ML20276A288

| Field | Value |
|---|---|
| Accession number | ML20276A288 |
| Site | 99902028, Nuclear Energy Institute |
| Issue date | 10/02/2020 |
| From | Geier S, Nuclear Energy Institute |
| To | Eric Benner, Document Control Desk, Office of Nuclear Reactor Regulation |
STEPHEN E. GEIER
Senior Director, Engineering and Risk
1201 F Street, NW, Suite 1100
Washington, DC 20004
P: 202.739.8111
seg@nei.org
nei.org

October 02, 2020

Mr. Eric Benner
Director, Division of Engineering and External Hazards
Office of Nuclear Reactor Regulation
Mail Stop: O9E3
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
Subject: Industry Comments on Draft Revision 8 to Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Common Cause Failure Due to Latent Defects in Digital Safety Systems" (Project Number: 689)
Dear Mr. Eric Benner:
The Nuclear Energy Institute (NEI)[1], on behalf of its members, submits the following comments on the draft Revision 8 to Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Common Cause Failure Due to Latent Defects in Digital Safety Systems." We are supportive of the continued effort to revise this BTP and appreciate the opportunity to provide additional comments on the draft revision.
The NEI Digital Instrumentation and Control (DI&C) working group has been actively engaged with the staff in the revision to BTP 7-19 over the past year. The public meetings held during 2019 and into 2020 have been great opportunities to share technical and regulatory perspectives. The NEI DI&C working group is pleased to see how this BTP revision has considered a graded approach in evaluating license amendment requests (LARs) commensurate with the safety characteristics associated with the DI&C system or component, and the addition of defensive measures as a method to prevent and limit common cause failures (CCFs).
However, there are still several technical and regulatory concerns we would like to highlight with the version of draft BTP 7-19 that was reviewed at the ACRS Subcommittee meeting on September 8, 2020. First, the guidance on spurious operations does not have a defendable regulatory basis to warrant inclusion within the scope of the BTP. In addition, there is not sufficient technical guidance and acceptance criteria regarding spurious operations to support a predictable and consistent review. Second, the scope of non-safety-related systems and components that are applicable to the BTP guidance is not clear and will lead to inefficiencies in the review process. Third, the recent addition of active hardware components to the scope of latent design defects needs specificity to ensure that the BTP guidance focuses only on digital systems and does not inappropriately introduce concerns that are beyond the scope of the BTP.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.
Please find the complete set of comments on the current draft Revision 8 to BTP 7-19 attached to this letter, including additional discussion on the concerns highlighted above. Our intention is to provide recommendations, with sound technical and regulatory bases, that seek to clarify the guidance to ensure both licensees and the NRC staff have a common understanding, and that regulatory uncertainty is minimized, when performing their responsibilities associated with a DI&C LAR. As stations continue plant modernization, we believe that this common understanding will allow future digital modifications that involve a license amendment to be reviewed, approved, and implemented in an efficient and predictable manner.
Please contact me at seg@nei.gov and (202) 739-8111 or Steve Vaughn at sjv@nei.org and (202) 739-8163 if you have any questions or concerns.
Sincerely,

Stephen Geier

cc:
Mr. Wendell Morton, NRR
Ms. Tekia Govan, NRR
Mr. Michael Waters, NRR
NRC Document Control Desk
NEI DI&C Working Group Comments on BTP 7-19, Revision 8 - October 02, 2020

Each comment lists the topic and affected section(s), the comment/basis, and the recommendation.

1. Spurious Operations (Section 3)

Comment/Basis - Technical Concern:

1. The example of a partial actuation of an emergency core cooling system (i.e., spurious operation of a single division) with false indications stemming from a postulated CCF is inconsistent with the evaluation guidance in NUREG/CR-6303.
   - NUREG/CR-6303 (Section 3.6) specifies concurrent failures of the same blocks in all redundant divisions, which precludes partial actuations.
   - NUREG/CR-6303 (Section 3.8) specifies that downstream blocks are assumed to function correctly in exact response to the correct or incorrect inputs they receive, which precludes false indications.
2. The terms "spurious operations" and "spurious actuations" are not used in NUREG/CR-6303; however, NUREG/CR-6303 does allude to the concept in Guidelines 3.5 and 3.6. Because NUREG/CR-6303 only applies to RPS, extrapolating the spurious operations concept to other non-protection DI&C systems (i.e., control systems) is not plausible, because the system complexity is not conducive to the functional block analysis.

Recommendation:

1. Until appropriate regulatory bases are identified, the concept of spurious operations caused by CCFs should be removed from the BTP.
2. Remove NUREG-0800, SRP Section 7.7, "Control Systems," from the Relevant Guidance section and any references to Section 7.7 in the BTP.
3. Remove the spurious operations example.
Comment/Basis - Regulatory Concern:

1. In the Background section it states, "A CCF occurs when multiple (usually identical) systems or components fail due to a shared cause[3]." And footnote 3 states [underlined for emphasis], "CCFs due to latent defects in DI&C SSCs are similar to but distinguishable from cascading failures due to single random failures. Single failures must be addressed by meeting the criteria described under 10 CFR 50.55a(h) (i.e., they are required to address safety design criteria in IEEE Std 279-1971 or IEEE Std 603-1991). Because such failures are likely to occur during the life of the plant, the design basis for the plant needs to consider the analysis of the possible effects (consequences) of such failures."

   The premise that cascading effects caused by a single failure are similar to CCFs caused by latent defects in DI&C SSCs is not appropriate. Cascading effects caused by a single failure are within the station's design basis, whereas a CCF caused by a latent defect is a beyond-design-basis event; therefore, the analogy inappropriately equates design basis and beyond-design-basis expectations.

   In Section 3 the BTP states, "Spurious operations originating from CCFs are one within the scope of this BTP," and points to footnote 11, which describes spurious operations within the design basis (single failures, to include cascading effects). The BTP then states, "As stated in the Background section of this BTP, CCF should be evaluated in a manner consistent with SRM-SECY 93-087. Therefore, the reviewer may consider the methodologies described in this BTP when evaluating spurious operations resulting from CCFs in a proposed system." Footnote 3 and the three sentences above (to include footnote 11) attempt to claim that SRM-SECY 93-087 provides the regulatory basis to analyze for spurious operations caused by CCFs. However, regarding footnote 3 and the 1st sentence, the design basis spurious operations are not within the scope of this BTP; therefore the premise is not correct and makes the argument logically false.

   In sum, footnotes 3 and 11 identify the regulatory basis for excluding cascading effects caused by a single failure from the scope of this BTP, but they do not provide a regulatory justification as to why spurious operations caused by CCFs are in scope of the BTP.

2. In the Regulatory Guidance portion of the BTP, it states, "NUREG-0800, SRP Section 7.7, 'Control Systems,' provides review guidance for addressing the potential for inadvertent (i.e., spurious) operation signals from control systems." SRP Section 7.7, under major design considerations that should be emphasized in the review, states, "Potential for inadvertent actuation - The control systems design should limit the potential for inadvertent actuation and challenges to safety systems."

   SRP Section 7.7 references SRM-SECY-93-087 (but does not reference BTP 7-19) as a connection to Position 4 of the SRM, which states, "A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in [Positions] 1 and 3 above." As such, the potential for inadvertent actuation of control systems is not connected to the spurious operations caused by CCFs as described in BTP 7-19.
2. Spurious Operation and Integrated System (Section 3)

Comment/Basis: In this section it is stated that, "The reviewer should consider whether a CCF of an integrated NSR DI&C system or platform (i.e., multiple NSR system functions controlled by the same platform) has the potential to result in spurious operation that would have unacceptable consequences. The reviewer should also consider the level of integration between safety and NSR systems as a potential vulnerability to be addressed in the application."

An NSR DI&C system can use the same platform for multiple system functions as long as there is sufficient segmentation.

Recommendation [strikethrough and bolded for emphasis]: Change to, "The reviewer should consider whether a CCF of an integrated NSR DI&C system or platform (i.e., multiple NSR system functions controlled by the same platform) has the potential to result in spurious operation that would have unacceptable consequences (e.g., improper segmentation including multiple NSR system functions controlled by one controller). The reviewer should also consider the level of integration between safety and NSR systems as a potential vulnerability to be addressed in the application."
3. Safety vs Non-Safety (Various)

Comment/Basis: The title and scope statement of the BTP focus on safety systems. Sections of the guidance still address non-safety systems, and this inconsistency between the title/scope and the review details creates confusion.

In the Background section it states [underlined and bolded for emphasis], "NUREG/CR-6303, 'Method for Performing Diversity and Defense in Depth Analyses of Reactor Protection Systems,' issued December 1994, describes control system defense-in-depth for NPPs. For example, Section 2.2 of NUREG/CR-6303 identifies the normal reactor control systems, the reactor trip system, the ESF actuation system, and the reactor monitoring and indication systems as individual echelons of defense."

NUREG/CR-6303 only focuses on RPS (i.e., protection systems). As such, the D3 methodology in NUREG/CR-6303 is not appropriate for use with any non-protection DI&C systems, even if they are considered safety-related high safety significant or non-safety-related control systems.

The only link to non-safety systems should be system integration and interconnectivity as described in Section 2.1.

Non-safety-related DI&C SSCs that are not integrated or interconnected with safety systems should be evaluated under other Chapter 7 SRP guidance, not BTP 7-19.

Recommendation: Change the phrase in the Background section to read [underline, strikethrough, and bold added for emphasis] "describes ~~control~~ **protection** system defense-in-depth for NPPs".
4. DI&C Categorization (Section 2)

Comment/Basis: The BTP states that "The use of risk insights, such as from a site-specific PRA, to demonstrate that an SSC is less safety-significant than these characteristics would indicate should be reviewed on a case-by-case basis."

Risk insights from a site-specific PRA to support a determination of safety significance for a particular DI&C system or component are independent from the deterministic criteria in (a) thru (d). The risk insights could determine that a particular DI&C SSC is less (or more) safety significant than the deterministic characteristics would indicate.

The purpose of Section 2 is to adjust the rigor of the assessment (i.e., D3 or qualitative assessment) based on certain safety characteristics; as such, there is no need to have four categories. In particular, the title of "(b) Low Safety Significance: Non-safety-related SSCs that Perform Safety-Significant Functions" creates logical inconsistencies, in that an SSC that performs safety-significant functions should not be labeled "Low Safety Significance."

Recommendation: Reword the sentence on risk insights to state "The use of risk insights, such as from a site-specific PRA, that are used to determine the safety-significance of a particular DI&C system or component should be reviewed on a case-by-case basis."

Instead of 4 sets of characteristics (i.e., (a) thru (d)), only use 2 sets of characteristics as described below:

- The 1st set of characteristics is for high safety-significant safety-related SSCs (currently (a)). The characteristics under (a) should be limited to only the 2nd and 3rd criterion (i.e., remove the 1st and 4th criterion). For (a), a D3 is necessary.
- The 2nd set is not a list of characteristics, rather the complement of (a) (i.e., not (a)). For SSCs that meet the "not (a)" case, a qualitative assessment is appropriate.

Based on the two bullets above, delete all of the (b), (c), and (d) characteristics and state that any DI&C system or component that does not meet the characteristics of (a) will be evaluated with a qualitative assessment.
5. Software and Hardware Latent Defects (Section A, Background)

Comment/Basis: Paragraph two states, "DI&C systems or components are vulnerable to common cause failures (CCFs) due to latent defects in active hardware components, software, or software-based logic." The term "latent defects" is too broad for the scope of the BTP. The focus should be on latent defects in design only and should not include latent defects in manufacturing and fabrication processes.

The phrase "active hardware components" is vague and could include hardware CCFs outside the scope of this BTP. The only hardware CCFs that should be considered within scope are those in hardware components that have been programmed using software.

Recommendation: Add the term "design" to the term "latent defects" to read "latent design defects". Delete the phrase "active hardware components" and replace it with "hardware components programmed with software tools".
6. Crediting Existing Systems (Section B.3.2.1)

Comment/Basis: The second paragraph states [bolded for emphasis]: "ATWS system to be credited demonstrates that the system (1) is not subject to the same CCF as the equipment performing the reactor trip function within the proposed DI&C system, (2) is capable of functioning under the event conditions expected and of sufficient quality, and (3) is responsive to the AOO or PA sequences using sensors and actuators other than those proposed for accomplishing the reactor trip function within the proposed DI&C system."

The text in bold is not congruent with 10 CFR 50.62.

Recommendation [strikethrough and bolded for emphasis]: Change the sentence to read, "ATWS system to be credited demonstrates that the system (1) is not subject to the same CCF as the equipment performing the reactor trip function within the proposed DI&C system, (2) is capable of functioning under the event conditions expected and of sufficient quality, and (3) is responsive to the AOO or PA sequences using sensors and actuators other than those proposed for accomplishing the reactor trip function within the proposed DI&C system."
7. Manual System Level Actuation and Indications to Address Position 4 (Section 4)

Comment/Basis [underlined and bolded for emphasis]: The section states, "The applicant may credit existing displays and controls in the MCR to satisfy Position 4. However, the reviewer should confirm that the applicant did not also credit the same digital platform or analog technology for Position 1 or 3 (e.g., for mitigating DBEs) because Position 4 specifies that the MCR displays and controls shall be independent and diverse from those credited for Position 1 and 3." Systems credited for Position 3 must be diverse from the digital system being replaced. However, they do not also have to be diverse from Position 4.

Recommendation [underlined, strikethrough, and bolded for emphasis]: "Position 4 specifies that the MCR displays and controls shall be independent and diverse from those ~~credited for~~ **vulnerable to CCF in** Position 1 and 3".
8. Best Estimates (Various)

Comment/Basis: The BTP states in several places that consequences of CCFs are bounded by the acceptance criteria defined in the FSAR, with no mention of best estimates or realistic assumptions.

Recommendation: Ensure the guidance is clear that best estimates or realistic assumptions can be used when assessing the consequences of CCFs, given that CCFs are a beyond-design-basis event.
9. Independent and Diverse (Various)

Comment/Basis: Use of the term "independent" can cause confusion because there are different definitions used by practitioners.

Recommendation: Add a clarification on "independent" that isolation is not required for safety-related manual controls that are connected downstream of the digital I&C safety system outputs in the same safety division.
10. Defensive Measures (Section B.3.1.3)

Comment/Basis: The BTP states, "NRC-approved defensive measures may be used to eliminate the CCF from further consideration. The NRC approval should include a supporting technical basis and acceptance criteria for the use of the defensive measure. The reviewer should confirm that the defensive measure is approved for the application described in the D3 assessment."

Section 3.1.3 creates an opportunity for an NEI solution to appropriately address CCFs caused by latent design defects.

However, the current language focusing on NRC-approved defensive measures is limiting. NEI does not plan to submit a list of various defensive measures for approval; rather, a performance-based methodology based on safe design objectives and various defensive measures can be used to meet those objectives.

Recommendation: Change the 1st paragraph in Section 3.1.3 to read:

"An NRC-approved performance-based methodology may be used to eliminate the CCF from further consideration. The reviewer should confirm that the defensive measure(s) used to meet the performance-based methodology includes a supporting technical basis and meets the acceptance criteria in this BTP."

Make necessary changes to the other paragraphs in Section 3.1.3 to align with the description above.
11. Background (Section A)

Comment/Basis: The last line on page 2 states, "the NRC considers CCF in DI&C systems to be a beyond-design-basis event (BDBE)." Only CCF in safety-related DI&C systems is a BDBE.

Recommendation [bolded for emphasis]: Change to "the NRC considers CCF in **safety-related** DI&C systems to be a beyond-design-basis event (BDBE)."
12. Review Responsibilities (Title page)

Comment/Basis: Section 2 of the BTP discusses risk insights from Probabilistic Risk Analyses (PRAs); as such, the staff in the Division of Risk Analysis (DRA) in NRR should be listed as a secondary organization for review responsibilities.

Recommendation: Change the Secondary Review Responsibilities to read:

"Secondary - Organizations responsible for the review of reactor and containment systems, human factors engineering (HFE), and risk analysis."