ML20046B395

Forwards for Info,Numarc Document, Guideline for Licensing Digital I&C Upgrades
Person / Time
Issue date: 07/16/1993
From: Wermiel J
Office of Nuclear Reactor Regulation
To: Bacon P
ROLLS-ROYCE & ASSOCIATES, LTD.
References
NUDOCS 9308040156


Text

July 16, 1993

Phil Bacon, Manager
High Integrity System Design
Rolls Royce and Associates Limited
PO Box 31
Derby, DE24 8BJ
United Kingdom

Dear Mr. Bacon:

As requested during our meeting on June 29, 1993, enclosed for your information is a copy of the Nuclear Management and Resources Council (NUMARC) document entitled "Guideline for Licensing Digital I&C Upgrades," which has been annotated with the NRC staff comments.

I hope this document will be of use to you. Our discussions with NUMARC on the contents of this document are continuing.

Mr. John Gallagher and I appreciate the opportunity to have discussed nuclear power plant digital instrument and control systems with you.

If I can be of further assistance, please call me at 301-504-2821.

Original signed by:

Jared S. Wermiel, Chief
Instrumentation and Controls Branch
Division of Reactor Controls and Human Factors

Enclosure: As stated

DISTRIBUTION: PDR, HICB R/F, J. Wermiel

Concurrence: BC:HICB:DRCH, JWermiel:lsh, 7/16/93

DOCUMENT NAME: BACON.LTR


June 2, 1993

Mr. Alex Marion, Manager
Technical Division
Nuclear Management and Resources Council
Suite 300
1776 Eye Street, N.W.
Washington, D.C. 20006

Dear Mr. Marion:

The purpose of this letter is to thank you for your cooperation with the NRC staff on issues regarding digital instrumentation and control system upgrades, and to transmit the NRC staff comments on the draft "Guideline for Licensing Digital I&C Upgrades." The enclosed comments are in the form of strikeouts and redline of the original draft.

The primary NRC staff concern, as discussed in our meeting on the 15th of April and as reflected in our comments, is the need to clearly establish a threshold for NRC staff review of certain digital I&C system upgrades, primarily based on the impact of software reliability and electromagnetic environment on the current plant safety analysis.

We look forward to future interactions with NUMARC, and are prepared to meet with you as necessary to discuss the proposed draft guideline at a mutually convenient time.

Please feel free to contact me at (301) 504-2821 or Paul Loeser at (301) 504-2825 should you have any questions or comments.

Jared S. Wermiel, Chief
Instrumentation and Controls Branch
Division of Reactor Controls and Human Factors

Enclosure: As stated

DISTRIBUTION: Central File, HICB R/F, PDR, P. Loeser, J. Mauck, J. Wermiel, B. Boger, W. Russell

Concurrence: SC:HICB, BC:HICB, D:DRCH; PLoeser:lsh, JWermiel, BBoger, 6/2/93

Document Name: NRC-UPDT.LTR

TABLE OF CONTENTS

Section 1 INTRODUCTION 1-1
1.1 BACKGROUND 1-1
1.2 PURPOSE 1-2
1.3 CONTENT OF THIS GUIDELINE 1-3
Section 2 DEFINITIONS AND TERMINOLOGY 2-1
Section 3 THE EXISTING LICENSING PROCESS AND 10CFR50.59 3-1
3.1 WHEN 10CFR50.59 APPLIES 3-1
3.2 REVIEW FOR POTENTIAL TECH SPEC CHANGES 3-1
3.3 PERFORMING THE 10CFR50.59 SAFETY EVALUATION 3-3
3.4 APPLICATION OF THE EXISTING LICENSING PROCESS TO DIGITAL UPGRADES 3-4
Section 4 GUIDANCE ON ADDRESSING DIGITAL UPGRADE ISSUES 4-1
4.1 SOFTWARE 4-2
4.1.1 Software Design and Quality Assurance 4-2
4.1.2 Software Common Mode Failures and Defense in Depth 4-3
4.2 EQUIPMENT QUALIFICATION INCLUDING EMI 4-6
4.3 MAN-MACHINE INTERFACE (MMI) 4-9
4.4 COMMERCIAL GRADE ITEM DEDICATION 4-10
4.5 DESIGN, SPECIFICATION, AND IMPLEMENTATION PROCESS 4-10
4.5.1 Definition of Systems, Interfaces and Design Requirements 4-11
4.5.2 Plant-Specific Configurations and Optional Features 4-11
4.5.3 Design Specification 4-11
Section 5 SUPPLEMENTAL GUIDANCE FOR 10CFR50.59 EVALUATIONS OF DIGITAL UPGRADES 5-1
Section 6 REFERENCES 6-1

Section 1 INTRODUCTION

1.1 BACKGROUND

Nuclear utilities are now upgrading their existing analog instrumentation and control (I&C) systems. The upgrades are being driven primarily by the growing problems of obsolescence, difficulty in obtaining parts, and increased maintenance costs of the analog electronic systems. There also is great incentive to take advantage of modern digital technologies which offer potential performance and reliability improvements.

To assist the utilities in these upgrades, the Electric Power Research Institute (EPRI) has undertaken a number of activities as part of an overall Integrated I&C Upgrade Program. Preparation of this guideline is one of the activities. EPRI and the Nuclear Management and Resources Council (NUMARC) are coordinating industry interaction with the Nuclear Regulatory Commission (NRC) in providing guidance for licensing digital I&C upgrades. The goal of these activities is a well-defined, stable, and predictable regulatory framework which ensures that digital I&C system upgrades are accomplished in a safe and effective manner.

A number of issues have been identified related to the use of digital computer-based equipment in safety systems. These include the use of software and the potential for common mode failure resulting from software errors, the effect of electromagnetic interference on digital computer-based systems, the use and control of configuration equipment, and the commercial dedication of digital equipment including software. The most notable of these concerns is the use of software and potential software common mode failures.

The industry and NRC have recognized that it is important for digital I&C upgrades to go forward.

Analog systems are continuing to become obsolete and difficult to support as vendors are discontinuing their lines of analog electronic equipment. Modern digital systems offer the potential to provide greater system reliability through the use of reliable digital components and features such as automatic self-testing and diagnostics. Assessment of system reliability should consider the effects of both the reliability enhancing features and the potential failure modes. When properly implemented, digital I&C upgrades can improve the safety of operating plants.


1.2 PURPOSE

The purpose of this document is to provide guidance that will assist utilities in accomplishing digital I&C upgrades within a stable licensing environment. The basic approach is to [struck out: follow the existing licensing process governed by 10CFR50.59] establish a threshold above which the digital upgrade is expected to fail the criteria of 10 CFR 50.59, therefore requiring prior Commission approval. For digital systems below the threshold, the utilities may determine, using the criteria of 10 CFR 50.59, that there is no unreviewed safety question, and no prior Commission approval is required. Some concerns stem from the design characteristics of the digital electronics which could result in new failure modes and system malfunctions that are considered unreviewed safety questions. These concerns include but are not limited to the use of software, the effect of electromagnetic interference, the use and control of configuration equipment, the effect that some digital designs have on diverse trip functions, failures specific to digital hardware, effective system integration, man-machine interface, and the commercial dedication of digital electronics. The most notable of these concerns is the use of software in a safety-related system.

The threshold concept does not alleviate the responsibility or authority of the licensee to perform an evaluation against 10 CFR 50.59 in every case of equipment upgrade or modification, nor does it predetermine the outcome. It is possible that in cases where one digital system is replacing another digital system, for example, these issues have already been reviewed, and are therefore included in the licensing basis. It may also be that there is sufficient diversity in both hardware and software within a system that when a common mode software failure is assumed, diverse channels will cause the system to perform its intended function. In each case, it is the responsibility of the licensee to perform the 50.59 evaluation, and take action as appropriate.

It should be noted that for those cases where a licensee is proposing a modification to a design previously approved by the Commission, or references a design previously approved by a topical report evaluation, the scope of the NRC staff review would most likely be significantly reduced. In such cases, the NRC staff review would focus on plant specific issues (e.g., environmental effects, quality control plans, and any operating experience) and not reopen those generic concerns (e.g., software quality) previously reviewed and approved.

This supplemental guidance is provided to facilitate the safety evaluation process for upgrades that use digital computers and software. This document provides guidance for:

• Performing and documenting 10CFR50.59 evaluations for digital upgrades, and

• Addressing the issues, noted above, that are associated with digital upgrades in safety systems.

The intent is that, if the utility follows the guidance provided in this document, the upgrade will satisfy licensing requirements with respect to the issues identified above, and the design will ultimately provide a safe and reliable system, whether or not prior Commission approval is required.


1.3 CONTENT OF THIS GUIDELINE

Section 2 provides definitions for key terms used in the guideline. Section 3 describes the existing licensing process which is followed when making plant modifications, including evaluation for changes to the plant Technical Specifications and performing safety evaluations required by 10CFR50.59.

Section 4 describes the special considerations that apply to the licensing process for digital upgrades in safety systems. [struck out: It provides guidance for addressing the issues of software, electromagnetic interference, man-machine interfaces, and commercial dedication.] Section 5 provides supplemental guidance for performing a 10CFR50.59 safety evaluation for a digital upgrade.

Section 6 provides a list of documents which are referenced in this guideline and which provide supporting information and guidance. Appendix A provides additional background and examples in the form of case studies.


Section 2 DEFINITIONS AND TERMINOLOGY

This section gives definitions for key terms as they are used in this guideline. When the definition is taken from another document, the source is noted in brackets.

Commercial grade item. An item which:

(a) is not subject to design or specification requirements that are unique to nuclear facilities;

(b) is used in applications other than nuclear facilities; and,

(c) is to be ordered from the manufacturer/supplier on the basis of specifications set forth in the manufacturer's published product description.

Commercial grade item dedication. A process of evaluating, including testing, and accepting commercial grade items to obtain adequate confidence in their suitability for safety application.

Computer. See programmable digital computer.

Computer program. A schedule or plan that specifies actions that may or may not be taken, expressed in a form suitable for execution by a programmable digital computer. [ANSI/IEEE-ANS 7-4.3.2-1982]

Configuration control. An element of configuration management consisting of the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. [ANSI/IEEE 610.12-1990]

Data. A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by a programmable digital computer. [ANSI/IEEE-ANS 7-4.3.2-1982]

Digital computer. See programmable digital computer.

Electromagnetic compatibility (EMC). The ability of equipment to function satisfactorily in its electromagnetic environment without introducing intolerable disturbances to that environment or to other equipment. [IEC 801-3-1984]

Electromagnetic interference (EMI). Electromagnetic disturbance which manifests itself in performance degradation, malfunction, or failure of electrical or electronic equipment. [IEC 801-3-1984]

Firmware. The combination of software and data that resides in read-only memory.

Integration tests. Tests performed during the hardware-software integration process prior to computer system validation to verify compatibility of the software and the computer system hardware. [ANSI/IEEE-ANS 7-4.3.2-1982]

Microprocessors. See programmable digital computer.

Programmable digital computer. A device that can store instructions and is capable of the execution of a systematic sequence of operations performed on data that is controlled by internally stored instructions. [ANSI/IEEE-ANS 7-4.3.2-1982]

Radio-frequency interference (RFI). A form of electromagnetic interference (EMI). EMI is a broader definition which includes the entire electromagnetic spectrum, whereas RFI is more restricted to the radio-frequency band, generally considered to be between 10 kHz and 50 GHz. This term has been superseded by the broader term EMI.

Safety related. See safety systems.

Safety systems. Those systems that are relied upon to remain functional during and following design basis events to ensure (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (iii) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the 10 CFR Part 100 guidelines. [IEEE 603-1991]

Software. Computer programs and data. [ANSI/IEEE-ANS 7-4.3.2-1982]

Verification and Validation (V&V). The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements. [IEEE 610.12-1990]

Section 3 THE EXISTING LICENSING PROCESS AND 10CFR50.59

As part of making a change to a nuclear power plant, the utility performs the necessary reviews and evaluations to ensure that the change is safe, verifies that the change meets the applicable regulations, determines the effect of the change on the plant's licensing basis, and determines whether licensing review or approval of the change is needed from the NRC. An important regulation that governs changes to a licensed nuclear facility is 10CFR50.59. This regulation gives the utility the prerogative to make changes to the plant without prior NRC review or approval, as long as a safety evaluation is performed and several conditions are met as spelled out in the regulation.

Specifically, under the provisions of 10CFR50.59 the licensee is allowed to (a) make changes in the facility as described in the Safety Analysis Report, (b) make changes in the procedures as described in the Safety Analysis Report, and (c) conduct tests or experiments not described in the Safety Analysis Report without NRC review and approval prior to implementation, provided the proposed change, test, or experiment does not involve a change in the Technical Specifications or an unreviewed safety question. A proposed change, test, or experiment is considered to involve an unreviewed safety question (1) if the probability of occurrence or the consequence of an accident or malfunction of equipment important to safety previously evaluated in the Safety Analysis Report may be increased, or (2) if the possibility for an accident or malfunction of a different type than any previously evaluated in the Safety Analysis Report may be created, or (3) if the margin of safety as defined in the basis for any Technical Specification is reduced.

Figure 1 shows the process that typically is followed in performing safety reviews and addressing the licensing aspects of a proposed change. The figure is taken from NSAC-125, "Guidelines for 10CFR50.59 Safety Evaluations."[1]

3.1 WHEN 10CFR50.59 APPLIES

NSAC-125 provides detailed guidance for determining if the subject system is included in those for which 10CFR50.59 is applicable. As discussed in NSAC-125, 10CFR50.59 requires safety evaluations only for changes to the facility that affect the design, function, or method of performing the function of a structure, system, or component (SSC) described in the Safety Analysis Report (SAR) either by text, drawing, or other information relied upon by the NRC in granting the license.

The intent is to require a safety evaluation for any modification that could affect the safety analysis.

NSAC-125 provides examples for this determination and discusses issues such as distinguishing between a maintenance activity and a design change.

[1] NSAC-125 is an industry guideline that has been used widely by utilities to develop their specific procedures for compliance with 10CFR50.59.

Figure 1 Safety Review Process (From NSAC-125). [Flowchart not reproduced in this text. NRC annotation on the figure: "This chart is unchanged, and will be used as in NSAC-125."]

3.2 REVIEW FOR POTENTIAL TECH SPEC CHANGES

The determination of whether the upgrade involves a Technical Specification change can be made by a review of the Technical Specifications relative to the planned upgrade. The review should cover the items listed below:

Safety limits, limiting safety system settings, and limiting control settings. These are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity.

Limiting conditions for operation. These are the functional capabilities or performance levels of equipment required for safe operation of the facility.

Surveillance requirements. These are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within the safety limits, and that the limiting conditions of operation will be met.

Design features. Design features to be included are those features of the facility such as time response and channel accuracy which, if altered or modified, could have a significant effect on safety.

Administrative controls. These provisions relate to organization and management, procedures, record keeping, review and audit, and reporting necessary to assure operation of the facility in a safe manner.

The review should address the bases for the Technical Specifications and applicable plant Safety Evaluation Reports (SERs) to determine if any changes are needed. It should consider in particular any parameters or assumptions that may have been unique to the analog system and no longer apply with the digital upgrade. It should also include consideration of parameters or assumptions unique to digital systems that were not required for analog systems and therefore need to be added. If the planned upgrade involves a change to the Technical Specifications, then the licensee must submit a request for amendment to the facility license in accordance with the provisions of 10CFR50.90. The NRC must approve the Technical Specification change prior to implementation of the plant modification. The submittal should concentrate on those aspects of the modification that result in the Technical Specification change.

3.3 PERFORMING THE 10CFR50.59 SAFETY EVALUATION

NSAC-125 provides general guidance for preparation of a safety evaluation when it is required by 10CFR50.59. See Figure 1. The three questions posed by 10CFR50.59 are broken down to seven questions in NSAC-125 that are more specific and somewhat easier to address. The seven questions are explained and guidance is given on how to address them and determine whether the change involves an unreviewed safety question.

The possibility of a malfunction not previously evaluated in the final safety analysis report, and a possible reduction in the current safety margin, calls into question the performance of an analog-to-digital modification of a safety system under the 10 CFR 50.59 rule. Therefore, for digital upgrades involving the Reactor Protection System (RPS), the Engineered Safety Features (ESF) control and actuation systems, and systems which fall into the Post Accident Monitoring (PAM) Category I items as defined in Regulatory Guide 1.97, application of 10 CFR 50.59 would lead to an unreviewed safety question and thus prior Commission approval of the change is required. This position is based upon the understanding that with the possibility of common mode software failure and increased sensitivity to the electromagnetic environment, and the high degree of importance to safety of these systems, an evaluation based on the 10 CFR 50.59 rule will show that new failure modes and thus an unreviewed safety question exist. Modifications to systems other than those mentioned above are below the threshold because of their lesser safety significance, and after an evaluation against 10 CFR 50.59 is done, it may be that no Commission approval is required prior to implementation of the change. This determination will depend upon the outcome of the specific 10 CFR 50.59 evaluation.

If the change is determined to involve an unreviewed safety question, the licensee must request review and approval from NRC prior to implementation. The submittal should concentrate on those aspects of the change that result in the unreviewed safety question.

3.4 APPLICATION OF THE EXISTING LICENSING PROCESS TO DIGITAL UPGRADES

The process described above - determining when 10CFR50.59 applies, whether a modification involves a Technical Specification change, and whether it involves an unreviewed safety question based on the questions in 10CFR50.59 - applies to digital I&C upgrades as it does to other plant modifications. However, there are some additional special considerations that should be addressed when making digital I&C upgrades to safety systems. These special considerations address issues such as use of software and the potential for software common mode failures. The special considerations for digital upgrades are discussed in Section 4. Guidance for addressing them, within the context of the existing licensing process described above, is given in Sections 4 and 5.

In general, software cannot be thought of as an electronic component similar to other components installed in redundant channels that are physically and electrically separated from each other, as was done with previously licensed analog designs. Once a final software package is developed, this exact same package (component) may be installed in each redundant channel, including any errors and failure mechanisms that may be induced by the software itself. With the same software component installed in each redundant channel or train of a safety system, the potential exists for a simultaneous failure in multiple safety trains. Such a failure would affect the ability of the safety system to perform its intended safety function. This concern is compounded by the use of portable configuration equipment that can alter the software in the field. As a result, the concern yields questions regarding the application of the single failure, independence, and separation criteria that were inherent in the original safety analysis. Furthermore, since some digital system designs use common information highways or can handle multiple input functions, a single digital equipment failure in one train could affect a number of the available trip functions, thereby reducing the availability and functional diversity of existing designs.

Section 4 GUIDANCE ON ADDRESSING DIGITAL UPGRADE ISSUES

Section 1 listed several issues that have been identified with digital I&C upgrades in safety systems. These issues should be given special consideration in the design, specification, evaluation, and implementation of safety system digital upgrades. Specifically:

• The design and use of software should be given special attention, including verification and validation (V&V) and configuration management for software and the potential for software common mode failures.

• Qualification of computer-based equipment and demonstration of its compatibility with the environment should include consideration of electromagnetic interference (EMI) susceptibility and emissions.

• The potential for errors or inadvertent or unauthorized changes to be introduced via a man-machine interface (MMI) for computer-based equipment should be considered (e.g., via a configuration terminal, operator interface, or maintenance technician interface).

• Functional diversity.

• System diversity requirements (i.e., ATWS).

This section describes how each of these issues can be addressed. The existing design basis issues from previous analog equipment which are applicable (e.g., QA, seismic qualification, redundancy, etc.) also need to be addressed. In many cases it draws on existing standards, regulatory requirements, and other sources of technical guidance, providing a summary or roadmap to these sources of guidance and discussing options the utility has for addressing the issues. Section 5 provides guidance on answering the 10CFR50.59 questions regarding potential unreviewed safety questions. It supplements the guidance that already is provided in NSAC-125, providing detailed questions that should be considered to address specifically the issues associated with digital I&C upgrades.


Section 3 discussed briefly the submittals that are required when the licensee determines that a modification involves a Technical Specification change or an unreviewed safety question. Note that it can be beneficial to inform the NRC early in the process, prior to determining what formal submittals may be required, about the intention to make a digital upgrade to a safety system. This can be informal, and it can help avoid misunderstandings and facilitate useful and timely interactions between the utility and NRC, potentially leading to a smoother licensing process for the upgrade.


4.1 SOFTWARE

4.1.1 Software Design and Quality Assurance

The design of digital computer-based I&C upgrades should place a high importance on software reliability and should include a well-defined process for software development, quality assurance, and configuration control.

Note that there may be several different types or categories of software involved in the upgraded system, with different organizations responsible for each. For example, the computer-based system may include:

• Base software delivered with the system (often as embedded firmware), developed by the vendor and sub-vendors. Typically the vendor carries out the quality assurance, verification and validation of this software (e.g., for a programmable controller, the base software that implements the controller algorithms typically is unchanged from application to application);

• Application-specific software, including configuration information. If the utility is responsible for developing this software, it has the responsibility for its verification and validation (e.g., configuration data or software settings that configure selected algorithms of a programmable controller to implement the particular control application).

The responsibilities for development, V&V, and configuration control of the different portions of the software should be clearly specified. Also, required interactions between the utility and vendor in the development, review, and testing of the software should be specified. The utility should ensure that plant-specific or application-specific information needed by the vendor is adequately communicated and documented.[2] Responsibility for the correct implementation and operation of the software rests on the licensee.
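A licensee who owns the application configuration data and is answerable for what is actually running in each channel needs a repeatable way to show that the installed base software and configuration in every redundant channel are the ones the evaluation and V&V covered, and to attribute any deviation, including a change made through the configuration terminal that Section 3.4 warns about. The following Python is an added example written for this page, not part of the NUMARC guideline, the NRC comments or any vendor's tool. The firmware images, the setpoint values, the channel names and the package name "RPS-SW" are constructed assumptions; the technique is simply a digest comparison of each channel's installed items against a controlled baseline.

```python
"""Added illustration, not part of the NUMARC guideline or the NRC letter.

Checks each redundant channel's installed base software (firmware) and
application configuration data against a controlled baseline by SHA-256
digest.  Two kinds of deviation are made visible: a configuration change
made in the field, and a channel left on a different firmware build.
All images, setpoints, channel names and the package name are constructed
for this example.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed artifacts standing in for the real images ----------------
BASE_FIRMWARE = b"RPS-SW v2.1 base firmware image (constructed)"
OLD_FIRMWARE = b"RPS-SW v2.0 base firmware image (constructed)"
APPROVED_CONFIG = b"TRIP_SETPOINT_PSIG=2200\nTIME_DELAY_S=0.5\nBYPASS=OFF\n"
# The same configuration after a setpoint was changed via a configuration
# terminal in the field (hypothetical):
ALTERED_CONFIG = b"TRIP_SETPOINT_PSIG=2300\nTIME_DELAY_S=0.5\nBYPASS=OFF\n"

# Controlled baseline: the items the 10CFR50.59 evaluation and V&V covered.
BASELINE: Dict[str, str] = {
    "firmware": sha256_hex(BASE_FIRMWARE),
    "configuration": sha256_hex(APPROVED_CONFIG),
}

# What an audit reads back from each channel (constructed).
INSTALLED: Dict[str, Dict[str, bytes]] = {
    "A": {"firmware": BASE_FIRMWARE, "configuration": APPROVED_CONFIG},
    "B": {"firmware": BASE_FIRMWARE, "configuration": APPROVED_CONFIG},
    "C": {"firmware": BASE_FIRMWARE, "configuration": ALTERED_CONFIG},
    "D": {"firmware": OLD_FIRMWARE, "configuration": APPROVED_CONFIG},
}


def verify_channels(baseline: Dict[str, str],
                    installed: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """Per channel, the items whose digest differs from the baseline.
    An empty list means the channel matches the evaluated configuration."""
    findings: Dict[str, List[str]] = {}
    for channel, items in installed.items():
        findings[channel] = [item for item, digest in baseline.items()
                             if sha256_hex(items[item]) != digest]
    return findings


def diff_config(expected: bytes, actual: bytes) -> List[Tuple[str, str]]:
    """Line-level comparison of two KEY=VALUE configuration blobs, returned
    as (expected_line, actual_line) pairs for the deviating lines only, so
    the record shows exactly which setting was altered."""
    exp = expected.decode().splitlines()
    act = actual.decode().splitlines()
    deviations = [(e, a) for e, a in zip(exp, act) if e != a]
    deviations += [(e, "<missing>") for e in exp[len(act):]]
    deviations += [("<missing>", a) for a in act[len(exp):]]
    return deviations


def software_groups(installed: Dict[str, Dict[str, bytes]],
                    item: str = "firmware") -> List[List[str]]:
    """Group channels by byte-identical installed software.  Each group is
    the population exposed to one software common mode failure (Section 3.4)."""
    groups: Dict[str, List[str]] = {}
    for channel, items in installed.items():
        groups.setdefault(sha256_hex(items[item]), []).append(channel)
    return sorted(groups.values())


if __name__ == "__main__":
    for channel, bad in verify_channels(BASELINE, INSTALLED).items():
        print(channel, "OK" if not bad else "DEVIATES: " + ", ".join(bad))
    print("altered lines in C:", diff_config(APPROVED_CONFIG, ALTERED_CONFIG))
    print("channels sharing identical firmware:", software_groups(INSTALLED))
```

Channel C is flagged on its configuration data and the line-level diff names the changed setpoint; channel D is flagged on its firmware, which is the case of one train left on an earlier build after a vendor update. The grouping by identical firmware is the input the Section 4.1.2 common mode assessment needs: every channel in one group is assumed to fail together.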

Standards, methods, and guidelines are available that allow the utility and the vendor to assure adequate software design, quality assurance, and verification and validation. Guidance for computer software development and integration of hardware and software for safety systems is provided in ANSI/IEEE-ANS 7-4.3.2. The 1982 revision of this standard was endorsed by Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants."

The following additional standards also can be used for guidance:

ASME NQA-2a-1990 Part 2.7, Quality Assurance Requirements of Computer Software for Nuclear Facility Applications
ANSI/IEEE 730-1989, IEEE Standard for Software Quality Assurance Plans
ANSI/IEEE 828-1990, IEEE Standard for Software Configuration Management Plans
ANSI/IEEE 830-1984, IEEE Guide to Software Requirements Specifications
ANSI/IEEE 1012-1986, IEEE Standard for Software Verification and Validation Plans
ANSI/IEEE 1016-1987, IEEE Recommended Practice for Software Design Descriptions
ANSI/IEEE 1028-1988, IEEE Standard for Software Reviews and Audits
ANSI/IEEE 1063-1987, IEEE Standard for Software User Documentation
IEC 880-1986, Software for Computers in the Safety Systems of Nuclear Power Stations

4.1.2 Software Common Mode Failures and Defense in Depth

Software reliability is a key element in the design of a digital computer-based I&C upgrade. Requirements and guidance provided in ANSI/IEEE-ANS 7-4.3.2 should be followed as discussed above to ensure that the software that is produced is of high quality and therefore reliable. Also, features such as automatic self-testing and diagnostics which are provided by modern software-based systems should be recognized for their potential to enhance system reliability. At the present time, however, there is a lack of consensus on methods for quantifying software reliability, particularly at the levels required of a safety system. As a result, there remain questions, particularly for relatively complex software-based systems, on the reliability of individual computers and the potential for a software common mode failure to cause a situation that is detrimental to plant safety.

Software failures, including common mode failures, shall be considered in the context of the overall assessment of system failure modes and the consequences of failures. [struck out: Note that this assessment of failure modes should be conducted at the system level; it need not be a detailed evaluation of individual hardware or software component failures as long as the system level failure assessment bounds the credible failure modes for the system as a whole (e.g., fail high, fail low, or fail as-is for system outputs).]

A process that can be used to address software common mode failures is outlined below. Figure 2 provides a flowchart illustrating this process.

For each software failure that is considered:

1.

Az = vheer oc Sinie it is' considered impossible'to prove that softWHE islsror free, software failure is deemed to be credible:

For simple systems which have extensive experience (both hardware and software), the measures taken to ensure software quality combined with successful operating experience gained with the system may be such that a software common mode failure [struck out: is not considered credible] is less likely, but is still credible. [struck out: Note that, for protection systems, the portion of the software that is critical to the system performing its safety function is usually very simple because the function to be performed is simple (comparison of a signal to a setpoint, simple signal conditioning, etc.).]

Figure 2 Addressing Software Common Mode Failure (flowchart; only the caption is legible in the scan)

For more complex systems or systems that have not seen extensive operating experience, software common mode failure may be [struck out: considered credible] more probable and, if so, should be given further evaluation (below).

[struck out, largely illegible in the scan; the recoverable text reads: 2. Assess the probability of the software failure compared with the probabilities of other events, and determine (if any) the consequences of the failure that need to be considered. For example, if the system under review is a backup system that must perform only when certain events occur, then a software failure in that system is important only if it could occur coincident with the other events producing the need for the backup system. It is important to assess the combined probabilities to place the failure in its appropriate context ... If the probabilities are significant and warrant further consideration, the consequences of the ... (remainder illegible).]

2. Assess the consequences of the software failure, assuming it does occur. Determine whether the consequences of the software failure represent [struck out: a new type of system level failure that has not previously been considered] an accident or malfunction of a different type than evaluated previously. It should be remembered that there is no guidance for quantitatively assessing software failure probabilities at this time. If the system under review is a backup system that must perform only when certain events occur, then a software failure in that system is important only if it could occur coincident with these other events producing the need for the backup system.

If [struck out: the consequences of the failure are not new and already have been addressed] a system failure of this type has already been evaluated and documented in the safety analysis report, then this particular failure need not be considered further. It would not represent an unreviewed safety question per 10CFR50.59.

However, if it is concluded that this is a new type of system level failure, then protection against the consequences of the failure shall be considered (below). Note that this typically would mean the change involves an unreviewed safety question per 10CFR50.59 and NRC review and approval would be required prior to implementation.

3.

Assess the defense in depth that is provided which would mitigate the effects of the plant design basis accidents-even if the upgraded system suffered the software common mode failure. There are several options for demonstrating adequate defense in depth:

Demonstrate that there is defense in depth with existing systems, procedures, and training which is adequate to mitigate the effects of the design basis accidents even if the upgraded system suffers the software common mode failure of concern. This may include taking credit for operator action under defined circumstances, and it may include the use of nonsafety-related equipment, providing, in either case (operator action or nonsafety equipment), the actions meet the safety analysis response time requirements and are independent and diverse from the proposed system design; or,

Provide diversity within the upgraded system itself (e.g., diverse hardware and software in redundant portions of the system); or,

Provide a separate backup system that gives adequate protection in the event of software common mode failure in the upgraded system.

Provide a diverse monitoring system which will increase the likelihood of identifying the occurrence of the common mode failure of the upgraded system, and provide guidance to operators on their response to this failure.

4.2 EQUIPMENT QUALIFICATION INCLUDING EMI

10CFR50, Appendix A (GDC 2 and 4) requires that safety systems be designed to withstand the effects of natural phenomena and be qualified to operate in normal and postulated accident conditions.

Environmental conditions that should be considered include temperature, pressure, humidity, seismic conditions, radiation, and electromagnetic interference (EMI).

As noted earlier, electromagnetic interference has been identified as an issue associated with digital I&C upgrades. The purpose of this section is to provide guidance and acceptable methods for addressing the EMI issue. It draws on the guidance of publications such as IEEE Std 1050, MIL-STD-461 and 462, and [struck out: on guidance recently developed by EPRI and contained in EPRI TR-102323, "Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment in Nuclear Power Plants."]

The EMI environment should be considered as part of the design basis conditions for the upgraded safety system. It should be shown that the equipment installed with the digital I&C upgrade will operate satisfactorily in the environment in which it is to be located. Key aspects of this evaluation are (1) knowledge of the plant EMI environment in which the equipment is expected to operate, (2) the execution of an appropriate set of tests to assess the vulnerability or susceptibility of the new equipment to EMI, (3) the range of frequencies and test levels covered by the equipment susceptibility tests, (4) methods for demonstrating that the equipment is compatible with the EMI environment in which it will be installed, and (5) installation using proper grounding and shielding techniques. Each of these is discussed below.

[struck out, largely illegible in the scan; the recoverable text is the end of a paragraph stating that the tests ... for transient and surge, supplemented by low frequency conducted susceptibility tests such as MIL-STD-461C CS01, are considered a comprehensive set of tests and an acceptable method for conducting EMI susceptibility testing; that alternate tests are identified in Table 1 ... and are considered acceptable; and that recommended signal levels and frequency ranges for the tests are provided in EPRI TR-102323. Table 1 itself (also struck out) is illegible in the scan.]
There are a number of standards and test methods which, if properly applied, may provide satisfactory results. Among these are the IEC 801 series and MIL-STD-461 and MIL-STD-462. The MIL-STD-461C susceptibility requirements are shown in the table below. In any of these, care must be taken to ensure the entire frequency spectrum is covered. Ideally, frequencies considered should cover from 30 Hz to 20 GHz. 30 Hz is the first subharmonic of both the 60 Hz generated power and the supply voltage for most of the plant equipment. While this has a very long wavelength, on the order of 3000 miles, and as such there is a low incidence of coupling, 60 Hz is the most common frequency in the plant, and therefore even a small degree of coupling can cause problems; 60 cycle hum on ground lines is not an unusual problem. 20 GHz is the upper end of the microwave spectrum, and may be used for point to point communications systems, both on site and off site. The power levels at these frequencies are usually much lower, but the short wavelengths may make even short wires a good antenna. The spectrum between 10 GHz and 20 GHz need be considered only if microwave systems using these frequencies are in the proximity of the plant. There must be a justification for any other frequencies not considered.

Applicable MIL-STD-461C susceptibility requirements for digital equipment

Requirement   Description
CS01          Conducted susceptibility, power leads, 30 Hz to 50 kHz
CS02          Conducted susceptibility, power and interconnecting control leads, 50 kHz to 400 MHz
CS06          Conducted susceptibility, spike, power leads
RS01          Radiated susceptibility, magnetic field, 30 Hz to 50 kHz
RS02          Radiated susceptibility, magnetic induction field, spikes and power frequencies
RS03          Radiated susceptibility, electric field, 14 kHz to 20 GHz

C = conducted, R = radiated, and S = susceptibility.

Site specific problems should be considered. These may include the frequency of any microwave systems installed on site, or which are offsite but geographically close. Of specific interest are the handheld radio communications devices used by plant personnel. In addition, radar frequencies should be considered, both from local airports and shipboard radars for sites close to large bodies of water. Sites close to military bases should consider those radars.

In demonstrating that the equipment is compatible with the EMI environment in which it will be installed, there are several options:

[struck out: 1. Using the test methods discussed above, qualify the equipment to conservative levels that can be shown to be greater than what is credible for the installed environment; ... EPRI TR-102323 can be consulted to establish the levels for testing (see discussion below);]

[struck out: 2. Demonstrate that existing equipment of known susceptibility is ... than the new equipment to be installed with the upgrade, ... the existing analog instrumentation has greater susceptibility to EMI than the modern digital equipment to be installed in the plant; or,]

3. Perform local tests or surveys to measure the actual environment in which the equipment will be installed, and compare this to the results of the vendor or laboratory tests of equipment susceptibility; show that the equipment testing envelopes the installed environment.

4. Perform an analysis based on previous local test/survey results and the known emissions of any equipment added since that test, and compare this to the results of the vendor or laboratory tests of equipment susceptibility; show that the equipment testing envelopes the installed environment.

[struck out: The EPRI Guide, TR-102323, contains qualification test options and test signal characteristics, including frequency range and magnitude, based on maximum expected levels determined by analysis and test. The EPRI Guide contains upper bound levels for all of the tests noted in Table 1 and is applicable to any nuclear power plant.]
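The frequency-coverage rule above (30 Hz to 20 GHz, with a justification for anything left out) and the option of showing that equipment testing envelopes the installed environment both come down to interval checks that are easy to get wrong when done by hand across a table of tests. The following Python block is an added example, not part of the NUMARC guideline or of any EPRI or MIL-STD document: it takes the frequency ranges from the MIL-STD-461C table above, assigns constructed test levels and a constructed site survey (placeholders, not values from any standard or plant), reports the gaps in spectrum coverage overall and per coupling path, and lists the survey points that no test envelopes.

```python
"""EMI coverage checks: does a susceptibility test program span the required
spectrum, and does it envelope what a site survey actually measured?

Added example; test levels and survey points are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SusceptibilityTest:
    """One susceptibility test: coupling path, frequency range, applied level."""
    name: str
    path: str           # "conducted" or "radiated"
    f_low_hz: float
    f_high_hz: float
    level: float        # level tested to: V on leads for conducted, V/m for radiated


@dataclass(frozen=True)
class SiteMeasurement:
    """One point from a local EMI survey of the installed location."""
    label: str
    path: str
    freq_hz: float
    level: float        # same units as the tests on that path


# Frequency ranges are those of the MIL-STD-461C table in the guideline (CS06
# and RS02 are spike/power-frequency tests without a band and are omitted);
# the test levels are constructed placeholders, not values from the standard.
TEST_PROGRAM: List[SusceptibilityTest] = [
    SusceptibilityTest("CS01", "conducted", 30.0, 50e3, 5.0),
    SusceptibilityTest("CS02", "conducted", 50e3, 400e6, 1.0),
    SusceptibilityTest("RS01", "radiated", 30.0, 50e3, 10.0),
    SusceptibilityTest("RS03", "radiated", 14e3, 20e9, 10.0),
]

REQUIRED_SPECTRUM = (30.0, 20e9)   # 30 Hz to 20 GHz, as the guideline recommends

# Constructed survey points, loosely following the site-specific sources the
# guideline names (60 Hz hum, handheld radios, radar, microwave links).
SITE_SURVEY: List[SiteMeasurement] = [
    SiteMeasurement("60 Hz hum on instrument ground", "conducted", 60.0, 0.5),
    SiteMeasurement("handheld radio keyed at cabinet", "radiated", 150e6, 12.0),
    SiteMeasurement("airport surveillance radar", "radiated", 2.8e9, 3.0),
    SiteMeasurement("point-to-point microwave link", "radiated", 23e9, 1.0),
]


def coverage_gaps(tests, required=REQUIRED_SPECTRUM) -> List[Tuple[float, float]]:
    """Sub-ranges of `required` (Hz) that no test in `tests` spans.

    Tests are swept in order of lower frequency; `cursor` is the highest
    frequency continuously covered so far, so any test starting above it
    leaves a hole that must be either tested or justified."""
    lo, hi = required
    cursor, gaps = lo, []
    for t in sorted(tests, key=lambda x: x.f_low_hz):
        if t.f_high_hz <= cursor:
            continue                                    # already covered
        if t.f_low_hz > cursor:
            gaps.append((cursor, min(t.f_low_hz, hi)))  # hole before this test
        cursor = max(cursor, t.f_high_hz)
        if cursor >= hi:
            break
    if cursor < hi:
        gaps.append((cursor, hi))                       # hole at the top end
    return gaps


def coverage_by_path(tests, required=REQUIRED_SPECTRUM) -> Dict[str, List[Tuple[float, float]]]:
    """Gaps computed separately for each coupling path (conducted, radiated)."""
    paths = sorted({t.path for t in tests})
    return {p: coverage_gaps([t for t in tests if t.path == p], required) for p in paths}


def envelope_check(tests, survey) -> List[Tuple[str, str]]:
    """Survey points that the test program does not envelope, with the reason.

    A point is enveloped when a test on the same path spans its frequency and
    was run at a level at least as high as the level measured on site."""
    findings = []
    for m in survey:
        spanning = [t for t in tests
                    if t.path == m.path and t.f_low_hz <= m.freq_hz <= t.f_high_hz]
        if not spanning:
            findings.append((m.label, "no test on this path spans the frequency"))
        elif max(t.level for t in spanning) < m.level:
            findings.append((m.label, "measured level exceeds the highest tested level"))
    return findings


if __name__ == "__main__":
    print("overall gaps:", coverage_gaps(TEST_PROGRAM))
    print("gaps by path:", coverage_by_path(TEST_PROGRAM))
    for label, why in envelope_check(TEST_PROGRAM, SITE_SURVEY):
        print(f"NOT ENVELOPED: {label}: {why}")
```

Run as a script it prints the findings. With the constructed data the overall union of tests covers 30 Hz to 20 GHz, but `coverage_by_path` shows the conducted path covered only up to 400 MHz, which is the kind of gap the guideline says must be either tested or justified; the envelope check flags the handheld radio point because its measured field exceeds the level the equipment was tested to, and the 23 GHz microwave link because no test spans it at all.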

Experience in previous upgrades has shown that wiring practices followed in installation of the equipment (e.g., routing, shielding, grounding, termination) are very important in minimizing EMI susceptibility and should be addressed in the design and implementation of the upgrade. IEEE 1050-1989 provides guidance in this area.

4.3 MAN-MACHINE INTERFACE (MMI)

The man-machine interface includes all interfaces between the digital I&C system and plant personnel, including:

operators - alarms, status displays, control interfaces, etc.

maintenance technicians - test and calibration interfaces, diagnostic information displays, data entry terminals for setpoints, etc.

engineering personnel - configuration workstations or terminals, etc.

The principal concern related to the man-machine interface is the possibility of system failure due to human error, or due to unauthorized entries or alterations of the system through a maintenance, test, or configuration interface. Human factors considerations should be addressed in the design of all man-machine interfaces associated with the upgrade in order to minimize the possibility for human error in using the interface. IEEE 603-1991 discusses the application of human factors considerations in the design process for safety systems. General guidance for human factors considerations is provided in numerous IEEE, EPRI, and NUREG documents on this subject.

Adequate administrative controls and security should be provided to prevent unauthorized changes being introduced through a man-machine interface. Note that this is similar to the situation that is faced now with existing equipment and the associated administrative controls and security (e.g., authorization to open cabinets, use of keylock controls, restrictions on vital area access, etc.). IEEE 603-1991 provides guidance on access control and human interfaces.

Administrative controls and design features should specifically address software access in addition to typical equipment access provisions.

4.4 COMMERCIAL GRADE ITEM DEDICATION

The responsibilities for qualifying, or performing commercial dedication, of equipment for use in a safety system should be specified. This includes software as well as hardware. Note that, depending on how the roles are defined, the utility may need access to the source code for the vendor software.

If so, this needs to be worked out up front (schedule, terms, etc.) so that the necessary reviews or dedication activities can be supported in a timely fashion.

The process used for commercial grade item dedication should identify the principal performance requirements necessary to provide adequate confidence that the safety function can be achieved. The hardware and software design should be compared to the applicable design criteria for nuclear qualified equipment[struck out: , with exceptions taken where due to other compensating factors (e.g., documented operating experience in a similar application, or additional verification and validation performed to develop adequate assurance)].

While documented operating experience can be used as a factor in commercial grade dedication, it is in itself insufficient as proof of acceptability for applications important to safety. Acceptance typically will be based on a high degree of confidence that the product will not only perform its intended functions, but also that no unintended functions will occur. The degree of confidence required will be commensurate with the safety function the hardware and software is required to perform. Since for any reasonably large software package the number of input variables makes dedication by testing alone a very difficult proposition, the only viable alternative is to verify and validate the code itself. In addition, for a proprietary software product, the vendor may be reluctant to make the code listings available. For this reason, commercial dedication of software remains a limited option. Documentation and software required to maintain the commercial grade dedication shall be placed under configuration management.

EPRI NP-5652, "Utilization of Commercial Grade Items in Nuclear Safety Related Applications," provides guidance on commercial grade item dedication.

4.5 DESIGN, SPECIFICATION, AND IMPLEMENTATION PROCESS

For digital I&C system upgrades, it is particularly important to establish early in the process the roles, responsibilities, and interfaces among the utility, equipment vendor, and other organizations that may be involved in the change. When the upgrade involves computers and software, responsibilities for verification and validation (V&V), testing, and configuration management for the different types of software (e.g., vendor-supplied firmware, software configuration data, etc., as discussed in 4.1.1 above) should be established up front. The ultimate responsibility for the correct operation of the system cannot, of course, be delegated, and as such, remains with the licensee.

Experience in previous digital upgrades and lessons learned from software development and use in general have shown that proper specification of the requirements for the software is a key element in assuring adequate performance of the system. Most problems with digital systems occur in specifying the system, not in implementing the system or the software. The process should be very thorough in establishing the requirements for the upgraded system, identifying all interfaces and all the applicable design basis requirements, and the utility should ensure that it adequately communicates to the vendor the plant-specific requirements and information needed to implement the system.

NSAC-105, "Guidelines for Design and Procedure Changes in Nuclear Power Plants," provides general guidance on design and implementation of plant modifications. IEEE 830-1984, "Guide to Software Requirements Specifications," provides more detailed guidance on the process of generating the software requirements specifications. Additional guidance related to specification of digital I&C upgrades is given below, supplementing the guidance contained in NSAC-105.

i t

4.5.1 Definition of Systems, Interface, and Design Requirements

The systems that will be involved in the upgrade should be clearly defined. This includes defining:

Objective(s) of the modification. For example, is this a functionally equivalent replacement or is additional functionality to be provided as part of the modification? This can have a significant impact on the safety evaluation.

System(s) to be modified. What systems will be modified to support the objectives?

Other systems affected. What are the effects from this modification on other systems? What interfaces are affected?

Systems design basis and licensing basis. What are the design and licensing bases for the systems to be modified and for those that may be affected by the modification? System design documentation, design basis requirements, applicable sections of the Safety Analysis Report (SAR), Technical Specifications, and other design information should be used as appropriate.

4.5.2 Plant-Specific Configurations and Optional Features

The utility should specify the particular options, features, and plant-specific configurations that are to be implemented for the particular design. The flexibility and power of computer-based systems allow a wide range of optional features and capabilities that the utility may or may not want in a particular application. In some cases, it may be desirable to disable or remove unnecessary optional capabilities, particularly if they open up the possibility of new types of malfunctions or misoperations that impact the safety evaluation.

Also, the utility should understand what actions it must take to properly implement the desired capabilities. An example is the area of self-testing, diagnostics, and fault detection. The equipment may support these features, but the vendor may rely on site-specific or customer-specific wiring or interfaces to fully implement them (e.g., the equipment provides a contact output that signals failure of a processor, and this contact must be wired to a separate system or other equipment to provide operator notification or maintenance action). Communication between the utility and the vendor is important in ensuring that these items are properly addressed in the design and installation.

4.5.3 Design Specification

Section 2 of NSAC-105 and IEEE 1016-1987, "Recommended Practice for Software Design Descriptions," provide guidance on preparation of a design specification. As noted above, the specification is a key element in ensuring adequate performance of the upgraded system. The specification should cover:

Design objectives

Functional requirements

Codes, standards, and other design basis documents

Design requirements

Analysis and testing requirements

Acceptance criteria

Section 5 SUPPLEMENTAL GUIDANCE FOR 10CFR50.59 EVALUATIONS OF DIGITAL UPGRADES

NSAC-125 provides a set of seven questions commonly used to determine if a modification involves one or more unreviewed safety questions in accordance with 10CFR50.59. If the modification involves an unreviewed safety question, NRC review and approval must be obtained prior to implementation.

It is important to remember that the 10CFR50.59 Safety Evaluation does not determine whether or not a proposed change is safe. A determination that a proposed change involves an unreviewed safety question does not mean that the change is unsafe. It simply means that NRC review and approval is necessary prior to implementation of the change.

The following provides items to consider in answering each of the seven questions referred to in NSAC-125. They are expressed in the form of supplemental questions. [struck out: It is important to keep in mind that an answer of "yes" or "no" to a given question does not necessarily mean that there is or is not an unreviewed safety question; these are issues to consider, not absolutes. Also, note that for a particular upgrade, some of the items listed may be more appropriately addressed under different questions or several of the questions.] If any of these questions is answered "yes," the change is an unreviewed safety question (Section 4.2 of NSAC-125). It is important to ensure that all items are addressed fully and that all valid potential unreviewed safety questions are identified.

(1)

May the proposed activity increase the probability of occurrence of an accident evaluated previously in the Safety Analysis Report (SAR)?

Areas that should be addressed in responding to this question include the following:

(a)

Does the replacement system exhibit performance characteristics, or have design features, that give an increased probability of a system malfunction resulting in an accident? The assessment of a change in probability may be made on a qualitative basis, particularly for systems or components which rely on software since there does not currently exist a consensus method for quantifying software reliability. Common mode and common cause failures of software shall be considered. Section 3.4 of NSAC-125 provides guidance on the use of qualitative probability assessments.

(b)

Does the system exhibit performance characteristics that require additional operator intervention for continued normal operation (e.g., lockup, halt)? It should also be noted that lockup or halt may be new types of malfunctions, and should be addressed under item 6 of this section.

(c)

Is the system qualified for the installed environment (e.g., temperature, humidity, electromagnetic fields, airborne particulates) such that system performance will not be degraded compared to the original system?


(2)

May the proposed activity increase the consequences of an accident evaluated previously in the SAR?

The following areas should be addressed in responding to this question to determine if the activity results in an increase in radiological releases above the licensing limit:

(a)

Does the replacement system exhibit a response time beyond current acceptance limits (e.g., because of sample period, increased filtering)?

(b)

Does the system perform adequately under high duty cycle loading (e.g., computational burden during accident conditions)?

(c)

Does the architecture of the system exhibit a single failure that results in more severe consequential effects (e.g., reduced segmentation due to combining previously separate functions, several input channels sharing an input board, central loop processor for many channels)?

(d)

Does the man-machine interface design introduce constraints on the operators' ability to adequately respond to an accident such that there are more severe consequential effects?

(3)

May the proposed activity increase the probability of occurrence of a malfunction of equipment important to safety evaluated previously in the SAR?

Areas that should be addressed in responding to this question include the following:

(a)

Does the modified system meet the required plant environmental and seismic envelopes?

(b)

Is the replacement system qualified for the electromagnetic fields at the installed location? What effect does plant equipment operation have on the system (e.g., walkie talkies, motors, switchgear, etc.)?

(c)

Have potential interactions between safety-related and nonsafety-related systems been addressed?

(d)

Are the electrical loads associated with the replacement system addressed in the design?

(e)

Does the plant HVAC have adequate capacity for the thermal loads of the replacement system?

(f)

Does the replacement system meet applicable requirements for separation, independence, and grounding?

(g)

Does the microprocessor-based system have adequately qualified cabinet cooling?


(4)

May the proposed activity increase the consequences of a malfunction of equipment important to safety evaluated previously in the SAR?

Areas that should be addressed to determine if the activity could result in an increase in the radiological releases above the current licensing limit include the following:

(a)

Does the replacement system exhibit the same failure modes affecting radiological releases as the analog system [struck out: (e.g., fail low, fail high, fail as-is, ...)]? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR?

(b)

Since a software common mode failure (CMF) is a credible failure mode, are the consequences mitigated by the hardware design or system architecture? If not, is the probability of a software CMF in conjunction with other concurrent events assumed in the safety analysis judged to be sufficiently high that the consequences of a malfunction previously evaluated are increased? Are the consequences bounded by other events evaluated in the SAR?

(c)

Does the replacement system have the same failure mode as the analog system on loss of power? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR?

(d)

Is the response of the replacement system on restoration of power different from that of the analog system being replaced?

(e)

Does the man-machine interface (MMI) introduce failure modes different from those of the existing analog system? Is the MMI equivalent to the MMI in the system being replaced, or does the existence of a new type of equipment create a new type of failure?

(5)

May the proposed activity create the possibility of an accident of a different type than any evaluated previously in the SAR?

Areas that should be addressed in responding to this question include the following:

(a)

Have assessments of system-level failure modes and effects for the microprocessor-based system identified any new types of failure modes that could cause a different type of accident than presented in the plant SAR?

(b)

[struck out: Is software common mode failure a credible failure mode? If so,] Are the consequences of a software common mode failure mitigated by the hardware design or system architecture? Could the failure cause a different type of accident than presented in the SAR?

(c)

Plant SAR analyses were based on credible failure modes of analog equipment. Does the replacement system change the basis for the most limiting scenario?

[struck out footnote: Considerations in determining whether a software common mode failure is credible include (1) the complexity of the computer system design, (2) the number, size and complexity of the software programs involved, and (3) experience with the computer system and software.]

(6)

May the proposed activity create the possibility of a malfunction of equipment important to safety of a different type than any evaluated previously in the SAR?

[struck out: Areas that should be addressed in responding to this question: (a) Have assessments of system-level failure modes and effects for the microprocessor-based equipment identified any new types of failures that could result in effects not previously considered in the SAR? (b) Is a software common mode failure a credible failure mode? If so, could it result in effects not previously considered in the SAR? (c) Could the environment in which the microprocessor-based equipment operates create a new type of failure (e.g., electromagnetic susceptibility)? Could the new system create an environment which adversely affects other equipment and thereby create the possibility of a different type of malfunction? (d) Were the system design, verification and validation, and analysis methods consistent with industry standards?]

This question is asking if the digital equipment could lead to a failure mode of a different type than the types evaluated in the SAR. In answering this question, the types of failure modes of the analog system being replaced that have been previously evaluated in the SAR and that are affected by the replacement are identified. Then types of failure modes that the digital replacement system could create are identified. Comparing the two lists can provide the answer to the question (NSAC-125, 6.4.2.6).

(7)

Does the proposed activity reduce the margin of safety as defined in the basis for any technical specification?

A review of the bases and assumptions for the Technical Specifications and acceptance limits spelled out in the NRC SERs should be made to support this determination.

The areas to be addressed include the following:

(a)

Has the replacement I&C system decreased the channel trip accuracy beyond the acceptance limit?

(b)

Has the replacement I&C system increased the channel response time beyond the acceptance limit?

(c)

Has the replacement I&C system decreased the channel indicated accuracy beyond the acceptance limit?

(d)

Does the new control system cause a plant parameter for any analyzed event to fall outside of acceptance limits?


Section 6 REFERENCES

The following lists standards, guidelines, and other documents that are referred to in this guideline.

The EPRI Instrumentation & Control Requirements and Standards (ICRS) database, distributed by EPRI's Electric Power Software Center, can be consulted for more information on standards, regulatory documents, and guidelines related to I&C upgrades in nuclear power plants.

1. ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications," American Society of Mechanical Engineers.

2. ANSI/IEEE-ANS-7-4.3.2, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations."

3. ANSI/IEEE 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits."

4. ANSI/IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

5. ANSI/IEEE 610.12-1990, "Glossary of Software Engineering Terminology."

6. ANSI/IEEE 730-1989, "Software Quality Assurance Plans."

7. ANSI/IEEE 828-1990, "IEEE Standard for Software Configuration Management Plans."

8. ANSI/IEEE 830-1984, "IEEE Guide to Software Requirements Specification."

9. ANSI/IEEE 1012-1986, "IEEE Standard for Software Verification and Validation Plans."

10. ANSI/IEEE 1016-1987, "IEEE Recommended Practice for Software Design Descriptions."

11. ANSI/IEEE 1028-1988, "IEEE Standard for Software Reviews and Audits."

12. ANSI/IEEE 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations."

13. ANSI/IEEE 1063-1987, "IEEE Standard for Software User Documentation."

14. EPRI TR-102323, "Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment in Nuclear Power Plants." To be published by Electric Power Research Institute.

15. IEC 801-3, 1984, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 3: Radiated Electromagnetic Field Requirements."

16. IEC 801-4, 1988, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 4: Electrical Fast Transient/Burst Requirements."

17. IEC 801-5, Draft, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 5: Surge Immunity Requirements."

18. IEC 801-6, Draft, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 6: Immunity to Conducted Radio Frequency Disturbances Above 9 kHz."

19. IEC 880-1986, "Software for Computers in the Safety Systems of Nuclear Power Stations."

20. IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

21. NSAC 105, "Guidelines for Design and Procedure Changes in Nuclear Power Plants."

22. NSAC-125, "Guidelines for 10CFR50.59 Safety Evaluations."

23. Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants."

24. Regulatory Guide 1.75, "Physical Independence of Electrical Systems."

25. Regulatory Guide 1.153, "Criteria for Power, Instrumentation and Control Portions of Safety Systems."

26. Title 10 of the Code of Federal Regulations, Part 50.59, "Changes, Tests, and Experiments."

27. Title 10 of the Code of Federal Regulations, Part 50.90, "Application for Amendment of License or Construction Permit."