ML23135A774
| Person / Time | |
|---|---|
| Issue date: | 12/31/2020 |
| From: | Philip Mckenna NRC/NRR/DRO/IRAB |
Guidance for 10 CFR 50.59 for Digital Instrumentation and Controls Modifications Update
Presented by: Phil McKenna, Deputy Director (Acting), NRR/DORL
December 2020
Purpose
- Update NRC Regional Inspectors on the Process for Digital I&C Modifications Using the 10 CFR 50.59 Rule
- Refresher on RIS 2002-22, Supplement 1, Clarification on Endorsement of NEI Guidance in Designing Digital Upgrades in Instrumentation and Control Systems (Issued on 05/31/18)
- Review NEI 96-07 Appendix D, Rev. 1, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, issued in May 2020
- Review RG 1.187, Rev. 2, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments, issued in June 2020
IAP Modernization Plan #2
- The Integrated Action Plan (IAP) established the following objectives:
  - Ensure there is adequate guidance within NEI 96-07 for 10 CFR 50.59 evaluations of digital I&C upgrades to:
    - Reduce licensee uncertainty
    - Clarify the regulatory process
    - Ensure common understanding for the use, interpretation, and application of guidance
- Staff Requirements Memorandum (SRM) to SECY-15-0106: direction to develop an integrated strategy to modernize the NRC's digital instrumentation and control (I&C) regulatory infrastructure
NEI 96-07, Appendix D
- From April 2016 through 2017, the NRC staff and industry participated in monthly public meetings to resolve NRC comments on draft NEI 96-07, Appendix D
- In December 2017, NEI and the NRC staff mutually agreed to place the review of NEI 96-07, Appendix D on hold to dedicate resources to the issuance of RIS 2002-22, Supplement 1
- RIS 2002-22, Supplement 1 was issued on 05/31/18
- July - November 2018: resolve comments on Appendix D and issue draft RG 1.187, Revision 2 in May 2019
- Draft RG 1.187 had one exception and several clarifications. The exception involved how to evaluate 10 CFR 50.59 Criterion VI (Create the possibility for a malfunction of an SSC with a different result)
- From July 2019 - May 2020: work on revising Appendix D so that the exception could be removed from draft RG 1.187
- Regional inspector training on RIS 2002-22, Supplement 1 occurred for Regions 1 and 4 in December 2018 and Regions 2 and 3 in June 2019
- Industry inconsistently applying guidance in NEI 01-01 in digital upgrades
- Lack of industry guidance on the technical evaluation of common cause failures
- NRC IN 2010-10: Implementation of a Digital Control System Under 10 CFR 50.59
- Harris 2013 violation: SSPS control circuit boards replaced with digital complex programmable logic device (CPLD)-based boards
- NRC Letter to NEI: Summary of Concerns with NEI 01-01 dated 11/05/13 (ML13298A787)
- NRC issues RIS 2002-22, Supplement 1 in May 2018 to clarify RIS 2002-22
- NRC continues to endorse NEI 01-01
Digital I&C Mods
- What makes these different?
  - Common Cause Failure (CCF)
- Safety model of nuclear plant
  - Defense in depth and redundant equipment
- Hardware: likelihood of CCF acceptably low
  - High quality standards in development and manufacture
  - Physical separation of redundant equipment
  - Degradation mechanisms slow to develop (e.g., corrosion)
- Software: special vulnerability
  - Software resides in redundant channels of the system
RIS 2002-22, Supplement 1
- RIS 2002-22, Supplement 1, clarifies guidance for preparing and documenting Qualitative Assessments
- Not for replacement of:
  - Reactor Protection System (wholesale)
  - Engineered Safety Features Actuation System (wholesale)
  - Modification/Replacement of the Internal Logic Portions of These Systems
Qualitative Assessment
- Originally discussed in NEI 01-01 (Sections 4 and 5 and Appendices A and B), but with limited guidance on how to accomplish it.
- RIS 2002-22, Supplement 1:
  - Evaluate the likelihood of failure of a proposed digital mod
  - Evaluate the likelihood of common cause failure
- Used to support a conclusion that a proposed digital I&C mod will not result in more than a minimal increase in:
  - The frequency of occurrence of accidents (50.59(c)(2)(i))
  - The likelihood of occurrence of malfunctions (50.59(c)(2)(ii))
- and will not:
  - Create the possibility of an accident of a different type (50.59(c)(2)(v))
  - Create the possibility for a malfunction of an SSC with a different result (50.59(c)(2)(vi))
Qualitative Assessment Factors: Design Attributes
- Can prevent or limit failures from occurring.
- Focus primarily on built-in features:
  - Fault detection
  - Failure management schemes
  - Internal redundancy
  - Diagnostics within the integrated software and hardware architecture
- Can be external:
  - For example: mechanical stops or speed limiters
Qualitative Assessment Factors: Quality of the Design Process
- Software development
- Hardware and software integration processes
- System design
- Validation and testing processes
- For safety-related:
  - Development process is documented and available for referencing in the Qualitative Assessment
- Commercial grade:
  - Documentation may not be extensive
  - Qualitative Assessment may place greater emphasis on Design Attributes and OE
Qualitative Assessment Factors: Operating Experience (OE)
- Relevant OE can be used to show that integrated software and hardware in a mod has adequate dependability
  - OE from nuclear industry
  - Supplier uses quality processes
  - Continual process improvement
  - Incorporation of lessons learned
Digital Mod Examples
- Examples of digital mods that can be done without prior NRC approval using a Qualitative Assessment:
  - Replacement of analog relays (including timing relays) with digital relays
  - Replacement of analog controls for safety-related support systems (e.g., main control room chillers)
  - Replacement of analog controls for emergency diesel generator supporting systems and auxiliary systems such as voltage regulation
  - Installation of circuit breakers that contain embedded digital devices
  - Replacement of analog recorders and indicators with digital ones
  - Digital upgrades to non-safety-related control systems
NEI 96-07, Appendix D
Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, Revision 1 (May 2020) (ML20135H168)
- Endorsed by RG 1.187, Revision 2, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments, 6/30/2020
- RG 1.187 has 4 clarifications
- The format of Appendix D is aligned with NEI 96-07, Rev. 1 text for ease of use (and therefore there are some sections where no additional guidance is provided).
NEI 96-07, Appendix D
- Appendix D does not alter and, unless explicitly noted, should not be interpreted differently than the guidance contained in NEI 96-07, Rev. 1. Rather, Appendix D provides focused guidance for the application of 10 CFR 50.59 to activities involving digital modifications. (Section 1.2)
- Examples: Unless stated otherwise, a given example addresses ONLY the aspect within the section/sub-section in which it is included, sometimes at the deliberate exclusion of other pertinent and/or related aspects which, if considered, could potentially change the Screen and/or Evaluation conclusion(s). (Section 1.5)
- Appendix D provides the first screening guidance for digital modifications (NEI 01-01 did not have screening guidance).
Screening
NEI 96-07, Section 4.2: Screening determinations are made based on the engineering/technical information supporting the change.
Once it has been determined that 10 CFR 50.59 is applicable to a proposed activity, screening is performed to determine if the activity should be evaluated against the evaluation criteria of 10 CFR 50.59(c)(2).
A change must be adverse to screen in.
A 10 CFR 50.59 evaluation is required for changes that adversely affect design functions, methods used to perform or control design functions, or evaluations that demonstrate that intended design functions will be accomplished (i.e., adverse changes). Changes that have none of these effects, or have positive effects, may be screened out because only adverse changes have the potential to increase the likelihood of malfunctions, increase consequences, create new accidents or otherwise meet the 10 CFR 50.59 evaluation criteria. (Pages 31 and 32, NEI 96-07)
The screening process is not concerned with the magnitude of adverse effects that are identified. Any change that adversely affects a UFSAR-described design function
The magnitude of the adverse effect (e.g., is the minimal increase standard met?) is the focus of the 10 CFR 50.59 evaluation process. (Page 32, NEI 96-07)
Screening
Although there may be adverse impacts on UFSAR-described design functions due to the following types of activities involving a digital modification, these typical activities do not default to an adverse conclusion simply because of the activities themselves.
- The introduction of software or digital devices.
- The replacement of software and/or digital devices with other software and/or digital devices.
- The use of a digital processor to "calculate" a numerical value or "generate" a control signal using software in place of using analog components.
- Replacement of hard controls (i.e., pushbuttons, knobs, switches, etc.) with a touch-screen to operate or control plant equipment. (App D, Section 4.2.1)
Generally, a digital modification may consist of three areas of activities:
- (1) software-related activities,
- (2) hardware-related activities, and
- (3) Human-System Interface-related activities.
Screening
In the determination of potential adverse impacts, the following aspects should be addressed in the response to a Screen consideration:
- Use of Software and Digital Devices
- Combination of Components/Systems and/or Functions
For applications involving SSCs with design functions, an adverse effect may be created due to the potential marginal increase in the likelihood of SSC failure due to the introduction of software. This does not mean that all digital modifications that introduce software will automatically screen in.
For redundant safety systems, this marginal increase in likelihood creates a similar marginal increase in the likelihood of a common failure in the redundant safety systems. On this basis, most digital modifications to redundant safety systems are adverse.
Screening
To reach a screen conclusion of not adverse for relatively simple digital modifications, the degree of assurance needed to make that conclusion is based on considerations such as the following:
Physical Characteristics of the Digital Modification
- The change has a limited scope (e.g., replace an analog transmitter with a digital transmitter that drives an existing instrument loop)
- Uses a relatively simple digital architecture internally (e.g., simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks)
- Has limited functionality (e.g., transmitters used to drive signals for parameters monitored)
- Can be comprehensively tested (but not necessarily 100 percent of all combinations)
Screening
- Combination of functions is not always adverse. However, possible loss of multiple design functions when the digital device fails is adverse
- Reductions in the redundancy, diversity, separation, or independence of a UFSAR-described design function have an adverse impact on that design function
Human Factors Screening
Clarification #1 in RG 1.187:
NEI 96-07, Appendix D, Revision 1, includes screening guidance for the Human-System Interface (HSI). Under NEI 96-07, Revision 1, Section 4.2.1.2, changes to HSI (previously called man-machine interface) should automatically be screened in because such changes fundamentally alter (replace) the existing means of performing or controlling design functions. In RIS 2002-22, Supplement 1, the NRC endorsed guidance in NEI 01-01 that contradicts the guidance in NEI 96-07, Revision 1, Section 4.2.1.2, with the following statement: "not all changes to the human-system interface fundamentally alter the means of performing or controlling design functions." Therefore, NEI 01-01 advises that not all changes to HSI should automatically screen in. NEI included similar guidance on screening for HSI in NEI 96-07, Appendix D. The NRC staff acknowledges that that aspect of Appendix D is thus not a change from existing guidance on digital interfaces but notes that it is a change from the guidance in NEI 96-07, Revision 1. The NRC staff agrees that changes to HSI may be screened as described in NEI 96-07, Appendix D, Revision 1.
Human Factors Screening
- There are three "basic elements" of a human-system interface (HSI):
  - Displays: the visual representation of the information personnel need to monitor and control the plant.
  - Controls: the devices through which personnel interact with the HSI and the plant.
  - User-interface interaction and management: the means by which personnel provide inputs to an interface, receive information from it, and manage the tasks associated with access and control of information.
Human Factors Screening
To determine potential adverse impacts of HSI modifications on design functions, a two-step HFE evaluation must be performed, as follows:
Step One - Identify the generic primary tasks that are involved with (i.e., potentially impacted by) the proposed activity. (Note: Appendix D describes these primary tasks: monitoring and detection, situation assessment, response planning, and response implementation.)
Step Two - For all primary tasks involved, assess if the modification negatively impacts an individual's ability to perform the generic primary task.
After the two-step HFE evaluation, the next step is application of the standard Screening process.
Evaluation
Qualitative Assessment Outcome:
Used to support a conclusion that a proposed digital I&C modification will not result in more than a minimal increase in:
- The frequency of occurrence of accidents (50.59(c)(2)(i))
- The likelihood of occurrence of malfunctions (50.59(c)(2)(ii))
and will not:
- Create the possibility of an accident of a different type (50.59(c)(2)(v))
- Create the possibility for a malfunction of an SSC with a different result (50.59(c)(2)(vi))
These conclusions can be satisfied if a proposed digital I&C modification has a sufficiently low likelihood of failure.
Evaluation
From Appendix D, Section 3.16: Sufficiently Low Definition*:
Sufficiently low means much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design flaws, maintenance errors and calibration errors).
Discussion:
This sufficiently low threshold is not interchangeable with that used for distinguishing between events that are credible or not credible. The threshold for determining if an event is credible uses the criterion of "as likely as" (i.e., not much lower than) the malfunctions already assumed in the UFSAR.
* Definition is from NEI 01-01 and is repeated in RIS 2002-22, Supplement 1
Evaluation (Criterion VI)
Create the possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the FSAR (as updated) (50.59(c)(2)(vi))
Appendix D, Section 4.3.6 Introduction Note: Due to the unique nature of digital modifications and the inherent complexities therein, the application of this criterion is especially important. Specifically, the unique aspect of concern is the potential for a software CCF to create the possibility for a malfunction with a different result.
Therefore, rather than providing simplistic supplemental guidance to that already included in NEI 96-07, Section 4.3.6, more detailed guidance will be provided in this section.
Evaluation
From NEI 96-07, Section 4.3.6, the two considerations that need to be assessed when answering this Evaluation question are "as likely to happen as" and the impact on the malfunction result.
The possible malfunctions with a different result are limited to those that are as likely to happen as those described in the UFSAR; a proposed change or activity that increases the likelihood of a malfunction previously thought to be incredible to the point where it becomes as likely as the malfunctions assumed in the UFSAR could create a possible malfunction with a different result. [emphasis added]
NEI 96-07 Appendix D, Section 4.3.6:
The generic process to determine the impact on the result of a malfunction of an SSC important to safety (i.e., a comparison of the malfunction results to identify any different results) consists of multiple steps, as summarized next.
Evaluation
The Six-Step Process:
Step 1: Identify the functions directly or indirectly related to the proposed modification.
Step 2: Identify which of the functions from Step 1 are Design Functions and/or Design Bases Functions.
Step 3: Determine if a new Failure Modes and Effects Analysis (FMEA) needs to be generated.
Step 4: Determine if each design bases function continues to be performed/satisfied.
Step 5: Identify all involved malfunctions of an SSC important to safety previously evaluated in the UFSAR.
Step 6: For each involved malfunction of an SSC important to safety, compare the projected/postulated results with the previously evaluated results.
Evaluation
Clarification #2 in RG 1.187: Use of Acceptance Criteria as Evaluation Results
The NRC has now determined that, in addition to the existing guidance in NEI 96-07, Revision 1, licensees may consider whether all applicable acceptance criteria remain satisfied after a proposed change to demonstrate that no possibility for a malfunction with a different result has been created. Accordingly, whether a proposed change to an SSC creates a malfunction with a different result can be determined for the purposes of 10 CFR 50.59(c)(2), criterion (vi), by comparison to the applicable acceptance criteria (see clarification 2.d).
Evaluation
Clarification #3: Basic Assumptions and Acceptance Criteria
Step 6 includes new guidance for a two-prong test for determining whether a proposed change would create the possibility for a malfunction with a different result, as follows:
For those design functions placed into [categories 1.b, 2.b, or 3 in Step 2], if any of the previous evaluations of involved malfunctions of an SSC important to safety have become invalid due to their basic assumptions no longer being valid (e.g., single failure assumption is not maintained), or if any existing safety analysis is no longer bounding (e.g., the revised safety analysis no longer satisfies the acceptance criteria identified in the associated safety analysis), then the proposed activity creates the possibility for a malfunction of an SSC important to safety with a different result. [Emphasis added.]
Evaluation
This guidance is not provided in NEI 96-07, Revision 1, which does not discuss basic assumptions or acceptance criteria. Appendix D does not define "basic assumptions."
First Prong (Basic Assumptions are Valid):
NRC staff understands "basic assumption" to refer to design functions of SSCs assumed to be performed in demonstrating the adequacy of design, including certain design functions that, although not specifically identified in the safety analysis, are credited in an indirect sense. The guidance in Section 4.3.6 lists the single failure assumption as an example of a basic assumption; however, there are others. Additional examples of basic assumptions include the assumptions (1) that credited plant and reactor protection system functions will be performed, (2) that credited engineered safety system functions will be performed, and (3) that credited plant system functions and associated instrumentation and controls functions will be performed.
Note: Basic assumptions are not the assumptions used in methods of evaluation; departures from methods of evaluation are evaluated under Criterion (viii).
Evaluation
Second Prong (Safety Analysis Bounding):
Applicable acceptance criteria must be found in the licensee's FSAR. Acceptance criteria may not be directly stated in a licensee's FSAR; licensees may need to refer to supporting documents referenced in the FSAR. Further, the safety analysis may simply conclude that the analyzed result of a postulated event is acceptable without reference to any criteria or without specifically using the term "acceptance criteria." For that reason, licensees should ensure they have correctly identified all applicable acceptance criteria for the event being analyzed for purposes of Section 4.3.6, Step 6.
Evaluation Example
Evaluation Example #2
Inspector Summary
- Look for the Qualitative Assessment when inspecting digital modifications that screened in for an Evaluation (not a regulatory requirement)
  - If the screening result is not adverse, then no Qualitative Assessment is required
  - If the result of the Qualitative Assessment is a sufficiently low likelihood of failure, then the licensee can answer "no" for the evaluation criteria (50.59(c)(2)(i), (ii), (v), (vi))
  - RIS 2002-22, Supplement 1
- NEI 96-07, Appendix D gives digital mods screening guidance
  - Evaluation section of Appendix D is only used if there is not a sufficiently low likelihood of failure
Inspector Summary
- Most digital modifications are inspected through IP 71111.18 or 71111.17T
- For digital modifications that involved a license amendment, IP 52003, Digital Instrumentation and Control Modification Inspection (IMC 2515 Appendix C), is the correct IP
  - Undergoing a revision
  - Brings more inspection resources (Vendor Inspection Branch) and inspection time (240 hours)
  - Not a ROP Baseline IP
- Digital modification smart sample in development
- New IMC 0355, Changes, Tests, and Experiments
  - Out for regional comment
  - Will replace guidance in TG 9900
  - Future training on this IMC
Inspector Summary
NRR Points of Contact:
- Phil McKenna, Acting Deputy Director, DORL
- Dave Beaulieu, 50.59 inspection program lead, DRO/IRIB
- Mike Waters, Branch Chief, DEX/EICB
- Jeanne Johnson, Branch Chief, DEX/ELMB
- Wendell Morton, Electronics Engineer, DEX/ELMB
- Norbert Carte, Senior Electronics Engineer, DEX/EICB
Back-Up Slides
Qualitative Assessment Factors
- Typical Design Attributes
  - Watchdog timers that function independent of software
  - Self-testing and diagnostics capabilities
  - Use of highly testable devices (e.g., breakers, relays)
  - Elimination of concurrent triggers
  - Segmentation
  - Redundant networks
  - Unidirectional communications
  - Network switches with traffic control
  - Use of redundant controllers, I/O, power sources, etc.
  - Internal or external diversity
  - Use of isolation devices
  - Extensive testing
Failure Analysis
- Can be used to identify possible CCF vulnerabilities and assess the need to further modify the design.
- It can provide a valuable input into the Qualitative Assessment
- Key areas to consider:
  - Potential sources of CCF
  - Combination of design functions into a single digital device
  - Digital communications
  - Creating new interactions with other SSCs
  - Interconnectivity across channels, systems, and divisions
  - Changing response times
Failure Analysis Resolution and Documentation
Digital I&C Mods
- The following Digital I&C Mods are either started or planned because of the RIS 2002-22, Supplement 1 issuance:
  - 3 safety-related digital mods started in 2018 and planned to be complete in 2019:
    - Diesel Generator Controls
    - Digital Breakers
    - Chiller Controls
  - 8 safety-related mods planned to start in 2019, with completion in 2020, 2021, and 2022:
    - RWCU Instrumentation
    - Chiller Controls
    - EDG Sequencer
    - Digital Inverters
    - Control Room HVAC Controls
    - Low Voltage MCC Breakers
    - Radiation Monitoring System (2 mods)
Digital I&C Mods
- Planned Digital I&C Modifications (Cont'd)
  - 3 safety-related digital mods with a start date TBD:
    - HPCI/RCIC Speed Control
    - Single Loop Controllers (AFW, HPCI, RCIC)
    - Incore TS and RVLIS Upgrade
  - 6 non-safety-related mods started in 2018 and 2019:
    - Turbine Controls
    - Plant Computer System
    - Feedwater Control
    - Fuel Handling
    - Rod Control (2 mods)