ML20177A495

| Field | Value |
|---|---|
| Accession number | ML20177A495 |
| Site | Nuclear Energy Institute |
| Issue date | 06/23/2020 |
| From | Vaughn S, Nuclear Energy Institute |
| To | Tekia Govan, Wendell Morton (NRC/NRR/DEX/EICA, NRC/NRR/DRO/IRSB) |
| Contact | Govan T, 415-6197 |
| Download | ML20177A495 (9) |
From: VAUGHN, Stephen
To: Govan, Tekia; Morton, Wendell
Subject: [External_Sender] NEI Comments on Draft BTP 7-19 Revision 8 (May 2020 version)
Date: Tuesday, June 23, 2020 11:09:42 AM
Attachments: NEI Comments on BTP 7-19 Revision 8 23-2020.docx

Tekia and Wendell,

Please find the NEI DI&C working group updated comment table regarding the May 2020 draft BTP 7-19, Revision 8. These comments are an update to the feedback NEI provided in March 2020 and are based on the discussions and presentations at the June 2nd ACRS DI&C Subcommittee meeting.

If you have any questions or concerns, please let me know.
Regards,
Steve

STEPHEN J. VAUGHN | SENIOR PROJECT MANAGER, ENGINEERING AND RISK
1201 F Street, NW, Suite 1100 | Washington, DC 20004
P: 202.739.8163 M: 202.256.5393 sjv@nei.org
NEI DI&C Working Group Comments on BTP 7-19, Revision 8

(Table columns: Topic and Affected Section(s) | Comment/Basis | Recommendation)

1. Spurious Operations

Affected Section(s): Section A; Section 5

Comment/Basis:

Perspectives on SRM-SECY 93-087

SRM-SECY 93-087 refers to DI&C CCF events as a loss of more than one echelon of defense-in-depth. A spurious operation should not be considered a loss of defense-in-depth nor a loss of the safety function.

The current draft of BTP 7-19 does not equate "loss" with "spurious operation". Position 2 in SECY-93-087 states, "analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best estimate methods."; whereas BTP 7-19 states, "The spurious operation should be considered as an initiating event only, without a concurrent DBE." As stated in the draft, spurious operations are not analyzed the same way that a latent design defect that could cause a loss of function is analyzed.

The Concept of Spurious Operations was not introduced until 2012 (i.e., Rev 6 of BTP 7-19)

Earlier revisions of BTP 7-19 (i.e., Revisions 1 thru 5) did not have the spurious operations guidance and it is not clear what prompted the addition. Because the SRM-SECY 93-087 was issued in 1993, about 19 years prior to Revision 6 of BTP 7-19, it does not seem appropriate to be the basis for the spurious operations guidance. In other regulatory areas (e.g., fire protection) the concept of spurious operations has a clear licensing basis requirement. For example, 10 CFR Part 50, Appendix R, Section III.G.2 describes how fire damage to cabling could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground. These maloperations are described as multiple spurious operations (MSOs) in NEI 00-01, Guidance for Post-Fire Safe Shutdown Circuit Analysis, which was endorsed in part by RG 1.189, Fire Protection for Nuclear Power Plants. However, because spurious operations caused by latent design defects in DI&C systems do not have a clear tie to a licensing basis requirement, making a like-for-like comparison to fire protection, as described above, is not justified. Likewise, GDC 24, 25, and SRP Section 7.7 do not provide a regulatory basis for requiring a spurious operations assessment.

Recommendation:

Because SRM-SECY 93-087, GDC 24, 25, and SRP Section 7.7 do not provide a licensing basis requirement to analyze for spurious operations caused by a latent design defect:

1. Move the spurious operation guidance from the draft Revision 8 of BTP 7-19 to another NRC guidance document. NEI is very interested in continuing the technical discussion on DI&C and spurious operations. The NRC and the NEI DI&C working group should schedule a public meeting in the near future to clarify the technical details and the appropriate guidance to document the results. Because highly integrated NSR systems are of greater concern to the staff (as described on pages 31-32 of the BTP), the focus of the discussions should be on NSR SSCs that could directly or indirectly affect reactivity.
2. DI&C Categorization

Affected Section(s): Section B.2.1; Table 2-1

Comment/Basis:

Vertical Category Descriptions

The labels of Safety Significant and Not Safety Significant are not appropriate given the deterministic and qualitative definitions provided in each of the four categories. The qualitative definitions may describe varying levels of safety from a DI&C deterministic perspective, but they do not describe safety significance from a risk-informed (i.e., RG 1.174) perspective.

If the labels of Safety Significant and Not Safety Significant remain, it will cause confusion in the categorization process and challenge current efforts to embrace a more risk-informed approach to licensing and oversight functions.

Use of General Design Criteria (GDC) to Categorize an A1 and B1

The GDCs are very high-level and it would be challenging for a user to determine the appropriate level (i.e., to the extent practical) of diversity required for a particular DI&C SSC. Furthermore, not all of the GDCs mention diversity and some use similar terms that may (or may not) be construed as diversity.

The GDCs, in and of themselves, do not distinguish whether a DI&C SSC is safety significant. As such, the GDCs criterion is not an effective tool to identify A1 and B1 SSCs.

The technical criterion in A1 and B1, including the risk insights from site-specific PRAs, effectively captures the set of DI&C SSCs; therefore, the GDCs criterion does not add any additional value.

Recommendation:

1. Incorporate the second paragraph after Table 2-1 (starts off with "Risk insights in terms of") into Table 2-1 such that it is clearly part of the categorization process. This change would justify the vertical labels of Safety Significant and Not Safety Significant; otherwise the labels would be misleading because the deterministic definitions do not effectively characterize safety significance.

   NOTE: In the text, change "system" to "SSCs" because Table 2-1 categorizes by SSCs, not just systems.

2. If the 1st option is not pursued, either remove the far-left column of the table or change the Safety Significant and Not Safety Significant labels to read High Impact on Safety and Low Impact on Safety, respectively.

3. Delete the criterion from the A1 and B1 categories that states "Equipment required to have diversity to the extent practical, per the GDCs".
3. Software vs. Hardware CCF

Affected Section(s): Section A.1 Background; Section A.4 Purpose; Various

Comment/Basis:

The addition of a beyond design basis CCF caused by a latent defect in hardware to the May 2020 version of the draft BTP 7-19 needs to be clarified.

1. The term "latent defect" is not well defined and should be limited to only latent defects in design and should not include downstream processes like fabrication.

2. The first sentence in the second paragraph in Section A.1 Background states "DI&C systems are composed of both hardware components and logic elements (e.g., software)." This statement is ambiguous because the interface between hardware and software can create the logic elements of the DI&C system.

3. The following sentence states "Regarding the logic portion, DI&C systems or components can also be vulnerable to a CCF due to latent defects in hardware, software, or software-based logic." This seems to include hardware, software, and software-based logic in determining the logic portion of the DI&C system, which contradicts the prior sentence that limits logic elements to just software.

4. In the Types of Failure Considerations portion of the Background section, the description of the "Failures to be considered as Beyond Design Basis CCF" and the first sub-bullet "CCFs resulting from latent hardware or software defects leading to loss of function" needs more detail. It is not clear what a latent defect in hardware is. The second paragraph of Section A.4 Purpose states "In this guidance, software includes software, firmware, and logic developed from software-based development systems (e.g., hardware description language programmed devices)." A similar description needs to be provided to clarify how the term hardware should be considered in the guidance so it is clear what a latent design defect in hardware is (and what it is not).

5. BTP 7-19, since 1997, was focused on Computer-Based Instrumentation and Control Systems. In other words, this BTP was focused on digital I&C systems, where hardware and software are integrated. This draft now isolates hardware from software, causing industry confusion.

Recommendation:

1. Everywhere in the guidance where the term "latent defect" is used, replace it with "latent design defect".

2. Provide a working definition of latent design defect as "Undetected errors in hardware and software functional requirements and design".

3. Revise the first two paragraphs of Section A.4 Purpose to read:

   This document provides guidance for evaluating any D3 means credited to address vulnerabilities to CCF caused by latent design defects in the DI&C system that can adversely impact the system logic, as well as the effects of any unmitigated CCF outcomes on plant safety. This BTP also provides staff guidance for reviewing a licensee or applicant's graded approach, if used, to address CCF vulnerabilities in systems of differing safety classification.

   In this guidance, software includes software, firmware, and logic developed from software-based development systems (e.g., hardware description language programmed devices) and hardware includes components that interface with software to support the functional logic of the system. As described above, events associated with this type of CCF vulnerability are considered beyond DBE, in accordance with Commission direction in SRM to SECY 93-087.

   In addition, move the above revised wording to the Background section under the beyond design basis discussion in the Types of Failure Considerations portion.

4. Change the first sentence in the second paragraph of Section A.1 Background to read:

   DI&C system logic is composed of both hardware and software.
5. Crediting Existing Systems

Affected Section(s): Section B.3.2.1

Comment/Basis:

The last sentence in the second paragraph states "The ATWS system to be credited should (1) be diverse from the proposed DI&C system, (2) has been demonstrated to be highly reliable and of sufficient quality, and (3) be responsive to the AOO or PA sequences using independent sensors and actuators as the proposed DI&C system."

The phrase "using independent sensors and actuators" is not consistent with 10 CFR 50.62(c)(1) through 10 CFR 50.62(c)(3). The independence requirement starts at the sensor output and ends at the actuating device; as such, an independent sensor is not required.

Recommendation:

Modify the phrase "using independent sensors and actuators as the proposed DI&C system" to read "and is independent (from sensor output to the final actuation device) from the proposed DI&C system".
6. Testing

Affected Section(s): Section 3.1.2.a-c

Comment/Basis:

The guidance in Section 3.1.2.a-c does not align with current industry guidance. Having very similar, yet slightly different, language will cause confusion.

Recommendation:

Revise Section 3.1.2.a-c to read:

a) A PDD is not considered susceptible to CCF if the PDD is shown to be deterministic in performance, has documentation of all functional states and all transitions between the functional states, and is testable based on the following criteria:

   - Testing every possible combination of inputs. For PDDs that include analog inputs, the testing of every combination of inputs shall include the whole operational range of the analog inputs.
   - Testing every possible executable logic path (this includes non-sequential logic paths).
   - Testing every functional state transition, and
   - Test monitoring for correctness of all outputs for every case.

b) This testing shall be conducted on the PDD integrated with test hardware representing the target hardware.

c) It is possible that PDDs include unused inputs. If those inputs are forced by the module circuitry to a particular known state, those inputs can be excluded from the "all possible combinations" criterion.
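The testing criteria proposed above (every input combination, every documented state transition, determinism, output monitoring for every case, and exclusion of unused inputs forced to a known state) can be exercised mechanically on a small logic model. The script below is an added illustration, not part of the NEI comment table or of BTP 7-19; the device model (a constructed 2-out-of-3 trip latch with a reset input and one spare input forced low) and the function and state names are assumptions made for the example. The exhaustive driver enumerates every (state, input) case, checks each result against an independently written oracle, verifies that only documented transitions occur and that all of them are covered, and reports what it finds.

```python
"""Exhaustive test of a small programmable digital device (PDD) logic model.

Constructed example (not from BTP 7-19): a 2-out-of-3 trip latch with a
reset input and one spare input that the module circuitry forces low.
"""
from dataclasses import dataclass, field
from itertools import product

NORMAL, TRIPPED = "NORMAL", "TRIPPED"

# The PDD's documentation: all functional states and all transitions between them
STATES = (NORMAL, TRIPPED)
DOCUMENTED_TRANSITIONS = {
    (NORMAL, NORMAL), (NORMAL, TRIPPED), (TRIPPED, TRIPPED), (TRIPPED, NORMAL),
}
INPUTS = ("ch1", "ch2", "ch3", "reset", "spare")
# Unused input forced to a known state by the module circuitry; criterion c)
# lets it be excluded from the "all possible combinations" enumeration.
FORCED_INPUTS = {"spare": 0}


def pdd_step(state, inp):
    """Device under test: one logic cycle, returns (next_state, trip_output)."""
    votes = inp["ch1"] + inp["ch2"] + inp["ch3"]
    if state == NORMAL:
        nxt = TRIPPED if votes >= 2 else NORMAL
    else:  # TRIPPED stays latched until reset is asserted with the demand cleared
        nxt = NORMAL if (inp["reset"] and votes < 2) else TRIPPED
    return nxt, int(nxt == TRIPPED)


def buggy_step(state, inp):
    """Constructed defective variant: the latch drops out without a reset."""
    votes = inp["ch1"] + inp["ch2"] + inp["ch3"]
    nxt = TRIPPED if votes >= 2 else NORMAL
    return nxt, int(nxt == TRIPPED)


def reference_output(state, inp):
    """Independent oracle for the expected trip output of every case, written
    from the functional requirement rather than copied from pdd_step."""
    demand = sum(inp[c] for c in ("ch1", "ch2", "ch3")) >= 2
    if state == TRIPPED and not (inp["reset"] and not demand):
        return 1  # latched trip persists
    return int(demand)


@dataclass
class Report:
    cases: int = 0
    covered: set = field(default_factory=set)
    failures: list = field(default_factory=list)

    @property
    def uncovered(self):
        """Documented transitions never exercised (criterion: every transition)."""
        return DOCUMENTED_TRANSITIONS - self.covered

    @property
    def passed(self):
        return not self.failures and not self.uncovered


def exhaustive_test(step=pdd_step, oracle=reference_output):
    """Drive every documented state with every combination of free inputs."""
    free = [name for name in INPUTS if name not in FORCED_INPUTS]
    rep = Report()
    for state in STATES:
        for bits in product((0, 1), repeat=len(free)):
            inp = dict(zip(free, bits), **FORCED_INPUTS)
            rep.cases += 1
            nxt, out = step(state, inp)
            # Determinism: the same state and inputs must give the same result
            if step(state, inp) != (nxt, out):
                rep.failures.append(("nondeterministic", state, inp))
            # Only documented states and transitions may occur
            if nxt not in STATES or (state, nxt) not in DOCUMENTED_TRANSITIONS:
                rep.failures.append(("undocumented transition", state, inp, nxt))
            rep.covered.add((state, nxt))
            # Output monitoring for correctness of every case
            if out != oracle(state, inp):
                rep.failures.append(("wrong output", state, inp, out))
    return rep


if __name__ == "__main__":
    for name, fn in (("pdd_step", pdd_step), ("buggy_step", buggy_step)):
        rep = exhaustive_test(fn)
        print(f"{name}: {rep.cases} cases, {len(rep.failures)} failures, "
              f"uncovered transitions: {sorted(rep.uncovered)}, passed={rep.passed}")
```

With the spare input excluded, the enumeration covers 2 states x 16 input combinations, or 32 cases; the correct model passes with all four documented transitions covered, while the defective variant is caught by output monitoring in the four cases where the latch should have held (state TRIPPED, reset deasserted, fewer than two channels voting). The oracle is deliberately a second, independently written statement of the requirement; comparing a device only against itself would make the output-correctness criterion vacuous.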
7. Independent and Diverse

Affected Section(s): Various sections

Comment/Basis:

Throughout the BTP the phrase "independent and diverse" is used in the context of manual system actuations. The term "independent" can have multiple interpretations, which can cause confusion.

NEI believes that it is functional independence, not electrical isolation independence as described in IEEE 603, that is the intended meaning of the term "independent" when used in the context of manual system actuations.

Recommendation:

Throughout the BTP where the phrase "independent and diverse" is used in the context of manual system level actuations, replace it with "functionally independent and diverse".
8. NUREG/CR-6303 and 7007

Affected Section(s): Section 3.1.1.b under Acceptance Criteria

Comment/Basis:

Listing NUREG/CR-7007 as an acceptance criterion is inconsistent with the statement made in Section A.2 that states: "While this NUREG describes a method for quantitatively assessing the amount of diversity in a system, this method has not been benchmarked and should not be used as the sole basis for justifying adequate diversity." To date, the NRC has not required applicants to demonstrate compliance to NUREG/CR-7007.

Recommendation:

Modify the first sentence of Section 3.1.1.b to read:

An analysis demonstrates that adequate diversity has been achieved between the diverse portions of the system or component (e.g., NUREG/CR-6303).
Recommended Edits to Table 2-1

(Table columns: Safety-Related | Non-Safety-Related)

Safety Significant* (a significant contributor to plant safety)

A1 DI&C SSCs (Safety-Related):
- Equipment relied upon to initiate and complete control actions essential to maintain plant parameters within acceptable limits established for a DBE or that maintains the plant in a safe state after it has reached safe shutdown state.5 Failure could directly lead to accident or conditions that may cause unacceptable consequences (e.g., exceeds siting dose guidelines for a DBE) if a) no other automatic A1 systems are available to provide the safety function or b) no pre-planned manual operator actions have been validated and credited to provide the required safety function.
- or: Equipment required to have diversity to the extent practical, per the GDCs.
- Application should include a D3 assessment as described in Section B.3.

B1 DI&C SSCs (Non-Safety-Related):
- Equipment that is capable of directly changing the reactivity or power level of the reactor in a manner whose failure could initiate an accident sequence, or in a manner that adversely affects the integrity of the safety barriers (fuel or cladding, reactor vessel, or containment).
- or: An analysis demonstrates that a failure may result in possible adverse impact on plant safety due to integration of multiple control functions into a single system. If adverse safety consequences are possible, the failure may need to be considered a new AOO and included in the D3 assessment or addressed by other means.
- or: Equipment required to have diversity to the extent practical, per the GDCs.
- Application should include a qualitative assessment as described in Section B.4.

Not Safety Significant* (not a significant contributor to plant safety)

A2 DI&C SSCs (Safety-Related):
- Provides an auxiliary or indirect function in the achievement or maintenance of plant safety.
- Application should include a qualitative assessment as described in Section B.4.

B2 DI&C SSCs (Non-Safety-Related):
- Equipment does not have a direct effect on reactivity or power level of the reactor or affect the integrity of the safety barriers (fuel cladding, reactor vessel, or containment).
- Ex: An analysis demonstrates the failure does not have adverse impact on plant safety or can be detected and mitigated with significant safety margin.
- Application may need to include a qualitative assessment as described in Section B.4.

* Risk insights in terms of safety consequences from site-specific probabilistic risk assessments (PRAs) can be used to support the safety-significance determination in categorizing the DI&C SSC system. Use of such risk insights should be an input to an integrated decision-making process for categorizing the proposed DI&C SSC system. The application should document the basis for categorizing the proposed DI&C SSC system, including any use of risk insights.