ML20059J031

Ack Draft 2 to EPRI TR-102348, Guidelines on Licensing Digital Upgrades & Offers Two Observations & Other Comments
Issue date: 10/26/1993
From: Wermiel J
Office of Nuclear Reactor Regulation
To: Pietrangelo A
NUCLEAR ENERGY INSTITUTE (FORMERLY NUCLEAR MGMT &
References
RTR-EPR-TR-102348 NUDOCS 9311100324


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

October 26, 1993

Mr. Anthony R. Pietrangelo
Senior Project Manager, Technical Division
Nuclear Management and Resources Council
1776 Eye Street, N.W., Suite 300
Washington, DC 20006

Dear Mr. Pietrangelo:

This letter is to thank you for your September 17, 1993 letter providing Draft 2 of EPRI TR-102348, "Guidelines on Licensing Digital Upgrades." This version is considerably better than the previous version in that more detailed and useful information is provided to licensees for applying the requirements of 10 CFR 50.59 to digital upgrades. The staff has reviewed this draft, and has two major observations and a number of less significant comments.

The first of the major observations concerns the concept of dealing with a 10 CFR 50.59 evaluation for a digital instrumentation and control system retrofit by consideration of possible malfunctions only on a plant system consequence level. The staff feels this is not the intent of 10 CFR 50.59. 10 CFR 50.59, paragraph (a)(2) states that a proposed change shall be deemed to involve an unreviewed safety question (USQ) in the event "a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created." This does not refer to the plant system response or consequences of such an accident or malfunction, but merely the existence of such a case. However, in your submittal in Section 3.2.1, on page 3-6, you use the concept of a new type of malfunction correctly. As an example of why the staff feels a malfunction cannot be considered purely at the plant "system level", we need look only at the Reactor Protection System (RPS). A failure of the RPS has already been analyzed by all licensees in response to the ATWS rule, 10 CFR 50.62. Protective measures have been incorporated accordingly. It is surely not the intent of either the staff or NUMARC to indicate that, due to the existence of the ATWS mitigating capability, any modification of the RPS system would automatically not result in a USQ under 10 CFR 50.59.

With this in mind, the information used to show that a digital upgrade would pass a 10 CFR 50.59 review should be reconsidered. In general, the logic and reasoning used would show why the proposed change would be approved by the staff after review, but is not adequate to justify a 50.59 evaluation indicating that no USQ exists and therefore that a staff review is not warranted. An example is defense-in-depth. If a USQ exists, defense-in-depth may be justification for approval of the change. The need for review is determined by the existence of the USQ. Consequently, the staff recommends that the proposed digital upgrade guidance document be reviewed for internal consistency when licensees establish that a USQ does or does not exist, and further, that the document be compared to NSAC-125 for consistency since NSAC-125 is referenced in numerous places. The staff suggests wording similar to the following, based on the safety significance of a proposed digital upgrade, as appropriate for assessing whether the digital upgrade constitutes a USQ:

When making the determination of whether the proposed digital system retrofit results in an unreviewed safety question, the licensee should perform a defense-in-depth evaluation of the impact of a failure in the proposed instrumentation and control (I&C) system modification on plant safety based on the I&C system safety significance as defined in the plant UFSAR. The licensee should demonstrate that primary protection functions and operator indications (e.g. reactor protection, engineered safety features and Category 1 post accident monitoring) are not lost from a postulated software common mode failure in the digital system upgrade in order to establish that no unreviewed safety question is presented by the proposed retrofit.

The second major observation concerns section 5.3, Compatibility with the Environment including EMI. In this section, there are numerous references to draft EPRI Report TR-102323, "Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment in Nuclear Power Plants." This document has not been reviewed or agreed upon, and in the opinion of the staff, there is still a significant amount of work and research required before this document can be considered as an adequate reference. It has also not been determined that TR-102323 is a "conservative estimate" of the EMI environment. This is an editorial comment, and should also be removed. While there is little doubt that with sufficient data on actual plant conditions a bounding limit can be agreed upon, this data and the resulting agreed-upon limits do not yet exist. The staff feels, therefore, that the document should state that such a reference may be available at some date in the future, but is not yet available. There should then be a discussion of how to proceed once bounding limits are determined. For this purpose, the existing wording would be adequate. The reference to EPRI TR-102323 should be removed, as this gives the impression that reference to this document would be considered acceptable by the staff at this time. There should also be an additional caution that it is still incumbent upon the licensee to determine that no unusual conditions exist which would make the bounding limits invalid. An example of this would be if the limits were based only on plant conditions in the control room area, and the site of the proposed installation was in areas of the plant not covered by the referenced study. It could also be that in a specific instance the plant equipment layout is such that there is the possibility of high levels of EMI in an area normally considered benign. As always, the final determination that the equipment will function as required is the responsibility of the licensee.

In addition to these observations, there are a number of less significant comments which should be considered. In many areas it may be that the difference is a result of the staff not fully understanding the intent of the statement, and that the document is intended to say the equivalent of the modification the staff feels is necessary. If this is the case, it is also possible that future readers may also misunderstand, and therefore some mutually agreeable and more understandable wording may be appropriate.

1. Section 3.1.2, Failure Analysis, states that if a failure is judged to be significant, the resolution may be to require additional testing. The staff feels that inherently, quality cannot be tested into a product. Testing only determines what the quality of the product is, and the nature and occurrence of a problem. The staff feels this should be changed to state that if a failure is judged to be significant, the design should be modified to reduce the significance of the failure.

2. The same Failure Analysis Section, 3.1.2, raises the question of the definition of the term "significant". The meaning of significant in this section should be clarified in order to avoid future misunderstanding.

3. Section 4.4 states that if alternate means are available and demonstrated to adequately mitigate a failure, then the failure is not a USQ. That which constitutes "adequate mitigation" is not clearly stated. If protection against system level failure is considered adequate, then as was mentioned above, this may show that the change should be approved, but the mere existence of the possibility of a malfunction not previously analyzed constitutes a USQ. The primary protection function should be ensured following a postulated failure in order to demonstrate that no USQ exists.

4. The third paragraph of section 4.5 is somewhat confusing in the area of what a "yes" or "no" answer means. The paragraph should be modified to state that a yes answer to any of the seven basic questions determines the existence of a USQ. The paragraph could then go on to say that a "yes" or a "no" to any of the subsequent questions does not automatically mean there is a USQ, due to the manner in which the questions are written. It should state that an unsatisfactory answer to any of the supplemental questions should, as a minimum, raise a warning flag, and unless there are some mitigating factors, there is a good possibility that a USQ exists. Page 4-6 of NSAC 125 provides adequate details.

5. It should be pointed out that when assessing the probability for a malfunction, while this may be done via engineering judgment in a qualitative manner, the logic and basis for that evaluation must be documented for possible future review and analysis.

6. In paragraph (1)(c) of section 4.5, when a determination is made if the system is compatible with the installed environment, the environment must either be known, or an endorsed standard should be referenced.

7. Section (4)(b) asks "Is a software failure a significant failure mode based on systems failure analysis?" This is an inappropriate question to ask, and any answer would be misleading. If the failure has not previously been analyzed, it is significant with respect to the determination of a USQ. The effect on the system failure analysis is not important in this determination.

8. Section (4)(f) is similar in nature. If the HMI introduces a new type of failure, it is significant regardless of the effect of the failure. This is again a case where this is a good question to ask to determine if the change should be acceptable, but not if it should be reviewed.

9. All of Section (6) has the "system level failures" problem. In addition, in Section (6)(d), using normal industry standards is not sufficient. If industry standards are to be used, they must be specifically written and approved for high reliability, safety critical applications.

10. Section 4.2.6 of NSAC 125, page 4-10, the corresponding section of NSAC 125, specifically refers to analog to digital conversions as possibly being a USQ.

11. Section 5-2 on commercial grade item dedication is of limited value. It may be preferable to refer to the new ANSI/IEEE 7.4.3.2, section 5.3.2 and Appendix D for information in this area. There is also a working group of the Nuclear Utilities Software Management Group working on this issue. Specifically, "appropriate" activities to develop a level of confidence in the commercial grade products are not defined. There should be an emphasis on the concept that use of any commercial grade product will need a positive indication that the item will do the required function, with a documented basis for that determination.

12. Section 5.2.2 refers to an examination of the operating experience of commercial products. A note of caution should be added that some commercial vendors do not maintain an error or problem record, and that an indication of positive performance is required, as well as a lack of indication of negative performance. The third paragraph states acceptance should be based on "adequate confidence." Merely adequate is insufficient. Since this is software used in safety systems, a high level of confidence in the product should be required, with documented reasoning.

13. The examples need to be modified. Of the five examples, four indicate that there is no USQ, and the fifth leaves the question open. In order to be more useful, there should be examples where a USQ is present. The examples also need to be looked at in the light of a new malfunction in a safety significant system where a failure results in loss of a primary protective function, not of a different system level failure. Example 1 could have malfunctions not mentioned, such as a trip at a wrong value or at the wrong time, multiple channel failures, a difference between trip value and indications, or a self-test diagnostic success but failure to operate. The evaluation should go beyond the level where system-level failures are identified, to the level where a new type of malfunction may be identified. This example may pass a 50.59 evaluation and not present a USQ, but not for the reasons given.

14. In Example 5-3, on page 5-12, a reference is made that "no failures being reported that are attributable to software" is acceptable to find a sufficiently small likelihood of failure as to be acceptable. A lack of failure reports may be due to poor record keeping. A positive indication is required, not a lack of negative indication. In addition, 10 CFR 50.59 does not refer to the probability of a new malfunction, but only to the possibility of its existence to determine a USQ.

15. Example 5-4 would indicate anything would pass. The argument, based upon system level backups and manual actions, is sufficiently broad that it would be virtually impossible for any modification, regardless of technology, to fail this test. This is a poor example.

16. Paragraph 4(a) of this section again speaks of the significance of the risk, and section (b) refers to the defense in depth. Both of these are reasons for the staff review to approve the change, but if the possibility of an unanalyzed malfunction exists, and can lead to loss of significant safety functions, there is a USQ and staff review is required.

17. Paragraph 4(c) on page 5-14 has a good comment on difficulty in demonstrating confidence.

18. The last paragraph on page 5-14 speaks of insuring there is sufficient backup or defense in depth to demonstrate a problem "would not result in a non-coolable geometry of the core, violation of the integrity of the primary coolant pressure boundary, or violation of the integrity of the containment." This is a good comment, but is again a reason for approval, not necessarily justifying no USQ.

19. In section 5.6, Diversity Required by ATWS Rule, there is a comment that designs may be different in some or all of the areas listed. The staff feels this section should say that the design should be different in these areas; however, if they are not, the degree of diversity may still be sufficient for approval by the staff. At this point, determination of the sufficiency of the degree of diversity will usually require staff review.

20. Section 5.6 also states that simple components or modules that are widely used may be used in both the RPS and ATWS systems and not compromise diversity. This may very well be true, but there should be a documented analysis to show this determination. Particularly in those cases where the part is sufficiently generic that multiple sources are available, there should be a justification for not using diverse vendors for this item.

21. As a general comment, any time engineering judgement is used as justification for a decision, that judgment should be documented with its basis or reason. This will allow future reviews or inspections to understand the rationale behind the decision. If the question involved is dubious, or no rationale for the decision is possible, the issue should be forwarded to NRC for review and approval.

We look forward to future interactions with NUMARC, and intend to discuss the above issues with you at the October 28th, 1993 meeting and at such times as are necessary in the future to reach a mutual agreement. Please feel free to contact me at (301) 504-2821 or Paul Loeser at (301) 504-2825 should you have any questions or comments.

Jared S. Wermiel, Chief
Instrumentation and Controls Branch
Division of Reactor Controls and Human Factors

Distribution:
PDR
HICB R/F
P. Loeser
J. Wermiel

HICB          BC:HICB:DRCH
P. Loeser:lm  J. Wermiel
10/26/93      10/26/93

Name: NUMARC2.MOD