systems, procedures, and training which is adequate to mitigate the effects of the design basis accidents even if the upgraded system suffers the software common mode failure of concern; this may include taking credit for operator action under defined circumstances, and it may include the use of nonsafety-related equipment [inserted: providing, in either case (operator action or nonsafety equipment), the actions meet the safety analysis response time requirements and are independent and diverse from the proposed system design]; or,

- Provide diversity within the upgraded system itself (e.g., diverse hardware and software in redundant portions of the system); or,

- Provide a separate backup system that gives adequate protection in the event of software common mode failure in the upgraded system.

- Provide a diverse monitoring system which will [inserted: increase the likelihood of quickly identifying] [struck: identify] the occurrence of the common mode failure of the upgraded system, and provide guidance to the operators on their response to this failure.

4.2 EQUIPMENT QUALIFICATION INCLUDING EMI

10CFR50, Appendix A (GDC 2 and 4) requires that safety systems be designed to withstand the effects of natural phenomena and be qualified to operate in normal and postulated accident conditions. Environmental conditions that should be considered include temperature, pressure, humidity, seismic conditions, radiation, and electromagnetic interference (EMI).

As noted earlier, electromagnetic interference has been identified as an issue associated with digital I&C upgrades. The purpose of this section is to provide guidance and acceptable methods for addressing the EMI issue. It draws [inserted: on a number of publications including IEEE Std 1050, MIL-STD-461 and 462, and] [struck: on guidance recently developed by EPRI and contained in] EPRI TR-102323[struck: , "Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment in Nuclear Power Plants"].

The EMI environment should be considered as part of the design basis conditions for the upgraded safety system. It should be shown that the equipment installed with the digital I&C upgrade will operate satisfactorily in the environment in which it is to be located. Key aspects of this evaluation are (1) knowledge of the plant EMI environment [inserted: in which the equipment is expected to operate], (2) the execution of an appropriate set of tests to assess the vulnerability or susceptibility of the new equipment to EMI, ([struck: 2] [inserted: 3]) the range of frequencies and test levels covered by the equipment susceptibility tests, [struck: and] ([struck: 3] [inserted: 4]) methods for demonstrating that the equipment is compatible with the EMI environment in which it will be installed, [inserted: and (5) installation using proper grounding and shielding techniques]. Each of these is discussed below.

[struck: The test methods specified in IEC 801-3, 4, and 5, which cover susceptibility to radiated fields, electrical fast transients, and surges, supplemented by a low frequency conducted susceptibility test such as MIL-STD-461C, CS01, are considered a comprehensive set of tests and an acceptable method for conducting EMI susceptibility testing. All of these tests are identified in Table 1. The [illegible] are also considered acceptable. Recommended signal levels and frequency ranges for these tests are provided in EPRI TR-102323.]


[inserted: There are a number of standards and test methods which, if properly applied, will provide satisfactory results. Among these are the IEC 801 series and MIL-STD-461 and MIL-STD-462. The MIL-STD-461C susceptibility requirements are shown in the table below. In any of these, care must be taken to insure the entire frequency spectrum is covered. Ideally, frequencies considered should cover from 30 Hz to 20 GHz. 30 Hz is the first subharmonic of both the 60 Hz generated power and the supply voltage for most of the plant equipment. While this has a very long wave length, on the order of 3000 miles, and as such there is a low incidence of coupling, 60 Hz is the most common frequency in the plant, and therefore even a small degree of coupling can cause problems. 60 cycle hum on ground lines is not an unusual problem. 20 GHz is the upper end of the microwave spectrum, and may be used for point to point communications systems, both on-site and off-site. The power levels in this frequency are usually much lower, but the short wavelengths may make even short wires a good antenna. The spectrum between 10 GHz and 20 GHz need be considered only if microwave systems using these frequencies are in the proximity of the plant. There must be a justification for any other frequencies not considered.]

[inserted: Applicable MIL-STD-461C susceptibility requirements for digital equipment (table):]

Requirement   Description
CS01          Conducted susceptibility, power leads, 30 Hz to 50 kHz
CS02          Conducted susceptibility, power and interconnecting control leads, 50 kHz to 400 MHz
CS06          Conducted susceptibility, spikes, power leads
RS01          Radiated susceptibility, magnetic field, 30 Hz to 50 kHz
RS02          Radiated susceptibility, magnetic and electric fields, spikes and power frequencies
RS03          Radiated susceptibility, electric field, 14 kHz to 20 GHz

C = conducted, R = radiated, and S = susceptibility

[inserted: Site specific problems should be considered. These should include the frequency of any microwave systems installed on-site, or which are offsite but geographically close. Of specific interest are the handheld radio communications devices used by plant personnel. In addition, radar frequencies should be considered, both from local airports and shipboard radars for sites close to large bodies of water. Sites close to military bases should consider those radars.]
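The coverage rule stated above (cover 30 Hz to 20 GHz, justify any band left out, and account for site-specific emitters) can be checked mechanically against a test plan. The following is an added example; it is not part of the NUMARC draft or of the NRC comments. The requirement bands are the MIL-STD-461C entries from the table above and the 30 Hz to 20 GHz target is the span the text says should ideally be covered; the data layout, the function names and the sample site emitter frequencies are this example's own constructions.

```python
"""EMI susceptibility test-plan frequency coverage check.

Added example, not part of the NUMARC draft or the NRC comments. The
requirement bands come from the MIL-STD-461C table in the text; the
data layout, function names and sample site emitters are constructed
for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Band = Tuple[float, float]  # (low Hz, high Hz), inclusive


@dataclass(frozen=True)
class Requirement:
    name: str
    coupling: str            # "conducted" or "radiated"
    description: str
    band_hz: Optional[Band]  # None for spike tests that sweep no band (CS06, RS02)


# Bands as listed in the MIL-STD-461C table above.
MIL_STD_461C: List[Requirement] = [
    Requirement("CS01", "conducted", "power leads", (30.0, 50e3)),
    Requirement("CS02", "conducted", "power and interconnecting control leads", (50e3, 400e6)),
    Requirement("CS06", "conducted", "spikes, power leads", None),
    Requirement("RS01", "radiated", "magnetic field", (30.0, 50e3)),
    Requirement("RS02", "radiated", "magnetic and electric fields, spikes and power frequencies", None),
    Requirement("RS03", "radiated", "electric field", (14e3, 20e9)),
]

# "Ideally, frequencies considered should cover from 30 Hz to 20 GHz."
TARGET_BAND_HZ: Band = (30.0, 20e9)


def merge_bands(bands: List[Band]) -> List[Band]:
    """Union of inclusive bands: sort by low edge, merge overlapping or touching ones."""
    merged: List[Band] = []
    for lo, hi in sorted(bands):
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def coverage_gaps(reqs: List[Requirement], coupling: str,
                  target: Band = TARGET_BAND_HZ) -> List[Band]:
    """Sub-bands of `target` reached by no swept test of the given coupling type.

    Spike tests (band_hz is None) contribute nothing to swept coverage."""
    t_lo, t_hi = target
    bands = [r.band_hz for r in reqs if r.coupling == coupling and r.band_hz is not None]
    clipped = [(max(lo, t_lo), min(hi, t_hi)) for lo, hi in bands if hi >= t_lo and lo <= t_hi]
    gaps: List[Band] = []
    cursor = t_lo
    for lo, hi in merge_bands(clipped):
        if lo > cursor:
            gaps.append((cursor, lo))
        cursor = max(cursor, hi)
    if cursor < t_hi:
        gaps.append((cursor, t_hi))
    return gaps


def unjustified_gaps(gaps: List[Band], justifications: Dict[Band, str]) -> List[Band]:
    """Gaps not wholly inside a band for which a written justification exists.

    The text requires a justification for any frequencies not considered, e.g.
    10 GHz to 20 GHz when no microwave system near the plant uses them."""
    return [g for g in gaps
            if not any(j_lo <= g[0] and g[1] <= j_hi for (j_lo, j_hi) in justifications)]


def untested_site_frequencies(reqs: List[Requirement], coupling: str,
                              site_hz: Dict[str, float]) -> List[str]:
    """Site-specific emitters (handheld radios, radars, microwave links) whose
    frequency falls in no swept band of the given coupling type."""
    covered = merge_bands([r.band_hz for r in reqs
                           if r.coupling == coupling and r.band_hz is not None])
    return [name for name, f in site_hz.items()
            if not any(lo <= f <= hi for lo, hi in covered)]


if __name__ == "__main__":
    # Constructed sample site emitters; the values are illustrative, not from the page.
    site = {"handheld radio (constructed)": 460e6, "airport radar (constructed)": 2.8e9}
    for coupling in ("conducted", "radiated"):
        print(coupling, "gaps:", coverage_gaps(MIL_STD_461C, coupling))
        print(coupling, "untested site emitters:",
              untested_site_frequencies(MIL_STD_461C, coupling, site))
```

Run as written, the conducted tests cover 30 Hz to 400 MHz and leave 400 MHz to 20 GHz unswept, while the radiated tests cover the whole target; the gap list is exactly the set of frequencies for which the text demands a written justification, and the site-emitter check flags any plant radio or radar whose frequency no swept test reaches.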

In demonstrating that the equipment is compatible with the EMI environment in which it will be installed, there are several options:

[struck: 1. Using the test methods discussed above, qualify the equipment to conservative levels that can be shown to be greater than what is credible for the installed environment; a local site survey is not required in this case if EPRI TR-102323 has been used to establish the levels for testing (see discussion below); or,]

[struck: 2. Demonstrate that the existing equipment is more susceptible than the new equipment to be installed with the upgrade. In some cases existing analog instrumentation has greater susceptibility to EMI than the modern digital equipment that is installed in its place; or,]

3. Perform local tests or surveys to measure the actual environment in which the equipment will be installed, and compare this to the results of the vendor or laboratory tests of equipment susceptibility; show that the equipment testing envelopes the installed environment.

[inserted: 2. Perform an analysis based on previous local tests or surveys and the known emissions of any equipment added since that test, and compare this to the results of the vendor or laboratory tests of equipment susceptibility; show that the equipment testing envelopes the installed environment.]

[struck: The EPRI Guide, TR-102323, contains qualification test options and test signal characteristics, including frequency range and magnitude, based on maximum expected interference levels determined by analysis and test. The EPRI Guide contains upper bounds for interference levels for all the EMI concerns noted in Table 1 and is applicable to any nuclear power plant.]

Experience in previous upgrades has shown that wiring practices followed in installation of the equipment (e.g., routing, shielding, grounding, termination) are very important in minimizing EMI susceptibility and should be addressed in the design and implementation of the upgrade. IEEE 1050-1989 provides guidance in this area.

4.3 MAN-MACHINE INTERFACE (MMI)

The man-machine interface includes all interfaces between the digital I&C system and plant personnel, including:

- operators - alarms, status displays, control interfaces, etc.
- maintenance technicians - test and calibration interfaces, diagnostic information displays, data entry terminals for setpoints, etc.
- engineering personnel - configuration workstations or terminals, etc.

The principal concern related to the man-machine interface is the possibility of system failure due to human error, or due to unauthorized entries or alterations of the system through a maintenance, test, or configuration interface. Human factors considerations should be addressed in the design of all man-machine interfaces associated with the upgrade in order to minimize the possibility for human error in using the interface. IEEE 603-1991 discusses the application of human factors considerations in the design process for safety systems. General guidance for human factors considerations is provided in numerous IEEE, EPRI, and NUREG documents on this subject.

Adequate administrative controls and security should be provided [struck: to guard against] [inserted: prevent] unauthorized changes being introduced through a man-machine interface. Note that this is similar to the situation that is faced now with existing equipment and the associated administrative controls and security (e.g., authorization to open cabinets, use of keylock controls, restrictions on vital area access, etc.). IEEE 603-1991 provides guidance on access control and human interfaces.

Administrative controls and design features should specifically address software access in addition to typical equipment access provisions.

4.4 COMMERCIAL GRADE ITEM DEDICATION

The responsibilities for qualifying, or performing commercial dedication, of equipment for use in a safety system should be specified. This includes software as well as hardware. Note that, depending on how the roles are defined, the utility may need access to the source code for the vendor software. If so, this needs to be worked out up front (schedule, terms, etc.) so that the necessary reviews or dedication activities can be supported in a timely fashion.

The process used for commercial grade item dedication should identify the principal performance requirements necessary to provide adequate confidence that the safety function can be achieved. The hardware and software design should be compared to the applicable design criteria for nuclear qualified equipment [struck: , with [illegible] compensating factors (e.g., documented operating experience in similar applications, or additional verification and validation performed to develop adequate confidence)]. [inserted: While documented operating experience is a useful factor in commercial grade dedication, it is in itself insufficient as proof of acceptability for applications important to safety.] Acceptance typically will be based on [struck: adequate] [inserted: a high degree of] confidence that the product will [inserted: not only] perform its intended functions [inserted: but also that no unintended functions will occur. The degree of confidence required will be commensurate with the safety] function the hardware and software is required to perform. [inserted: Since for any reasonably large software package the number of input variables makes dedication by testing alone a very difficult proposition, the only viable alternative is to verify and validate the code itself, in addition to test. In a proprietary software product, the vendor may be reluctant to make the code listings available. For this reason commercial dedication of software remains limited [illegible].] Documentation [illegible] required to maintain the commercial grade dedication [struck: should] [inserted: shall] be placed under configuration management.

EPRI NP-5652, "Utilization of Commercial Grade Items in Nuclear Safety Related Applications," provides guidance on commercial grade item dedication.

4.5 DESIGN, SPECIFICATION, AND IMPLEMENTATION PROCESS

For digital I&C system upgrades, it is particularly important to establish early in the process the roles, responsibilities, and interfaces among the utility, equipment vendor, and other organizations that may be involved in the change. When the upgrade involves computers and software, responsibilities for verification and validation (V&V), testing, and configuration management for the different types of software (e.g., vendor-supplied firmware, software configuration data, etc., as discussed in 4.1.1 above) should be established up front. [inserted: The ultimate responsibility for correct operation of the system cannot, of course, be delegated and as such remains with the licensee.] Experience in previous digital upgrades and lessons learned from software development and use in general have shown that proper specification of the requirements for the software is a key element in assuring adequate performance of the system. Most problems with digital systems occur in specifying the system, not in implementing the system or the software. The process should be very thorough in establishing the requirements for the upgraded system, identifying all interfaces and all the applicable design basis requirements, and the utility should ensure that it adequately communicates to the vendor the plant-specific requirements and information needed to implement the system.

NSAC-105, "Guidelines for Design and Procedure Changes in Nuclear Power Plants," provides general guidance on design and implementation of plant modifications. [inserted: IEEE 830-1984, "Guide to Software Requirements Specifications," provides more detailed guidance on the process of generating the software requirements specifications.] Additional guidance related to specification of digital I&C upgrades is given below, supplementing the guidance contained in NSAC-105.

4.5.1 Definition of Systems, Interfaces, and Design Requirements

The systems that will be involved in the upgrade should be clearly defined. This includes defining:

- Objective(s) of the modification. For example, is this a functionally equivalent replacement or is additional functionality to be provided as part of the modification? This can have a significant impact on the safety evaluation.
- System(s) to be modified. What systems will be modified to support the objectives?
- Other systems affected. What are the effects from this modification on other systems? What interfaces are affected?
- Systems design basis and licensing basis. What are the design and licensing bases for the systems to be modified and for those that may be affected by the modification? System design documentation, design basis requirements, applicable sections of the Safety Analysis Report (SAR), Technical Specifications, and other design information should be used as appropriate.

4.5.2 Plant-Specific Configurations and Optional Features

The utility should specify the particular options, features, and plant-specific configurations that are to be implemented for the particular design. The flexibility and power of computer-based systems allow a wide range of optional features and capabilities that the utility may or may not want in a particular application. In some cases, it may be desirable to disable or remove unnecessary optional capabilities, particularly if they open up the possibility of new types of malfunctions or misoperations that impact the safety evaluation.

Also, the utility should understand what actions it must take to properly implement the desired capabilities. An example is the area of self-testing, diagnostics, and fault detection. The equipment may support these features, but the vendor may rely on site-specific or customer-specific wiring or interfaces to fully implement them (e.g., the equipment provides a contact output that signals failure of a processor, and this contact must be wired to a separate system or other equipment to provide operator notification or maintenance action). Communication between the utility and the vendor is important in ensuring that these items are properly addressed in the design and installation.

4.5.3 Design Specification

Section 2 of NSAC-105 and [inserted: IEEE 1016-1987, "Recommended Practice for Software Design Descriptions,"] provides guidance on preparation of a design specification. As noted above, the specification is a key element in ensuring adequate performance of the upgraded system. The specification should cover:

- Design objectives
- Functional requirements
- Codes, standards, and other design basis documents
- Design requirements
- Analysis and testing requirements
- Acceptance criteria

Section 5 SUPPLEMENTAL GUIDANCE FOR 10CFR50.59 EVALUATIONS OF DIGITAL UPGRADES

NSAC-125 provides a set of seven questions commonly used to determine if a modification involves one or more unreviewed safety questions in accordance with 10CFR50.59. If the modification involves an unreviewed safety question, NRC review and approval must be obtained prior to implementation.

It is important to remember that the 10CFR50.59 Safety Evaluation does not determine whether or not a proposed change is safe. A determination that a proposed change involves an unreviewed safety question does not mean that the change is unsafe. It simply means that NRC review and approval is necessary prior to implementation of the change.

The following provides items to consider in answering each of the seven questions referred to in NSAC-125. They are expressed in the form of supplemental questions. [struck: It is important to keep in mind that an answer of "yes" or "no" to a given question does not automatically mean that there is or is not an unreviewed safety question; these are items to consider, not absolutes. Also, note that for a particular upgrade, some of the items listed may be more appropriately addressed under a different question or in several of the questions.] [inserted: If any of these questions is answered "yes" the change is an unreviewed safety question (Section 4.2 of NSAC-125).] It is important to ensure that all items are addressed fully and that all valid potential unreviewed safety questions are identified.

(1) May the proposed activity increase the probability of occurrence of an accident evaluated previously in the Safety Analysis Report (SAR)?

Areas that should be addressed in responding to this question include the following:

(a) Does the replacement system exhibit performance characteristics, or have design features, that give an increased probability of a system malfunction resulting in an accident? The assessment of a change in probability may be made on a qualitative basis, particularly for systems or components which rely on software since there does not currently exist a consensus method for quantifying software reliability. [inserted: Common mode and common cause failures of software shall be considered.] Section 3.4 of NSAC-125 provides guidance on the use of qualitative probability assessments.

(b) Does the system exhibit performance characteristics that require additional operator intervention for continued normal operation (e.g., lockup, halt)? [inserted: It should also be noted that lockup or halt may be new types of malfunctions, and should be addressed under item 6 of this section.]

(c) Is the system qualified for the installed environment (e.g., temperature, humidity, electromagnetic fields, airborne particulates) such that system performance will not be degraded compared to the original system?

(2) May the proposed activity increase the consequences of an accident evaluated previously in the SAR?

The following areas should be addressed in responding to this question to determine if the activity results in an increase in radiological releases above the licensing limit:

(a) Does the replacement system exhibit a response time beyond current acceptance limits (e.g., because of sample period, increased filtering)?

(b) Does the system perform adequately under high duty cycle loading (e.g., computational burden during accident conditions)?

(c) Does the architecture of the system exhibit a single failure that results in more severe consequential effects (e.g., reduced segmentation due to combining previously separate functions, several input channels sharing an input board, central loop processor for many channels)?

(d) Does the man-machine interface design introduce constraints on the operators' ability to adequately respond to an accident such that there are more severe consequential effects?

(3) May the proposed activity increase the probability of occurrence of a malfunction of equipment important to safety evaluated previously in the SAR?

Areas that should be addressed in responding to this question include the following:

(a) Does the modified system meet the required plant environmental and seismic envelopes?

(b) Is the replacement system qualified for the electromagnetic fields at the installed location? What effect does plant equipment operation have on the system (e.g., walkie talkies, motors, switchgear, etc.)?

(c) Have potential interactions between safety-related and nonsafety-related systems been addressed?

(d) Are the electrical loads associated with the replacement system addressed in the design?

(e) Does the plant HVAC have adequate capacity for the thermal loads of the replacement system?

(f) Does the replacement system meet applicable requirements for separation, independence, and grounding?

(g) Does the microprocessor-based system have adequately qualified cabinet cooling?

(4) May the proposed activity increase the consequences of a malfunction of equipment important to safety evaluated previously in the SAR?

Areas that should be addressed to determine if the activity could result in an increase in the radiological releases above the current licensing limit include the following:

(a) Does the replacement system exhibit the same failure modes affecting radiological release as the analog system (e.g., fail low, fail high, fail as is, or diagnostic failures)? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR?

(b) [struck: Is] [inserted: Since] a software common mode failure (CMF) [inserted: is] a credible failure mode[struck: ? If so], are the consequences mitigated by the hardware design or system architecture? If not, is the probability of a software CMF in conjunction with other concurrent events assumed in the safety analysis judged to be sufficiently high that the consequences of a malfunction previously evaluated are increased? Are the consequences bounded by other events evaluated in the SAR?

(c) Does the replacement system have the same failure mode as the analog system on loss of power? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR?

(d) Is the response of the replacement system on restoration of power different from that of the analog system being replaced?

(e) Does the man-machine interface (MMI) introduce failure modes different from those of the existing analog system? [inserted: Is there an equivalent to the MMI in the system being replaced, or does the existence of a new type of equipment create a new type of failure?]

(5) May the proposed activity create the possibility of an accident of a different type than any evaluated previously in the SAR?

Areas that should be addressed in responding to this question include the following:

(a) Have assessments of system-level failure modes and effects for the microprocessor-based system identified any new types of failure modes that could cause a different type of accident than presented in the plant SAR?

(b) [struck: Is a software common mode failure a credible failure mode? If so, are] [inserted: Are] the consequences of a software [inserted: common mode] failure mitigated by the hardware design or system architecture? Could the failure cause a different type of accident than presented in the SAR?

(c) Plant SAR analyses were based on credible failure modes of analog equipment. Does the replacement system change the basis for the most limiting scenario?

[struck footnote 2: Considerations in determining whether a software common mode failure is credible include (1) the complexity of the computer system design, (2) the number and complexity of the software programs involved, and (3) experience with the computer system and software.]

(6) May the proposed activity create the possibility of a malfunction of equipment important to safety [struck: illegible] of a different type than any evaluated previously in the SAR?

[struck: These areas should be addressed in responding to this question:

(a) Have assessments of system level failure modes and effects for the microprocessor based system identified any new types of failure that could result in effects not previously considered in the SAR?

(b) Is a software common mode failure a credible failure mode? If so, would it result in effects not previously considered in the SAR?

(c) Could the environment in which the microprocessor based equipment operates cause a new type of failure (e.g., electromagnetic susceptibility)? Could the new system create an environment which adversely affects other equipment and thereby create the possibility of a different type of malfunction?

(d) Are the system design, verification and validation, and analysis methods consistent with industry standards?]

[inserted: This question is asking if the digital equipment could lead to a failure mode of a different type than the types evaluated in the SAR. In answering this question, the types of failure modes of the analog system being replaced that have been previously evaluated in the SAR and that are affected by the replacement are identified. Then types of failure modes that the digital replacement system could create are identified. Comparing the two lists can provide the answer to the question (NSAC-125 5.4.2.6).]

(7) Does the proposed activity reduce the margin of safety as defined in the basis for any technical specification?

A review of the bases and assumptions for the Technical Specifications and acceptance limits spelled out in the NRC SERs should be made to support this determination. The areas to be addressed include the following:

(a) Has the replacement I&C system decreased the channel trip accuracy beyond the acceptance limit?

(b) Has the replacement I&C system increased the channel response time beyond the acceptance limit?

(c) Has the replacement I&C system decreased the channel indicated accuracy beyond the acceptance limit?

(d) Does the new control system cause a plant parameter for any analyzed event to fall outside of acceptance limits?

Section 6 REFERENCES The following lists standards, guidelines, and other documents that are referred to in this guideline.

The EPRI Instrumentation & Control Requirements and Standards (ICRS) database, distributed by EPRI's Electric Power Software Center, can be consulted for more information on standards, regulatory documents, and guidelines related to I&C upgrades in nuclear power plants.

1. ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications," American Society of Mechanical Engineers.

2. ANSI/IEEE-ANS-7-4.3.2, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations."

3. ANSI/IEEE 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits."

4. ANSI/IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

5. ANSI/IEEE 610.12-1990, "Glossary of Software Engineering Terminology."

6. ANSI/IEEE 730-1989, "Software Quality Assurance Plans."

7. ANSI/IEEE 828-1990, "IEEE Standard for Software Configuration Management Plans."

8. ANSI/IEEE 830-1984, "IEEE Guide to Software Requirements Specification."

9. ANSI/IEEE 1012-1986, "IEEE Standard for Software Verification and Validation Plans."

10. ANSI/IEEE 1016-1987, "IEEE Recommended Practice for Software Design Descriptions."

11. ANSI/IEEE 1028-1988, "IEEE Standard for Software Reviews and Audits."

12. ANSI/IEEE 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations."

13. ANSI/IEEE 1063-1987, "IEEE Standard for Software User Documentation."

14. EPRI TR-102323, "Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment in Nuclear Power Plants." To be published by Electric Power Research Institute.

15. IEC 801-3, 1984, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 3: Radiated Electromagnetic Field Requirements."

16. IEC 801-4, 1988, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 4: Electrical Fast Transient/Burst Requirements."

17. IEC 801-5, Draft, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 5: Surge Immunity Requirements."

18. IEC 801-6, Draft, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 6: Immunity to Conducted Radio Frequency Disturbances Above 9 kHz."

19. IEC 880-1986, "Software for Computers in the Safety Systems of Nuclear Power Stations."

20. IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

21. NSAC-105, "Guidelines for Design and Procedure Changes in Nuclear Power Plants."

22. NSAC-125, "Guidelines for 10CFR50.59 Safety Evaluations."

23. Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants."

24. Regulatory Guide 1.75, "Physical Independence of Electrical Systems."

25. Regulatory Guide 1.153, "Criteria for Power, Instrumentation and Control Portions of Safety Systems."

26. Title 10 of the Code of Federal Regulations, Part 50.59, "Changes, Tests, and Experiments."

27. Title 10 of the Code of Federal Regulations, Part 50.90, "Application for Amendment of License or Construction Permit."