ML20129J858

| Person / Time | |
|---|---|
| Site: | Nuclear Energy Institute |
| Issue date: | 05/30/2020 |
| From: | Nuclear Energy Institute |
| To: | Office of Nuclear Reactor Regulation; Govan T, NRR/DRO, 415-6197 |
| Shared Package: | ML20129J857 |
| References: | NEI 96-07, Appendix D, Rev 1 |
| Download: | ML20129J858 (56) |
© NEI 2020. All rights reserved.
nei.org

SUPPLEMENTAL GUIDANCE FOR APPLICATION OF 10 CFR 50.59 TO DIGITAL MODIFICATIONS

Prepared by the Nuclear Energy Institute
February/May 2020
NEI 96-07, Appendix D, Rev 1
DRAFT M
Acknowledgements

NEI would like to thank the NEI 01-01 Focus Team for developing this document. Although everyone contributed to the development of this document, NEI would like to give special recognition to David Ramendick, who was instrumental in preparing this document.

NOTICE

Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information apparatus, methods, or process disclosed in this report or that such may not infringe privately owned rights.
Executive Summary

NEI 96-07, Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, provides focused application of the 10 CFR 50.59 guidance contained in NEI 96-07, Revision 1, to activities involving digital modifications.

The main objective of this guidance is to provide all stakeholders a common framework and understanding of how to apply the 10 CFR 50.59 process to activities involving digital modifications.

The guidance in this appendix supersedes the 10 CFR 50.59-related guidance contained in NEI 01-01/EPRI TR-102348, Guideline on Licensing of Digital Upgrades, and incorporates the 10 CFR 50.59-related guidance contained in Regulatory Issue Summary (RIS) 2002-22, Supplement 1, Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems.
Table of Contents

1 Introduction
  1.1 Background
  1.2 Purpose
  1.3 10 CFR 50.59 Process Summary
  1.4 Applicability to 10 CFR 72.48
  1.5 Content of this Guidance Document
2 Defense-In-Depth Design Philosophy and 10 CFR 50.59
3 Definitions and Applicability of Terms
4 Implementation Guidance
  4.1 Applicability
  4.2 Screening
    4.2.1 Is the Activity a Change to the Facility or Procedures as Described in the UFSAR?
      4.2.1.1 Screening of Changes to the Facility as Described in the UFSAR
      4.2.1.2 Screening of Changes to Procedures as Described in the UFSAR
      4.2.1.3 Screening Changes to UFSAR Methods of Evaluation
    4.2.2 Is the Activity a Test or Experiment Not Described in the UFSAR?
  4.3 Evaluation
    4.3.1 Does the Activity Result in More Than a Minimal Increase in the Frequency of Occurrence of an Accident?
    4.3.2 Does the Activity Result in More Than a Minimal Increase in the Likelihood of Occurrence of a Malfunction of an SSC Important to Safety?
    4.3.3 Does the Activity Result in More Than a Minimal Increase in the Consequences of an Accident?
    4.3.4 Does the Activity Result in More Than a Minimal Increase in the Consequences of a Malfunction?
    4.3.5 Does the Activity Create a Possibility for an Accident of a Different Type?
    4.3.6 Does the Activity Create a Possibility for a Malfunction of an SSC Important to Safety with a Different Result?
    4.3.7 Does the Activity Result in a Design Basis Limit for a Fission Product Barrier Being Exceeded or Altered?
    4.3.8 Does the Activity Result in a Departure from a Method of Evaluation Described in the UFSAR Used in Establishing the Design Bases or in the Safety Analyses?
1 INTRODUCTION

There are specific considerations that should be addressed as part of the 10 CFR 50.59 process when performing 10 CFR 50.59 reviews for digital modifications. These specific considerations include different potential failure modes of digital equipment as opposed to the equipment being replaced, the effect of combining functions of previously separate devices (at the component level, at the system level, or at the "multi-system" level) into fewer devices or one device, and the potential for software common cause failure (software CCF).

The format of this Appendix was aligned with NEI 96-07, Rev. 1 text for ease of use. As such, there will be sections where no additional guidance is provided.
1.1 Background
Licensees have a need to modify existing systems and components due to the growing problems of obsolescence, difficulty in obtaining replacement parts, and increased maintenance costs. Also, there is great incentive to take advantage of modern digital technologies that offer potential performance and reliability improvements.

In 2002, a joint effort between the Electric Power Research Institute (EPRI) and the Nuclear Energy Institute (NEI) produced NEI 01-01, Revision 0 (also known as EPRI TR-102348, Revision 1), Guideline on Licensing Digital Upgrades: A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule, which was endorsed (with qualifications) by the Nuclear Regulatory Commission (NRC) in Regulatory Issue Summary (RIS) 2002-22.

Since the issuance of NEI 01-01 in 2002, digital modifications have become more prevalent. Application of the 10 CFR 50.59 guidance contained in NEI 01-01 has not been consistent or thorough across the industry, leading to NRC concerns regarding uncertainty as to the effectiveness of NEI 01-01 and the need for clarity to ensure an appropriate level of rigor is being applied to a wide variety of activities involving digital modifications.

NEI 01-01 contained guidance for both the technical development and design of digital modifications, as well as the application of 10 CFR 50.59 to those digital modifications. The NRC also identified this "mixture of guidance" as an issue and stated that NEI should separate the technical guidance from the 10 CFR 50.59 guidance.

In 2018, Supplement 1 to RIS 2002-22 was issued to clarify the NRC staff's endorsement of the guidance pertaining to NEI 01-01, Sections 4 and 5 and Appendices A and B. Specifically, the RIS supplement clarified the guidance for preparing and documenting qualitative assessments that may be used to evaluate the likelihood of failure of a proposed digital modification, including the likelihood of failure due to a software common cause failure (software CCF).
Supplement 1 to RIS 2002-22 identified that a qualitative assessment may be used to support a conclusion that a proposed digital I&C modification will not result in more than a minimal increase in the frequency of occurrence of accidents or in the likelihood of occurrence of malfunctions (10 CFR 50.59(c)(2)(i) and (ii)). A qualitative assessment may also be used to support a conclusion that the proposed modification does not create the possibility of an accident of a different type or a malfunction with a different result than previously evaluated in the updated final safety analysis report (10 CFR 50.59(c)(2)(v) and (vi)).
1.2 Purpose

Appendix D is intended to assist licensees in the performance of 10 CFR 50.59 reviews of activities involving digital modifications in a consistent and comprehensive manner. This assistance includes guidance for performing 10 CFR 50.59 Screens and 10 CFR 50.59 Evaluations. Appendix D does not alter and, unless explicitly noted, should not be interpreted differently than the guidance contained in NEI 96-07, Rev. 1. Rather, Appendix D provides focused guidance for the application of 10 CFR 50.59 to activities involving digital modifications.

The guidance in this appendix applies to 10 CFR 50.59 reviews for both small-scale and large-scale digital modifications; from the simple replacement of an individual analog meter with a microprocessor-based instrument, to a complete replacement of an analog reactor protection system with an integrated digital system. Examples of activities considered to involve a digital modification include computers, computer programs, data (and its presentation), embedded digital devices, software, firmware, hardware, the human-system interface, microprocessors and programmable digital devices (e.g., Programmable Logic Controllers and Field Programmable Gate Arrays).

This guidance is not limited to "stand-alone" instrumentation and control systems. This guidance can also be applied to the digital aspects of modifications or replacements of mechanical or electrical equipment if the new equipment makes use of digital technology (e.g., a new HVAC design that includes embedded microprocessors for control).

Finally, this guidance is applicable to digital modifications involving safety-related and non-safety-related systems and components and also covers digital-to-digital activities (i.e., modifications or replacements of digital-based systems).
1.3 10 CFR 50.59 Process Summary

No additional guidance is provided.

1.4 Applicability to 10 CFR 72.48

No additional guidance is provided.

1.5 Content of this Guidance Document

Relationship of Appendix D to NEI 96-07, Revision 1

In sections 3 and 4 of this appendix, references to the main body of NEI 96-07, Revision 1 will be abbreviated as "NEI 96-07."

Guidance Focus

In Sections 4.2 (Screening) and 4.3 (Evaluation), each section and subsection addresses only a specific aspect, sometimes at the deliberate exclusion of other pertinent and/or related aspects. This focused approach is intended to concentrate the guidance on the particular aspect of interest and does not imply that the other aspects do not apply or could not be related to the aspect being addressed. Initially, all aspects need to be considered, with the knowledge that some of them may be able to be excluded based on the actual scope of the digital modification being reviewed.

Example Focus

Unless stated otherwise, a given example addresses ONLY the aspect within the section/subsection in which it is included, sometimes at the deliberate exclusion of other pertinent and/or related aspects which, if considered, could potentially change the Screen and/or Evaluation conclusion(s).
2 DEFENSE-IN-DEPTH DESIGN PHILOSOPHY AND 10 CFR 50.59

No additional guidance is provided.

3 DEFINITIONS AND APPLICABILITY OF TERMS

Definitions 3.1 through 3.14 are the same as those provided in NEI 96-07. Definitions specific to this appendix are defined below.

3.15 Qualitative Assessment

Definition:

A qualitative assessment is a specific type of technical-based engineering evaluation useful to 10 CFR 50.59 Evaluations when responding to Evaluation criteria 10 CFR 50.59(c)(2)(i), (ii), (v) and (vi).

Discussion:

The purpose of a qualitative assessment is to determine the "magnitude" of the likelihood of a software CCF. The magnitude of the likelihood of a software CCF can be either sufficiently low (see the definition in Section 3.16) or not sufficiently low. Therefore, the only part of the qualitative assessment needed for responding to the four 10 CFR 50.59(c)(2) criteria listed above is the outcome (i.e., sufficiently low or not sufficiently low).

Although a qualitative assessment could be performed as part of developing the responses to the four 10 CFR 50.59(c)(2) criteria listed above, this technical-based engineering evaluation is typically performed "prior to" or "in parallel with" the completion of the 10 CFR 50.59 Evaluation.

Generally, reasonable assurance of the low likelihood of failure due to a software CCF is derived from the qualitative assessment of factors involving (1) the design attributes of the modified SSC, (2) the quality of the design processes, and (3) the operating experience of the software and hardware used (i.e., product maturity and in-service experience).
The qualitative assessment is used to record the factors and rationale for making a determination of the likelihood of failure (i.e., sufficiently low or not sufficiently low) due to a software CCF that a digital I&C modification will exhibit.

The determination of the likelihood of failure may consider the aggregate of all the factors described above. Namely, some of the factors may compensate for weaknesses in other areas or other factors. For example, thorough testing coupled with an analysis demonstrating untested states are accounted for in the proposed application may provide additional assurance of a sufficiently low likelihood of failure to compensate for a lack of operating experience.

A qualitative assessment should not be used for digital I&C replacements of the reactor protection system (RPS), the engineered safety features actuation system (ESFAS), or modification/replacement of the internal logic portions of these systems (e.g., voting logic, bistable inputs, and signal conditioning/processing).
3.16 Sufficiently Low

Definition:

Sufficiently low means much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design flaws, maintenance errors and calibration errors).

Discussion:

This sufficiently low threshold is not interchangeable with that used for distinguishing between events that are credible or not credible. The threshold for determining if an event is credible uses the criterion of as likely as (i.e., not much lower than) the malfunctions already assumed in the UFSAR.
4 IMPLEMENTATION GUIDANCE

4.1 Applicability

No additional guidance is provided.

4.2 Screening

CAUTION

The guidance contained in this section of the appendix is intended to supplement the generic Screen guidance contained in the main body in NEI 96-07, Section 4.2. Namely, the generic Screen guidance provided in the main body of NEI 96-07 and the more focused Screen guidance in this appendix BOTH apply to digital modifications.
Introduction

As stated in NEI 96-07, Section 4.2.1, the determination of the impact of a proposed activity (i.e., adverse or not adverse) is based on the impact of the proposed activity on UFSAR-described design functions. To assist in determining the impact of a digital modification on a UFSAR-described design function, the general guidance from NEI 96-07 will be supplemented with the digital-specific guidance in the topic areas identified below.

Digital-to-Digital Replacements and "Equivalency"

In NEI 96-07, Section 4.2.1.1, equivalent replacements are discussed. However, digital-to-digital changes may not necessarily be equivalent because the component/system behaviors, response times, failure modes, etc. for the new component/system may be different from the old component/system. All non-equivalent digital-to-digital replacements should utilize the guidance provided in this Appendix.

Human-System Interface Considerations

Similar to other technical evaluations (performed as part of the design modification package), a human factors engineering (HFE) evaluation determines the impacts and outcomes of the change (e.g., personnel acts or omissions, as well as their likelihoods and effects). The licensing-based reviews (Screens and Evaluations) performed in accordance with 10 CFR 50.59 compare the impacts and new outcomes (i.e., post-modification) to the initial conditions and current outcomes (i.e., pre-modification) in order to determine the effect on design functions (in the Screen phase) and the need for a license amendment request (in the Evaluation phase).
4.2.1 Is the Activity a Change to the Facility or Procedures as Described in the UFSAR?

Introduction

There is no regulatory requirement for a proposed activity involving a digital modification to default (i.e., be mandatorily "forced") to an adverse conclusion.

Although there may be adverse impacts on UFSAR-described design functions due to the following types of activities involving a digital modification, these typical activities do not default to an adverse conclusion simply because of the activities themselves.

- The introduction of software or digital devices.
- The replacement of software and/or digital devices with other software and/or digital devices.
- The use of a digital processor to "calculate" a numerical value or "generate" a control signal using software in place of using analog components.
- Replacement of hard controls (i.e., push buttons, knobs, switches, etc.) with a touch screen to operate or control plant equipment.

Engineering/technical information should be documented (as part of the design process) to record the impacts from digital modifications. This engineering/technical information will be used as the basis/justification for the conclusion of adverse or not adverse.
Scope of Digital Modifications

Generally, a digital modification may consist of three areas of activities: (1) software-related activities, (2) hardware-related activities and (3) Human-System Interface-related activities.

NEI 96-07, Section 4.2.1.1 provides guidance for activities that involve "...an SSC design function..." or a "...method of performing or controlling a design function..." and Section 4.2.1.2 provides guidance for activities that involve "...how SSC design functions are performed or controlled (including changes to UFSAR-described procedures, assumed operator actions and response times)."

Based on this segmentation of activities, the software and hardware portions will be assessed within the "facility" Screen consideration since these aspects involve SSCs, SSC design functions, or the method of performing or controlling a design function, and the Human-System Interface (HSI) portion will be assessed within the "procedures" Screen consideration since this portion involves how SSCs are operated and controlled.
4.2.1.1 Screening of Changes to the Facility as Described in the UFSAR

SCOPE

In the determination of potential adverse impacts, the following aspects should be addressed in the response to this Screen consideration:

- a. Use of Software and Digital Devices
- b. Combination of Components/Systems and/or Functions

USE OF SOFTWARE AND DIGITAL DEVICES

Discussion

For applications involving SSCs with design functions, an adverse effect may be created due to the potential marginal increase in the likelihood of SSC failure due to the introduction of software. This does not mean that all digital modifications that introduce software will automatically screen in.

For redundant safety systems, this marginal increase in likelihood creates a similar marginal increase in the likelihood of a common failure in the redundant safety systems. On this basis, most digital modifications to redundant safety systems are adverse.

However, for some digital modifications, the engineering/technical information supporting the change may show that the digital modification contains design attributes to eliminate consideration of a software common cause failure. In such cases, even when a digital modification involves redundant systems, the digital modification would not be adverse.

For relatively simple digital modifications, engineering/technical information supporting the change may be used to show that the digital modification would not adversely affect design functions; even for digital modifications that involve redundant components/systems, because a software CCF is not introduced.
To reach a screen conclusion of not adverse for relatively simple digital modifications, the degree of assurance needed to make that conclusion is based on considerations such as the following:

Physical Characteristics of the Digital Modification
- The change has a limited scope (e.g., replace analog transmitter with a digital transmitter that drives an existing instrument loop)
- Uses a relatively simple digital architecture internally (e.g., simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks)
- Has limited functionality (e.g., transmitters used to drive signals for parameters monitored)
- Can be comprehensively tested (but not necessarily 100 percent of all combinations)

Engineering Evaluation Assessments
- The quality of the design processes employed
- Single failures of the digital device are encompassed by existing failures of the analog device (e.g., no new digital communications among devices that introduce possible new failure modes involving separate devices)
- Has extensive applicable operating history

The use of different software in two or more channels, trains or loops of SSCs is not adverse due to a software CCF because there is no mechanism to create a new malfunction due to the introduction of the software.

Some specific examples of activities that have the potential to cause an adverse effect include the following activities:

- Addition or removal of a deadband, or
- Replacement of instantaneous readings with time-averaged readings (or vice versa).

In each of these specific examples, the impact on a design function associated with the stated condition needs to be assessed to determine the Screen conclusion (i.e., adverse or not adverse).
EXAMPLES

Example 4-1 illustrates the application of the guidance for a relatively simple digital modification.

Example 4-1. NO ADVERSE IMPACT on a Design Function for a Relatively Simple Digital Modification

Proposed Activity Description

Transmitters are used to drive signals for parameters monitored by redundant ESFAS channels. The original analog transmitters are to be replaced with microprocessor-based transmitters. The change is of limited scope since the existing 4-20 mA instrument loop is maintained for each channel without any changes other than replacing the transmitter itself.

The digital transmitters are used to drive signals of monitored parameters and thus have limited functionality with respect to the ESFAS design function.

Design Function Identification

The ESFAS design function is the ability to respond to plant accidents.

Screen Response

The digital transmitters use a relatively simple digital architecture internally.

Failures of the new digital device are encompassed by the failures of the existing analog device. The engineering/technical information supporting the change concluded that the digital system is at least as reliable as the previous system, the conclusion of which is based on the quality of the design processes employed, and the operating history of the software and hardware used. In addition, based on the simplicity of the device, it was comprehensively tested. Further, substantial operating history has demonstrated high reliability in applications similar to the ESFAS application.

Therefore, the proposed digital modification is not adverse (for the aspect being illustrated in this example) because the digital modification is relatively simple and the assessment of the considerations identified above has determined that the reliability of performing the design function is not reduced and a software CCF is not introduced.
Example 4-2 illustrates the application of the Use of Software and Digital Devices aspect.

Example 4-2. ADVERSE IMPACT on a Design Function related to use of Software and Digital Devices

Proposed Activity Description

Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same.

The two analog control systems will be replaced with two digital control systems. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

No combination of components/systems and/or functions occurs as part of this digital modification.

Design Function Identification

The design function of the feedwater control systems is to automatically control and regulate feedwater flow to the steam generators.

Screen Response

The digital modification associated with this proposed activity is not relatively simple, so the process for assessing relatively simple digital modifications could not be used.

There is an adverse impact (for the aspect being illustrated in this example) on the design function of the main feedwater control system because the use of the exact same software in both digital control systems creates a potential software CCF that did not previously exist.
COMBINATION OF COMPONENTS/SYSTEMS AND/OR FUNCTIONS

Discussion

The UFSAR may identify the number of components/systems, how the components/systems are arranged and/or how functions are allocated to those components/systems.

When replacing analog SSCs with digital SSCs, it is potentially advantageous to combine multiple components/systems and/or functions into a single device or control system. However, as a result of this combination, the failure of the single device or control system has the potential to adversely affect design functions.

The mere act of combining previously separate components/systems and/or functions does not make the Screen conclusion adverse. However, if combining the previously separate components/systems and/or functions causes an adverse impact on a design function (e.g., by causing the loss of multiple design functions when the digital device fails), then the combination aspect of the digital modification will have an adverse impact on a design function (i.e., screen in).

When comparing the existing and proposed configurations, consider how the proposed configuration affects the number and/or arrangement of components/systems and the potential impacts of the proposed arrangement on design functions.

Furthermore, digital modifications that involve networking; combining design functions from different systems; interconnectivity across channels, systems, and divisions; or shared resources, merit careful review to determine if such modifications cause reductions in the redundancy, diversity, separation, or independence of UFSAR-described design functions.

Combining different functions due to digital modifications can result in combining design functions of different systems; either directly in the same digital device, or indirectly through shared resources.

Shared resources (e.g., bidirectional communications, power supplies, controllers, and multifunction display and control stations) introduced by digital modifications may reduce the redundancy, diversity, separation, or independence of UFSAR-described design functions.

Reductions in the redundancy, diversity, separation, or independence of a UFSAR-described design function have an adverse impact on that design function.
EXAMPLES

Examples 4-3 through 4-5 illustrate the application of the Combination of Components/Systems and/or Functions aspect.

Example 4-3. Combining Components and Functions with NO ADVERSE IMPACT (Option #1) and an ADVERSE IMPACT (Option #2) on a Design Function

Proposed Activity Description

Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same. Each analog control system has many subcomponents.

Option #1: Within each control system, all of the analog subcomponents will be replaced with a single digital device that consolidates all of the components, subcomponents and the functions associated with each component and subcomponent. The components and subcomponents in each analog control system will be replaced with their own digital control system, retaining two discrete, unconnected control systems.

Option #2: Instead of two discrete, unconnected digital control systems being used for the feedwater control systems (as outlined in Option #1), only one digital device is proposed to be used that will combine ALL components, subcomponents and functions of both control systems.

Design Function Identification

Although the control systems and the major components are described in the UFSAR, only a design function for the feedwater control systems is identified. The design function of the feedwater control systems is to automatically control and regulate feedwater flow to the steam generators.

Screen Response

Option #1: There is no adverse impact (for the aspect being illustrated in this example) on the design function of the main feedwater control systems to automatically control and regulate feedwater to the steam generators due to the combination of components in each of the two channels, because two feedwater control systems are maintained.

Option #2: There is an adverse impact (for the aspect being illustrated in this example) on the design function of the main feedwater control systems to automatically control and regulate feedwater to the steam generators due to the combination of components in each of the two channels, because loss of the one digital device would cause multiple design functions (one each from the two original feedwater control systems) to NOT be performed.
Example 4-4. Combining Components and Functions with NO ADVERSE IMPACT on a Design Function

Proposed Activity Description

A temperature monitor/controller in a room containing an emergency room cooler provides an input to an air damper controller. If temperature gets too high, the temperature controller sends a signal to the air damper to open (if closed) to a predetermined initial position or, if already open, adjusts the position of the damper to allow increased air flow into the room.

Both analog controllers will be replaced with a single digital device that will perform in accordance with the original design requirements, providing both temperature monitoring/control and air damper control.

Design Function Identification

The temperature monitor/controller performs a design function to control the temperature in the room by continuously monitoring the temperature in the room to ensure the initial conditions are met should the emergency room cooler be needed.

The air damper controller performs a design function to control the temperature in the room by continuously providing the appropriate air flow to the room to ensure the initial conditions are met should the emergency room cooler be needed.

There is no lower limit on the acceptable temperature in the room.

Screen Response

In the current design, a failure of the temperature monitor/controller or the air damper controller causes the loss of the ability to control the temperature in the room. In the proposed design, the failure of the digital device causes multiple failures, but still only the loss of the ability to control the temperature in the room. With the loss of ability to control temperature in the room being the same in the current design and in the proposed design, there is no adverse impact (for the aspect being illustrated in this example) on the design function.
The combining of components/systems and/or functions that were previously completely physically and/or electrically discrete (i.e., not coupled) is of particular interest when determining the impact on design functions.

Example 4-5 illustrates the combining of control systems from different, originally discrete systems.

Example 4-5. Combining Systems and Functions with an ADVERSE IMPACT on a Design Function

Proposed Activity Description

One non-safety-related analog Steam Bypass Control System (SBCS) and one non-safety-related main turbine steam inlet valves analog control system exist.

Both analog control systems will be replaced with one digital control system that will combine the SBCS and the main turbine steam inlet valves control system into a single digital device.

Design Function Identification

The design function of the SBCS is to maximize plant availability by making full utilization of the turbine bypass valve capacity to remove Nuclear Steam Supply System (NSSS) thermal energy to accommodate load rejections, unit trips, and other conditions that result in the generation of excessive energy by the NSSS. This objective is achieved by the selective use of turbine bypass valves to avoid unnecessary reactor trips and prevent the opening of secondary side safety valves whenever these occurrences can be averted by the controlled release of steam.

The design function of the main turbine inlet valves control system is to automatically control and regulate steam flow to the main turbine.

Screen Response

Because the failure of the new, single digital device will cause the loss of multiple design functions, the digital modification has an adverse impact (for the aspect being illustrated in this example) on the design function of the SBCS and the design function of the main turbine steam inlet valves control system.
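The common thread of Examples 4-3 through 4-5 is a single-failure comparison: map each device to the design functions that depend on it, fail one device at a time in the current and in the proposed configuration, and ask whether the new device's failure loses a combination of design functions that no single failure could lose before. The following Python script, added here as an illustration and not part of NEI 96-07 Appendix D or any licensee's 50.59 process, encodes that comparison. The dependency model (a design function is performed when every group of devices it relies on still has a working member) and the subset test in `screen()` are the author's modelling choices; all device and function names are constructed from the appendix's examples, and the last case (a shared power supply placed under two redundant trains) goes beyond them to show how the same test catches the "reduction in redundancy" case described in the Discussion above.

```python
"""Single-failure comparison for the "Combination of Components/Systems and/or
Functions" Screen aspect, modelled on Examples 4-3 through 4-5.

Added illustration, not part of NEI 96-07 Appendix D.  Device and design
function names are constructed from the appendix's examples; the subset test
in screen() is one modelling choice for "loss of multiple design functions
when the digital device fails", not the appendix's own wording.

Model: a design function is performed when, for every group of devices it
relies on, at least one device in that group is working.  A series dependency
is a group of one device; redundant trains form one group of several devices.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# design function -> groups of devices; at least one device per group must work
Config = Dict[str, List[Set[str]]]


def devices(cfg: Config) -> Set[str]:
    return {d for groups in cfg.values() for group in groups for d in group}


def lost_functions(cfg: Config, failed: Set[str]) -> FrozenSet[str]:
    """Design functions NOT performed once every device in `failed` has failed."""
    return frozenset(fn for fn, groups in cfg.items()
                     if any(group <= failed for group in groups))


def single_failure_map(cfg: Config) -> Dict[str, FrozenSet[str]]:
    """Design functions lost when each device, alone, fails."""
    return {d: lost_functions(cfg, {d}) for d in sorted(devices(cfg))}


def screen(current: Config, proposed: Config) -> Tuple[bool, Dict[str, FrozenSet[str]]]:
    """Return (adverse, offenders) for the combination aspect only.

    A proposed single failure is an offender when the set of design functions
    it loses is not already lost by some single failure in the current design:
    the combination exposes a loss no single failure could cause before, either
    because several functions now share one device (Examples 4-3 Option #2 and
    4-5) or because a shared resource sits under previously redundant trains.
    """
    before = set(single_failure_map(current).values())
    offenders = {d: lost for d, lost in single_failure_map(proposed).items()
                 if lost and not any(lost <= old for old in before)}
    return bool(offenders), offenders


# Example 4-3: two MFWP control systems, each credited here as its own instance
# of the feedwater control design function (constructed names)
FW_CURRENT = {"FW control (MFWP A)": [{"analog-ctrl-A"}],
              "FW control (MFWP B)": [{"analog-ctrl-B"}]}
FW_OPTION_1 = {"FW control (MFWP A)": [{"digital-ctrl-A"}],
               "FW control (MFWP B)": [{"digital-ctrl-B"}]}
FW_OPTION_2 = {"FW control (MFWP A)": [{"digital-ctrl-AB"}],
               "FW control (MFWP B)": [{"digital-ctrl-AB"}]}

# Example 4-4: two controllers in series behind ONE design function
ROOM_CURRENT = {"room temperature control": [{"temp-ctrl"}, {"damper-ctrl"}]}
ROOM_PROPOSED = {"room temperature control": [{"hvac-digital"}]}

# Example 4-5: SBCS and turbine inlet valve control merged into one device
STEAM_CURRENT = {"SBCS": [{"sbcs-analog"}],
                 "turbine inlet valve control": [{"tiv-analog"}]}
STEAM_PROPOSED = {"SBCS": [{"steam-digital"}],
                  "turbine inlet valve control": [{"steam-digital"}]}

# Beyond the appendix's examples: a shared resource (power supply) placed under
# two redundant trains, the "reduction in redundancy" case in the Discussion
ESF_CURRENT = {"ESF actuation": [{"train-A", "train-B"}]}
ESF_PROPOSED = {"ESF actuation": [{"train-A", "train-B"}, {"shared-psu"}]}

if __name__ == "__main__":
    cases = [("4-3 Option #1", FW_CURRENT, FW_OPTION_1),
             ("4-3 Option #2", FW_CURRENT, FW_OPTION_2),
             ("4-4", ROOM_CURRENT, ROOM_PROPOSED),
             ("4-5", STEAM_CURRENT, STEAM_PROPOSED),
             ("shared resource", ESF_CURRENT, ESF_PROPOSED)]
    for name, cur, prop in cases:
        adverse, offenders = screen(cur, prop)
        summary = {d: sorted(f) for d, f in offenders.items()}
        print(f"{name}: {'ADVERSE' if adverse else 'not adverse'} {summary}")
```

Running the script reports Option #1 of Example 4-3 and Example 4-4 as not adverse and Option #2, Example 4-5 and the shared-resource case as adverse, with the offending device and the design functions its failure loses. The model deliberately covers only the combination aspect; the software CCF aspect of Example 4-2, where two separate devices run the same software, is a different question and is not represented by single-device failures.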
4.2.1.2 Screening of Changes to Procedures as Described in the UFSAR

SCOPE

If the digital modification does not include or affect an HSI element (e.g., the replacement of a stand-alone analog relay with a digital relay that has no features involving personnel interaction and does not feed signals into any other analog or digital device), then this section does not apply and may be excluded from the Screen assessment.

In NEI 96-07, Section 3.11 defines procedures as follows:

"...Procedures include UFSAR descriptions of how actions related to system operation are to be performed and controls over the performance of design functions. This includes UFSAR descriptions of operator action sequencing or response times, certain descriptions...of SSC operation and operating modes, operational...controls, and similar information."

Although UFSARs do not typically describe the details of a specific HSI, UFSARs may describe design functions associated with the HSI.

Because the HSI involves system/component operation, this portion of a digital modification is assessed in this Screen consideration. The focus of the Screen assessment is on potential adverse effects due to modifications of the interface between the human user and the technical device.

Note that the "human user" could involve Control Room Operators, other plant operators, maintenance personnel, engineering personnel, technicians, etc.
HUMAN FACTORS ENGINEERING (HFE) EVALUATION

There are three "basic HSI elements" of an HSI (Reference: ):

- Displays: the visual representation of the information personnel need to monitor and control the plant.
- Controls: the devices through which personnel interact with the HSI and the plant.
- User interface interaction and management: the means by which personnel provide inputs to an interface, receive information from it, and manage the tasks associated with access and control of information.

Any user of the HSI must be able to accurately perceive, comprehend and respond to system information via the HSI to successfully complete their tasks. Specifically, nuclear power plant personnel perform "four generic primary tasks" (Reference: ):

- 1. Monitoring and detection (extracting information from the environment and recognizing when something changes),
- 2. Situation assessment (evaluation of conditions),
- 3. Response planning (deciding upon actions to resolve the situation), and
- 4. Response implementation (performing an action).

Table 1 contains examples of modifications to each of the three basic HSI elements applicable to this Screen consideration.
Table 1 Example Human-System Interface Modifications

| HSI Element | Typical Modification | Description/Example |
|---|---|---|
| Displays | Number of Parameters | Increase/decrease in the amount of information displayed by and/or available from the HSI (e.g., combining multiple parameters into a single integrated parameter, adding additional information regarding component/system performance) |
| Displays | Type of Parameters | Change to the type of information displayed and/or available from the HSI (e.g., removing information that was previously available or adding information that was previously unavailable) |
| Displays | Information Presentation | Change to visual representation of information (e.g., increment of presentation modified) |
| Displays | Information Organization | Change to structural arrangement of data/information (e.g., information now organized by channel/train rather than by flow path) |
| Controls | Control Input | Change to the type/functionality of input device (e.g., replacement of a pushbutton with a touch screen) |
| Controls | Control Feedback | Change to the information sent back to the individual in response to an action (e.g., changing feedback from tactile to auditory) |
| User Interface Interaction and Management | Action Sequences | Change in number and/or type of decisions made and/or actions taken (e.g., replacing an analog controller that can be manipulated in one step with a digital controller that must be called up on the interface and then manipulated) |
| User Interface Interaction and Management | Information/Data Acquisition | Changes that affect how an individual retrieves information/data (e.g., information that was continuously displayed via an analog meter now requires interface interaction to retrieve data from a multipurpose display panel) |
| User Interface Interaction and Management | Function Allocation | Changes from manual to automatic initiation (or vice versa) of functions (e.g., manual pump actuation to automatic pump actuation) |
To determine potential adverse impacts of HSI modifications on design functions, a two-step HFE evaluation must be performed, as follows:

Step One: Identify the generic primary tasks that are involved with (i.e., potentially impacted by) the proposed activity.

Step Two: For all primary tasks involved, assess if the modification negatively impacts an individual's ability to perform the generic primary task.

Examples of impacts on an individual's performance that result in adverse effects on a design function include, but are not limited to:

- increased possibility of misoperation,
- increased difficulty in evaluating conditions,
- increased difficulty in performing an action,
- increased time to respond, and
- creation of new potential failure modes.

GUIDANCE

After the two-step HFE evaluation, the next step is application of the standard Screen process.
Simple Human-System Interface Example

Example 4-6 illustrates how a digital modification with HSI considerations would be addressed.

Example 4-6: Assessment of Modification with NO ADVERSE IMPACT on a UFSAR-Described Design Function

Proposed Activity Description

Currently, a knob is rotated clockwise to open a flow control valve in 1% increments and counterclockwise to close a flow control valve in 1% increments. This knob will be replaced with a touch screen that has two separate arrows, each in its own function block. Using the touch screen, touching the "up" arrow will open the flow control valve in 1% increments and touching the "down" arrow will close the flow control valve in 1% increments.

HFE Evaluation

STEP 1. Identification of the Generic Primary Tasks Involved:

- 1. Monitoring and detection (extracting information from the environment and recognizing when something changes) - NOT INVOLVED
- 2. Situation assessment (evaluation of conditions) - NOT INVOLVED
- 3. Response planning (deciding upon actions to resolve the situation) - NOT INVOLVED
- 4. Response implementation (performing an action) - INVOLVED
STEP 2. Assessment of Modification Impacts on the Involved Generic Primary Tasks:

Tasks 1, 2 and 3 were not involved, so these tasks are not impacted by the modification.

Task 4 is involved. The HFE evaluation determined that the change from knob to touch screen would not impact the operator's ability to perform the response implementation task.

Identification and Assessment of Design Functions

Design Function Identification

The UFSAR states the operator can "open and close the flow control valve using manual controls located in the Main Control Room." Thus, the design function is the ability of the operator to manually adjust the position of the flow control valve, and the UFSAR description implicitly identifies the SSC (i.e., the knob).

Screen Response

Using the results from the engineering/technical information supporting the change, including the HFE evaluation, and examining the replacement of the "knob" with a "touch screen," the modification is not adverse (for the aspect being illustrated in this example) because it does not impact the ability of the operator to "open and close the flow control valve using manual controls located in the Main Control Room," maintaining satisfaction of how the UFSAR-described design function is performed or controlled.

Comprehensive Human-System Interface Examples

Examples 4-7 and 4-8 illustrate how a digital modification with HSI considerations would be addressed. Although both examples use the same basic digital modification, Example 4-7 illustrates a no adverse impact case and Example 4-8 illustrates an adverse impact case by complicating the HSI portion of the modification and modifying the applicable licensing basis.

Example 4-7. Digital Modification Involving HSI Considerations with NO ADVERSE IMPACT on a Design Function

Proposed Activity Description

Analog components and controls for a redundant safety-related system are to be replaced with digital components and controls, including new digital-based HSI.

Currently, two redundant channels/trains of information and controls are provided to the operators in the Main Control Room for the redundant systems. For each channel/train, several different analog instruments present information regarding the performance of the system. The analog displays are arranged by system "flow path" to facilitate the operator's ability to monitor the system as a whole.
The existing HSI for these components is made up of redundant hardwired switches, indicator lights and analog meters. The new HSI consolidates the information and controls onto two flat panel displays (one per train) with touch screen soft controls. The information available on the flat panels is equivalent to that provided on the current analog HSI. Each flat panel display contains only one screen that displays the information and the controls for only that train, replicating the information and controls arrangement as they are in the existing HSI.

The existing HSI requires operators to manipulate analog switches to implement a control action. To take a control action using the new HSI, the operator must (via the touch screen) select the appropriate activity (e.g., starting/initiating the system or changing the system lineup), select the component to be controlled (e.g., pump or valve), select the control action (e.g., start/stop or open/close) and execute the action.

HFE Evaluation

Step 1. Identification of Which Four Generic Primary Tasks are Involved:

- 1. Monitoring and detection (extracting information from the environment and recognizing when something changes) - INVOLVED
- 2. Situation assessment (evaluation of conditions) - NOT INVOLVED
- 3. Response planning (deciding upon actions to resolve the situation) - NOT INVOLVED
- 4. Response implementation (performing an action) - INVOLVED

Step 2. Assessment of the Modification Impacts on the Involved Generic Primary Tasks:

Task 1 is involved. Any change to information presentation has the potential to impact the operator's ability to monitor and detect changes in plant parameters. Even though the modification will result in information being presented on flat panels, the information available and the organization of that information (i.e., by train) will be equivalent to the existing HSI. Due to this equivalence and additional favorable factors (e.g., appropriately sized flat panels, appropriate display brightness, clearly identified function buttons, etc.), as documented in the HFE evaluation, there is no impact on the operator's ability to monitor and detect changes in plant parameters.

Tasks 2 and 3 were not involved, so these tasks are not impacted by the modification.

Task 4 is involved. The modification will require the operator to perform four actions in order to manipulate a control (i.e., 1. select the appropriate activity, 2. select the specific component to be controlled, 3. select the control action to be initiated, and 4. execute the action). Currently, the operator is able to manipulate a control in one action (e.g., turn a switch to on/off). The HFE evaluation determined that the modification impacts the operator's ability to respond by requiring four actions instead of one action, and the additional actions result in an increase in the operator's time to respond. However, the HFE evaluation concluded that the operator actions continue to take place and can be performed in a timely and comparable manner.

Identification and Assessment of Design Functions

Design Function Identification

- a. Status indications are continuously available to the operator.
- b. The operator controls the system components manually.
In this case, the review of the UFSAR, including the assumptions described in the safety analyses, determined that there were no additional design functions related to how design function (b) was performed or controlled. Namely, there were no design functions related to the number of steps necessary to perform the design function (i.e., complexity) or the duration in which the steps were to be performed (i.e., time response).

Screen Response

Since the information available and the organization of that information using the new HSI is equivalent to the existing HSI, the design function for continuous availability of status indications is met and there is no adverse impact (for the aspect being illustrated in this example) on design function (a).

Using the touch screen, the operator is still able to perform design function (b) to manipulate the control for the system's components. Therefore, there is no adverse impact (for the aspect being illustrated in this example) on how design function (b) is performed or controlled, because the HFE evaluation concluded that the operator actions continue to take place and could be performed in a timely and comparable manner.

Example 4-8. Digital Modification Involving HSI Considerations with an ADVERSE IMPACT on a Design Function

Proposed Activity Description

Analog components and controls for a redundant safety-related system are to be replaced with digital components and controls, including new digital-based HSI.

Currently, two redundant channels/trains of information and controls are provided to the operators in the Main Control Room for the redundant systems. For each channel/train, several different analog instruments present information regarding the performance of the system. The analog displays are arranged by system "flow path" to facilitate the operator's ability to monitor the system as a whole.

The existing HSI for these components is made up of redundant hardwired switches, indicator lights and analog meters. The new HSI consolidates the information and controls onto two flat panel displays (one per train) with touch screen soft controls. The information available on the flat panels is equivalent to that provided on the current analog HSI. Each flat panel display contains only one screen, which can display the information for only one train and the controls for only that train, replicating the information and controls arrangement as they are in the existing HSI. Each flat panel display can be customized to display the parameters and/or the configuration (e.g., by train, by flow path or only portions of a train or flow path) preferred by the operators. In addition, the flat panel displays provide many other display options to the user (e.g., individual component status and component/system alarms).

The existing HSI requires operators to manipulate analog switches to implement a control action. To take a control action using the new HSI, the operator must (via the touch screen) select the appropriate activity (e.g., starting/initiating the system or changing the system lineup), select the component to be controlled (e.g., pump or valve), select the control action (e.g., start/stop or open/close), and execute the action.
HFE Evaluation

Step 1. Identification of Which Four Generic Primary Tasks are Involved:

- 1. Monitoring and detection (extracting information from the environment and recognizing when something changes) - INVOLVED
- 2. Situation assessment (evaluation of conditions) - INVOLVED
- 3. Response planning (deciding upon actions to resolve the situation) - INVOLVED
- 4. Response implementation (performing an action) - INVOLVED

Step 2. Assessment of the Modification Impacts on the Involved Generic Primary Tasks:

Tasks 1, 2 and 3 are involved (emphasizing that the modification includes a change to information presentation and organization, such that the indications/instruments are now consolidated and presented on customizable flat panel displays, rather than static analog control boards). With the new displays and display options available to the operators, the operators can choose which parameters to display and the organization of that information (e.g., by train/path). The HFE evaluation concluded that this modification could result in the operator choosing not to have certain parameters displayed, thus impacting their ability to monitor the plant and detect changes. In addition, altering the information displayed and the organization of the information will impact the operator's understanding of how the information relates to system performance. This impact on understanding will also impact the operator's ability to assess the situation and plan an appropriate response.

Task 4 is involved. The modification will require the operator to perform four actions in order to manipulate a control (i.e., 1. select the appropriate activity, 2. select the specific component to be controlled, 3. select the control action to be initiated, and 4. execute the action). Currently, the operator is able to manipulate a control in one action (e.g., turn a switch to on/off). The HFE evaluation determined that the modification impacts the operator's ability to respond by requiring four actions instead of one action, and the additional actions result in an increase in the operator's time to respond. However, the HFE evaluation concluded that the operator actions continue to take place and can be performed in a timely and comparable manner.

Identification and Assessment of Design Functions

Design Function Identification

- a. Status indications are continuously available to the operator.
- b. The operator controls the system components manually.

The review of the UFSAR, including the assumptions described in the safety analysis, determined that an additional design function related to how design function (b) was performed exists. Namely, in the pertinent safety analysis, a response time requirement of the operator had been credited.

Screen Response

The information available and the organization of that information in the new displays are customizable based on operator preference. Critical status indications may not be continuously available to the operator; thus there is an adverse impact (for the aspect being illustrated in this example) on design function (a).
Using the touch screen, the operator is still able to perform design function (b) to manipulate the control for the system's components. However, there is no adverse impact (for the aspect being illustrated in this example) on how design function (b) is performed due to the increased response time, because the HFE evaluation concluded that the operator actions continue to take place and could be performed in a timely and comparable manner.
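The four-step soft control of Examples 4-7 and 4-8 (select activity, select component, select action, execute) can be written down as a small state machine, which makes two of the Step Two impacts concrete: the action count that drives the "increased time to respond" finding, and the "creation of new potential failure modes" (a stray or out-of-order touch must not actuate anything). The block below is an added illustration for this page; it is not NEI 96-07 text and not any plant's or vendor's HSI software. The per-action, recognition and credited response times it uses are assumed values, constructed only to show how the Example 4-8 licensing-basis check would be applied.

```python
"""Constructed model of the four-step touch screen soft control described in
Examples 4-7 and 4-8.  Added illustration for this page; not NEI 96-07 text,
nor any plant's or vendor's HSI software.  All timing values are assumed."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Step(Enum):
    ACTIVITY = auto()   # 1. select the appropriate activity (e.g., start system)
    COMPONENT = auto()  # 2. select the component to be controlled (e.g., pump)
    ACTION = auto()     # 3. select the control action (e.g., start/stop)
    EXECUTE = auto()    # 4. execute the action


SEQUENCE = (Step.ACTIVITY, Step.COMPONENT, Step.ACTION, Step.EXECUTE)


@dataclass
class SoftControl:
    """One train's soft control: an action is issued only after a complete,
    in-order selection, so a stray or out-of-order touch cannot actuate anything."""
    selections: dict = field(default_factory=dict)
    issued: list = field(default_factory=list)   # (activity, component, action) tuples
    touches: int = 0                              # every touch, accepted or rejected
    rejected: int = 0

    def touch(self, step: Step, value: str = "") -> bool:
        """Accept one touch; returns True if it advanced the sequence."""
        self.touches += 1
        expected = SEQUENCE[len(self.selections)]  # 0..3 selections made so far
        if step is not expected:
            self.rejected += 1                     # out-of-order touch: ignored
            return False
        if step is Step.EXECUTE:
            self.issued.append(tuple(self.selections[s] for s in SEQUENCE[:3]))
            self.selections.clear()
            return True
        self.selections[step] = value
        return True


def manipulate(ctrl: SoftControl, activity: str, component: str, action: str) -> int:
    """Perform one control manipulation the way Step 2 of the HFE evaluation
    counts it; returns the number of operator actions it took."""
    before = ctrl.touches
    ctrl.touch(Step.ACTIVITY, activity)
    ctrl.touch(Step.COMPONENT, component)
    ctrl.touch(Step.ACTION, action)
    ctrl.touch(Step.EXECUTE)
    return ctrl.touches - before


def response_time_s(actions: int, per_action_s: float, recognition_s: float) -> float:
    """Assumed response-time model: recognition time plus one fixed time per action."""
    return recognition_s + actions * per_action_s


def within_credited_time(actions: int, per_action_s: float,
                         recognition_s: float, credited_s: float) -> bool:
    """The Example 4-8 check: does the operator still act within the response
    time credited in the safety analysis?  (credited_s is an assumed value.)"""
    return response_time_s(actions, per_action_s, recognition_s) <= credited_s


if __name__ == "__main__":
    ctrl = SoftControl()
    n_new = manipulate(ctrl, "start system", "pump A", "start")  # four actions on new HSI
    n_old = 1                                                    # one switch turn on analog HSI
    print("actions new/old:", n_new, n_old, "issued:", ctrl.issued)
    # assumed timings: 1.5 s per action, 10 s recognition, 30 s credited
    print("within credited time (new HSI):", within_credited_time(n_new, 1.5, 10.0, 30.0))
```

Whether the extra actions matter for the Screen depends on what the licensing basis credits: with no credited response time (Example 4-7) the comparison is irrelevant, while with one credited (Example 4-8) the HFE evaluation has to show the four-touch sequence still completes within it.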
4.2.1.3 Screening Changes to UFSAR Methods of Evaluation

By definition, a proposed activity involving a digital modification involves SSCs and how SSCs are operated and controlled, not a method of evaluation described in the UFSAR (see NEI 96-07, Section 3.10).

Methods of evaluation are analytical or numerical computer models used to determine and/or justify conclusions in the UFSAR (e.g., accident analyses that demonstrate the ability to safely shut down the reactor or prevent/limit radiological releases). These models also use "software." However, the software used in these models is separate and distinct from the software installed in the facility. The response to this Screen consideration should reflect this distinction.

A necessary revision or replacement of a method of evaluation (see NEI 96-07, Section 3.10) resulting from a digital modification is separate from the digital modification itself, and the guidance in NEI 96-07, Section 4.2.1.3 applies.

4.2.2 Is the Activity a Test or Experiment Not Described in the UFSAR?

By definition, a proposed activity involving a digital modification involves SSCs and how SSCs are operated and controlled, not a test or experiment (see NEI 96-07, Section 4.2.2). The response to this Screen consideration should reflect this characterization.

A necessary test or experiment (see NEI 96-07, Section 3.14) involving a digital modification is separate from the digital modification itself, and the guidance in NEI 96-07, Section 4.2.2 applies.
4.3 Evaluation

CAUTION: The guidance contained in this section of the appendix is intended to supplement the generic Evaluation guidance contained in the main body in NEI 96-07, Section 4.3. Namely, the generic Evaluation guidance provided in the main body of NEI 96-07 and the more focused Evaluation guidance in this appendix BOTH apply to digital modifications.

4.3.1 Does the Activity Result in More Than a Minimal Increase in the Frequency of Occurrence of an Accident?

INTRODUCTION

From NEI 96-07, Section 3.2:

"The term 'accidents' refers to the anticipated (or abnormal) operational transients and postulated design basis accidents..."

Therefore, for purposes of 10 CFR 50.59, both Anticipated Operational Occurrences (AOOs) and Postulated Accidents (PAs) fall within the definition of "accident."

After applying the generic guidance in NEI 96-07, Section 4.3.1 to identify any accidents affected by the systems/components involved with the digital modification, the change is examined to determine if the frequency of these accidents could increase due to the change. When addressing this Evaluation criterion for digital upgrades, the key issue is determining if the digital equipment can increase the frequency of initiating events that lead to the identified accidents.

All initiating events fall into one of two categories: equipment-related or personnel-related. Therefore, the assessment of the impact of a digital modification also needs to consider both equipment-related and personnel-related sources.

For a digital modification, the range of possible equipment-related sources of initiating events includes items unique to digital and items not unique to digital. An example of an item unique to digital is consideration of the impact on accident frequency due to a software CCF, which will be addressed in this guidance. An example of a potential source of common cause failure that is not unique to digital is consideration of the impact on accident frequency due to the digital system's compatibility with the environment in which the system is being installed, which would be addressed by applying the general guidance in NEI 96-07, Section 4.3.1.

Typically, numerical values quantifying an accident frequency are not available, so the qualitative approach using the guidance from NEI 96-07, Section 4.3.1 will be applied in this guidance.

The frequency of occurrence of an accident is directly related to the likelihood of failure of equipment that initiates the accident (e.g., an increase in the likelihood of a steam generator tube failure has a corresponding increase in the frequency of a steam generator tube rupture accident). Thus, an increase in the likelihood of failure of the modified equipment causes an increase in the frequency of the accident.
GUIDANCE

Qualitative Assessment Outcome

If the qualitative assessment outcome is sufficiently low, then there is NOT more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFSAR.

If the qualitative assessment outcome is not sufficiently low, then there may be more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFSAR.

Negligible

To achieve a negligible conclusion, the change in the accident frequency "...is so small or the uncertainties in determining whether a change in frequency has occurred are such that it cannot be reasonably concluded that the frequency has actually changed (i.e., there is no clear trend toward increasing the frequency)"[1] [emphasis added].

Discernable

If a clear trend towards increasing the accident frequency exists, then a discernable increase in the accident frequency would exist. In this case, the software CCF likelihood would be not sufficiently low.

In this case, the engineering/technical information supporting the change (e.g., a qualitative assessment and/or any other supporting information) should be used to assess the qualitative increase in the magnitude of the accident frequency and determine if the discernable increase in the accident frequency is "more than minimal" or "NOT more than minimal."

As part of the assessment to determine the qualitative increase in the magnitude of the accident frequency, the concept of interdependence also needs to be considered and applied. Namely, interdependence considers the overall impact due to the change. For example, the "negative" impact due to a software CCF likelihood being not sufficiently low could be partially or wholly offset by the "positive" impacts due to the digital system/component itself and/or its design features.

Finally, to achieve a conclusion of "NOT more than minimal" based on the engineering/technical information supporting the change, the proposed activity must also continue to meet and/or satisfy all applicable NRC requirements, as well as design, material, and construction standards, to which the licensee is committed. Applicable requirements and standards include those selected by the licensee for use in the development of the proposed digital modification and documented within the design modification package.

[1] Refer to NEI 96-07, Section 4.3.1, Example 1.
EXAMPLES

Example 4-9 illustrates a case with not more than a minimal increase in the accident frequency.

Example 4-9. NOT MORE THAN A MINIMAL Increase in the Frequency of Occurrence of an Accident

Proposed Activity Description

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change. The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSC is sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

Conclusion

With the failure likelihood introduced by the modified SSC being sufficiently low, there is not more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFSAR (for the aspect being illustrated in this example).

Example 4-10 illustrates a case with more than a minimal increase in the accident frequency.

Example 4-10. MORE THAN A MINIMAL Increase in the Frequency of Occurrence of an Accident

Proposed Activity Description

Same as Example 4-9.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change. The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSC is not sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.
Conclusion

As documented in the qualitative assessment, the features of the design process and operating experience were insufficient to offset weaknesses in the design attributes that were available to prevent certain failures. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

With the failure likelihood introduced by the modified SSC being not sufficiently low and the inability to offset weaknesses in the design attributes, there is more than a minimal increase in the frequency of occurrence of the accident previously evaluated in the UFSAR (for the aspect being illustrated in this example).
4.3.2 Does the Activity Result in More Than a Minimal Increase in the Likelihood of Occurrence of a Malfunction of an SSC Important to Safety?

INTRODUCTION

After applying the generic guidance in NEI 96-07, Section 4.3.2 to identify any malfunctions affected by the systems/components involved with the digital modification, the change is examined to determine if the likelihood of these malfunctions could increase due to the change. When addressing this Evaluation criterion for digital upgrades, the key issue is determining if the digital equipment can increase the likelihood of initiating events that lead to the identified malfunctions.

All initiating events fall into one of two categories: equipment-related or personnel-related. Therefore, the assessment of the impact of a digital modification also needs to consider both equipment-related and personnel-related sources.

For a digital modification, the range of possible equipment-related sources of initiating events includes items unique to digital and items not unique to digital. An example of an item unique to digital is consideration of the impact on malfunction likelihood due to a software CCF, which will be addressed in this guidance. An example of a potential source of common cause failure that is not unique to digital is consideration of the impact on malfunction likelihood due to the digital system's compatibility with the environment in which the system is being installed, which would be addressed by applying the general guidance in NEI 96-07, Section 4.3.2.

Typically, numerical values quantifying a malfunction likelihood are not available, so the qualitative approach using the guidance from NEI 96-07, Section 4.3.2 will be applied in this guidance.

The likelihood of occurrence of a malfunction of an SSC important to safety is directly related to the likelihood of failure of equipment that causes a failure of SSCs to perform their intended design functions [e.g., an increase in the likelihood of failure of an auxiliary feedwater (AFW) pump has a corresponding increase in the likelihood of occurrence of a malfunction of SSCs (i.e., the AFW pump and the AFW system)]. Thus, an increase in the likelihood of failure of the modified equipment that causes the failure of an SSC to perform its intended design functions is directly related to the likelihood of the occurrence of a malfunction of an SSC important to safety.

Digital modifications that involve networking; combining design functions from different systems; interconnectivity across channels, systems, and divisions; or shared resources merit careful review to determine if such modifications cause reductions in the redundancy, diversity, separation, or independence of UFSAR-described design functions.
Combining different functions due to digital modifications can result in combining design functions of different systems, either directly in the same digital device or indirectly through shared resources.

Shared resources (e.g., bidirectional communications, power supplies, controllers, and multifunction display and control stations) introduced by digital modifications may reduce the redundancy, diversity, separation, or independence of UFSAR-described design functions.

GUIDANCE

As discussed in NEI 96-07, Section 4.3.2, Example 6, a proposed activity that reduces redundancy, diversity, separation or independence of the design function(s) is considered more than a minimal increase in the likelihood of a malfunction and requires prior NRC approval. However, licensees may reduce excess redundancy, diversity, separation or independence (if any) to the level credited in the UFSAR without prior NRC approval.

The possibility exists that a proposed activity can cause a previously incredible event to become credible.

Example 4-11 illustrates a case in which a previously incredible event has become credible due to a digital modification.

Example 4-11. Impact on the Likelihood of Occurrence of a Malfunction

Proposed Activity Description

Two safety-related containment chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Affected Malfunctions and Initiating Events

The affected malfunction is the failure of a safety-related containment chiller to provide its cooling design function. The UFSAR identifies three specific equipment-related initiating events of a containment chiller malfunction: (1) failure of the Emergency Diesel Generator (EDG) to start (preventing the EDG from supplying electrical power to the containment chiller it powers), (2) an electrical failure associated with the chiller system (e.g., feeder breaker failure), and (3) a mechanical failure within the chiller itself (e.g., flow blockage). The UFSAR also states that the single failure criteria were satisfied because two chillers were provided and there were no common malfunction sources.
Impact on Malfunction Likelihood

Although the safety-related chiller control system is not one of the three initiating events identified in the UFSAR, a new common malfunction source has been introduced due to the potential for a software common cause failure from the exact same software being used in both digital control systems. A common initiating event was previously considered, but was concluded to be nonexistent. However, this conclusion is no longer valid. Therefore, an impact on the likelihood of occurrence of the malfunction due to the digital modification has occurred. (NOTE: The magnitude of the impact would then need to be assessed using the engineering/technical information supporting the change and the concepts of interdependence described in NEI 96-07, Section 4.3.)
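The mechanism behind Example 4-11, and behind the software CCF discussion in Sections 4.3.1 and 4.3.2, is that identical software in two redundant trains is a shared component the original single-failure argument never had. The block below is an added illustration for this page, not NEI 96-07 text or any plant's qualitative assessment: it flags when a modification makes the trains share a software image that the analog design did not share, and then uses a beta-factor common-cause model (assumed here for illustration; the appendix itself applies a qualitative approach because numerical values are typically unavailable) to show why the dual-train failure that was "incredible" with independent trains becomes credible once a shared cause exists. Train names, software image identifiers, the single-train failure probability and the beta values are all constructed.

```python
"""Constructed illustration of why identical software in redundant trains is a
new common malfunction source (Example 4-11) and how it can move a two-train
failure from "incredible" to "credible" (Sections 4.3.1 and 4.3.2).
Added for this page; NEI 96-07 itself applies a qualitative assessment, and the
beta-factor numbers below are assumed, not plant data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Train:
    name: str
    software_image: Optional[str]   # None for an analog control system (no software)


def shared_software(trains) -> Optional[str]:
    """Return the software image every train runs, if they all run the same one.
    That shared image is a software common-cause failure (CCF) candidate."""
    images = {t.software_image for t in trains}
    if len(images) == 1:
        image = images.pop()
        if image is not None:
            return image
    return None


def introduces_common_malfunction_source(before, after) -> bool:
    """True when the modification makes the trains share software that they
    did not share before: the 'no common malfunction sources' statement in
    the UFSAR no longer holds for the modified SSC."""
    return shared_software(before) is None and shared_software(after) is not None


def dual_train_failure_probability(p: float, beta: float) -> float:
    """Beta-factor CCF model (assumed, for illustration): a fraction beta of each
    train's failure probability p is a shared cause that fails both trains at
    once; the remainder fails each train independently.  Returns P(both fail).
    beta = 0 is the case credited in the UFSAR (independent trains)."""
    common = beta * p
    independent = (1.0 - beta) * p
    # both trains fail if the shared cause occurs, or both independent parts occur
    return 1.0 - (1.0 - common) * (1.0 - independent ** 2)


def ccf_penalty(p: float, beta: float) -> float:
    """How many times more likely the dual-train failure becomes relative to
    the independent (beta = 0) case."""
    return dual_train_failure_probability(p, beta) / dual_train_failure_probability(p, 0.0)


# Constructed trains for the Example 4-11 containment chillers.
ANALOG_TRAINS = (Train("chiller A", None), Train("chiller B", None))
IDENTICAL_DIGITAL_TRAINS = (Train("chiller A", "ctrl-fw-1.0"), Train("chiller B", "ctrl-fw-1.0"))
DIVERSE_DIGITAL_TRAINS = (Train("chiller A", "ctrl-fw-1.0"), Train("chiller B", "alt-ctrl-2.3"))

if __name__ == "__main__":
    print("identical software adds CCF source:",
          introduces_common_malfunction_source(ANALOG_TRAINS, IDENTICAL_DIGITAL_TRAINS))
    print("diverse software adds CCF source:",
          introduces_common_malfunction_source(ANALOG_TRAINS, DIVERSE_DIGITAL_TRAINS))
    for beta in (0.0, 0.01, 0.1):   # assumed beta values, single-train p = 1e-3
        print(f"beta={beta:<5} P(both fail)={dual_train_failure_probability(1e-3, beta):.3e}")
```

With beta = 0 the dual-train probability is p squared; any non-zero beta adds a term proportional to p itself, which is why the shared software, not the hardware supplier, is the item the appendix singles out as unique to digital. The diverse-software pair shows the design feature that would keep the shared attribute out of the modified SSC, which is the kind of "positive" offset the interdependence discussion refers to.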
Qualitative Assessment Outcome

If the qualitative assessment outcome is sufficiently low, then there is NOT more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR.

If the qualitative assessment outcome is not sufficiently low, then there may be more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR.

Negligible

To achieve a negligible conclusion, the change in the malfunction likelihood "...is so small or the uncertainties in determining whether a change in likelihood has occurred are such that it cannot be reasonably concluded that the likelihood has actually changed (i.e., there is no clear trend toward increasing the likelihood)"[2] [emphasis added], and the qualitative assessment outcome for a software CCF will be sufficiently low.

Discernable

If a clear trend towards increasing the malfunction likelihood exists, then a discernable increase in the malfunction likelihood would exist. In this case, the software CCF likelihood would be not sufficiently low.

In this case, the engineering/technical information supporting the change (e.g., a qualitative assessment and/or any other supporting information) should be used to assess the qualitative increase in the magnitude of the malfunction likelihood and determine if the discernable increase in the malfunction likelihood is "more than minimal" or "NOT more than minimal."

As part of the assessment to determine the qualitative increase in the magnitude of the malfunction likelihood, the concept of interdependence also needs to be considered and applied. Namely, interdependence considers the overall impact due to the change. For example, the "negative" impact due to a software CCF likelihood being not sufficiently low could be partially or wholly offset by the "positive" impacts due to the digital system/component itself and/or its design features.

Finally, to achieve a conclusion of "NOT more than minimal" based on the engineering/technical information supporting the change, the proposed activity must also continue to meet and/or satisfy all applicable NRC requirements, as well as design, material, and construction standards, to which the licensee is committed. Applicable requirements and standards include those selected by the licensee for use in the development of the proposed digital I&C design modification and documented within the design modification package.

[2] Refer to NEI 96-07, Section 4.3.2, 4th paragraph.
EXAMPLES

Example 4-12 illustrates a case with not more than a minimal increase in the malfunction likelihood.

Example 4-12. NOT MORE THAN A MINIMAL Increase in the Likelihood of Occurrence of a Malfunction

Proposed Activity Description

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change. The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSC is sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

All applicable requirements and other acceptance criteria to which the licensee is committed, as well as applicable design, material and construction standards, continue to be met.

Conclusion

With the failure likelihood introduced by the modified SSC being sufficiently low, there is not more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR (for the aspect being illustrated in this example).

Example 4-13 illustrates a case with more than a minimal increase in the malfunction likelihood.

Example 4-13. MORE THAN A MINIMAL Increase in the Likelihood of Occurrence of a Malfunction

Proposed Activity Description

Two safety-related main control room chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

The logic components/system and controls for the starting and operation of the safety injection pumps are located within the main control room boundary. The environmental requirements associated with the logic components/system and controls are maintained within their allowable limits by the main control room cooling system, which includes the chillers involved with this digital modification.
Affected Malfunction

The review of the UFSAR accident analyses identified several events for which the safety injection pumps are assumed to start and operate (as reflected in the inputs and assumptions for the accident analyses).

In each of these events, the UFSAR states the following: "To satisfy single failure requirements, the loss of only one chiller control system and its worst case effect on the event due to the loss of one chiller has been considered in the accident analysis."

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change.

The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSC is not sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

An increase in the likelihood of occurrence of the malfunction of both safety injection pumps occurs since the single failure criteria are no longer met.

Conclusion

With the failure to satisfy single failure criteria, there is more than a minimal increase in the likelihood of occurrence of the malfunction of the safety injection pumps due to the digital modification. As documented in the qualitative assessment, the features of the design process and operating experience were insufficient to offset weaknesses in the design attributes that were available to prevent certain failures. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

With the failure likelihood introduced by the modified SSC being not sufficiently low and the inability to offset weaknesses in the design attributes, there is more than a minimal increase in the likelihood of occurrence of a malfunction previously evaluated in the UFSAR (for the aspect being illustrated in this example).

4.3.3 Does the Activity Result in More Than a Minimal Increase in the Consequences of an Accident?

There is no unique guidance applicable to digital modifications for responding to this Evaluation criterion because the identification of affected accidents and dose analysis inputs and/or assumptions are not unique for a digital modification. The guidance in NEI 96-07, Section 4.3.3 applies.

4.3.4 Does the Activity Result in More Than a Minimal Increase in the Consequences of a Malfunction?

There is no unique guidance applicable to digital modifications for responding to this Evaluation criterion because the identification of the affected malfunctions and dose analysis inputs and/or assumptions are not unique for a digital modification. The guidance in NEI 96-07, Section 4.3.4 applies.
4.3.5 Does the Activity Create a Possibility for an Accident of a Different Type?

INTRODUCTION

From NEI 96-07, Section 3.2:

"The term 'accidents' refers to the anticipated (or abnormal) operational transients and postulated design basis accidents..."

Therefore, for purposes of 10 CFR 50.59, both Anticipated Operational Occurrences (AOOs) and Postulated Accidents (PAs) fall within the definition of "accident."

GUIDANCE

From NEI 96-07, Section 4.3.5, the two considerations that need to be assessed when answering this Evaluation question are "as likely to happen as" and "accident of a different type."

Determination of "As Likely To Happen As"

From NEI 96-07, Section 4.3.5:

"The possible accidents of a different type are limited to those that are as likely to happen as those previously evaluated in the UFSAR. The accident must be credible in the sense of having been created within the range of assumptions previously considered in the licensing basis (e.g., random single failure, loss of offsite power, etc.)."

If the outcome of the qualitative assessment is sufficiently low, then the activity does not introduce any failures that are as likely to happen as those in the UFSAR that can initiate an accident of a different type. Therefore, the activity does not create a possibility for an accident of a different type than any previously evaluated in the UFSAR.

If the outcome of the qualitative assessment is not sufficiently low, then the activity may introduce failures that are as likely to happen as those in the UFSAR that can initiate an accident of a different type, i.e., the activity created a possibility. For these cases, this Evaluation criterion also needs to consider an accident of a different type.

Determination of "Accident of a Different Type"

For cases in which the outcome of the qualitative assessment is not sufficiently low, an accident of a different type needs to be determined, as follows:

If a revision to an existing accident analysis is to be performed, then the proposed activity does NOT create the possibility of an accident of a different type.

If a new accident analysis is needed, then the proposed activity DOES create the possibility of an accident of a different type.

EXAMPLES

Example 4-14 illustrates the NO CREATION of the possibility of an accident of a different type case.
Example 4-14. NO CREATION of the Possibility of an Accident of a Different Type

Proposed Activity

Two nonsafety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change.

The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSC is sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

Conclusion

With the failure likelihood introduced by the modified SSC being sufficiently low, the activity does not introduce any failures that are as likely to happen as those in the UFSAR that can initiate an accident of a different type. Therefore, the activity does not create a possibility for an accident of a different type than any previously evaluated in the UFSAR (for the aspect being illustrated in this example).

Example 4-15 illustrates the CREATION of the possibility of an accident of a different type case.

Example 4-15. CREATION of the Possibility of an Accident of a Different Type

Proposed Activity

Two nonsafety-related analog feedwater control systems and one nonsafety-related main turbine steam inlet valves analog control system exist.

The two feedwater control systems and the one main turbine steam inlet valves control system will be combined into a single digital control system.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change.

The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSC is not sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.
Malfunction/Accident Identification

The UFSAR describes the following feedwater control system malfunctions: (a) failures causing the loss of all feedwater to the steam generators, which is evaluated in the Loss of Feedwater event, and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs, which is evaluated in the Excess Feedwater event.

The UFSAR describes the following main turbine steam inlet valves control system malfunctions: (a) all valves going fully closed causing no steam to be admitted into the turbine, which is evaluated in the Turbine Trip event, and (b) all valves going fully open causing excess steam to be admitted into the turbine, which is evaluated in the Excess Steam Demand event.

Therefore, the impact of the failures that are as likely to happen as those in the UFSAR that can initiate an accident of a different type will be assessed for the following accident analyses:

- 1. Loss of Feedwater
- 2. Excess Feedwater
- 3. Turbine Trip
- 4. Excess Steam Demand

Accident of a Different Type Assessment

The following events and combination of events will be assessed:
- a. Loss of both feedwater pumps in the Loss of Feedwater accident analysis
- b. Increase in main feedwater flow to the maximum output from both MFWPs in the Excess Feedwater accident analysis
- c. All main turbine steam inlet valves going fully closed in the Turbine Trip accident analysis
- d. All main turbine steam inlet valves going fully open in the Excess Steam Demand accident analysis
- e. Combination of a Loss of Feedwater event and a Turbine Trip event
- f. Combination of a Loss of Feedwater event and an Excess Steam Demand event
- g. Combination of an Excess Feedwater event and a Turbine Trip event
- h. Combination of an Excess Feedwater event and an Excess Steam Demand event

Events (A) through (D) are already considered in the accident analyses and revisions to existing accident analyses are possible. Thus, events (A) through (D) do NOT create the possibility of an accident of a different type (for the aspect being illustrated in this example).
The current set of accidents identified in the accident analyses does not consider the simultaneous events represented by events (E) through (H).

Therefore, events (E) through (H) will need new accident analyses to be performed, creating the possibility of accidents of a different type (for the aspect being illustrated in this example).
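The reasoning of Example 4-15 can be carried out mechanically: once formerly separate control systems share one software image, a software CCF can fail them together, so the failure assessment must postulate simultaneous malfunctions across systems and check each against the set of initiators the UFSAR already analyses. The following script is an added illustration, not part of NEI 96-07 Appendix D or of any licensee process; the system, malfunction and event names are taken from Example 4-15, while the data structures and functions are constructed here.

```python
"""Added example (not from NEI 96-07 Appendix D): enumerate the simultaneous
malfunctions that a single digital controller replacing several analog
control systems could cause through a software CCF, and sort each case into
"revise an existing accident analysis" or "new accident analysis needed"."""
from dataclasses import dataclass
from itertools import combinations, product


@dataclass(frozen=True)
class Malfunction:
    system: str       # control system whose failure mode this is
    label: str        # plain-language failure mode
    ufsar_event: str  # accident analysis that currently evaluates it


def ccf_cases(systems):
    """Postulate what one software CCF in the merged controller can do.

    systems: dict mapping system name -> list of Malfunction.
    Returns a list of frozensets of UFSAR event names.  Each system's own
    malfunctions are kept (they remain as likely to happen as before), and
    every pairing of one malfunction from each of two distinct systems is
    added, because the shared software can fail both systems at once.
    Two malfunctions of the same system are not paired: one controller
    cannot drive the same valves fully open and fully closed together.
    """
    cases = []
    for mfs in systems.values():
        cases.extend(frozenset([m.ufsar_event]) for m in mfs)
    for sys_a, sys_b in combinations(systems, 2):
        for m_a, m_b in product(systems[sys_a], systems[sys_b]):
            cases.append(frozenset([m_a.ufsar_event, m_b.ufsar_event]))
    return cases


def assess_accident_types(systems, analysed):
    """Split the postulated cases into revisions and new analyses.

    analysed: set of frozensets, each the set of initiating events that one
    existing UFSAR accident analysis considers together.  A case matching an
    existing analysis can be handled by revising that analysis (no accident
    of a different type); a case no analysis considers needs a new analysis
    and therefore creates the possibility of an accident of a different type.
    """
    revisions, new_analyses = [], []
    for case in ccf_cases(systems):
        (revisions if case in analysed else new_analyses).append(case)
    return revisions, new_analyses


# Constructed input mirroring Example 4-15: the feedwater control systems
# and the main turbine steam inlet valve control system become one device.
FW = "Feedwater Control"
TV = "Main Turbine Steam Inlet Valve Control"
EXAMPLE_SYSTEMS = {
    FW: [
        Malfunction(FW, "loss of all feedwater to the steam generators",
                    "Loss of Feedwater"),
        Malfunction(FW, "feedwater flow at maximum output from both MFWPs",
                    "Excess Feedwater"),
    ],
    TV: [
        Malfunction(TV, "all steam inlet valves fully closed", "Turbine Trip"),
        Malfunction(TV, "all steam inlet valves fully open",
                    "Excess Steam Demand"),
    ],
}
# Each existing UFSAR analysis considers one of these initiators on its own.
EXAMPLE_ANALYSED = {
    frozenset(["Loss of Feedwater"]), frozenset(["Excess Feedwater"]),
    frozenset(["Turbine Trip"]), frozenset(["Excess Steam Demand"]),
}


if __name__ == "__main__":
    revise, new = assess_accident_types(EXAMPLE_SYSTEMS, EXAMPLE_ANALYSED)
    print("Revise existing analysis:")
    for case in revise:
        print("  ", " + ".join(sorted(case)))
    print("New analysis needed (accident of a different type):")
    for case in new:
        print("  ", " + ".join(sorted(case)))
```

Running it lists the four single-system cases (a) through (d) as revisions and the four cross-system combinations (e) through (h) as new analyses; adding a combination to the analysed set moves it to the revision list, which is the check an evaluator would make after a new analysis has been performed.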
4.3.6 Does the Activity Create a Possibility for a Malfunction of an SSC Important to Safety with a Different Result?

INTRODUCTION

NOTE: Due to the unique nature of digital modifications and the inherent complexities therein, the application of this criterion is especially important. Specifically, the unique aspect of concern is the potential for a software CCF to create the possibility for a malfunction with a different result.

Therefore, rather than providing simplistic supplemental guidance to that already included in NEI 96-07, Section 4.3.6, more detailed guidance will be provided in this section.

Review

To ensure the unique aspects of digital modifications are addressed correctly and adequately, a review of selected discussions and excerpts from NEI 96-07, including malfunctions, design functions, and safety analyses, is presented first.

CAUTION: The following review summaries are intended for general understanding only. For complete discussions of each term, see the references identified for each term.

From NEI 96-07, Section 3.9:

Malfunction of SSCs important to safety means the failure of SSCs to perform their intended design functions described in the UFSAR (whether or not classified as safety-related in accordance with 10 CFR 50, Appendix B). [emphasis added]

From NEI 96-07, Section 3.3:

Design functions are UFSAR-described design bases functions and other SSC functions described in the UFSAR that support or impact design bases functions... [emphasis added]

Also,

Design bases functions are functions performed by systems, structures and components (SSCs) that are (1) required by, or otherwise necessary to comply with, regulations, license conditions, orders or technical specifications, or (2) credited in licensee safety analyses to meet NRC requirements. [emphasis added]

Furthermore,

Design functions... include functions that, if not performed, would initiate a transient or accident that the plant is required to withstand. [emphasis added]
Finally,

As used above, credited in the safety analyses means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigative actions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question). The phrase support or impact design bases functions refers both to those SSCs needed to support design bases functions (cooling, power, environmental control, etc.) and to SSCs whose operation or malfunction could adversely affect the performance of design bases functions (for instance, control systems and physical arrangements). Thus, both safety-related and nonsafety-related SSCs may perform design functions. [emphasis added]
This definition is oriented around the definition of design bases function, which itself is defined in NEI 97-04, Appendix B, Guidelines and Examples for Identifying 10 CFR 50.2 Design Bases, endorsed by Regulatory Guide 1.186, and highlighted in bold above.

A more complete understanding of the meaning of a design bases function can be obtained by examination of NEI 97-04, Appendix B. From NEI 97-04, Appendix B, the three characteristics of design bases functions are summarized as follows:

- 1. Design bases functions are performed by SSCs that are required by, or otherwise necessary to comply with NRC requirements, or credited in the safety analyses.
- 2. The functions of any individual SSC are functionally below that of design bases functions.
- 3. Design bases functions are derived primarily from the General Design Criteria.

Repeating a portion from above to highlight the importance of identifying the design bases function and its connection to a safety analysis result, we have the following:

As used above, credited in the safety analyses means that, if the SSC were not to perform its design bases function in the manner described, the assumed initial conditions, mitigative actions or other information in the analyses would no longer be within the range evaluated (i.e., the analysis results would be called into question). [emphasis added]

Then, from NEI 96-07, Section 3.12:

Safety analyses are analyses performed pursuant to NRC requirements to demonstrate the integrity of the reactor coolant pressure boundary, the capability to shut down the reactor and maintain it in a safe shutdown condition, or the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines in 10 CFR 50.34(a)(1) or 10 CFR 100.11... and include, but are not limited to, the accident analyses typically presented in Chapter 15 of the UFSAR. [emphasis added]

And from the first sentence of the associated discussion:

Safety analyses are those analyses or evaluations that demonstrate that acceptance criteria for the facility's capability to withstand or respond to postulated events are met. [emphasis added]

Also included in the definition of safety analyses are supporting UFSAR analyses that demonstrate that SSC design functions will be accomplished as credited in the accident analyses.
Failure Modes and Effects Analysis (FMEA)

NEI 96-07, Section 4.3.6 recognizes that the effect of a proposed modification must be assessed. This assessment may require the use of a failure modes and effects analysis (FMEA), including the possible creation of a new FMEA.

From NEI 96-07, Section 4.3.6:

In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed. [emphasis added]

If a new/revised FMEA is determined to be needed, other effects of a digital modification could create new failure modes in addition to failures caused by software (e.g., combining functions, creating new interactions with other systems, changing response time). For example, if previously separate functions are combined in a single digital device, the failure assessment should consider whether single failures that could previously have affected only individual design functions can now affect multiple design functions.

Overall Perspective

NEI 96-07, Section 4.3.6 provides the overall perspective on this Evaluation criterion with its first sentence, which states:

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction.

GUIDANCE

From NEI 96-07, Section 4.3.6, the two considerations that need to be assessed when answering this Evaluation question are "as likely to happen as" and the impact on the malfunction result.

Determination of "As Likely to Happen As"

From NEI 96-07, Section 4.3.6:

The possible malfunctions with a different result are limited to those that are as likely to happen as those described in the UFSAR; a proposed change or activity that increases the likelihood of a malfunction previously thought to be incredible to the point where it becomes as likely as the malfunctions assumed in the UFSAR could create a possible malfunction with a different result. [emphasis added]

If the outcome of the qualitative assessment is sufficiently low, then the activity does not introduce any failures that are as likely to happen as those in the UFSAR. Therefore, the activity does not create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR.
If the outcome of the qualitative assessment is not sufficiently low, then the activity may introduce failures that are as likely to happen as those in the UFSAR that can create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR. For these cases, this Evaluation criterion also needs to consider the impact of this potential failure on the safety analysis result using assumptions consistent with the plant's UFSAR.

EXAMPLE

Example 4-16 illustrates the NO CREATION of the possibility for a malfunction with a different result case.

Example 4-16. NO CREATION of the Possibility for a Malfunction with a Different Result

Proposed Activity

A large number of analog transmitters in several different systems and uses are being replaced with digital transmitters. These transmitters perform a variety of functions, including controlling the automatic actuation of devices (e.g., valve stroking) that are credited in a safety analysis.

Qualitative Assessment Outcome

A qualitative assessment was included in the engineering/technical information supporting the change.

The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment and concluded that the failure likelihood introduced by the modified SSCs is sufficiently low. For the specific items that were considered within each factor, refer to the qualitative assessment documented in design change package X.

Conclusion

With the failure likelihood introduced by the modified SSCs being sufficiently low, the activity does not introduce any failures that are as likely to happen as those in the UFSAR that can initiate a malfunction of an SSC important to safety. Therefore, the activity does not create a possibility for a malfunction of an SSC important to safety with a different result from any previously evaluated in the UFSAR (for the aspect being illustrated in this example).

Determination of Impact on Malfunction Result

For cases in which the qualitative assessment outcome is a failure likelihood of not sufficiently low, the impact on the result of a malfunction of an SSC important to safety needs to be assessed to determine if the result is different.

The generic process to determine the impact on the result of a malfunction of an SSC important to safety (i.e., a comparison of the malfunction results to identify any different results) consists of multiple steps, as summarized next.
Step 1: Identify the functions directly or indirectly related to the proposed modification.

Considering the scope of the proposed digital modification, identify the functions that are directly or indirectly related to the proposed activity.

The functions identified as part of this step will be further classified in Step 2.

As a reminder of the guidance provided in NEI 96-07, the following additional guidance is provided to assist in the identification and consideration of the proper scope of SSCs and their functions:

- 1. Identification and consideration of the proper scope of SSCs is concerned with the functional involvement of an SSC, not necessarily only its level of direct description in the UFSAR.
- 2. In cases in which a proposed activity involves a subcomponent/component that is not directly described in the UFSAR, the effect of the proposed activity involving the subcomponent/component needs to consider the impact on the system in which the subcomponent/component is a part.
- 3. In cases in which a proposed activity involves a subcomponent/component that is not described in the UFSAR, the effect of the proposed activity involving the subcomponent/component needs to consider the impact on the system that the subcomponent/component supports.

Regardless of the level of description, the assessment of the impact also needs to consider the elements of a design function as described in NEI 96-07, Section 3.3, which are repeated below:

Implicitly included within the meaning of design function are the conditions under which intended functions are required to be performed, such as equipment response times, process conditions, equipment qualification and single failure.

Design functions may be performed by safety-related SSCs or nonsafety-related SSCs and include functions that, if not performed, would initiate a transient or accident that the plant is required to withstand.

Step 2: Identify which of the functions from Step 1 are Design Functions and/or Design Bases Functions.

Utilizing NEI 96-07, Section 3.3, classify each of the functions from Step 1 as either NOT a design function or as a design function.

If no design functions are identified, then the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result because malfunctions (and the results thereof) refer ONLY to the failure of an SSC to perform its intended design functions.

For each design function identified above, utilize NEI 96-07, Section 3.3 (along with Appendix B to NEI 97-04, as needed) to separate the functions into the following categories:
- 1) design bases functions because:
  - a. they are required by, or otherwise necessary to comply with, regulations, license conditions, orders or technical specifications
  - b. they are credited in licensee safety analyses to meet NRC requirements
- 2) design functions because:
  - a. they support or impact design bases functions categorized as 1.a above
  - b. they support or impact design bases functions categorized as 1.b above
- 3) design functions that are not involved with design bases functions, but are functions that if not performed would initiate a transient or accident that the plant is required to withstand.

If multiple design functions are identified, each design function is to be considered individually in this multi-step process.

One means to determine if a design function is a design bases function due to category 1.a or 1.b above would be by identifying the requirement (e.g., regulation, license condition, order, or technical specification) or associated General Design Criteria (GDC) to which a design bases function applies or, more specifically, the associated principal design criteria (PDC) for an individual facility, the minimum standards for which are set by 10 CFR Part 50 Appendix A (or perhaps their 1967 precursors). Each design function may then be related to, for example, the requirements discussed within the GDC to determine if that design function is directly involved with the design bases function itself or if the design function supports or impacts the related design bases function. If the design function is found to directly involve the GDC requirement, then that design function is a design bases function. If the design function supports or impacts the GDC requirement, then it is not a design bases function, but is still credited in the safety analysis.

As described in NEI 96-07, Section 4.3.2 (but equally applicable here), safety analyses typically assume certain SSCs perform certain design functions as part of demonstrating the adequacy of the design. The process of determining if a design function is a design bases function should include both direct and indirect effects on the design functions.

However, safety analyses do not typically identify all of the SSCs that are relied upon to perform their design functions. Thus, certain design functions, while not specifically identified in the safety analyses, are credited in an indirect sense. Therefore, the review should not be limited to only the SSCs discussed in the safety analyses. For example, performing a design change on a valve controller in a high pressure safety injection system would be considered to involve an SSC credited in the safety analyses even though the valve itself may not be mentioned in the safety analyses.

Finally, as described in NEI 96-07, definition 3.3, an SSC's classification as safety-related or nonsafety-related is not a determining factor in identifying design functions. For example, a given control system may be nonsafety-related but is still considered to be credited in the safety analysis and categorized as 2.b.
If no design bases functions are involved, proceed to Step 5 since neither the performance of design bases functions nor the support or impact of design bases functions are involved.

(NOTE: The potential for more severe accident initiation is addressed in Step 5. These design functions should have been categorized as 3.)

Step 3: Determine if a new FMEA needs to be generated.

If the impact on the design bases function involved is readily apparent, no new FMEA needs to be generated. Go to Step 4.

For example, there is no reason to contemplate the generation of a new FMEA if the impact of the failure on the design bases functions is recognized as being immediate. Otherwise, generate the new FMEA to describe the connection of the proposed activity, or failures due to the proposed activity, to an impact on the design bases functions.

As part of the process for generating the new FMEA, presume compliance with pre-existing/interdependent, modification-related procedures and utilization of existing equipment to determine if adequate SSC design and/or operational (i.e., procedural) options exist to mitigate potential detrimental impacts on design functions.

Interdependence is discussed in NEI 96-07, Sections 4.2 and 4.3 (which is distinct from compensatory actions discussed in NEI 96-07, Section 4.4). An example of an interdependent procedure change would be the modifications to an existing procedure to reflect operation of the new digital equipment and controls, including any new features such as a control system restart option. (NOTE: NEI 96-07, Section 4.3.2, Example 4 provides guidance on assessing new operator actions.)

Step 4: Determine if each design bases function continues to be performed/satisfied.

If all design bases functions continue to be performed/satisfied, and there are no other design functions involved, then the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result because no malfunction occurs. With no malfunction occurring, there cannot be a different result.

For any design bases functions that do not continue to be performed/satisfied, or other design functions that are involved, continue to Step 5.

Step 5: Identify all involved malfunctions of an SSC important to safety previously evaluated in the UFSAR.

Considering the scope of design functions and design bases functions placed into categories 1.a or 2.a from Step 2, identify all pre-existing UFSAR evaluations associated with these design functions. In addition, for those design functions placed into category 1.a or 2.a, reconsider earlier conclusions made as part of the 10 CFR 50.59 applicability determination because there may be other requirements associated with the involved design functions (e.g., a more specific change regulation, change to Technical Specifications, or change to the Operating License itself).
Considering the scope of design functions and design bases functions placed into categories 1.b and 2.b from Step 2, identify all involved malfunctions of an SSC important to safety previously evaluated in the UFSAR by identifying all safety analyses[3] that rely directly or indirectly on the design bases function's performance/satisfaction.
Identify all safety analyses related to any other design function that could impact either the accident's initiation or the event's initial conditions (i.e., design functions that, if not performed, would initiate a transient or accident that the plant is required to withstand). These design functions should have been categorized as either 2.b or 3 as part of Step 2.

Step 6: For each involved malfunction of an SSC important to safety, compare the projected/postulated results with the previously evaluated results.

From NEI 96-07, Section 4.3.6:

Malfunctions of SSCs are generally postulated as potential single failures to evaluate plant performance with the focus being on the result of the malfunction rather than the cause or type of malfunction. A malfunction that involves an initiator or failure whose effects are not bounded by those explicitly described in the UFSAR is a malfunction with a different result. A new failure mechanism is not a malfunction with a different result if the result or effect is the same as, or is bounded by, that previously evaluated in the UFSAR.

NEI 96-07, Section 4.3.6 provides the following guidance regarding the identification of failure modes and effects:

Once the malfunctions previously evaluated in the UFSAR and the results of these malfunctions have been determined, then the types and results of failure modes that the proposed activity could create are identified.

For those design functions only placed into categories 1.a or 2.a (i.e., not 1.b, or 2.b, or 3), assess the results of all pre-existing UFSAR evaluations and the potential for any revision to previously described results. If the results of revised evaluations are inconsistent with the regulations, license conditions, orders or technical specifications that were identified as part of Step 2, then the proposed activity creates the possibility for a malfunction of an SSC important to safety with a different result. (The response to criterion 2 may have already identified this inconsistency with regulations, etc.)

For those design functions placed into any other category or combination of categories, if any of the previous evaluations of involved malfunctions of an SSC important to safety have become invalid due to their basic assumptions no longer being valid (e.g., single failure assumption is not maintained), or if the numerical result(s) of any existing safety analysis would no longer satisfy the acceptance criteria (i.e., the revised safety analysis no longer satisfies the acceptance criteria identified in the associated safety analysis), then the proposed activity creates the possibility for a malfunction of an SSC important to safety with a different result. If the acceptance criteria are still satisfied and the basic assumptions remain valid, there is no different result even if the malfunction of an SSC important to safety would otherwise cause changes to input parameters described in the UFSAR.
As part of the response and determining if the malfunction results continue to be bounded, include the impact on the severity of the initiating conditions and the impact on the initial conditions assumed in the associated safety analysis. Specifically, consider any design functions that, if not performed, would initiate a transient or accident that the plant is required to withstand. (Category 3 from Step 2.)

[3] NEI 96-07, Section 3.12, Safety Analysis
EXAMPLES

Examples 4-17 through 4-21 illustrate some cases of NO CREATION of a malfunction with a different result by applying the multi-step process outlined above.

Example 4-17. NO CREATION of a Malfunction with a Different Result

Proposed Activity

A feedwater control system is being upgraded from an analog system to a digital system.

Currently, only one feedwater flow control valve (out of four) could fail closed due to a failure of the analog control system. In the proposed design, all four feedwater flow control valves could simultaneously fail closed due to a software CCF in the digital control system.

Impact on Malfunction Result

Step 1:

The pertinent function of the feedwater control system is to establish and maintain steam generator water level within predetermined physical limits during normal operating conditions.

Step 2:

The function of the feedwater control system is classified as a design function due to its ability to initiate a transient or accident that the plant is required to withstand. This is a category 3 design function. Since no design bases functions are involved, proceed to Step 5.

Step 3:

Not applicable

Step 4:

Not applicable

Step 5:

The design function involved was identified as category 3. The pertinent safety analysis is the accident analysis for Loss of Feedwater. The feedwater control system has a direct impact on the accident analysis assumptions and modeling.

Step 6:

Currently, only one feedwater flow control valve (out of four) could fail closed due to a failure of the analog control system. In the proposed design, all four feedwater flow control valves could simultaneously fail closed due to a software CCF in the digital control system.
Althoughonlyonefeedwaterflowcontrolvalvecouldfailduetoafailureoftheanalogcontrol system,theLossofFeedwateraccidentanalysisassumedtheclosureofallfourflowcontrol valves.TheseverityoftheinitiatingfailureassumedintheLossofFeedwateraccidentanalysis (fourvalvesaffected)isunchangedsincetheanalysiscurrentlyassumesatotallossof feedwaterflow.Thefailuremode(valveclosure)isdeterminedtohavenoeffectonthis
FebruaryMay2020
©NEI2020.Allrightsreserved.
nei.org43 assumption.Themechanismbywhichfeedwaterflowislost(lossofcontrolsignal)hasno impactontheinitialconditionsoftheevent.
Conclusion AlthoughthesoftwareCCFlikelihoodwasdeterminedtobenotsufficientlylow,theinitiationseverity assumedintheLossofFeedwateraccidentanalysis(fourvalvesaffected),thefailuremode(valve closure)andthemechanismbywhichfeedwaterflowwaslost(lossofcontrolsignal)remainbounded.
Furthermore,theresultsoftheexistingsafetyanalysisremainsboundingas,includingthetypeofevent (increasingpressure)andallacceptancecriteriathatmustberemainsatisfied(maximumallowedpeak RCSpressureandmaximumallowedsecondarypressure)remainbounded.
Thus,theproposedactivitydoesNOTcreatethepossibilityforamalfunctionofanSSCimportantto safetywithadifferentresult(fortheaspectbeingillustratedinthisexample).
Example 4-18. NO CREATION of a Malfunction with a Different Result

Proposed Activity
A feedwater control system is being upgraded from an analog system to a digital system.

Currently, only one of four feedwater flow control valves is assumed to fail open as part of the initiation of the Excess Feedwater event. In the proposed design, all four feedwater flow control valves could simultaneously fail open following a software CCF.

Impact on Malfunction Result

Step 1:
The identified function is to establish and maintain steam generator water level within predetermined physical limits during normal operating conditions.

Step 2:
The function is classified as a design function due to its ability to initiate a transient or accident that the plant is required to withstand. This is a category 3 design function. Since no design bases functions are involved, proceed to Step 5.

Step 3:
Not applicable

Step 4:
Not applicable

Step 5:
The design function involved was identified as category 3. The pertinent safety analysis is the accident analysis for Excess Feedwater. The feedwater control system has a direct impact on the accident analysis assumptions and modeling.

Step 6:
Currently, only one of four feedwater flow control valves fails open as part of the initiation of the Excess Feedwater event. In the proposed design, all four feedwater flow control valves could simultaneously fail open following a software CCF. The severity of the initiating failure has increased due to four valves supplying flow as compared to one valve prior to the change.

The minimum acceptable departure from nucleate boiling ratio (DNBR) in the associated safety analysis, as stated in the UFSAR, is 1.30. (Note: this is the acceptance criterion.)

The current safety analysis result is a calculated minimum DNBR value equal to 1.42.

After using the increased value for the new feedwater flow (to represent the increase in feedwater flow caused by the opening of the four feedwater flow control valves) in a revision to the Excess Feedwater accident analysis, the new safety analysis result is a minimum DNBR value equal to 1.33.

The new minimum DNBR (1.33) satisfies the acceptance criterion (1.30).

Note: the values used in this example are for illustrative purposes only, as the DNBR is typically a vendor/station-specific value.

Conclusion
Although the software CCF likelihood was determined to be not sufficiently low and the severity of the initiating failure has increased, a comparison of the minimum DNBR values shows that the safety analysis remains bounding as the associated acceptance criteria are satisfied. Therefore, the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result.
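The Step 6 test that Examples 4-17 and 4-18 walk through by hand can be written down as a small decision routine, which makes the two ways a "different result" arises (an invalidated basic assumption, or a revised result that no longer satisfies its acceptance criterion) explicit and keeps "minimum" and "maximum" type criteria from being compared the wrong way round. The following Python is an added example, not NEI's text or any tool from this document; the Criterion, SafetyAnalysis and evaluate names are the example's own, the DNBR values are the illustrative ones from Example 4-18, and the pressure limit and result in the second case are constructed placeholders rather than values from the page or any plant.

```python
"""Step 6 bounding check for the 'malfunction with a different result'
question, Criterion (vi) of 10 CFR 50.59.

Added example (not NEI's text or code). It encodes the rule stated in this
appendix: a different result is created when (a) a basic assumption of an
existing safety analysis, such as the single failure assumption, is no
longer valid, or (b) a numerical result of the revised safety analysis no
longer satisfies its acceptance criterion. A change to input parameters
alone does not create a different result.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    """One acceptance criterion of a safety analysis.

    kind is "min" when the result must stay at or above the limit (e.g.
    minimum DNBR) and "max" when it must stay at or below it (e.g. peak RCS
    pressure). A result exactly equal to the limit still satisfies it.
    """
    name: str
    kind: str
    limit: float
    units: str = ""

    def satisfied_by(self, value: float) -> bool:
        if self.kind == "min":
            return value >= self.limit
        if self.kind == "max":
            return value <= self.limit
        raise ValueError(f"unknown criterion kind: {self.kind!r}")


@dataclass
class SafetyAnalysis:
    """The revised analysis for one event after the proposed digital change."""
    event: str
    criteria: list                  # list of Criterion
    assumptions: dict               # basic assumption -> still valid?
    revised_results: dict           # criterion name -> revised numerical result


def evaluate(analysis: SafetyAnalysis) -> dict:
    """Apply Step 6 to one safety analysis.

    Returns which basic assumptions are invalidated, which acceptance
    criteria the revised results fail, and the overall finding. A missing
    revised result is an error rather than a pass: the criterion has not
    been shown to be satisfied.
    """
    invalid = [name for name, ok in analysis.assumptions.items() if not ok]
    failed = []
    for crit in analysis.criteria:
        if crit.name not in analysis.revised_results:
            raise KeyError(f"no revised result for {crit.name!r}")
        if not crit.satisfied_by(analysis.revised_results[crit.name]):
            failed.append(crit.name)
    return {
        "event": analysis.event,
        "invalid_assumptions": invalid,
        "unsatisfied_criteria": failed,
        "different_result": bool(invalid or failed),
    }


def summarize(analysis: SafetyAnalysis) -> str:
    """One-line finding in the wording the appendix uses for Step 6."""
    r = evaluate(analysis)
    if not r["different_result"]:
        return f"{r['event']}: acceptance criteria satisfied, assumptions valid; NO different result"
    reasons = []
    if r["invalid_assumptions"]:
        reasons.append("assumption(s) invalidated: " + ", ".join(r["invalid_assumptions"]))
    if r["unsatisfied_criteria"]:
        reasons.append("criteria not satisfied: " + ", ".join(r["unsatisfied_criteria"]))
    return f"{r['event']}: {'; '.join(reasons)}; CREATES a different result"


# Example 4-18 as stated on the page: four valves fail open, minimum DNBR falls
# from 1.42 to 1.33 but still meets the 1.30 acceptance criterion.
EXCESS_FEEDWATER = SafetyAnalysis(
    event="Excess Feedwater",
    criteria=[Criterion("minimum DNBR", "min", 1.30)],
    assumptions={"initial conditions": True},
    revised_results={"minimum DNBR": 1.33},
)

# Pattern of Examples 4-22/4-23: the number stays inside its limit but the
# single failure assumption no longer holds. The pressure limit and result
# are constructed placeholders, not values from the page or any plant.
RPS_SINGLE_FAILURE = SafetyAnalysis(
    event="AOO requiring reactor trip",
    criteria=[Criterion("peak RCS pressure", "max", 2750.0, "psia")],
    assumptions={"single failure": False},
    revised_results={"peak RCS pressure": 2600.0},
)

if __name__ == "__main__":
    for a in (EXCESS_FEEDWATER, RPS_SINGLE_FAILURE):
        print(summarize(a))
```

The second case is the point worth keeping in view when reading Examples 4-22 through 4-24: a revised number that still sits inside its limit is not enough on its own, because an invalidated single failure assumption invalidates the analysis regardless of the number.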
Example 4-19. NO CREATION of a Malfunction with a Different Result

Proposed Activity
A complete upgrade of the area radiation monitors that monitor a variety of areas (e.g., rooms, cubicles, pipe chases, hallways) for high radiation is proposed. The outdated analog-based radiation monitors are being replaced by digital-based monitors. The hardware platform for each area radiation monitor is from the same supplier and the software in each area radiation monitor is exactly the same.

Impact on Malfunction Result

Step 1:
The pertinent function of each radiation monitor is to monitor the various compartments, rooms and areas that may be subject to an increase in radiation.

Step 2:
In this case, whether the function is a design bases function is not readily apparent, so the associated GDC will be identified and examined.

Criterion 64 - Monitoring radioactivity releases. Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents. [emphasis added]

The area radiation monitors perform a function that is necessary to comply with a requirement specified in GDC 64. This is a category 1.a design bases function. None of the other four categories are applicable to this function, since the radiation monitors are not credited directly or indirectly in a safety analysis and are not functions that, if not performed, would initiate a transient or accident that the plant is required to withstand.

Step 3:
No new FMEA needs to be generated. The effect of a postulated software CCF on the design bases function is readily apparent.

Step 4:
If a software CCF occurs, the area radiation monitors will not perform their design bases function. Thus, the design bases function will not be performed/satisfied.

Step 5:
The design bases function involved was only identified as category 1.a. Therefore, all pre-existing UFSAR-described evaluations associated with these radiation monitors will be identified. Although there are no evaluations of the failure of these radiation monitors in the existing UFSAR, the existing UFSAR states that the monitoring of radioactivity is consistent with GDC 64. In addition, there are no safety analyses that directly or indirectly credit this design bases function. Namely, there are no considerations of malfunctions of single or multiple radiation monitors, no expected plant response to the radiation monitors, and no expected responses of the radiation monitors themselves, in any safety analysis.

Step 6:
In the proposed design, the area radiation monitors could simultaneously fail following a software CCF. The design bases function involved was only identified as category 1.a. The licensee reviewed the pre-existing UFSAR-described evaluations associated with GDC 64 compliance and determined whether the revision remains consistent with the requirements of GDC 64 and whether there is any change in a malfunction result in the existing UFSAR.

In this instance, the evaluation in the existing UFSAR stated that the licensee followed Regulatory Guide 1.97 to implement the requirements of GDC 64 by imposing the requirements of a Type E variable on these radiation monitors. The radiation monitors in the proposed design continue to satisfy these requirements, with the revised evaluation results showing the monitoring of radioactivity remains consistent with both GDC 64 and the requirements imposed by Regulatory Guide 1.97. The proposed design also does not affect other aspects of GDC 64 compliance such as routine radiological environmental monitoring and sampling. In both the current and proposed designs, failure of the radiation monitors would be handled through existing station processes, procedures, and corrective action programs.

Conclusion
Although the software CCF likelihood was determined to be not sufficiently low, the revised evaluation of the radiation monitors indicates that the results remain consistent with both GDC 64 and the requirements imposed by Regulatory Guide 1.97, and that the failure of the radiation monitors does not create the possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the existing UFSAR.

In addition, consistent with the design bases functions involved only belonging to category 1.a, there are no safety analyses that directly or indirectly credit the design bases function, or contain expected responses of the radiation monitors or expected plant response to the radiation monitors.

Therefore, the proposed activity does NOT create the possibility of a malfunction of an SSC important to safety with a different result.

NOTE: The acceptability of these new area radiation monitors will also be dictated by their reliability, which is assessed as part of Criterion (ii), not Criterion (vi).
Example 4-20. NO CREATION of a Malfunction with a Different Result

Proposed Activity
Two chillers that cool the Main Control Room Ventilation System (MCRVS) are being upgraded.

The MCRVS provides cooling to the Main Control Room and the adjacent Relay Room. The Relay Room contains multiple instrument racks that control both the Reactor Protection System (RPS) and Engineered Safety Features Actuation System (ESFAS) signals.

As part of the upgrade, each of the chillers' analog control systems will be replaced with a digital control system. Each digital control system maintains all of the operational features (e.g., auto/manual start/stop, setpoints and alarms) of the analog control systems. The hardware platform for each chiller control system is from the same supplier and the software in each chiller control system is exactly the same.

Impact on Malfunction Result

Step 1:
The pertinent functions of the MCRVS involve the air flow path from the Main Control Room to the Relay Room (which is described in the UFSAR) and a function to maintain the Relay Room's temperature less than or equal to 120°F.

Step 2:
The function involving the "air flow path" is not affected and can be eliminated from consideration since the Screen phase determined that there was no adverse impact.

In this case, whether the "maintain temperature" function is a design bases function is not readily apparent, so the associated GDC will be identified and examined.

Criterion 20 - Protection system functions. The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety. [emphasis added]

The chiller control system performs a maintain-temperature function that supports or impacts the design bases function specified in GDC 20. Therefore, the function of the chiller control system is a design function credited in the safety analysis. This is a category 2.b design function.

In addition, the maintain-temperature function also performs a support or impact design function for the Operability of the RPS and ESFAS required per the Technical Specifications (i.e., performs a required and necessary support function per the definition of Operability). Thus, this is also a category 2.a design function.

Step 3:
The impact of a software CCF on the design bases function credited in the safety analysis is not readily apparent, so a new FMEA was generated.

Step 4:
The new FMEA concluded that compliance with pre-existing procedures will result in the restoration of at least one chiller well before the Relay Room cooling becomes inadequate and temperature exceeds 120°F. Specifically, compliance with existing procedures will lead to recognition of the problem and, using currently proceduralized alternate methods for operating the system (i.e., NOT compensatory actions for addressing degraded or nonconforming conditions), restore the chiller control system function prior to the impairment of the associated design bases functions. In addition, an interdependent procedure change (satisfying the four bullets in NEI 96-07, Section 4.3.2, Example 4) will lead to the use of a new digital control system restart feature to re-initialize the control system and clear any software faults, allowing the chiller control system functions to be restored well before the Relay Room cooling becomes inadequate and temperature exceeds 120°F.

Step 5:
The design function involved was identified as categories 2.a and 2.b. Although none of the safety analyses specifically identify assumptions or inputs related to the MCRVS, the Relay Room or the components therein, several accident analyses assume correct and timely actuation of the RPS and/or the ESFAS signals. As determined in Step 2 above, a category 2.b design function indicates that the operation of the chiller control systems is considered to be credited in the safety analysis since they support or impact the design bases functions associated with GDC 20. As demonstrated as part of Step 4, all design bases functions are preserved.

Step 6:
As determined in Step 4, all design bases functions are preserved. Therefore, all of the existing safety analyses identified in Step 5 remain valid, the associated acceptance criteria remain satisfied, and there is no change in any malfunction result.

Conclusion
Although the software CCF likelihood was determined to be not sufficiently low, the design bases functions will continue to be performed/satisfied and the safety analyses (and the satisfaction of all acceptance criteria from these analyses) are unaffected. Therefore, the proposed activity does NOT create the possibility of a malfunction of an SSC important to safety with a different result (for the aspect being illustrated in this example).
Example 4-21. NO CREATION of a Malfunction with a Different Result

Proposed Activity
Currently, the non-safety-related Steam Bypass Control System (SBCS) and the non-safety-related pressurizer pressure control system are separate analog control systems.

The SBCS is being upgraded from an analog to a digital system.

The pressurizer pressure control system is being upgraded from an analog control system to a digital control system.

As part of this modification, the two previously separate control systems (steam bypass and pressurizer pressure) will be combined within the same digital controller in a distributed control system (DCS), with the same software controlling all steam bypass and pressurizer pressure functions.

Impact on Malfunction Result

Step 1:
Steam Bypass - The pertinent function of the SBCS is to maximize plant availability by making full utilization of the turbine bypass valve capacity to remove NSSS thermal energy to accommodate load rejections, unit trips, and other conditions that result in the generation of excessive energy by the NSSS.

This objective is achieved by the selective use of turbine bypass valves to avoid unnecessary reactor trips and prevent the opening of secondary side safety valves whenever these occurrences can be averted by the controlled release of steam.

Pressurizer - The pertinent function is control of the pressurizer sprays and heaters to maintain RCS pressure within the established limits.

Step 2:
Steam Bypass - The function of the SBCS is classified as a design function due to its ability to initiate a transient or accident that the plant is required to withstand. This is a category 3 design function, which will proceed to Step 5.

Pressurizer - In this case, whether the function is a design bases function is not readily apparent, so the associated GDC will be identified and examined.

Criterion 10 - Reactor design. The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences. [emphasis added]

The pressurizer control system performs a function that supports or impacts a design bases function specified in GDC 10. Therefore, the pressurizer control system function is a design function credited in the safety analysis. This is a category 2.b design function.

Step 3:
The effect on the pressurizer pressure control system is clear and understood, having a direct impact on the accident analysis assumptions and modeling. There is no reason to generate a new FMEA since the impact of the software CCF on the accident analysis is readily apparent (i.e., clear and understood).

Step 4:
If a software CCF occurs, the pressurizer pressure control function, which supports or impacts the GDC 10 design bases function, will not be performed.

Step 5:
The design functions involved were identified as categories 2.b and 3. The pertinent safety analysis is the accident analysis for Increased Main Steam Flow. Typically, in Chapter 15 accident analyses, control system action is considered only if that action results in more severe accident results. The steam bypass and pressurizer pressure control systems have a direct impact on the accident analysis assumptions and modeling.

Step 6:
Previously, all four SBCS turbine bypass valves were assumed to fail open as part of the initiation of the Increased Main Steam Flow event. In the proposed design, all four SBCS turbine bypass valves could also fail open concurrently with the failure of the pressurizer pressure control system due to a software CCF in the digital control system.

In the Increased Main Steam Flow accident analysis, the pressurizer pressure control system is assumed to be in automatic and would attempt to mitigate the results of the accident. Initial conditions assume abnormally low pressure, and the sequence of events for the accident identifies that the pressurizer empties during the event. Therefore, regardless of the operation (or misoperation) of the pressurizer pressure control system during the event, the malfunction of the pressurizer pressure control system would have no effect on this event and no effect on the satisfaction of the associated acceptance criteria.

The severity of the initiating failure assumed in the Increased Main Steam Flow accident analysis (four valves affected) is unchanged since the current analysis assumes the maximum possible increased steam flow. Furthermore, the failure mode (valves failing open) is determined to have no effect, and the mechanism (control signal error) that allows the valves to open, allowing the steam flow to increase, has no impact on the initial conditions of the event.

Either assumption regarding the "status" of the pressurizer pressure control system (i.e., automatic vs. failed) leads to emptying of the pressurizer, having no impact on the outcome of the event.

Therefore, there are no impacts due to the combination of the two control systems.

Conclusion
Although the software CCF likelihood was determined to be not sufficiently low, the initiation severity assumed in the Increased Main Steam Flow accident analysis (four valves affected), the failure mode (valves failing open) and the mechanism by which steam flow increases (control signal error) remain bounded. Furthermore, the results of the existing safety analysis remain bounding, including the type of event (decreasing pressure) and all acceptance criteria that must be satisfied (maximum peak RCS pressure, maximum secondary pressure, minimum DNBR, maximum peak linear heat rate and the dose consequences).

Therefore, the proposed activity does NOT create the possibility for a malfunction of an SSC important to safety with a different result (for the aspect being illustrated in this example).
Examples 4-22 through 4-24 illustrate some cases in which there is the CREATION of a malfunction with a different result.

Example 4-22. CREATION of a Malfunction with a Different Result

Proposed Activity
An upgrade of the analog-based reactor protection system to a digital-based reactor protection system is proposed. This proposed modification involves replacement of all the solid state cards that control the detection of anticipated operational occurrences and the actuation of the required reactor trip signals. Redundant channels contain these cards in satisfaction of single failure criteria.

Impact on Malfunction Result

Step 1:
The number of involved functions is large, all of which involve the detection of anticipated operational occurrences, the processing of those signals, and the generation of the appropriate reactor trip signals.

Step 2:
In this case, whether the functions are design bases functions is not readily apparent, so the associated GDCs will be identified and examined.

Criterion 20 - Protection system functions. The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety. [emphasis added]

Criterion 21 - Protection system reliability and testability. The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. [emphasis added]

Criterion 22 - Protection system independence. The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function. [emphasis added]

The solid state cards involved perform functions that support or impact design bases functions specified in GDCs 20, 21, and 22. Thus, these functions are design functions credited in the safety analysis. These are category 2.b design functions.

In addition, these functions also perform a support or impact function for the Operability of the RPS per the Technical Specifications (i.e., perform a required and necessary support function per the definition of Operability). Thus, these are also category 2.a design functions.

Step 3:
The effect on the detection, processing and generation of signals is clear and understood, having a direct impact on the safety analysis assumptions. There is no reason to generate a new FMEA since the impact of the software CCF on the design bases functions is readily apparent (i.e., clear and understood).

Step 4:
The design bases functions related to the GDC 21 and 22 requirements regarding single failure criteria and redundant channels will not be performed.

Step 5:
The design functions involved were identified as categories 2.a and 2.b. Numerous safety analyses contain implicit assumptions regarding the performance and/or expectation of the minimum number of systems/components and/or trains/channels that are expected to perform their function, which satisfy the applicable redundancy requirements and/or single failure criteria.

Step 6:
In all cases, for each safety analysis, the inability to satisfy the performance and/or expectation of the minimum number of systems/components and/or trains/channels violates the single failure assumption upon which the safety analysis results are based.

In these instances, a review of the safety analyses and their structure will quickly conclude that the results will no longer be valid.

Conclusion
With the software CCF likelihood determined to be not sufficiently low, the basic assumptions regarding satisfaction of single failure criteria are invalidated and the existing safety analysis results are no longer valid. Therefore, the proposed activity CREATES the possibility of a malfunction of an SSC important to safety with a different result (for the aspect being illustrated in this example).
Example 4-23. CREATION of a Malfunction with a Different Result

Proposed Activity
The analog voltage regulators on both trains of Emergency Diesel Generators (EDGs) are being replaced with digital voltage regulators.

Impact on Malfunction Result

Step 1:
The voltage regulator is required to function properly to support EDG operation. Failure of the voltage regulator will result in failure of the associated EDG.

Step 2:
In this case, whether the "voltage regulation" function is a design bases function is not readily apparent, so the associated GDC will be identified and examined.

From GDC 17:

Criterion 17 - Electric power systems. An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. [emphasis added]

The function of the voltage regulator is classified as a design function because it supports or impacts a design bases function specified in GDC 17. Therefore, the voltage regulator's function is a design function credited in the safety analysis. This is a category 2.b design function.

In addition, the voltage regulation function also performs a support or impact function for the Operability of the EDG per the Technical Specifications (i.e., performs a required and necessary support function per the definition of Operability). Thus, this is also a category 2.a design function.

Step 3:
The effect on the voltage regulator, and on the EDG's operation, is clear and understood, having a direct impact on the accident analysis assumptions and modeling. There is no reason to generate a new FMEA since the impact of the software CCF on the design bases function is readily apparent (i.e., clear and understood).

Step 4:
If a software CCF occurs, the voltage regulator's control function, which supports or impacts the GDC 17 design bases function, will not be performed.

Step 5:
The design function involved was identified as categories 2.a and 2.b. Numerous safety analyses directly credit functions that are assumed to remain powered by a single EDG (the loss of one EDG is commonly assumed to be the limiting single failure).

Step 6:
In this instance, the basic assumption of single failure is no longer valid. In addition, if the safety analyses in question were re-run, the associated acceptance criteria would likely not be met with such a basic assumption not being maintained.

Conclusion
With the software CCF likelihood determined to be not sufficiently low, the assumptions regarding satisfaction of single failure criteria are invalidated and the associated acceptance criteria are not satisfied, so the existing safety analysis results are no longer valid. Therefore, the proposed activity CREATES the possibility for a malfunction of an SSC important to safety with a different result.
Example 4-24. CREATION of a Malfunction with a Different Result

Proposed Activity
The analog pressurizer pressure transmitters and associated circuitry used to control the Low Temperature Overpressure Protection opening signal for the pressurizer Power Operated Relief Valve (PORV) are being replaced with digital equipment.

Impact on Malfunction Result

Step 1:
The PORVs are required to open to prevent an overpressurization of the Reactor Coolant System (RCS) when the RCS is being operated in a water-solid condition. The pressure sensing circuitry is essential to that function.

Step 2:
In this case, whether the "overpressure protection" function is a design bases function is not readily apparent, so the associated GDC will be identified and examined.

From GDC 14:

Criterion 14 - Reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture. [emphasis added]

The design bases function identified in GDC 14 above applies during cold, water-solid conditions. This protection is commonly referred to as Low Temperature Overpressure Protection, or LTOP. The function of the PORV is classified as a design function due to performing a function that supports or impacts a design bases function specified in GDC 14. Further, the generation of an appropriate opening signal upon a high pressure condition also supports that function. Therefore, both the PORV and the pressure sensing circuitry perform design functions credited in the safety analysis. These are category 2.b design functions.

In addition, both the PORV and the pressure sensing circuitry perform a support or impact design function that is also a critical portion of the RCS Overpressure Protection System required by the Technical Specifications. This is a category 2.a design function.

Step 3:
The effect on the pressure sensing circuitry, and on the PORV's operation, is clear and understood, having a direct impact on the safety analysis assumptions and modeling. There is no reason to generate a new FMEA since the impact of the software CCF on the safety analysis is readily apparent (i.e., clear and understood).

Step 4:
If a software CCF occurs, the pressure sensing circuitry and the PORV's operation, which both support or impact the GDC 14 design bases function, will not be performed.

Step 5:
The design functions involved were identified as categories 2.a and 2.b. The pertinent safety analysis is typically part of the Pressure Temperature Limits Report (PTLR). That report is controlled by a Technical Specification in Section 5.6. The PTLR itself is either summarized as part of the UFSAR or is incorporated by reference.

Contained within the PTLR is a description of an analysis that demonstrates the selected Low Temperature PORV Setpoint will ensure RCS pressure does not exceed the limits specified in 10 CFR 50, Appendix G during a cold, water-solid pressure excursion. This excursion is typically the result of an uncontrolled injection of water into the RCS via a high pressure Emergency Core Cooling System (ECCS) pump.

The analysis contained within the PTLR is a safety analysis because it demonstrates that the limits contained within 10 CFR 50, Appendix G (the acceptance criteria) for the facility's capability to withstand or respond to the LTOP excursion (postulated event(s)) are met.

Step 6:
In this instance, a PORV that does not open is unable to relieve RCS pressure, so the basic assumption of PORV operation is no longer valid. Thus, if the safety analyses in question were re-run, the associated acceptance criteria would likely not be met with no pressure relief capability available to mitigate the cold overpressure transient.

Conclusion
With the software CCF likelihood determined to be not sufficiently low, the assumptions regarding PORV operation are invalidated and the existing safety analysis results are no longer valid because the associated acceptance criteria are not satisfied. Therefore, the proposed activity CREATES the possibility for a malfunction of an SSC important to safety with a different result.
4.3.7 Does the Activity Result in a Design Basis Limit for a Fission Product Barrier Being Exceeded or Altered?

There is no unique guidance applicable to digital modifications for responding to this Evaluation question because the identification of possible design basis limits for fission product barriers and the process for determination of "exceeded" or "altered" are not unique for a digital modification. The guidance in NEI 96-07, Section 4.3.7 applies.

4.3.8 Does the Activity Result in a Departure from a Method of Evaluation Described in the UFSAR Used in Establishing the Design Bases or in the Safety Analyses?

There is no unique guidance applicable to digital modifications for responding to this Evaluation criterion because activities involving methods of evaluation do not involve SSCs. The guidance in NEI 96-07, Section 4.3.8 applies.