ML25119A013

Nuclear Fuel Cycle Facility Regulations and Guidance for Implementing Digital I&C Technologies in Items Relied on for Safety, Presentation Given to International Society of Automation, Nuclear Standards Committee Meeting, October 4, 2024
ML25119A013
Person / Time
Issue date: 04/29/2025
From: David Rahn
NRC/NRR/DEX/ELTB


Text

Nuclear Fuel Cycle Facility Regulations and Guidance for Implementing Digital I&C Technologies in Items Relied on for Safety

David L. Rahn, ISA Fellow, Senior Electronics Engineer
US Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation

2024 ISA67 General Committee Meeting, Workshop on Technology Development
Charleston, South Carolina, October 4, 2024

Agenda

  • Need for Digital I&C Technologies in Nuclear Fuel Cycle Facilities
  • Key Concepts and Principles for I&C Equipment in Fuel Facility Safety Applications
  • International Requirements for Safety of Fuel Cycle Facilities
  • Requirements for Design of Items Relied on for Safety (IROFS) - US Fuel Cycle Facilities
  • Regulations Pertinent to I&C Equipment used in Safety Applications - US Fuel Cycle Facilities
  • Guidance for Evaluating Digital I&C Equipment for Safety Applications - US Fuel Cycle Facilities

Need for Digital I&C in Nuclear Fuel Cycle Facilities

  • Existing Fuel Cycle Facilities
    o Obsolescence of analog equipment: many vendors cannot continue to support old designs
    o Expansion of existing facilities to meet growing fuel demand
  • New Fuel Cycle Facilities
    o Need for more efficient processes to enrich HALEU fuel (5%-19.75% U-235)
    o New and modernized processes to fabricate HALEU fuel in new form factors
  • Reprocessing Facilities
    o Business models for some microreactor designs rely on recovery of unused fuel being reprocessed for future reloads

What is the Nuclear Fuel Cycle?


NRC-Licensed Fuel Cycle Facilities

Key Concepts and Principles for I&C Equipment Important to Safety

Digital I&C equipment provides flexibility for almost any plant functional requirement and allows fuel cycle facility designers to try to incorporate the I&C equipment that performs required safety actions into the same platforms and control system architecture that perform the normal process plant functions.

But... there are several good reasons why this should not be attempted.

Key Concepts and Principles for I&C Equipment Important to Safety (Continued)

Why Combining Normal and Safety I&C Functions onto a Common Platform May Not Be Worthwhile:

  • At a minimum, incorporation of I&C safety equipment into the normal process distributed control system could render it susceptible to common cause events (e.g., power failure, cyber attack, digital architecture communications error, etc.) that could adversely affect both the normal process controls and the safety controls, and thus invalidate the facility's multiple layers of defense.
  • Another reason for maintaining complete independence of the I&C safety controls equipment from the normal process plant control systems is to facilitate the administration of the many management measures that are needed to ensure that the equipment relied on for safety will be designed, implemented, and maintained such that it will be reliable and available when needed.


Where Can We Find Appropriate Design Criteria and Licensing Requirements for Fuel Facility Digital I&C?

  • International Requirements/Safety Standards (e.g., IAEA)
  • US Nuclear Regulatory Requirements for Licensing (CFR/NRC)
  • International and US Industry Standards (e.g., ANS)
  • US Regulatory Review Guidance (NUREGs, Staff Review Guidance)

International Requirements for the Safety of Fuel Cycle Facilities

  • IAEA Safety Standard Requirements document SSR-4, Safety of Nuclear Fuel Cycle Facilities, identifies several key concepts and principles that are required to be applied in the design of systems and equipment important to safety:

    o Defense in Depth
    o Independence
    o Safety Controls for Criticality Prevention
    o High Quality Safety Systems

  • These criteria are very similar to the criteria used in US NRC staff review guidance, which are applied to demonstrate that digital I&C technologies used in safety applications are available and reliable.

Defense in Depth

  • SSR-4 Requirement 10: Application of the concept of defense in depth. The design of a nuclear fuel cycle facility shall apply the concept of defense in depth. The levels of defense in depth shall be independent as far as is practicable.

Clause 6.21. The design of the nuclear fuel cycle facility:

(f) Shall provide reliable means for ensuring that each of the main safety functions is performed, thereby ensuring the effectiveness of the items important to safety and the procedures that prevent an event progressing or that mitigate its effects. These means provided shall be diverse and independent where possible, e.g., static and dynamic barriers providing confinement.


Defense in Depth (Continued)

  • Clause 6.22. The design shall prevent, as far as is practicable:

(c) Failure of a barrier or level of protection as a consequence of the failure of another barrier or level of protection, and common cause failures;

  • Clause 6.23. Depending on their safety classification, the structures, systems and components providing different levels of defense in depth shall be independent to avoid a failure of one level reducing the effectiveness of other levels. In normal operation, items important to safety shall not routinely be activated or challenged or shall be challenged only with a very wide safety margin.

Independence

  • Clause 6.1. The items relied on to ensure the main safety functions shall be independent, to the extent practicable, of those used for normal operation of the facility.

Footnote 19 states: Systems and characteristics in nuclear fuel cycle facilities differ from those in nuclear reactors, and the separation of safety systems from systems for normal operation is one of the principal means of avoiding common mode failures. Any use of systems that provide safety functions as primary systems for normal operational control requires justification.

  • Requirement 23: Redundancy, diversity and independence. As required by the safety analysis, the design shall make adequate provision for redundancy, diversity and independence of equipment.
  • Clause 6.89. Items important to safety either shall be capable of functioning after a loss of support systems, e.g. compressed air, or, if not, shall be designed to fail to a safe configuration, with acceptable positions, settings and signals (or clear indication of their failed status).


Independence (continued)

  • Clause 6.91. ... Adequate redundancy, diversity and independence with physical separation shall be provided for items important to safety.
  • Clause 6.92. ... Items important to safety shall be physically separated and the use of shared systems shall be minimized. It shall be demonstrated that the design of the facility is such as to ensure that no single failure could result in a loss of the capability of a system to perform as intended, unless the time available from onset of the accident would be sufficient for operator actions.
  • Clause 6.93. The principle of diversity shall be considered in the design of the facility to enhance the reliability of items important to safety and to reduce the potential for common cause failures.


Safety Controls for Criticality Prevention

  • Clause 6.141. Safety controls for criticality shall be independent, diverse and robust. Any change to the design or the assumptions that affect processes or activities involving fissile material shall be reassessed for criticality safety.
  • Clause 6.142. For the prevention of criticality by means of design, the double contingency principle shall be the preferred approach. For application of the double contingency principle, the design for a process shall include sufficient safety factors to require at least two unlikely, independent and concurrent changes in process conditions before a criticality accident is possible.

Instrumentation and control systems for control of criticality:

  • Clause 6.172. Instrumentation and control systems used to ensure subcriticality shall be of high quality and shall be calibrated against known standards. Changes to computer codes and data shall be controlled to a high standard by means of the management system.


High-Quality Safety Systems

  • Requirement 12: Proven engineering practices for the design. Items important to safety for a nuclear fuel cycle facility shall be designed in accordance with the relevant national and international codes and standards.
  • Clause 6.31. Items important to safety shall preferably be of a design that has previously been proven in equivalent applications. In any case, items shall be of high quality and of a technology that has been qualified and tested.
  • Footnote 22: This does not override the need for safety to be enhanced by the use of new or improved designs and technology, subject to appropriate qualification, testing and safety analysis.


High-Quality Safety Systems (continued)

  • Clause 6.32. National and international codes and standards that are used as engineering design rules for items important to safety shall be identified and evaluated to determine their applicability, adequacy and sufficiency, and shall be supplemented or modified as necessary to ensure that the quality of the design is commensurate with the associated safety function and consequences of failure.
  • Clause 6.33. In the case of items important to safety for which there are no appropriate established codes or standards, [...] the results of experience, tests, analysis or a combination of these shall be applied. The use of a results-based approach shall be justified.
  • Clause 6.34. A new design feature or new practice shall be adequately tested to the extent practicable before being brought into service and shall be monitored in service to verify that the behaviour of the nuclear fuel cycle facility is as expected.


High-Quality Safety Systems (continued)

  • Requirement 45: Design and development of computer-based equipment in systems important to safety. The entire development cycle shall be subject to a quality management system.
  • Clause 6.179. The reliability of such systems shall be achieved by means of the following:

(a) A high quality of, and best practices for, hardware and software shall be used, in accordance with the importance of the system to safety.

(b) The entire development process, including the control, testing and commissioning of design changes, shall be systematically documented and shall be reviewable.

(c) Software specifically developed for items important to safety shall be tested on a platform that is as realistic as possible, prior to active commissioning.

(d) Protection shall be provided against disruption of or interference with system operation that includes isolation from data systems of lower safety classification.


Requirements for Design of Items Relied on for Safety - US Fuel Cycle Facilities

  • US regulations for the design of IROFS for fuel cycle facilities are stated differently from those in the IAEA Safety Standard SSR-4, but the US review criteria and guidance for implementing IROFS are similar.
  • US regulations regarding fuel cycle facility licensing are contained in the US Code of Federal Regulations, Title 10 Part 70, Domestic Licensing of Special Nuclear Material.
  • NRC Staff Review Guidance pertinent to most types of fuel cycle facilities is presented in NUREG-1520 (Rev. 2), Standard Review Plan for Fuel Cycle Facilities License Applications.
  • To assist licensees and applicants of fuel cycle facilities in the US, an Interim Staff Guidance (ISG) document was developed in 2010, entitled Digital Instrumentation and Control Systems in Safety Applications at Fuel Cycle Facilities, DI&C-ISG-07.

US Nuclear Regulatory Hierarchy

  • Laws
  • Regulations
  • Guidance
  • Industry Standards

Requirements for Design of Items Relied on for Safety - US Fuel Cycle Facilities (Continued)

  • 10 CFR Part 70 establishes procedures and criteria for the issuance of licenses to receive title to, own, acquire, deliver, receive, possess, use, and transfer special nuclear material; and establishes and provides for the terms and conditions upon which the US Nuclear Regulatory Commission will issue such licenses.
  • In the year 2000, the Commission updated its rules by incorporating Subpart H into Part 70, to require any applicant or licensee that processes or plans to process special nuclear material to include within its application or amendments the results of an Integrated Safety Analysis (ISA) for the facility.

Regulations Pertinent to I&C Equipment used in Safety Applications - US Fuel Cycle Facilities

  • 10 CFR 70.61(e) requires that each engineered or administrative control or control system that is necessary for the facility to meet the 10 CFR 70.61(b), (c), and (d) performance requirements be designated as an item relied on for safety (IROFS).

  • 10 CFR 70.62(d) requires that applicants establish management measures to ensure compliance with the performance requirements of 10 CFR 70.61. These management measures shall ensure that engineered and administrative controls and control systems that are identified as IROFS are designed, implemented, and maintained, to ensure they are available and reliable to perform their function when needed, to comply with the performance requirements of § 70.61.


Regulations Pertinent to I&C Equipment used in Safety Applications - US Fuel Cycle Facilities (Continued)

  • 10 CFR 70.64 requires prospective applicants to address certain Baseline Design Criteria (BDC) and defense-in-depth practices. These are applicable to I&C and electrical equipment relied on for safety:

    o 10 CFR 70.64(a)(8) Inspection, testing, and maintenance. The design of items relied on for safety must provide for adequate inspection, testing, and maintenance, to ensure their availability and reliability to perform their function when needed.
    o 10 CFR 70.64(a)(9) Criticality control. The design must provide for criticality control including adherence to the double contingency principle.

  • 10 CFR 70.64(b) requires that facility and system design and facility layout must be based on defense-in-depth practices.

Regulations Pertinent to I&C Equipment used in Safety Applications - US Fuel Cycle Facilities (Continued)

(4) Information that demonstrates the licensee's compliance with the performance requirements of § 70.61, including a description of the management measures; the requirements for criticality monitoring and alarms in § 70.24; and, if applicable, the requirements of § 70.64;

Figure: Facility-Level Performance Requirements (70.61). Events are first screened as credible or not credible; for not-credible events, stop, no further evaluation is necessary. Credible events are placed on a matrix of consequence (Low, Intermediate, High, including criticality events) against likelihood (Highly Unlikely, Unlikely, Not Unlikely), and the matrix marks the combinations for which IROFS are needed.

Guidance for Evaluating Digital I&C Equipment for Safety Applications - US Fuel Cycle Facilities

  • The NRC Staff has developed an ISG Document, DI&C-ISG-07, Digital Instrumentation and Control Systems in Safety Applications at Fuel Cycle Facilities, describing the review criteria for evaluating the use of digital I&C equipment for safety applications at fuel cycle facilities.
  • The document identifies staff review criteria for evaluating the facility's:
    o Defense in Depth
    o Independence
    o Use of diverse equipment for preventing criticality accidents
    o High-quality development process for the design of digital I&C hardware and software relied on to accomplish safety functions

Guidance for Evaluating Digital I&C Equipment for Safety Applications - US Fuel Cycle Facilities (Continued)

  • Review criteria were included that are applicable to the proposed use of commercial off-the-shelf (COTS) equipment that has been certified by an accredited third-party certifying body to meet the criteria within IEC Standard 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Parts 2 and 3, for meeting safety integrity level (SIL) performance levels.

  • COTS review criteria were included for the proposed use of digital I&C equipment in safety applications required to remain independent of the normal process control systems. The review criteria could also be applied for the review of applications or amendments proposing replacement or refurbishment equipment.
  • Recent guidance developed for the use of COTS equipment in power reactor facilities that has been certified as SIL-performance level equipment to IEC 61508 Parts 2 and 3 criteria could be included in a future update to the ISG.


Conclusion

  • Subpart H of 10 CFR Part 70 requires that management measures be applied to ensure that IROFS will be reliable and available when needed to meet the facility performance requirements (10 CFR 70.62(d)).
  • Concepts and principles identified in IAEA Safety Standards Requirements documents are similar to the design criteria described in NRC staff review guidance for implementing digital I&C technology in fuel cycle facilities (DI&C-ISG-07, Rev 1, ADAMS ML101900316).
  • The review guidance acceptance criteria include the use of a) Defense in Depth, b) Independence, c) Safety Controls for Criticality Prevention, and d) High-Quality Systems Development.

Questions?


References

  • IAEA Nuclear Energy Series Report No. NR-T-3.34: Management of Ageing and Obsolescence of Instrumentation and Control Systems and Equipment in Nuclear Power Plants and Related Facilities Through Modernization, (Publication 2030) December 2022
  • IAEA Safety Reports Series 118: Ageing Management for Nuclear Fuel Cycle Facilities, (Publication 1994) May 2023

  • IAEA Safety Standard SSR-4: Safety of Nuclear Fuel Cycle Facilities, (Publication 1791) October 2017
  • IAEA Safety Report Series 102: Safety Analysis and Licensing Documentation for Nuclear Fuel Cycle Facilities (Publication 1892) April 2020
  • NRC, DI&C-ISG-07, Digital Instrumentation and Control Systems in Safety Applications at Fuel Cycle Facilities, December 2010, ADAMS Accession No. (ML101900316)
  • US Code of Federal Regulations Title 10 Part 70, Domestic Licensing of Special Nuclear Material, as amended October 11, 2001
  • US Code of Federal Regulations Title 10 Part 70, Subpart H--Additional Requirements for Certain Licensees Authorized to Possess a Critical Mass of Special Nuclear Material, as amended September 18, 2000
  • International Electrotechnical Commission (IEC), IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Edition 2.0, Geneva, Switzerland, April 2010

Acronyms

  • ANS - American Nuclear Society
  • BDC - Baseline Design Criteria
  • CFR - U.S. Code of Federal Regulations
  • COTS - Commercial off the Shelf
  • DI&C - Digital Instrumentation and Controls
  • IAEA - International Atomic Energy Agency
  • IEC - International Electrotechnical Commission
  • IROFS - Items Relied on for Safety
  • ISA - Integrated Safety Analysis
  • ISG - Interim Staff Guidance
  • I&C - Instrumentation and Controls
  • NRC - Nuclear Regulatory Commission
  • SIL - Safety Integrity Levels
  • SSR - Specific Safety Requirements