ML22152A271

Digital Instrumentation and Control Common Cause Failure Policy Considerations, Revision 1

Site: Nuclear Energy Institute
Issue date: 06/01/2022
From: Andy Campbell, Nuclear Energy Institute
To: Eric Benner, Document Control Desk, Office of Nuclear Reactor Regulation

ALAN CAMPBELL
Technical Advisor, Generation and Suppliers
1201 F Street, NW, Suite 1100
Washington, DC 20004
P: 202.739.8011
adc@nei.org
nei.org

June 1, 2022

Mr. Eric J. Benner
Director, Division of Engineering and External Hazards
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject: Digital Instrumentation and Control Common Cause Failure Policy Considerations, Revision 1
Project Number: 689

Dear Mr. Eric Benner,

On behalf of the Nuclear Energy Institute's (NEI)[1] members, we are providing the attached revision to the white paper that NEI submitted on April 8, 2022, titled "Digital Common Cause Failure Policy Considerations," for NRC staff consideration as the staff evaluates a potential expansion of the existing policy documented in SRM/SECY-93-087. On April 20, 2022, the NRC staff issued a publicly available draft outline of a SECY paper that would propose expanding the existing digital common cause failure policy. NEI revised the white paper to clarify the following topics based upon the information described in the draft outline of the SECY paper.

Uses of Risk Insights

The NRC describes multiple guiding principles in the SECY outline that invoke risk-informed standards (i.e., Regulatory Guides 1.174 and 1.200) or uses of risk insights that extend beyond NEI's intended use to address digital common cause failure. NEI previously used the term "risk-informed" to describe the industry input to the digital common cause failure policy based upon the definition of risk-informed decision making provided by the NRC Glossary:

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

"An approach to regulatory decision making, in which insights from probabilistic risk assessment are considered with other engineering insights."[2]

The NEI white paper uses the term "risk-informed" in a manner that is consistent with the NRC's definition of risk-informed decision-making. That is, the approach utilizes insights from probabilistic risk assessment (PRA) that are considered together with other engineering insights. The NRC's own research has shown that it is not possible to directly model digital I&C systems, and in particular common cause failure modes of digital I&C systems, in a PRA. Consequently, the traditional approach of Regulatory Guide 1.174, which uses a PRA to compute a change in CDF/LERF, is not possible. Therefore, the change in CDF/LERF for unique design techniques also cannot be computed. The industry proposes to instead use bounding sensitivity studies using an appropriate PRA model to help determine the level of rigor associated with the defense-in-depth analysis performed and the level of protection against loss of function in the design of the I&C system.

Diverse Main Control Room Displays and Controls

SRM/SECY-93-087 Point 4 requires diverse, independent main control room displays and controls for manual, system-level actuation of critical safety functions and for monitoring of parameters that support the safety functions. The NRC SECY outline states the following:

  • Regulations appropriately require diverse and independent displays and controls

The regulations cited in the outline (10 CFR 50.55a(h) and 10 CFR 50.62) require manual initiation for protection functions and require diversity for specific Anticipated Transient Without Scram (ATWS) functions. Combining these design techniques (i.e., manual initiation and diversity) into a single policy statement expands the intended scope of each existing regulation. Manual initiation of protection functions and diversity are useful design techniques (individually and in combination) that should be applied when supported by engineering analysis, unless required by 10 CFR 50.55a(h) or 10 CFR 50.62. The NRC staff should propose a new common cause failure policy that permits the use of risk insights without imposing prescriptive diversity requirements.

[2] https://www.nrc.gov/reading-rm/basic-ref/glossary/risk-informed-decisionmaking.html

Please contact me at adc@nei.org or (202) 439-3698 should you have any questions or concerns.

Sincerely,

Alan Campbell

Attachment: Digital Common Cause Failure Policy Considerations, Revision 1

c: Steve Wyman (NRR/DEX/ELTB)
   Michael Waters (NRR/DEX/EICB)
   Samir Darbali (NRR/DEX/ELTB)
   NRC Document Control Desk

WHITE PAPER

Digital Common Cause Failure Policy Considerations
Revision 1

Prepared by the Nuclear Energy Institute
June 1, 2022

© NEI 2022. All rights reserved. nei.org

Acknowledgements

This document was developed by the Nuclear Energy Institute. NEI acknowledges and appreciates the contributions of NEI members and other organizations in providing input, reviewing, and commenting on the document.

NEI Project Lead: Alan Campbell

Notice

Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information, apparatus, methods, or process disclosed in this report, or represent that such use may not infringe privately owned rights.

Digital Common Cause Failure Policy Considerations

Common cause failures (CCF) have the potential to introduce failure modes that defeat redundancy. CCF can exist in all systems, including those using analog technology. Traditionally, the potential for CCF is minimized through the application of special treatments, such as quality assurance, testing, and maintenance. The NRC's current policy on CCF in digital systems, developed 30 years ago, is unique in that it requires the applicant to assume that a CCF occurs and permits only diversity to be used to mitigate the failure. The purpose of this white paper is to provide the NRC with information related to a potential expanded policy for digital CCF. The policy considerations described within this document are intended to address digital common cause failure in both Light Water Reactor (LWR) designs and non-LWR designs. Non-LWR designs use different terminology for terms such as "safety function" and "safety-significant," and have different regulatory requirements.

SRM/SECY-93-087 provides the NRC policy on CCF in digital systems. Within this policy, the NRC provides guidance to:

  • assess the defense-in-depth and diversity of the proposed digital system,
  • demonstrate adequate diversity for each postulated common-mode failure (or common cause failure) for each event evaluated in the nuclear power plants accident analysis,
  • provide a diverse means of accomplishing safety functions, if the postulated common-mode failure (or common cause failure) could disable a safety function, and
  • provide diverse displays and controls in the main control room for manual, system-level actuation of critical safety functions.

The SRM/SECY-93-087 policy was influenced by the NRC staff's understanding of the state of digital instrumentation and control technology in the early 1990s. Specific concerns were provided in SECY 292 and reaffirmed in SECY-93-087 that led to the use of diversity as the sole means to overcome digital common cause failure. In these SECY papers, the NRC describes the following concerns:

  • Lack of digital I&C experience in nuclear applications;
  • Absence of requirements and standards related to digital-specific design aspects; and
  • Lack of guidance and standards related to software development processes.

In the past 30 years, these concerns have been addressed by numerous industries, resulting in mature design and software development practices and increased application of digital I&C technology. US and international standards organizations (e.g., the Institute of Electrical and Electronics Engineers (IEEE), the International Electrotechnical Commission (IEC), and the International Society of Automation (ISA)) have developed guidance for the full lifecycle of digital I&C technology and have created robust processes to update these standards. Many of these standards have been endorsed by the NRC for use in nuclear safety-related applications or accepted by the NRC in project-specific reviews (e.g., Safety Evaluations for Triconex[1], RadICS[2], and TXS[3]). Digital I&C technology has been used in numerous nuclear non-safety applications and has been implemented in a limited way within safety-related applications. Many licensees have determined that digital non-safety control system upgrades have significantly decreased turbine-related initiating events. One utility reported that with BWR Digital Feedwater, BWR Turbine Controls, and PWR Turbine Controls upgrades, the sites reduced the associated scram rates by 95%, 83%, and 74%, respectively. Outside of the nuclear power generation industry, digital I&C technology is used extensively in safety applications in industries such as automotive, aviation, chemical processing, and defense. As such, risk and hazards analysis techniques have matured to support these safety-critical applications. When applied appropriately, modern hazards analysis techniques have been proven effective by researchers and practitioners in identifying systematic failures (including common cause failures). In essence, the NRC concerns that contributed to the creation of the SRM/SECY-93-087 policy 30 years ago have been addressed rigorously in numerous industries, and reliance on diversity alone as a means of protecting against common cause failure is no longer needed.

Beyond the SRM/SECY-93-087 policy, diverse protection systems are not required within 10 CFR Parts 50 and 52. The interpretation of General Design Criterion 22, "Protection system independence," summarized in NUREG-0800 Branch Technical Position (BTP) 7-19 is too narrow. It states that for high safety significant safety-related SSCs, GDC 22 requires functional diversity, to the extent practical. In fact, GDC 22 states: "Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function." GDC 22 requires design techniques to prevent the loss of the protection function, not functional diversity specifically. Limiting design techniques to only functional diversity, as stated in BTP 7-19, or to component (i.e., equipment) design diversity does not fulfill the intent of GDC 22. As a result, no rulemaking would be needed to allow the use of other measures to protect against common cause failure.

10 CFR 50.55a(h), "Codes and Standards, Protection and safety systems," requires compliance with IEEE 603-1991 or IEEE 279-1971. Both IEEE standards require a means for manual initiation of protection actions, but neither standard requires these means to be diverse. 10 CFR 50.62, "Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants," provides requirements for limited use cases of diversity (Pressurized Water Reactors: auxiliary feedwater, turbine trip, scram (vendor specific); Boiling Water Reactors: alternate rod injection).

Except for the specific functions listed in 10 CFR 50.62, diversity is not the benchmark against which design techniques should be compared. Additionally, neither GDC 22 nor 10 CFR 50.62 specifies displays and controls in the main control room for system-level, manual actuation of critical safety functions as described in SRM/SECY-93-087. SRM/SECY-93-087 Point 4 requires "manual, system level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system [...]." Displays and controls (and the means of providing them) are design techniques that should be used where supported by appropriate engineering analysis unless defined within the scope of 10 CFR 50.62 or 10 CFR 50.55a(h). The new CCF policy should not provide prescriptive requirements that exceed those required by existing regulations.

[1] Final Safety Evaluation for the Triconex Topical Report, April 20, 2012. ADAMS Accession Number ML120900899
[2] Safety Evaluation by the Office of New Reactors and the Office of Nuclear Reactor Regulation, AREVA NP Topical Report ANP-10272, "Software Program Manual for Teleperm XS Safety Systems," July 5, 2011. ADAMS Accession Number ML111801119
[3] RadICS Final Non-Proprietary SE and Transmittal Letter, July 31, 2019. ADAMS Accession Number ML19134A193

In addition, reliance on diversity alone would not reduce the likelihood of a malfunction in the I&C system in all cases. Research of nuclear power plant events concludes that the leading contributing factor to those events was system requirements errors (both I&C and non-I&C system requirements).[4] Implementing diversity may not always be effective in addressing system requirements errors. For example, if the same design requirements are used for the safety system and the diverse system, the same incorrect design functions will be designed into both systems and verified and validated as correct.

Additionally, aviation industry experts have identified that system complexity from diverse systems has contributed to errors leading to aircraft accidents.[5][6] Alternatively, modern hazards analysis techniques (e.g., Systems-Theoretic Process Analysis) are effective in the identification of potential design errors that could lead to the failure of system functions. To determine their effectiveness, researchers have provided digital I&C system designs to engineering teams to implement modern hazards analysis techniques.[7] The engineering teams were unaware of defects in these system designs that either led to digital events or were identified in late project stages. Using these modern hazards analysis techniques, the engineering teams successfully identified the design errors earlier in the design process, or sufficiently addressed the design errors when traditional defense-in-depth and diversity failed to address them effectively.

The use of diversity and modern hazards analysis techniques are not mutually exclusive concepts; rather, these tools are complementary to achieving safe utilization of digital I&C technology. Diversity is an important measure that may be used when implementing digital I&C technology; however, use of diversity should be based on an engineering approach that identifies where diversity is necessary.

Additionally, digital common cause failures should not be viewed without the context of the defense-in-depth posture of the plant. All defense-in-depth elements (i.e., plant systems and procedures) should be accounted for in preventing common cause failure and mitigating its effects.

Risk insights applied during digital I&C system development processes lead to better system function allocation between components and a better understanding of the impacts of system architectural decisions, and they can inform the use of measures to prevent or mitigate a potential common cause failure based upon the risk significance of the function. Design techniques to prevent or mitigate digital common cause failure can be informed by the risk significance, which allows engineering, maintenance, and operation teams to improve decision-making based on potential impacts to the nuclear power plant.

The NEI white paper uses the term "risk-informed" in a manner that is consistent with the NRC's definition of risk-informed decision-making. That is, the approach utilizes insights from probabilistic risk assessment (PRA) that are considered together with other engineering insights. The NRC's own research has shown that it is not possible to directly model digital I&C systems, and in particular common cause failure modes of digital I&C systems, in a PRA. Consequently, the traditional approach of Regulatory Guide 1.174, which uses a PRA to compute a change in CDF/LERF, is not possible. Therefore, the change in CDF/LERF for unique design techniques also cannot be computed. The industry proposes to instead use bounding sensitivity studies using an appropriate PRA model to help determine the level of rigor associated with the defense-in-depth analysis performed and the level of protection against loss of function in the design of the I&C system.

[4] EPRI Report 3002005385, Severe Nuclear Accidents: Lessons Learned for Instrumentation, Control and Human Factors, December 2015.
[5] Malmquist, Shem, "T7 - Hazard Analysis for Nuclear Automation: Defeating Digital Demons," Nuclear Regulatory Commission Regulatory Information Conference, March 8, 2022.
[6] Elias, Bart, Cockpit Automation, Flight Systems Complexity, and Aircraft Certification: Background and Issues for Congress, R45939, October 3, 2019. https://crsreports.congress.gov
[7] Thomas, John, "System Integration Approach to Safety-Security," presented at the IAEA Technical Meeting on Instrumentation and Control, and Computer Security for Small Modular Reactors and Microreactors, February 24, 2022.

Prescribing the use of diversity as the only solution for addressing potential digital common cause failure unnecessarily impedes the use of today's digital I&C technology that can improve safety in nuclear power plants. This technology is intended to replace obsolete instrumentation and control systems with highly reliable equipment offering improved system functional capabilities (e.g., increased accuracy, no setpoint drift, automation, self-testing and diagnostic capabilities, and data availability to plant staff).

The prescribed use of diversity introduces unnecessary system complexity as well as cost barriers to replacing the existing systems, due to the additional equipment, engineering, and maintenance costs associated with implementing diverse systems. Allowing other methods beyond diversity to address common cause failure will enable the deployment of this safer technology at an accelerated pace.

Based on the information described above, NEI members have developed the following recommendations to be considered in the expansion of common cause failure policy. The new, expanded policy should:

  • Allow for graded approaches based upon plant risk insights to ensure applicants focus on the most risk significant functions and to provide flexibility in meeting established system performance criteria.
  • Consider the full plant defense-in-depth strategy to prevent to the degree practicable, mitigate or respond to a digital common cause failure.
  • Allow for the use of modern hazards and/or reliability analysis techniques to examine the system for adverse conditions and identify appropriate system requirements to prevent systematic failures.
  • Expand the ability to use design techniques (in addition to diversity) to prevent to the degree practicable or mitigate a digital common cause failure in accordance with GDC 22.

The following is an example of an expanded policy based on the considerations detailed above:

1. The applicant shall assess the proposed digital I&C Reactor Protection System (RPS) and Engineered Safety Features Actuation System (ESFAS) against the facility's defense-in-depth to demonstrate that vulnerabilities to digital common cause failures have been adequately addressed.
2. The applicant shall identify each digital common cause failure that could adversely impact safety functions supported by the proposed digital I&C RPS and ESFAS, using risk insights and hazards and/or reliability analysis techniques.
3. The applicant shall demonstrate, commensurate with the risk significance of each identified digital common cause failure, adequate measures to address the identified digital common cause failure that could adversely impact a safety function, considering the facility's defense-in-depth (including the plant's systems and procedures).


4. The measures used to address identified digital common cause failures may include non-safety systems or components if they are of sufficient quality to reliably perform the necessary functions and with a documented basis that the measures are unlikely to be subject to the same common cause failure. The measures may also include monitoring and manual operator action to complete a function.
