ML21350A101


Enclosure 2: Centrus Digital I&C IROFS Amendment 17-SER
ML21350A101
Person / Time
Site: 07007004
Issue date: 04/28/2022
From:
Office of Nuclear Material Safety and Safeguards
To:
American Centrifuge Operating
J Tobin, NMSS/MSST
Shared Package
ML21292A281 List:
References
EPID L-2020-LLA-0125


Text

OFFICIAL USE ONLY - SECURITY RELATED INFORMATION PROPRIETARY INFORMATION - EXPORT CONTROLLED INFORMATION

SAFETY EVALUATION REPORT

DOCKET NO.: 70-7004

LICENSE NO.: SNM-2011

LICENSEE: AMERICAN CENTRIFUGE OPERATING, LLC

SUBJECT: REQUEST TO MODIFY LICENSE APPLICATION FOR INTEGRATED SAFETY ANALYSIS, AND LICENSE CONDITION 19 FOR THE AMERICAN CENTRIFUGE PLANT IN PIKETON, OHIO

1.0 INTRODUCTION

1.1 License Application and Review Documents

By letter dated June 30, 2021 (Reference 1), American Centrifuge Operating, LLC (ACO) (licensee), a wholly owned indirect subsidiary of Centrus Energy Corp., submitted a license amendment request (LAR) for approval to modify its Materials License SNM-2011 and Supporting Documents for the American Centrifuge Plant (ACP) in Piketon, Ohio. The licensee's letter requested the Nuclear Regulatory Commission (NRC) to review and approve proposed changes to LA-3605-0001, "License Application for the American Centrifuge Plant," LA-3605-0003, "Integrated Safety Analysis Summary for the American Centrifuge Plant," and Condition 19 of NRC's Materials License SNM-2011. The LAR would permit Centrus to implement embedded digital technology in four items relied on for safety (IROFS) for the High Assay, Low-Enriched Uranium (HALEU) Demonstration Program.

1.2 Supporting Information

The NRC staff's letter of August 27, 2021 (Reference 2) to ACO requested additional information (RAI) to support the LAR. ACO responded to the staff's RAI by letter dated September 21, 2021 (Reference 3). As part of the staff's evaluation of the licensee's LAR, the staff held two teleconferences with the licensee. The first teleconference was held August 3, 2021 to discuss the technical basis and methodology which the NRC staff planned to apply in its review of the LAR. The teleconference call summary for this meeting is Reference 4. In the second teleconference the NRC staff explained the basis for the RAIs and the licensee explained its proposed approach to address the RAIs. The teleconference call summary for the second meeting is in Reference 5. Additional telephone conferences between the NRC staff and the licensee were held in January 2022, and a summary of these conferences is in Reference 9. Subsequently, ACO submitted additional information in "Supplement to American Centrifuge Operating, LLC's License Application and Supporting Documents for the American Centrifuge Plant," by letter dated February 3, 2022 (Reference 18).

To support the NRC staff's review, the licensee made available several documents, including IROFS boundary definition documents and vendor-supplied equipment specifications and manuals of appropriate technical significance for the staff's reference during its review of the LAR. These documents were made available to the staff using the licensee's SharePoint portal.


1.3 Background

ACO possesses two gas centrifuge enrichment facility licenses from the NRC. The subject of this amendment, License (SNM-2011) (Reference 6) was issued on April 13, 2007 under Title 10 of the Code of Federal Regulations (10 CFR) Parts 30, 40, and 70 for a period of 30 years for the construction and operation of a commercial production facility known as the ACP.

The commercial ACP site lies within the southwest quadrant of the Department of Energy's (DOE) Piketon, Ohio nuclear material enrichment facility. The NRC's safety and safeguards review conducted for the initial license application (LA) for the commercial ACP is documented in NUREG-1851 (Reference 7), which was issued in September 2006. License SNM-2011 was subsequently modified in 2014 to reflect USEC Inc.'s change of name to Centrus.

On May 31, 2019, ACO signed a 3-year letter contract with the DOE to deploy a cascade of 16 operating uranium enrichment centrifuges to demonstrate production of HALEU fuel up to an enrichment of 19.75 percent uranium-235 (U-235). The contract terms were finalized on October 31, 2019. The contract states the ACP HALEU Demonstration Program has two primary objectives:

1. Deploy a 16-machine cascade producing 19.75 percent U-235 enriched HALEU product; and
2. Demonstrate the capability to produce HALEU with existing U.S.-origin enrichment technology and produce for DOE, by the end of the 3-year contract period, between 200 and 600 kilograms of HALEU in the form of uranium hexafluoride (UF6) for future use in DOE's research and development activities and other programmatic missions.

On April 22, 2020, ACO submitted a license amendment application (Reference 8) to operate the HALEU cascade under the ACP license until its 3-year contract period with DOE ends on May 31, 2022. The license amendment application contained an enclosure consisting of a marked license application indicating that the current design of the ACP does not include any items relied on for safety (IROFS) that use software, firmware, microcode, Programmable Logic Controllers, and/or any digital device, including hardware devices that implement data communication protocols. The license amendment application also contained a marked Integrated Safety Assessment (ISA) Summary that identified the proposed use of engineered controls serving as IROFS to prevent and/or mitigate identified potential hazards that may arise through operation of the facility. On June 11, 2021, the NRC staff approved the license amendment application, and issued its safety evaluation report (SER) for the High Assay Low-Enriched Uranium Demonstration Program at the ACP Piketon, Ohio Facility (Reference 12).

During the development of the detailed design of the IROFS for the HALEU Demonstration Program at the ACP facility, ACO identified that analog versions of six instrumentation devices planned for use in four of the proposed facility IROFS are obsolete and no longer commercially available. The licensee has, therefore, proposed changes to the license application, the ISA Summary, and License Condition 19 (LC 19) to reflect the incorporation of instrumentation devices that are functionally similar to the six originally planned analog devices, but which contain embedded digital technology with limited configurability. These proposed new devices are currently commercially available with product support by their vendors and will perform the same required safety functions as their original analog equivalents.

1.4 Licensee's Requested Change to License SNM-2011, Condition 19

License Condition 19 requires the licensee to receive the NRC's approval prior to implementing digital electronic devices used in digital IROFS. The LAR requested approval to incorporate digital devices on four IROFS systems supporting nuclear criticality safety (NCS) under the HALEU Demonstration Program. There were no digital devices within IROFS systems when LC 19 was originally imposed. However, the NRC and the licensee included the condition to ensure prior approval of the introduction of digital devices involving systems that are relied upon for safety.

The LAR also requested approval of proposed changes to the ACP License Application and ISA Summary to reflect the licensee's commitment to implement the applicable portions of the 2010 version of IEEE-336, "Recommended Practice for Installation, Inspection, and Testing Requirements for Class 1E Power, Instrumentation, and Control Equipment at Nuclear Facilities," and applicable portions of the 2003 version of IEEE 7-4.3.2, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations." These standards would be applicable as management measures appropriate for incorporation of digital technology into IROFS for the HALEU Demonstration Project at the ACP facility.

License SNM-2011 Condition 19 currently requires that digital IROFS meet specific design criteria to be approved by the NRC prior to being placed into service. In Enclosure 5 of Reference 1, the licensee states the proposed digital components (SSCs) are to be used in four separate IROFS systems and are limited to configurable alarm/trip controllers and pressure transmitters, each of which has only vendor-supplied firmware that is configurable, but not modifiable by the user.

In the current License SNM-2011, LC 19 states:

19. Currently, there are no IROFS that have been specified as using software, firmware, microcode, Programmable Logic Controllers, and/or any digital device, including hardware devices which implement data communication protocols (such as fieldbus devices and Local Area Network controllers), etc. Should the design of any IROFS be changed to include any of the preceding features, the licensee shall obtain Commission approval prior to implementing the change(s). The licensee design change(s) shall comply with accepted best practices in software and hardware engineering, including software quality assurance controls as discussed in the Quality Assurance Program Description throughout the development process and the applicable guidance of the following industry standards and regulatory guides:
a. American Society of Mechanical Engineers (ASME) NQA-1-2008 with the NQA-1a-2009 Addenda, Part I, Requirement 3, Design Control, Section 800, Requirement 11, Test Control, and Part II, Subpart 2.7, Quality Assurance Requirements for Computer Software for Nuclear Facility Applications.
b. Regulatory Guide 1.168, Verification, Validation, Reviews, and Audits for Digital Software Used in Safety Systems of Nuclear Power Plants, Revision 1, February 2004.
c. Regulatory Guide 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997.
d. Regulatory Guide 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997.
e. Regulatory Guide 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997.
f. Regulatory Guide 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997.

Within the LAR, the licensee proposed to modify the condition to state (Reference 1):

For any IROFS that have been specified as using software, firmware, microcode, Programmable Logic Controllers, and/or any digital device, including hardware devices which implement data communication protocols (such as fieldbus devices and Local Area Network controllers), the licensee shall obtain Commission approval prior to implementing the change(s).

In its LAR (Reference 1) the licensee did not propose other changes to LC 19. However, during telephone conferences between the NRC staff and the licensee held in January 2022 (Reference 9), the licensee agreed to incorporate applicable portions of newer versions of the standards and guidance listed in LC 19. ACO supplemented its LAR with a letter dated February 3, 2022 (Reference 18) in which ACO proposed to incorporate newer versions of the standards and guidance into LC 19, as its accepted best practices for software and hardware engineering for IROFS that implement digital technology.

In its February 3, 2022 letter, ACO proposed adopting the following versions of standards and NRC guidance into LC 19:

a. American Society of Mechanical Engineers (ASME) NQA-1-2008 with the NQA-1a-2009 Addenda, Part I, Requirement 3, "Design Control," Section 800, Requirement 11, "Test Control," and Part II, Subpart 2.7, "Quality Assurance Requirements for Computer Software for Nuclear Facility Applications."
b. Regulatory Guide 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 2, July 2013.
c. Regulatory Guide 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.
d. Regulatory Guide 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.
e. Regulatory Guide 1.172, Software Requirements Specifications for Digital Computer Software and Complex Electronics Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.
f. Regulatory Guide 1.173, Developing Software Life-Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.


2.0 REGULATORY EVALUATION

2.1 Applicable Regulations

Title 10 of the Code of Federal Regulations (10 CFR), Subpart H, Section 70.62, "Safety program and integrated safety analysis," requires that each licensee or applicant shall establish and maintain a safety program that demonstrates compliance with the performance requirements of Section 70.61. The safety program may be graded such that management measures applied are graded commensurate with the reduction of the risk attributable to that item. Pertinent to the review of this LAR, the following elements of this safety program must be addressed:

  • 70.62 (c)(vi): Each item relied on for safety identified pursuant to Paragraph 70.61(e) of this subpart, the characteristics of its preventive, mitigative, or other safety function, and the assumptions and conditions under which the item is relied upon to support compliance with the performance requirements of Section 70.61.
  • 70.62 (d) Management measures: Each applicant or licensee shall establish management measures to ensure compliance with the performance requirements of Section 70.61. The measures applied to a particular engineered or administrative control or control system may be graded commensurate with the reduction of the risk attributable to that control or control system. The management measures shall ensure that engineered and administrative controls and control systems that are identified as items relied on for safety pursuant to Paragraph 70.61(e) of this subpart are designed, implemented, and maintained, as necessary, to ensure they are available and reliable to perform their function when needed, to comply with the performance requirements of Section 70.61 of this subpart.
  • 70.72 (a) requires the licensee to establish a configuration management system to evaluate, implement, and track each change to the site, structures, processes, systems, equipment, components, computer programs, and activities of personnel.

2.2 Applicable Guidance

During its review of this license amendment request, the NRC staff considered the following guidance as applicable to its review:

  • NUREG-1520, Revision 2, Standard Review Plan for Fuel Cycle Facilities License Applications, U. S. Nuclear Regulatory Commission, Office of Nuclear Material Safety and Safeguards, Washington, DC, June 2015 (Reference 13)
  • Digital Instrumentation and Control Interim Staff Guidance No. 7 (DI&C-ISG-07), Revision 1, Digital Instrumentation and Control Systems in Safety Applications at Fuel Cycle Facilities, (Reference 14)
  • Regulatory Issue Summary 2016-05, Embedded Digital Devices in Safety-Related Systems, (Reference 15)

The staff found that the guidance documents listed above provide useful information regarding considerations for management measures for IROFS with digital devices, including approaches that would demonstrate the licensee has established management measures sufficient to address the requirements of 10 CFR 70.62 and LC 19.

In addition, the staff considered the following nuclear industry standard guidance to aid its evaluation of ACO's proposed management measures for establishing and maintaining setpoints for the proposed digital IROFS:

This RG describes an approach that is acceptable to the NRC staff to meet regulatory requirements to ensure that: (a) setpoints for safety-related instrumentation are established to protect nuclear power plant safety and analytical limits, and (b) the maintenance of instrument channels implementing these setpoints ensures they are functioning as required, consistent with the plant technical specifications.

This RG endorses American National Standards Institute (ANSI)/International Society of Automation (ISA) Standard 67.04.01-2018, Setpoints for Nuclear Safety-Related Instrumentation. Among other things, the ANSI/ISA 67.04.01 standard provides criteria for assessing the performance of safety-related instrument channels to ensure they remain capable of achieving their required safety functions in a reliable manner. This performance monitoring process requires the establishment of acceptable As Found tolerance limits used to check whether an instrument channel is functioning as required, and the establishment of acceptable As Left tolerance limits used to establish the maximum allowed deviation from the desired setpoint of the instrument channel and still be considered as within calibration.

  • IEEE 7-4.3.2-2003 Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations. This standard specifies additional computer-specific requirements (incorporating hardware, software, firmware, and interfaces) to supplement the criteria and requirements of IEEE Std 603-1998. The staff recognizes that the NRC does not include IEEE Standard 603 as a requirement applicable to the design of fuel cycle facilities, such as enrichment facilities. However, the NRC staff notes that Sections 3 and 5 of IEEE 7-4.3.2-2003 provide definitions and criteria that are useful for ensuring the quality, integrity, and reliability of digital computers and devices used for the safety functions of such facilities.

3.0 TECHNICAL EVALUATION

3.1 Scope of the Staff's Evaluation of the LAR (Reference 1)

The licensee described the selection and design of the affected IROFS in the LAR (Reference 1) and also in its proposed changes for LA-3605-003A, Addendum 1 of the ISA Summary that was included as an enclosure to Reference 8. The current (analog) IROFS were identified in the HALEU Demonstration Program Integrated Safety Assessment as Active Engineered Controls for potential criticality safety hazards identified in the licensee's process safety information program. This process safety information program was evaluated as part of the NRC staff's June 11, 2021 approval (Reference 12), specifically, within Section A.3.1 and A.3.4 of the staff's integrated safety analysis evaluation, Appendix A. The affected IROFS were all classified as active engineered controls meeting the ACP QL-2 classification level applicable to the ACP facility design. As previously reviewed by the NRC staff, these affected IROFS incorporated analog technology devices to accomplish the required safety functions.

Regulations in 10 CFR 70.64(a)(9) require that baseline design criteria for criticality control adhere to the double contingency principle (DCP). The performance requirements of 10 CFR 70.61(d) must be followed to reduce the risk of nuclear criticality accidents by assuring that under normal and abnormal conditions all nuclear processes are subcritical. The DCP is a mechanism designed to protect against the occurrence of at least two unlikely, independent, and concurrent changes that could result in a criticality accident. NUREG-1520, in Section 3.4.3.2 (9) and Section 5.4.3.1.4, describes examples of the DCP and how it may be used to meet the performance requirements of 10 CFR 70.61. Maintaining subcriticality is required by 10 CFR 70.61(d) and ACO has proposed to use the DCP to demonstrate that process conditions are maintained subcritical and IROFS are in place to protect against the occurrence of at least two unlikely, independent, and concurrent changes that could result in a criticality accident.

The IROFS that are affected by this LAR (Reference 1) were selected to function as one leg of a double contingency to prevent or mitigate an analyzed hazard for the ACP HALEU Demonstration Program. The adequacy of the selection and design of active engineered controls IROFS for achieving the facility performance requirements was evaluated by the NRC staff as part of its June 2021 approval, "Safety Evaluation Report for the High Assay Low-Enriched Uranium Demonstration Program at the ACP Piketon, Ohio Facility" (Reference 12). Section A.3.4 of Appendix A of the staff's safety evaluation (Reference 12) states: "The staff reviewed accident sequences associated with criticality, chemical, fire, and radiological safety. The staff found that for credible criticality, fire, and radiological accident sequences, ACO designated initiating event frequencies, failure frequencies, and consequences consistent with its ISA methodology." Appendix A of the staff's safety evaluation also states: "The staff found that ACO's ISA program and methodology provides the mechanism for ACO to reasonably and systematically select and apply relevant facility processes, identify credible high and intermediate consequence accident sequences, determine accident sequence consequences and likelihoods and apply appropriate IROFS and supporting management measures."

The NRC staff's June 2021 safety evaluation found the selection and design of the affected IROFS to be adequate to satisfy the applicable baseline design criteria of 10 CFR Part 70.64 for nuclear criticality safety requirements and the guidance for adhering to the DCP as described in NUREG-1520 Rev. 2, Chapter 5 Appendix A. As part of the review of the licensee's April 2020 LAR and ISA Summary (References 8 and 9), the staff performed a sampling (horizontal and vertical slice) review of the design of the proposed facility IROFS sufficient to become familiarized with the specific IROFS applications, their boundaries, and how they are credited for hazard mitigation as active engineered controls meeting the QL-2 categorization to ensure that none of the proposed IROFS are being relied on as a sole IROFS for mitigation of an identified hazard.

The purpose of this safety evaluation (i.e., for the licensee's June 30, 2021 LAR and ISA Summary transmitted within Reference 1) is to determine whether the introduction of digital technology devices into previously approved analog IROFS and the licensee's proposed management measures to be applied to the IROFS which are now proposed to incorporate digital technology will allow the IROFS to remain adequate to satisfy the requirements of Subpart H of 10 CFR 70 Paragraph 70.62, and Condition 19 of the ACP facility license SNM-2011, with the incorporation of digital technology devices. The purpose is also to determine whether there is reasonable assurance that: (1) the licensee is qualified by reason of training and experience to use the nuclear material for the purpose requested in accordance with the regulations in this chapter, (2) the licensee's proposed equipment and facilities are adequate to protect health and minimize danger to life or property, and (3) the licensee's proposed procedures to protect health and to minimize danger to life or property are adequate.

In Enclosure 5 of Reference 1, the licensee states that the proposed digital components (SSCs) are to be used in four separate IROFS systems and are limited to configurable alarm/trip controllers and pressure transmitters, each of which has only vendor-supplied firmware that is configurable, but not modifiable by the user. Footnote 1 of Enclosure 5 to Reference 1 clarifies that "The distinction here is that the embedded firmware provides the operator a limited set of pre-programmed configuration options, but that reprogramming of the embedded software cannot be accomplished through this user interface; changes to the set of options necessitates a firmware upgrade."

Sections 3.2 through 3.6 of this safety evaluation document the staff's evaluation of the management measures that have been applied by the licensee. These management measures are required to ensure that the affected IROFS are designed, implemented, and maintained to ensure they are available and reliable to perform their function when needed, to comply with the performance requirements of Section 70.61 of 10 CFR. Specifically, the staff focused on those management measures that affect the digital technology employed in the design, implementation, and maintenance of the affected IROFS.

3.2 Identification of the Specific IROFS Which Implement Digital Technology

of Reference 1 identifies the specific IROFS that will incorporate digital devices as follows: (Note that information appearing in brackets [ Security Related Information Withheld under 10 CFR 2.390 ] is considered proprietary information that is removed from public versions of this document [Reference 19]).

[ Security Related Information Withheld under 10 CFR 2.390 ]

Table 1 IROFS Incorporating Digital Devices

According to Enclosure 5 of Reference 1, the four digital IROFS requiring NRC approval are limited to four different electronic component types:

o Two different configurations of alarm/trip controller modules, and

o Two types of pressure transmitters: one absolute pressure (vacuum), and one differential pressure transmitter

All four of the devices share the following common set of basic design criteria:

o Use of Embedded Software: The devices use only embedded (non-user-programmable) software, in the form of firmware that allows user configuration settings (e.g., setpoints) but not user programming. The devices are used within the constraints of the manufacturer's intended design.

o Stand-alone: Each device employs a stand-alone architecture, which enables circuit isolation capability to prevent failures in adjacent systems outside its IROFS boundary or prevents non-QL-2 SSCs from affecting the operability of the IROFS digital device.

o Fail-Safe: The IROFS devices are implemented to enable fail-safe SSCs and architectures - Components and loops are chosen and arranged such that the occurrence of a failure will result in a tripped state credited for nuclear safety.

o Go/No-Go Decision: The devices have limited functional complexity to enable simple Go/No-Go decisions, such as a simple trip based on a single parameter input and a simple logic decision. An example of this would be a valve trip closure based on exceeding a parameter input (like sensed process pressure) setpoint limit.

o Safety Function/Reliability: Management measures ensure initial reliability through modification acceptance testing and continued reliability through periodic surveillance and maintenance testing under quality-controlled programs and procedures.

o Diversity: IROFS systems employ different SSCs and architecture to minimize the potential for a common-cause failure in both legs of a nuclear criticality safety (NCS) double contingency of active engineered controls.

In accordance with the ACP facility Quality Assurance Program Description (QAPD), a graded approach to quality is employed for facility IROFS. The IROFS that employ digital devices are part of a subset of IROFS classified as QL-2. Quality Level QL-2 defines the classification appropriate for the application of two or more IROFS that prevent or mitigate a high consequence event; or, one or more IROFS that prevents or mitigates an intermediate consequence event. Among the QAPD quality criteria appropriate for QL-2 IROFS are criteria specifically for devices developed with computer programs. These criteria include:

(1) Computer program verification includes appropriate testing and validation, and (2) Verification must be completed prior to relying on the program to perform its safety function.

Also, the identification of testing for modification acceptance is required by the plant modification process, and the completion of all design verification prior to implementation is a requirement of the plant modification process.

As stated above, each of the IROFS that are designed with digital devices is credited in the licensee's ISA Summary (Reference 9) as a single leg of a double contingency evaluated in the nuclear criticality safety evaluation that defined the need for the IROFS. Each IROFS has been designed with sufficient diversity within the double contingency protection scheme such that no common cause failure of the affected IROFS can occur with the IROFS of the other leg of the double contingency. (Reference Attachment 2 of Enclosure 5 of Reference 1). Further, the licensee states in Attachment 2 that IROFS 7.3.6.4.2.1 and 7.3.6.4.2.2 both activate a set of two isolation valves which must both shut before temperature and/or pressure parameters that support the condensation of moderator exist. Together, these diverse controls each support one leg of a double contingency protection scheme, because a valve failure can affect only one leg. The staff's review of the LAR and supporting materials identified that the IROFS are designed to act in a stand-alone manner, such that there is no connectivity among logic devices which could affect another leg of the double contingency, thus achieving a high level of independence among the control legs of the double contingency and minimizing the possibility of a common cause failure occurring that could result in a nuclear criticality event. The staff notes that the design of IROFS by incorporating diversity and high levels of independence, and the establishment of appropriate management measures (as described in Section 3.4 to demonstrate reliability and availability) provide a high confidence that these digital IROFS will function to perform their required safety actions when needed.

3.3 Suitability of Methods for Evaluation of Management Measures for IROFS with Limited User-Configurable Embedded Digital Devices Against the Criteria within License Condition 19 Listed Guidance and Standards.

of the LAR incorporates the licensee's Engineering Evaluation EE-3901-0077, Rev. 2. The staff notes the focus of ACO's LAR (Reference 1) was on demonstrating that the requirements in the specific wording of LC 19 were addressed adequately when introducing digital technology devices within IROFS. The licensee discusses the continuing requirement for ACO to obtain NRC approval prior to implementing IROFS that use software, firmware, microcode, Programmable Logic Controllers, and/or any digital device, including hardware devices which implement data communication protocols. Enclosure 5 evaluates the applicability of quality development, testing, validation, and verification processes used in the design of the proposed digital devices, that are to be incorporated into the affected IROFS, against criteria contained in the industry standards and regulatory guides listed in LC 19. The staff notes this evaluation is necessary to support the LAR. However, additional information was needed for the staff to evaluate whether the management measures are capable of demonstrating reliability and availability of the digital equipment to be used in the affected IROFS. This information was requested by the staff in a RAI (Reference 2) and was provided by ACO by letter (Reference 3).

The language of LC 19 of SNM-2011 reflects the NRC staff's longstanding concerns with inadequate evaluation by licensees and applicants of the quality and reliability aspects of the design and development of digital devices proposed for use in safety applications, and this language has been incorporated into other special nuclear materials licenses since the early mid-2000s. The staff's pre-2009 versions of digital I&C-related regulatory guides and standard review plans provided early guidance on the use of digital devices in regulated facilities. This early guidance addressed the use by licensees of programmable computer-based devices as safety controls for fuel cycle facilities. The guidance also focused on the potential use of programmable digital computers and microprocessor-based controls equipment as safety-related active engineered controls. This restrictive language, which was placed into license conditions, served to prohibit NRC-licensed fuel cycle facilities from incorporating safety controls into the facility's normal distributed process control system without adequate prior evaluation. An adequate evaluation would consider such factors as high-quality development processes, and diversity or independence of the proposed digital safety control from non-safety controls. For these reasons, the NRC staff imposed the restrictive language in LC 19 of the ACP SNM-2011 license, when it was issued in 2007.

License Condition 19 requires that computer-based devices employed for facility design change(s) shall comply with accepted best practices in software and hardware engineering, including software quality assurance controls as discussed in the Quality Assurance Program Description throughout the development process and the applicable guidance listed in the License Condition. In 2007 when SNM-2011 was issued, the standards and regulatory guidance in LC 19 were deemed appropriate for development of automated logic systems requiring significant user programming, including the integration of operating system software for microprocessor-based control systems hosting application-specific software. Such computer-based systems and software were anticipated to be developed with a significant degree of systems integration and user programming, resulting in large files of programming language commands and interfacing board-level commands for which it is difficult to demonstrate error-free performance. The quality standards and development, test, and validation and verification guidance documents listed in LC 19 provide a structured form of system design and development that was expected to result in a high quality of completed systems integration, test, and validation to result in significantly fewer performance errors or faults.

However, in the LAR of Reference 1, the licensee proposes to incorporate within a small set of facility IROFS digital devices of limited user configurability and variability, with no user programming capabilities. As noted in Section 3.2 above, the proposed devices use only embedded (non-user-programmable) software, in the form of firmware that allows user configuration settings (e.g., setpoints), but not user programming. The devices are also to be used within the constraints of the manufacturer's intended design. The standards and guidance documents listed in LC 19 primarily apply to the development of computer and microprocessor-based systems, which have a high degree of programmability or user configurability. Therefore, only a limited set of design and development criteria within the industry standards and NRC guidance documents listed in LC 19 are applicable to such limited configurability devices.

Furthermore, because the devices within the IROFS containing embedded digital devices are fully developed and programmed by instrument vendors by the time the devices are purchased, ACO has no control over the digital development process used. However, the licensee can still ensure that its procurement process requires that a high-quality development process was employed by the vendor, and that the licensee's management measures ensure that such devices are configured, installed, tested, and periodically maintained in accordance with high-quality standards throughout its in-plant lifecycle. The standards and regulatory guides identified in LC 19 include criteria that are applicable to the use of embedded digital technology.

The NRC staff evaluated the licensee's Enclosure 5 of the LAR, containing Engineering Evaluation EE-3901-0077, Rev. 2 that provides the bases and conclusions that the proposed digital devices are embedded digital devices that meet the requirements of LC 19. The licensee's engineering evaluation identified and presented the complete set of LC 19-applicable design characteristics to support its request for NRC approval of the affected digital IROFS.

The licensee analyzed the proposed design of the digital devices within IROFS against the codes and standards referenced in LC 19. ACO incorporated applicable best practices for software and hardware engineering, including necessary software quality assurance controls, beyond those already identified for management of IROFS that are a part of the facility QAPD or other facility programs.

The staff notes that Section 5 (Evaluation of the Designs) and Attachment 2 (Design Verification Matrix) of this engineering evaluation in Enclosure 5 of the LAR provide a basis to identify appropriate management controls that would be needed to satisfy the configuration, installation, testing, and periodic maintenance requirements of LC 19. The staff finds the incorporation of the management measures described in Enclosure 5 is an acceptable means of ensuring that high quality digital IROFS are part of the facility design. The examples of management measures provided by ACO include establishing configuration requirements and settings for each device within surveillance requirements, and incorporating the specific requirements for each digital IROFS into appropriate maintenance and surveillance procedures.

While the staff recognizes that identification and follow-up for implementation of quality measures appropriate to use of such embedded digital devices serve to enhance the proper implementation and operation of the devices, the staff believes that to assess the availability and reliability of such devices, additional information, such as data characterizing its expected reliability performance is needed. Because the purchased components are designed by vendors, with operations external to the licensee QAPD program, the staff requested additional evaluation information. Specifically, the staff sought information on how the licensee controls the reliability performance capability of digital devices when management measures are not within its control.

In its RAI (Reference 2), the staff requested the licensee provide information on applicable design quality, operating experience, and reliability estimates for the proposed IROFS that contain digital components. To facilitate the staff's understanding of the context in which the digital IROFS were to be used, the staff also requested the licensee to make available documents and drawings depicting the establishment of IROFS boundaries associated with the need for the IROFS. The staff's evaluation of the licensee's response to these RAIs is discussed in Section 3.4 below.

3.4 Criteria for Evaluation of Management Measures Regarding the Reliability and Availability of IROFS Implementing Limited User-Configurable Embedded Digital Devices

The staff notes that after the issuance of the ACP facility license in 2007 (Reference 6), the NRC staff met with representatives of the nuclear industry, public interest groups, external stakeholders, and members of the public from 2007-2010 to consider clarifications and enhancements to the NRC staff guidance for conducting reviews of license amendments and applications for the inclusion or upgrade of equipment using digital I&C technology. The guidance developed during this process is available on the NRC Public Web site at https://www.nrc.gov/reading-rm/doc-collections/isg/digital-instrumentation-ctrl.html.

The staff developed guidance specifically to address the review of digital I&C equipment used in safety applications at fuel cycle facilities, entitled: DI&C-ISG-07, Digital Instrumentation and Control Systems in Safety Applications at Fuel Cycle Facilities (Reference 14). Additionally, the NRC published a Regulatory Issue Summary regarding embedded digital devices, entitled RIS-2016-05, Embedded Digital Devices in Safety-Related Systems (Reference 15). These documents provide criteria for evaluating the reliability, quality, and operating experience of previously designed equipment containing digital components within them.

One section of DI&C-ISG-07, Independence of Controls used as IROFS, states that although not required by 10 CFR Part 70, licensees of fuel cycle facilities may use sensors, logic solvers, and actuators certified by third-party certifying organizations to achieve a specific risk reduction value through an analysis of their inherent design features and a thorough analysis of their failure modes and effects. Such systems are considered acceptable for use in some IROFS applications, commensurate with the degree of risk reduction needed to prevent or mitigate an event sequence. The user of such devices should verify when implementing such systems within its facility, that the conditions described within the certification statement or safety manual for that equipment have been satisfied.

The staff guidance, DI&C-ISG-07, states that third-party certifying organizations should possess the capability for performing software and hardware failure analyses addressing the topical requirements of functional safety, as described in International Electrotechnical Commission (IEC) Standard IEC 61508 (Reference 16).

IEC 61508 is an international standard that provides key criteria for ensuring Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems. Its aim is to provide design criteria and standards for safety instrumented systems to achieve acceptable levels of high reliability performance by following rigorous hardware and software safety life-cycle processes and procedures and to maintain detailed design and performance documentation.

IEC 61508 is the international standard used by safety equipment manufacturers to verify and document that their products are suitable for use in systems for which safety integrity level (SIL) performance has been defined. The appropriate SIL to be chosen for use of a particular device is selected commensurate with the degree of risk reduction sought for that application. The goal of IEC 61508, and of functional safety in general, is for automatic safety controls to perform their intended functions correctly or for the system to fail in a safe and predictable manner. The standard focuses attention on levels of risk-based safety-related system design and requires the attention to detail vital to safe system design.

Standard requirements within IEC 61508 focus on the elimination of potential systematic faults during the development process using best practice product design methods. Failure analyses should include both deterministic and probabilistic methodologies, to result in a higher probability of identifying both systematic and probabilistic hardware and software failures which could occur during use. The DI&C-ISG-07 (December 2010) section entitled Quality Design Process for Systems Development states: Product assessments performed to the requirements of IEC 61508 should include hardware probabilistic failure analyses, field failure analyses, and quality system development evaluation. In addition, it should include an assessment of the capability of the system for fault avoidance and an evaluation of fault control measures implemented during hardware and software development. The development process assessment evaluates the system development testing, modification, user documentation (Safety Manual) and manufacturing processes.

The NRC staff recognizes that the use of SIL-certified equipment does not, by itself, provide assurance that the equipment will be applied and integrated correctly. However, when SIL-certified equipment is properly evaluated for suitability in achieving the level of risk reduction needed for the specific hazard prevention or mitigation, and appropriate management measures are established to calibrate and periodically test and maintain this equipment, implementation of SIL-certified equipment has been shown to be effective at achieving the high reliability needed for accomplishing safety functions.

The staff's Regulatory Issue Summary RIS-2016-05 (Reference 15) further elaborates by stating the guidance provided in DI&C-ISG-07 is helpful when considering CCFs for digital controls and functions in safety-related applications. The criteria of independence, redundancy, and diversity are addressed regarding the protection of digital I&C system channels and functions from potential common-cause failures.

3.4.1 Staff Evaluation of Reliability and Availability of Digital IROFS with Third-Party Certification against IEC Standard 61508 Criteria

In the licensee's response (Reference 3) to the staff's RAIs, the licensee stated that although IEC (61508) SIL-rated devices are not specifically required by the ACO design and modification processes, it will use the devices (when available) to reduce modification costs by crediting the vendor's industry standard test and reliability documentation. The NRC staff finds the use of high quality, commercially available SIL-rated instrumentation and controls equipment designed for use in safety applications, is appropriate. The staff also finds it is acceptable to incorporate appropriate vendor-furnished and third-party evaluations of design lifecycle, validation, test, and reliability documentation into the licensee evaluation of expected safety performance when such vendor-furnished evaluation is based on third-party certification of that equipment to provisions within the IEC 61508 standard.

The licensee's RAI response states that five of the six digital device types (see Table 1 above) implement third-party certified SIL-rated components. The sixth digital device type, a pressure manometer, was not available with IEC (61508) SIL ratings for usage in the HALEU Demonstration Program. The licensee states:

As part of the design process, instrument design, vendor testing and reliability as well as past experience with the product and specific vendor were considered in establishing the reliability of the instrument.

The licensee made available for staff review vendor documentation including device data sheets, summaries of vendor failure mode, effects and diagnostic analysis reports, and Safety Integrity Level Certificates for the digital device types which were procured for the facility and which were third-party SIL-certified devices. Specifically, this information was provided for Digital Device Types a., b., d., and e., of Table 1 above. The NRC staff observed that a third-party certifying organization had performed evaluations of these devices against the applicable criteria of IEC 61508, as well as performed evaluations of failure rates for these devices, including estimates of dangerous failure (both detected and undetected), safe failure undetected, and of safe failure fraction (%). The data indicated that the selected devices were deemed highly reliable components, capable of performing as up to SIL-3 level of risk reduction, if needed, provided that the devices were implemented and operated in accordance with the conditions outlined in the certifier's Safety Manual.

For device type f. the licensee included an IEC 61508-based Functional Safety Assessment and a Reference Manual for the staff's review. Independently, for device type f., the NRC staff verified that an IEC 61508 Certification Assessment had been performed by a highly qualified U.S. third-party certifying organization, which included an estimate of the probability of failure on demand and of safe failure fraction (%). The results of these evaluations indicated that this device was also deemed to be a high reliability and high availability device, capable of functioning as up to SIL-3 level of risk reduction as needed, provided it was implemented and operated in accordance with the conditions outlined in the certifier's Safety Manual.

The licensee stated in Reference 3 that these devices are certified by accredited certification bodies as meeting SIL criteria or are otherwise SIL-compliant per IEC 61508 standards. ACO selected the units concluding they exhibit sufficient, vendor-sourced reliability for use in this modification. In addition, the licensee made available for NRC inspection operation and maintenance manuals for these devices, which include specific provisions for use in safety systems.

The NRC staff finds that for Digital Device Types a., b., d., e., and f. in Table 1 above, the combination of the following licensee actions serves to provide a high degree of assurance that the IROFS using these devices will be sufficiently reliable and available to perform their required safety functions, when needed, to meet the facility performance requirements:

a. Selection and implementation of high quality commercially available digital devices with limited user configurability and no user programmability, that have been evaluated by an accredited third-party certifying organization against the applicable criteria of IEC 61508 and found to have met the design criteria requirements necessary to achieve the level of risk reduction needed for the application, provided such devices are implemented and maintained in accordance with the conditions stated in the product and safety manuals; and
b. Evaluation of vendor operation and maintenance manuals and third-party certification manual documentation to identify appropriate configuration and surveillance requirements and to understand the conditions under which the digital device has been found to meet to achieve the device's estimated safety performance.

Incorporation of these settings, configuration requirements, and surveillance requirements into the facility surveillance evaluations, boundary definition documents, and facility maintenance procedures.

The NRC staff's review of the materials submitted with the LAR and the licensee's response to the staff's RAIs shows that the licensee has achieved both actions above such that there is a high degree of assurance that the IROFS using these devices will be sufficiently reliable and available to perform their required safety functions, when needed.

3.4.2 Staff Evaluation of Reliability and Availability of Digital IROFS without Third-Party Certification against IEC Standard 61508 Criteria

The licensee states in their response to the NRC staff's RAIs (Reference 3) that they were not able to procure a third-party SIL-rated component for the sixth digital device type (Digital Device Type c. in Table 1 above), because none are available. For this reason, estimates of failure performance, such as probability of failure on demand or safe failure fraction (%) from the vendor or a third-party certification organization could not be included within its evaluation as to the reliability or availability of the device. The device was [ Security Related Information Withheld under 10 CFR 2.390 ]

The licensee could not identify any IEC 61508 SIL-rated [ Security Related Information Withheld under 10 CFR 2.390 ] which would meet all three of these requirements. The [ Security Related Information Withheld under 10 CFR 2.390 ] was chosen because:

a. [ Security Related Information Withheld under 10 CFR 2.390 ] Their devices have been used extensively by ACO in similar process applications.
b. [ Security Related Information Withheld under 10 CFR 2.390 ]
c. [ Security Related Information Withheld under 10 CFR 2.390 ]

Since no certification to the IEC-61508 standard is available for this device, the licensee performed a detailed analysis of the design of this digital device to assess its likelihood of failure during operations under the conditions expected for the application. A concern regarding the performance of this device is that expected process conditions could result in excessive instrument drift. The licensee noted that although the manufacturer established a calibration frequency of once per year, the manufacturer's literature does not specify an expected drift value. A reasonable assumption adopted by ACO for expected drift is that the manufacturer sets the calibration interval based on the expected drift, so that the expected drift is not more than the reference accuracy over the course of the recommended calibration interval. The reference accuracy is 0.25 percent of reading and the recommended calibration interval is 1 year. The licensee's setpoint and performance acceptance test criteria analysis used a very conservative, bounding approach to estimate the drift. The calibration interval was decreased from 1 year to once every 4 months, and the drift value was increased to 1 percent of reading.

The potential for change in [ Security Related Information Withheld under 10 CFR 2.390 ] was accounted for by requiring a zero check of the [ Security Related Information Withheld under 10 CFR 2.390 ] once every 30 days. The [ Security Related Information Withheld under 10 CFR 2.390 ]

The NRC staff verified the actions of the licensee in incorporating these design and performance requirements into management measures. The NRC staff reviewed the licensee's instrument setpoint calculation documents and examined the criteria used to establish the performance test acceptance criteria (i.e., the as found tolerance limit and as left setting tolerance limit) for this device. Specifically, the staff noted that the licensee followed the guidance of ANSI/ISA 67.04.01-2018 Setpoints for Nuclear Safety-Related Instrumentation when establishing the as found and as left tolerance limits. The NRC staff endorses the use of ANSI/ISA 67.04.01-2018 without exceptions or clarifications in its Regulatory Guide 1.105, Revision 4. The NRC review of the licensee's setpoint calculations and its plans for calibration of the device found that the licensee has appropriately implemented an as found tolerance limit that would not inadvertently mask an excessive drift of the device during its scheduled calibration checks.

The establishment of a required monthly zero check of the device ensures that excessive drift of the device can be identified and eliminated, such that the device will remain more accurate than would have otherwise been indicated by the vendor's defined drift. Also, the performance of a zero check every 30 days provides a significant number of opportunities throughout the year for licensee personnel to observe performance of the device, thereby enabling the possible early identification of other potential performance issues, if any, that may occur between successive 4-month interval surveillances.

The NRC staff finds that the licensee demonstrated extensive experience in using this type of device, and its actions to evaluate and address potential failure mechanisms of the device with appropriate management measures to enhance calibration and surveillance of the device, will provide reasonable assurance that the device will be reliable and available to perform its required safety actions when needed.

3.5 Summary of Staff Evaluation of Management Measures Applied to Digital IROFS

For the reasons outlined in Section 3.4, the staff finds that the licensee will be implementing adequate management measures to ensure that the six digital device types identified in Table 1 above will be designed, implemented, and maintained, as necessary, to ensure they are available and reliable to perform their function when needed. In particular, the staff notes that the licensee will provide reasonable assurance of adequate protection through:

1. Selection, evaluation of suitability for use under the expected facility conditions, and implementation of high quality commercially available digital devices with limited user configurability and no user programmability, that have been evaluated by an accredited third-party certifying organization against the applicable criteria of IEC 61508 and found to have met the design criteria requirements necessary to achieve the level of risk reduction needed for the application, provided such devices are implemented and maintained in accordance with the conditions stated in the product and safety manuals; or Selection, evaluation of suitability for use under the expected facility conditions, and implementation of high quality commercially available digital devices with limited user configurability and no user programmability, for which the licensee does not have third-party certification but does have extensive previous operating experience with the device in similar applications, and for which the licensee performed a thorough analysis of the device's possible failure mechanisms, and addressed these possible failure mechanisms through the development of management measures which incorporate frequent checks on device drift, frequent calibration surveillance, and establishment of conservative performance acceptance test criteria.
2. Evaluation of vendor operation and maintenance manuals or third-party certification manual documentation to identify appropriate configuration and surveillance requirements and to understand the conditions under which the digital device has been found to meet to achieve the device's estimated safety performance. Incorporation of these settings, configuration requirements, and surveillance requirements into the facility surveillance evaluations, boundary definition documents, and facility maintenance procedures.

The NRC staff's review of the materials submitted with the LAR and in response to the RAIs, as well as the licensee's commitment to use the management measures described above is the basis for the staff's finding the licensee has demonstrated a high degree of assurance that the use of these six digital devices will enable the four affected IROFS to be sufficiently reliable and available to perform their required safety functions, when needed.

Additionally, the staff notes that the licensee plans to comply with the 2010 version of IEEE-336, Recommended Practice for Installation, Inspection, and Testing Requirements for Class 1E Power, Instrumentation, and Control Equipment at Nuclear Facilities. The staff found this recommended practice to be acceptable for installing and periodically inspecting and testing devices used in IROFS for fuel cycle facilities, including devices with embedded digital technology.

3.6 Programmatic Management Measures and Controls

The staff evaluated the LAR to determine whether management measures and configuration management programs have been appropriately modified to address the current and possible future use of IROFS using digital technology components and their firmware or software. The programmatic areas of concern to the staff include the quality assurance program, the procurement/supply chain, incoming receipt inspection process, test program for identifying potential defects, suitability of commercial grade dedicated devices for the environment in which they will be installed, and the vendor quality inspection process.

The NRC staff used the applicable acceptance criteria in NUREG 1520, Revision 2 (Reference 13) to evaluate the current licensing basis documents, (i.e., current license (Reference 6)); revised license application for the HALEU Demonstration Program (Reference 8), and integrated safety analysis summaries for the commercial American Centrifuge Plant and HALEU Demonstration Program (Reference 9) and its Addendum 1 (Reference 10). The staff also reviewed the HALEU Demonstration Program SER, dated June 2021 (Reference 12), engineering evaluations associated with the amendment request, the ACO Quality Assurance Program Description (Reference 11), and ACO's responses to the staff's RAIs, dated September 21, 2021 (Reference 3).

Section 11.0 of the license application, Management Measures, describes the program to maintain the availability and reliability of IROFS (Reference 8). In Section 11.0 of the license application, ACO commits to applying the management measures specified in the ISA to ensure the reliability and availability of each IROFS. In its responses to the staff's RAIs (Reference 3) for this LAR, ACO stated that it made revisions to its document control programs to include management measures for commercial off the shelf (COTS) digital components that are used as part of quality level 2 (QL-2) IROFS. Additionally, ACO stated that implementation of its current configuration management and quality assurance program also ensures management measures are developed for digital components in IROFS. The revised document control programs and the current configuration management and quality assurance program establish management measures and controls for procurement and design specifications. ACO's approach involves Failure Modes and Effects Analysis, receipt, inspection, pre-operational testing, consideration of the operating environment, and periodic surveillance of COTS components. ACO's RAI response indicates its existing configuration management and quality assurance programs are consistent with the current LC 19, which requires the NRC's approval prior to implementing IROFS that contain digital components. Moreover, ACO's existing programs will remain consistent with the proposed revision to LC 19, which requires NRC approval prior to implementing additional digital technology in IROFS or altering the characteristics of digital technology in previously approved applications in IROFS.

License Condition 19 will be revised as follows:

The licensee shall obtain Commission approval prior to implementing new digital technology within IROFS that use digital technology for previously approved process safety applications, or in any other IROFS of the facility. Such digital technology includes the use of software, firmware, microcode, Programmable Logic Controllers, and/or any digital device, including hardware devices which implement data communication protocols (such as fieldbus devices and Local Area Network controllers). The licensee shall also obtain Commission approval prior to implementing a change to Commission-approved IROFS that incorporate digital technology which adds new or alters the characteristics of existing digital technology as described above.

Proposed licensee digital technology change(s) shall comply with accepted best practices in software and hardware engineering, including software quality assurance controls as discussed in the Quality Assurance Program Description throughout the development process and the applicable guidance of the following industry standards and regulatory guides:

a. American Society of Mechanical Engineers (ASME) NQA-1-2008 with the NQA-1a-2009 Addenda, Part I, Requirement 3, "Design Control," Section 800, Requirement 11, "Test Control," and Part II, Subpart 2.7, "Quality Assurance Requirements for Computer Software for Nuclear Facility Applications."
b. Regulatory Guide 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 2, July 2013.
c. Regulatory Guide 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.
d. Regulatory Guide 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.
e. Regulatory Guide 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.
f. Regulatory Guide 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, July 2013.

Altering the Characteristics of Existing Digital IROFS

The final sentence of the first paragraph of the revised LC 19 states:

The licensee shall also obtain Commission approval prior to implementing a change to Commission-approved IROFS that incorporate digital technology which adds new or alters the characteristics of existing digital technology as described above.

The phrase "or alters the characteristics of existing digital technology" addresses potential future changes to digital devices within IROFS that have been approved by the NRC to incorporate digital devices. The intent of this phrase is to enable licensees to perform evaluations of upgraded digital devices using their approved change control processes to identify whether a device is simply undergoing a firmware upgrade that improves the reliability of the device while accomplishing the exact same functionality, or whether the firmware adds functionality that was not previously evaluated by the licensee. Changes to devices that are proposed by the original equipment vendor to improve device reliability without adding new functionality to the device, and which are reviewed by a third-party certifying organization as meeting the appropriate safety integrity level criteria described in IEC 61508 and for which a new safety certificate is issued, do not need to be evaluated by the NRC staff prior to implementation within the previously approved IROFS. However, a device that is changed to another original equipment manufacturer, or that has received additional functionality that has not been previously evaluated for use in the NRC-approved IROFS, is considered to meet the definition of "alters the characteristics of" and would need to have prior NRC approval before implementation.

Additionally, as stated in Chapter 3 of the SER for the HALEU Demonstration Program (Reference 12), process safety will be evaluated in an operational readiness review conducted before the introduction of UF6 under the existing License Condition 11. License Condition 11 states:

Introduction of UF6 into any module of the ACP, including the HALEU Demonstration cascade, shall not occur until the Commission completes an operational readiness and management measures verification review to verify that management measures that ensure compliance with the performance requirements of 10 CFR Section 70.61 have been implemented and confirms that the facility has been constructed and will be operated safely and in accordance with the requirements of the license. The licensee shall provide the Commission with 120 days advance notice of its plan to introduce UF6 in any module of the ACP, including the HALEU Demonstration cascade. (Reference 6)

The NRC staff will conduct an operational readiness review, which includes management measures verification, to confirm implementation of the program changes and approach that ACO described in its RAI response and to verify that the licensee's management measures ensure:

  • The identification of embedded digital devices (EDDs) in purchased components early enough in the equipment procurement process (even when specifications of the equipment may not identify that such devices are part of the equipment),
  • The rigorous testing of devices containing EDDs, and their firmware, to identify potential defects in the EDDs and their firmware, and

The NRC staff finds that ACO has met the acceptance criteria for management measures as outlined in Sections 3.4.3.1 and 3.4.3.2 of NUREG-1520 (Reference 13). The staff bases its findings on its review of ACO's LAR and RAI response, and the imposition of License Conditions 11 and 19, as revised.


3.0 CONCLUSION

As outlined above, the staff evaluated the statements and commitments ACO made in its license amendment request to modify its License Application for the American Centrifuge Plant, (LA-3605-0001), its integrated safety analysis summary for the American Centrifuge Plant, (LA-3605-0003), and Condition 19 of Materials License SNM-2011. The staff confirmed statements made by ACO in these submitted application materials by reviewing significant applicable technical documents made available for NRC staff review. The staff finds reasonable assurance that the management measures ACO will apply to the design of digital technology used within IROFS for the ACP facility HALEU Demonstration Program are adequate because:

1. The licensee has identified and addressed within the license amendment request, the ISA Summary, and supporting documents, for each of the affected digital IROFS, the characteristics of preventive, mitigative, or other safety functions performed by these IROFS, and the assumptions and conditions under which the item is relied upon to support compliance with the performance requirements of Section 70.61 of 10 CFR.
2. The proposed management measures associated with these digital IROFS will ensure that these engineered controls and control systems, and associated administrative actions are designed, implemented, and maintained, as necessary, to ensure they will be available and reliable to perform their function when needed, to comply with the performance requirements of Section 70.61 of 10 CFR.
3. A configuration management system has been established to evaluate, implement, and track each change to the systems, equipment, components, computer programs, and activities of personnel, related to the proposed digital IROFS, pursuant to Paragraph 70.72 (a) of 10 CFR.

The documents supporting the license amendment request demonstrate ACO's compliance with the management measures requirements of 10 CFR 70.62(d) and contribute to reasonable assurance that: (1) the licensee is qualified by reason of training and experience to use the material for the purpose requested in accordance with the regulations in this chapter, (2) the licensee's proposed equipment and facilities are adequate to protect health and minimize danger to life or property, and (3) the licensee's proposed procedures to protect health and to minimize danger to life or property are adequate.

4.0 REFERENCES

1. Letter dated June 30, 2021, from Ms. Kelly L. Fitch, Regulatory Manager, American Centrifuge Operating, LLC to Mr. John W. Lubinski, Director, Office of Nuclear Material Safety and Safeguards, USNRC, transmitting American Centrifuge Plant License Amendment Request for ACO's License Application and Supporting Documents for the American Centrifuge Plant, Docket 70-7004, License SNM-2011. (Agencywide Documents Access and Management System (ADAMS) Accession Number ML21196A038)
2. Letter dated August 27, 2011, from Yawar H. Faraz, Senior Project Manager, USNRC to Ms. Kelly L. Fitch, Regulatory Manager, American Centrifuge Operating, LLC, transmitting a request for additional information associated with ACO's License Amendment Application for High Assay Low-Enriched Uranium Demonstration Program Digitally Based Items Relied on For Safety. (ADAMS Accession Package Number ML21235A021 (Non-Public)); Cover Letter for Transmittal (ADAMS Accession Number ML21235A022 (Public)); Enclosure to Cover Letter (ADAMS Accession Number ML21235A023 (Non-public))

3. Letter dated September 21, 2021, from Ms. Kelly L. Fitch, Regulatory Manager, American Centrifuge Operating, LLC to Mr. John W. Lubinski, Director, Office of Nuclear Material Safety and Safeguards, USNRC, transmitting American Centrifuge Plant License Amendment Responses to the NRC staff's Request for Additional Information associated with ACO's License Amendment Application for High Assay Low-Enriched Uranium Demonstration Program Digitally Based Items Relied on For Safety. (ADAMS Accession Package Number ML21267A517 (Non-public)); Cover Letter for Transmittal (ADAMS Accession Number ML21267A501 (Public)); Enclosure to Cover Letter (ADAMS Accession Number ML21267A502 (Non-public))
4. Memorandum dated October 19, 2021 from Yawar H. Faraz, Senior Project Manager to Jacob I. Zimmerman, Chief, Fuel Facility Licensing Branch, Division of Fuel Management, Office of NMSS, transmitting a Meeting Summary for the August 3, 2021 teleconference between the NRC staff and representatives of ACO, LLC to discuss the technical basis and methodology the NRC staff planned to apply in its review of the LAR. (ADAMS Accession Package Number ML21237A140 (Non-public)); Telephone Call Summary Cover Memorandum (ADAMS Accession Number ML21237A142 (Public)); Enclosure with Call Summary (ADAMS Accession Number ML21237A141 (Non-public))

5. Memorandum dated October 1, 2021 from Yawar H. Faraz, Senior Project Manager to Jacob I. Zimmerman, Chief, Fuel Facility Licensing Branch, Division of Fuel Management, Office of NMSS, transmitting a Meeting Summary for the September 8, 2021 teleconference between the NRC staff and representatives of ACO, LLC to discuss the NRC staff's Request for Additional Information, and the licensee's proposed approach for addressing it. (ADAMS Accession Package Number ML21260A061 (Non-public)); Telephone Call Summary (ADAMS Accession Number ML21260A062 (Non-public)); Cover Letter for the Telephone Call Summary (ADAMS Accession Number ML21260A063 (Public))
6. Special Nuclear Materials License SNM-2011, issued May 24, 2007 under 10 CFR Parts 30, 40 and 70 for a period of 30 years for the construction and operation of a commercial production facility known as the American Centrifuge Plant (ACP). (ADAMS Accession Number ML17136A379)

7. NUREG-1851, Safety Evaluation Report for the American Centrifuge Plant in Piketon, Ohio, Docket 70-7004, dated September 2006. (ADAMS Accession Number ML062700087)
8. ACO's Revised License Amendment (RLA) for the HALEU Demonstration Program at the American Centrifuge Project, dated April 22, 2020. (ADAMS Accession Package Number ML20125A126 (Non-Public)); ACO Cover Transmittal Letter (ML20125A103 (Public)); Revised License Amendment Part 1 of 2 (ML20125A108 (Non-Public)); Revised License Amendment Part 2 of 2 (ML20125A116 (Non-Public)); Integrated Safety Analysis Summary (ML20125A109 (Non-Public)); Proposed Changes for LA-3605-0003A Addendum 1 of the Integrated Safety Analysis Summary Part 1 of 2 (ML20125A117 (Non-Public)); Proposed Changes for LA-3605-0003A Addendum 1 of the Integrated Safety Analysis Summary Part 2 of 2 (ML20125A106 (Non-Public))

9. Summary of January 4, 10 and 13, 2022, Teleconferences with Centrus-American Centrifuge Operating, LLC, Regarding Proposed License Condition 19 for the Digital Instrumentation and Control Items Relied on For Safety License Amendment Request, dated January 25, 2022. Cover Letter for Summary (ADAMS Accession Number ML22012A156 (Public)); Summary of January 4, 10 and 13, 2022, Teleconferences (ADAMS Accession Number ML22012A157 (Non-public))
10. Addendum 1 of ISA Summary for the American Centrifuge Plant - HALEU Demonstration, Proposed Changes for LA-3605-003A Marked Changes to Revision 19 (April 14, 2020). ACO Cover Letter Transmittal Letter (ML20125A103 (Public)); Enclosure with Addendum 1 (ADAMS Accession Number ML20125A117 (Non-Public))

11. ACO Quality Assurance Program Description, Revision 23 (April 2020) (ADAMS Accession Number ML20125A105)
12. NRC Safety Evaluation Report for the High Assay Low-Enriched Uranium Demonstration Program at the ACP Piketon, Ohio Facility, dated June 2021 (ADAMS Accession Package Number ML21138A826); Cover Letter (ADAMS Accession Number ML21138A827 (Public)); Safety Evaluation Report, Encl 1, SER Ch 1-14 (ADAMS Accession Number ML21148A291 (Public)); License (ADAMS Accession Number ML21138A828 (Public))
13. NUREG-1520, Revision 2, Standard Review Plan for Fuel Cycle Facilities License Applications, U.S. Nuclear Regulatory Commission, Office of Nuclear Material Safety and Safeguards, Washington, DC, June 2015 (ADAMS Accession Number ML15176A258)
14. Digital Instrumentation and Control Interim Staff Guidance No. 7 (ISG-07), Revision 1, Digital Instrumentation and Control Systems in Safety Applications at Fuel Cycle Facilities (ADAMS Accession Number ML101900316)
15. Regulatory Issue Summary 2016-05, Embedded Digital Devices in Safety-Related Systems, (ADAMS Accession Number ML15118A015)
16. International Electrotechnical Commission, IEC Standard IEC-61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems - Parts 1 to 7, Edition 2.0, April 2010
17. Letter dated October 7, 2021, from Ms. Kelly L. Fitch, Regulatory Manager, American Centrifuge Operating, LLC to Mr. John W. Lubinski, Director, Office of Nuclear Material Safety and Safeguards, USNRC, transmitting Amendment 2 to the Appendix 1 Lease Agreement Between the U.S. Department of Energy and United States Enrichment Corporation for the Gas Centrifuge Enrichment Plant. (ADAMS Accession Package Number ML21286A085 (Non-Public)); Cover Letter for Transmittal (ADAMS Accession Number 21286A083 (Public)); Enclosure (ADAMS Accession Number ML21286A084 (Non-Public))
18. Letter dated February 3, 2022, from Ms. Kelly L. Fitch, Regulatory Manager, American Centrifuge Operating, LLC to Mr. John W. Lubinski, Director, Office of Nuclear Material Safety and Safeguards, USNRC, transmitting a Supplement to American Centrifuge Operating, LLC's License Application and Supporting Documents for the American Centrifuge Plant (Enterprise Project Identification Number: L-2021-LLA-0125). (ADAMS Accession Number ML22038A255)

19. U.S. NRC Non-Public Version of Safety Evaluation Report for ACO's Request to Modify License Application for Integrated Safety Analysis, and License Condition 19 for the American Centrifuge Plant in Piketon, Ohio (ADAMS Accession Number ML21350A101), April 2022

5.0 PRINCIPAL CONTRIBUTORS:

David Rahn, NRR/DEX
Michael Call, NMSS/DFM
April Smith, NMSS/DFM
Yawar Faraz, NMSS/DFM