ML19056A533: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
(One intermediate revision by the same user not shown) | |||
Line 9: | Line 9: | ||
| docket = PROJ0689 | | docket = PROJ0689 | ||
|| license number = | || license number = | ||
| contact person = Govan T | | contact person = Govan T, 415-6197 | ||
| document type = Meeting Briefing Package/Handouts, Slides and Viewgraphs | | document type = Meeting Briefing Package/Handouts, Slides and Viewgraphs | ||
| page count = 33 | | page count = 33 | ||
Line 15: | Line 15: | ||
=Text= | =Text= | ||
{{#Wiki_filter: | {{#Wiki_filter:RIS 2002-22 Supplement 1 Neil Archambo Principal Engineer Duke Energy February 19, 2019 | ||
©2019 Nuclear Energy Institute | |||
DISCUSSION TOPICS | |||
* Scope | |||
* Intent | |||
* Concept | |||
* Qualitative Assessment Categories | |||
* Failure Likelihood Determination | |||
* The Role of Failure Analyses | |||
* Defense-in-Depth Analysis | |||
* Specific Areas of Concern | |||
* Qualitative Assessment Structure | |||
©2019 Nuclear Energy Institute | * Qualitative Assessment Retention | ||
* Example Qualitative Assessment | |||
* Industry Part | |||
* Upcoming DI&C Industry Guidance | |||
©2019 Nuclear Energy Institute 2 | |||
RIS 2002-22 SUPPLEMENT 1 SCOPE | |||
* Like NEI 01-01, the RIS Supplement applies primarily to modifications of safety related SSCs | |||
* The RIS Supplement can be applied to modifications of non-safety related SSCs at the discretion of the licensee | |||
* The RIS Supplement is not intended to be used for complete RPS or ESFAS upgrades or modifications that alter the internal logic of RPS or ESFAS | |||
* Generally, the RIS Supplement is applicable for use on all SSCs, however, more safety significant SSCs will require more qualitative assessment justification and documentation | |||
* The RIS supplement does not provide guidance for 50.59 Screening nor does it presume that all digital modifications screen in | |||
* The RIS Supplement provides examples of digital modifications where qualitative assessments would apply and highlights specific areas of concern | |||
©2019 Nuclear Energy Institute 3 | |||
-01 | |||
©2019 Nuclear Energy Institute | |||
RIS 2002-22, SUPPLEMENT 1 INTENT | |||
- | * NEI 01-01 permits the use of qualitative assessments to support a conclusion that a proposed digital I&C modification has a sufficiently low likelihood of failure | ||
* However, NEI 01-01 provides little guidance on how to develop the qualitative assessment or how the qualitative assessment could be used to eliminate further consideration of CCF | |||
* The pre-supplement regulatory position offered two alternatives for eliminating consideration of software CCF - (1) 100% testing of equipment or (2) use of sufficient diversity | |||
* However, 100% testing of software using the NRCs definition is considered unachievable, even in applications that make use of very simple code | |||
* Thus, with the current regulatory position before this supplement, the only way to eliminate further consideration of software CCF is to employ sufficient diversity | |||
©2019 Nuclear Energy Institute 4 | |||
RIS 2002-22, SUPPLEMENT 1 INTENT | |||
* RIS 2002-22 Supplement 1 provides a method, defined by and thus acceptable to the NRC, to develop and document an adequate qualitative assessment to determine digital equipment failure likelihood | |||
* If the qualitative assessment concludes that an SSC has a sufficiently low likelihood of failure, then by extension the SSC has a sufficiently low likelihood of a CCF, including the likelihood of software CCF | |||
- | * RIS 2002-22 Supplement 1 does not replace NEI 01-01 or the original RIS 2002-22 that endorsed it | ||
* Licensees are still expected to consider the guidance provided in NEI 01-01 as appropriate per their specific administrative design procedures | |||
©2019 Nuclear Energy Institute 5 | |||
RIS 2002-22, SUPPLEMENT 1 CONCEPT | |||
* A qualitative assessment can have one of two possible outcomes: | |||
o Failure likelihood is sufficiently low o Failure likelihood is not sufficiently low | |||
* Per NEI 01-01, sufficiently low means much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors, equipment qualification stressors) | |||
* If a qualitative assessment concludes that a potential failure has a sufficiently low likelihood, the 10 CFR 50.59 Evaluation does not need to consider the effects of the failure | |||
* The following slides illustrate how the qualitative assessment can be used to address 10 CFR 50.59 questions | |||
©2019 Nuclear Energy Institute 6 | |||
RIS 2002-22, SUPPLEMENT 1 CONCEPT | |||
* 10 CFR 50.59 Criterion 1 addresses accident frequency: | |||
o The frequency of occurrence of an accident is directly related to the likelihood of failure of equipment that can initiate the accident o Thus, an increase in the likelihood of failure of the modified equipment would result in an increase in the frequency of the accident o Therefore, if the qualitative assessment outcome is sufficiently low, there will be no more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFSAR | |||
©2019 Nuclear Energy Institute 7 | |||
RIS 2002-22, SUPPLEMENT 1 CONCEPT | |||
* 10 CFR 50.59 Criterion 2 addresses malfunction likelihood: | |||
o The likelihood of occurrence of a malfunction of an SSC important to safety is directly related to the likelihood of failure of equipment that causes a failure of SSCs to perform their intended design functions o Thus, the likelihood of failure of modified equipment that causes the failure of SSCs to perform their intended design functions is directly related to the likelihood of the occurrence of a malfunction of an SSC important to safety o Therefore, if the qualitative assessment outcome is sufficiently low, the activity will not result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR | |||
©2019 Nuclear Energy Institute 8 | |||
RIS 2002-22, SUPPLEMENT 1 CONCEPT | |||
* 10 CFR 50.59 Evaluation Criterion 5 addresses accidents of a different type: | |||
o Accidents of a different type are caused by failures of equipment that can initiate an accident of a different type o If the outcome of the qualitative assessment concludes that the likelihood of failure associated with the proposed activity is sufficiently low, the activity will not introduce any failures that are as likely to happen as those in the UFSAR that can initiate an accident of a different type o Therefore, if the qualitative assessment outcome is sufficiently low, the activity cannot create a possibility for an accident of a different type than previously evaluated in the UFSAR | |||
©2019 Nuclear Energy Institute 9 | |||
RIS 2002-22, SUPPLEMENT 1 CONCEPT | |||
* 10 CFR 50.59 Evaluation Criterion 6 addresses malfunctions with a different result: | |||
o A malfunction of an SSC important to safety is an equipment failure that causes the failure of SSCs to perform their intended design functions o If the outcome of the qualitative assessment concludes the likelihood of failure associated with a proposed activity is sufficiently low, the activity will not introduce any failures that are as likely to happen as those in the UFSAR o Therefore, if the qualitative assessment outcome is sufficiently low, the activity cannot create a possibility for a malfunction of an SSC important to safety with a different result from any other previously evaluated in the UFSAR | |||
©2019 Nuclear Energy Institute 10 | |||
RIS 2002-22, SUPPLEMENT 1 CONCEPT What about the other 10 CFR 50.59 Evaluation Questions? | |||
* 10 CFR 50.59 Evaluation Criteria 3 and 4 address accident and malfunction consequences (dose), respectively | |||
* 10 CFR 50.59 Evaluation Criterion 7 addresses fission product barriers | |||
* 10 CFR 50.59 Criterion 8 addresses methods of evaluation | |||
* Criteria 3, 4, 7, and 8 do not have aspects unique to digital and can be addressed using existing guidance provided in NEI 96-07 | |||
©2019 Nuclear Energy Institute 11 | |||
RIS 2002-22, SUPPLEMENT 1 CONCEPT To summarize: | |||
* RIS 2002-22 Supplement 1 provides a framework for development of a qualitative assessment that can be used to assess digital equipment failure likelihood | |||
* If the likelihood of failure is sufficiently low, the likelihood of CCF (including software CCF) is considered sufficiently low | |||
* If a qualitative assessment determines that a potential failure has a sufficiently low likelihood, the associated 10 CFR 50.59 Evaluation does not need to consider the effects of the failure | |||
* Note that the information required to develop an acceptable qualitative assessment is information needed to develop a quality 10 CFR 50.59 Evaluation | |||
* A well-developed and well-documented qualitative assessment will help an inspector understand the considerations taken by a licensee in the development of a digital 10 CFR 50.59 Evaluation | |||
©2019 Nuclear Energy Institute 12 | |||
QUALITATIVE ASSESSMENT CATEGORIES | |||
* The RIS Supplement defines three qualitative assessment categories: | |||
o Design Attributes o Quality of the Design Process o Operating Experience | |||
* Design Attributes and Quality of the Design Process will always be essential elements of a qualitative assessment | |||
* Operating experience, if available, may serve to compensate for weakness in the other two categories | |||
* Qualitatively assessing and documenting these factors separately, and in the aggregate, will enable licensees to document qualitative assessments in sufficient detail that an independent third party can verify the judgements | |||
* A discussion for each category follows ©2019 Nuclear Energy Institute 13 | |||
©2019 Nuclear Energy Institute | |||
©2019 Nuclear Energy Institute | DESIGN ATTRIBUTES | ||
* Design attributes are design measures implemented to prevent or limit failures from occurring | |||
* Design attributes focus primarily on built-in features such as fault detection and failure management schemes, internal redundancy, and diagnostics | |||
* Design features external to the proposed modification (e.g., mechanical stops on valves or pump speed limiters) may also be considered | |||
* Table 1 of the RIS Supplement provides some sample design attributes for consideration | |||
* A comprehensive list of design attributes can be found in Appendix A, Defensive Measures, of EPRI Technical Report 3002005326, Methods for Assuring Safety and Dependability when Applying Digital Instrumentation and Control Systems | |||
©2019 Nuclear Energy Institute 14 | |||
DESIGN ATTRIBUTES | |||
* An adequate qualitative assessment of the likelihood of failure of a proposed modification will describe potential failures the proposed modification could introduce and the specific design attributes incorporated to resolve the identified potential failures | |||
* How the chosen design attributes and features resolve the identified potential failures should also be discussed in the qualitative assessment | |||
* Diversity is one example of a design attribute that licensees can use to demonstrate that an SSC modified with digital technology is protected from a loss of design function caused by a potential CCF | |||
* In some cases, a plants design basis may specify diversity as part of the design - in other cases, licensees do not need to consider the use of diversity in evaluating a proposed modification | |||
©2019 Nuclear Energy Institute 15 | |||
DESIGN ATTRIBUTES | |||
* Typical Design Attributes o Watchdog timers that function independent of software o Self-testing and diagnostics capabilities o Use of highly testable devices (e.g., breakers, relays) o Elimination of concurrent triggers o Segmentation o Redundant networks o Unidirectional communications o Network switches with traffic modulation o Use of redundant controllers, I/O, power sources, etc. | |||
o Internal or external diversity o Use of isolation devices o Extensive testing | |||
©2019 Nuclear Energy Institute 16 | |||
QUALITY OF THE DESIGN PROCESS | |||
* Quality of the design process is a key element in determining the dependability of proposed modifications | |||
* Digital equipment designed and implemented as safety related from an Appendix B supplier should have the necessary documentation to satisfy the quality of design process category | |||
* Digital equipment qualified through the commercial grade dedication process (e.g., | |||
EPRI TR-106439) will not likely have the same level of documentation needed to satisfy the high quality design process category as Appendix B processes. | |||
* However, utilities following their NRC-approved commercial grade dedication processes provide additional assurance of design quality needed to demonstrate an equivalent level of assurance as Appendix B. | |||
* Use of applicable industry standards contributes to a quality design process and provides a previously established acceptable approach | |||
©2019 Nuclear Energy Institute 17 | |||
QUALITY OF THE DESIGN PROCESS | |||
* Documented capability through qualification testing or analysis to withstand environmental conditions within which the SSC is credited to perform its design function (e.g., EMI/RFI, temperature, humidity, radiation, seismic activity) is important | |||
* Typical characteristics of a quality design process for safety related equipment consists of use of well-defined processes for: | |||
o Project management o Software design and development o Implementation o Software verification and validation o Software safety analysis o Change control o Configuration control | |||
©2019 Nuclear Energy Institute 18 | |||
QUALITY OF THE DESIGN PROCESS | |||
* For safety related SSCs, quality standards should be documents that are established by consensus and approved by an accredited standards development organization (e.g., IEEE) | |||
* Quality standards used to ensure that a quality design process was used to develop the proposed change need not be limited to those endorsed by the NRC staff (e.g., | |||
IEC 60880) | |||
* In some cases, other nuclear or non-nuclear standards can provide technically justifiable approaches for use if they apply to the specific application | |||
* For non-safety related SSCs, adherence to generally accepted commercial standards is generally sufficient | |||
* For non-safety related SSCs, procurement or manufacturer documentation showing that design specifications are met or exceeded with respect to the equipment being replaced is adequate | |||
©2019 Nuclear Energy Institute 19 | |||
OPERATING EXPERIENCE | |||
* NEI 01-01 states, Substantial applicable operating history reduces uncertainty in demonstrating adequate dependability | |||
* Although a qualitative assessment can be completed without consideration of operating experience, a qualitative assessment cannot be based solely on operating experience | |||
* Operating experience can be used to support a low likelihood of failure conclusion in instances where quality of the design process or design attributes are lacking | |||
* Operating experience is also applicable to software tools and the hardware used to implement the device, as well as the complete device | |||
* The design conditions and modes of operation of the equipment whose operating experience is being referenced should be similar to that of the proposed digital I&C modification | |||
©2019 Nuclear Energy Institute 20 | |||
OPERATING EXPERIENCE | |||
* The architecture of the OE-referenced equipment and software should be similar to that of the proposed system | |||
* Design features that serve to prevent or limit possible CCFs in a design that is referenced as relevant OE should be documented and considered for inclusion in the proposed design | |||
* When collecting operating experience, obtaining specific design information from the OE source, although not required, can help justify the qualitative assessment conclusions | |||
©2019 Nuclear Energy Institute 21 | |||
FAILURE LIKELIHOOD DETERMINATION | |||
* A qualitative assessment will typically conclude a sufficiently low likelihood of failure in the presence of the following: | |||
o Documented evidence of design attributes used and design measures implemented that can prevent or limit failures from occurring o Documented evidence that a quality process was used in the development of the equipment and an acceptable design process was followed o Relevant operating experience was captured on the equipment used in the design | |||
* Remember, more safety significant SSCs will require more qualitative assessment justification and documentation to support a sufficiently low likelihood of failure conclusion | |||
* Documentation is CRITICAL! | |||
©2019 Nuclear Energy Institute 22 | |||
THE ROLE OF FAILURE ANALYSES | |||
* The RIS Supplement uses the term failure analysis in the plain English context and does not necessarily mean a formal analysis - depending on the project scope and complexity, a failure analysis could simply consist of a short statement in the qualitative assessment | |||
* The RIS Supplement does not provide guidance on how to develop failure analyses - | |||
licensees are expected to develop various failure analyses for a given activity based on their approved administrative design procedures | |||
* A failure analysis can provide valuable input when constructing a qualitative assessment | |||
* The RIS Supplement emphasizes key areas of consideration for identifying CCF vulnerabilities that should be addressed and documented in the final design and to support a qualitative assessment | |||
©2019 Nuclear Energy Institute 23 | |||
THE ROLE OF FAILURE ANALYSES Key areas to consider in a failure analysis: | |||
* Potential sources of CCF o Sources of CCF that could affect more than one SSC need to be closely reviewed for adverse impacts on the design function(s) | |||
* Combination of design functions into a single digital device o A failure analysis should consider whether single failures that could previously have affected only individual design functions can now affect multiple design functions | |||
* Digital communications o The effect of digital communications on SSC independence should be considered within a failure analysis as digital communications may introduce interactions resulting in new types of failure modes | |||
©2019 Nuclear Energy Institute 24 | |||
THE ROLE OF FAILURE ANALYSES Key areas to consider in a failure analysis (cont.): | |||
* Creating new interactions with other SSCs o The interface of modified SSCs with other SSCs that use identical hardware and software, power supplies, or human-machine interfaces needs to be closely reviewed to ensure that possible common triggers have been addressed | |||
* Interconnectivity across channels, systems, and divisions o Ensure appropriate design attributes are incorporated to ensure redundancy, diversity, separation, and independence, as required by the plants licensing basis, have not been reduced | |||
* Changing response times o In some cases, digital equipment may change response times due to processing time - the failure analysis should consider the effect of response time | |||
©2019 Nuclear Energy Institute 25 | |||
DEFENSE IN DEPTH ANALYSIS | |||
* NEI 01-01 describes the need for a defense-in-depth analysis as limited to substantial replacements of RPS and ESFAS | |||
* However, a defense-in-depth analysis is a powerful tool that can be used to support arguments made in a 50.59 Evaluation | |||
* A defense-in-depth analysis can reveal the impact of potential CCFs caused by the introduction of: | |||
* Shared resources | |||
* Common hardware and software | |||
* Combination of design functions that were previously considered independent from one another | |||
* The results of a defense-in-depth analysis also informs the process for identifying applicable design attributes | |||
* The analysis may also demonstrate that existing SSCs or procedures could serve to mitigate effects of possible CCFs | |||
©2019 Nuclear Energy Institute 26 | |||
SPECIFIC AREAS OF CONCERN The NRC staff expressed the following specific areas of concern that require special attention and merit careful review: | |||
* Use of the same software/hardware in multiple safety related channels/trains | |||
* Combination of previously separate UFSAR-described design functions (safety or non-safety) previously analyzed as independent | |||
* Application of digital communications across safety related channels or equipment | |||
* Interconnectivity across channels, systems, or divisions in safety related SSCs | |||
* Use of shared resources (e.g., power supplies, networks) | |||
* Networking | |||
* Bidirectional digital communications | |||
* Multifunction displays and control stations | |||
* Use of common controllers | |||
©2019 Nuclear Energy Institute 27 | |||
QUALITATIVE ASSESSMENT STRUCTURE The following structure is suggested when documenting a qualitative assessment: | |||
* Activity Description | |||
* Identification of Affected Design Functions | |||
* Failure Mode Comparison | |||
* Failure Results | |||
* Assertions o Design Attributes o Quality of Design Process o Operating Experience | |||
* Documentation of Evidence | |||
* Conclusion (sufficiently low/not sufficiently low) | |||
* References Consulted | |||
©2019 Nuclear Energy Institute 28 | |||
QUALITATIVE ASSESSMENT RETENTION | |||
* There are no specific retention requirements for the qualitative assessment specified by the RIS Supplement | |||
* The qualitative assessment provides the materials needed by the 10 CFR 50.59 reviewer and approver, and should be part of their 50.59 review | |||
* The qualitative assessment should be easily retrievable | |||
* If not easily retrievable, consider attaching the qualitative assessment to the related 10 CFR 50.59 Evaluation | |||
* The qualitative assessment should be retained based on the licensees specific QA plan | |||
©2019 Nuclear Energy Institute 29 | |||
QUALITATIVE ASSESSMENT EXAMPLE | |||
* Replacement of motor operated potentiometer on EDG voltage regulator with a digital reference adjuster o Concern is a software CCF simultaneously affecting operability of both EDG trains - a condition that did not previously exist o Workshop exercise - step through and discuss the qualitative assessment developed for this activity | |||
©2019 Nuclear Energy Institute 30 | |||
INDUSTRY PART | |||
* We must do a better job properly addressing the 10 CFR 50.59 Screen and Evaluation questions associated with digital plant changes | |||
* We need to adequately document and explain why our designs have a low likelihood of failure | |||
* Documentation is the issue - industry has fallen short of adequate documentation and justification when developing our 10 CFR 50.59 Screens and Evaluations for digital plant modifications | |||
* Industry must work together and share information regarding digital project designs and associated 10 CFR 50.59 reviews | |||
* Implementation of an industry SharePoint where good examples of digital equipment qualitative assessments and digital-based 10 CFR 50.59 reviews can be easily accessed for industry use | |||
©2019 Nuclear Energy Institute 31 | |||
UPCOMING DI&C GUIDANCE | |||
* Appendix D to NEI 96-07, Supplemental 10 CFR 50.59 Guidance for Digital Activities o Provides supplemental 10 CFR 50.59 Screen and Evaluation guidance for digital activities o Now in the endorsement process - expected to be endorsed by June 2019 | |||
* Guidance for Addressing Digital CCF (Long Term) o Work continues on this item | |||
* NEI 17 Digital Equipment Commercial Grade Dedication Process o Investigating the use of SIL certification for software assessment o Expect NRC endorsement by mid-to-late 2019 | |||
* ISG-06, Revision 2, DI&C LAR Process o Approved December 2018 | |||
©2019 Nuclear Energy Institute 32 | |||
QUESTIONS? | |||
©2019 Nuclear Energy Institute 33}} |
Latest revision as of 00:14, 20 October 2019
ML19056A533 | |
Person / Time | |
---|---|
Site: | Nuclear Energy Institute |
Issue date: | 02/19/2019 |
From: | Nuclear Energy Institute |
To: | Tekia Govan NRC/NRR/DIRS/IRGB |
Govan T, 415-6197 | |
References | |
Download: ML19056A533 (33) | |
Text
RIS 2002-22 Supplement 1 Neil Archambo Principal Engineer Duke Energy February 19, 2019
©2019 Nuclear Energy Institute
DISCUSSION TOPICS
- Scope
- Intent
- Concept
- Qualitative Assessment Categories
- Failure Likelihood Determination
- The Role of Failure Analyses
- Defense-in-Depth Analysis
- Specific Areas of Concern
- Qualitative Assessment Structure
- Qualitative Assessment Retention
- Example Qualitative Assessment
- Industry Part
- Upcoming DI&C Industry Guidance
©2019 Nuclear Energy Institute 2
RIS 2002-22 SUPPLEMENT 1 SCOPE
- The RIS Supplement can be applied to modifications of non-safety related SSCs at the discretion of the licensee
- The RIS Supplement is not intended to be used for complete RPS or ESFAS upgrades or modifications that alter the internal logic of RPS or ESFAS
- Generally, the RIS Supplement is applicable for use on all SSCs, however, more safety significant SSCs will require more qualitative assessment justification and documentation
- The RIS supplement does not provide guidance for 50.59 Screening nor does it presume that all digital modifications screen in
- The RIS Supplement provides examples of digital modifications where qualitative assessments would apply and highlights specific areas of concern
©2019 Nuclear Energy Institute 3
RIS 2002-22, SUPPLEMENT 1 INTENT
- NEI 01-01 permits the use of qualitative assessments to support a conclusion that a proposed digital I&C modification has a sufficiently low likelihood of failure
- However, NEI 01-01 provides little guidance on how to develop the qualitative assessment or how the qualitative assessment could be used to eliminate further consideration of CCF
- The pre-supplement regulatory position offered two alternatives for eliminating consideration of software CCF - (1) 100% testing of equipment or (2) use of sufficient diversity
- However, 100% testing of software using the NRCs definition is considered unachievable, even in applications that make use of very simple code
- Thus, with the current regulatory position before this supplement, the only way to eliminate further consideration of software CCF is to employ sufficient diversity
©2019 Nuclear Energy Institute 4
RIS 2002-22, SUPPLEMENT 1 INTENT
- RIS 2002-22 Supplement 1 provides a method, defined by and thus acceptable to the NRC, to develop and document an adequate qualitative assessment to determine digital equipment failure likelihood
- If the qualitative assessment concludes that an SSC has a sufficiently low likelihood of failure, then by extension the SSC has a sufficiently low likelihood of a CCF, including the likelihood of software CCF
- RIS 2002-22 Supplement 1 does not replace NEI 01-01 or the original RIS 2002-22 that endorsed it
- Licensees are still expected to consider the guidance provided in NEI 01-01 as appropriate per their specific administrative design procedures
©2019 Nuclear Energy Institute 5
RIS 2002-22, SUPPLEMENT 1 CONCEPT
- A qualitative assessment can have one of two possible outcomes:
o Failure likelihood is sufficiently low o Failure likelihood is not sufficiently low
- Per NEI 01-01, sufficiently low means much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors, equipment qualification stressors)
- If a qualitative assessment concludes that a potential failure has a sufficiently low likelihood, the 10 CFR 50.59 Evaluation does not need to consider the effects of the failure
- The following slides illustrate how the qualitative assessment can be used to address 10 CFR 50.59 questions
©2019 Nuclear Energy Institute 6
RIS 2002-22, SUPPLEMENT 1 CONCEPT
- 10 CFR 50.59 Criterion 1 addresses accident frequency:
o The frequency of occurrence of an accident is directly related to the likelihood of failure of equipment that can initiate the accident o Thus, an increase in the likelihood of failure of the modified equipment would result in an increase in the frequency of the accident o Therefore, if the qualitative assessment outcome is sufficiently low, there will be no more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFSAR
©2019 Nuclear Energy Institute 7
RIS 2002-22, SUPPLEMENT 1 CONCEPT
- 10 CFR 50.59 Criterion 2 addresses malfunction likelihood:
o The likelihood of occurrence of a malfunction of an SSC important to safety is directly related to the likelihood of failure of equipment that causes a failure of SSCs to perform their intended design functions o Thus, the likelihood of failure of modified equipment that causes the failure of SSCs to perform their intended design functions is directly related to the likelihood of the occurrence of a malfunction of an SSC important to safety o Therefore, if the qualitative assessment outcome is sufficiently low, the activity will not result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR
©2019 Nuclear Energy Institute 8
RIS 2002-22, SUPPLEMENT 1 CONCEPT
- 10 CFR 50.59 Evaluation Criterion 5 addresses accidents of a different type:
o Accidents of a different type are caused by failures of equipment that can initiate an accident of a different type o If the outcome of the qualitative assessment concludes that the likelihood of failure associated with the proposed activity is sufficiently low, the activity will not introduce any failures that are as likely to happen as those in the UFSAR that can initiate an accident of a different type o Therefore, if the qualitative assessment outcome is sufficiently low, the activity cannot create a possibility for an accident of a different type than previously evaluated in the UFSAR
©2019 Nuclear Energy Institute 9
RIS 2002-22, SUPPLEMENT 1 CONCEPT
- 10 CFR 50.59 Evaluation Criterion 6 addresses malfunctions with a different result:
o A malfunction of an SSC important to safety is an equipment failure that causes the failure of SSCs to perform their intended design functions o If the outcome of the qualitative assessment concludes the likelihood of failure associated with a proposed activity is sufficiently low, the activity will not introduce any failures that are as likely to happen as those in the UFSAR o Therefore, if the qualitative assessment outcome is sufficiently low, the activity cannot create a possibility for a malfunction of an SSC important to safety with a different result from any other previously evaluated in the UFSAR
©2019 Nuclear Energy Institute 10
RIS 2002-22, SUPPLEMENT 1 CONCEPT What about the other 10 CFR 50.59 Evaluation Questions?
- 10 CFR 50.59 Evaluation Criteria 3 and 4 address accident and malfunction consequences (dose), respectively
- 10 CFR 50.59 Evaluation Criterion 7 addresses fission product barriers
- 10 CFR 50.59 Criterion 8 addresses methods of evaluation
- Criteria 3, 4, 7, and 8 do not have aspects unique to digital and can be addressed using existing guidance provided in NEI 96-07
©2019 Nuclear Energy Institute 11
RIS 2002-22, SUPPLEMENT 1 CONCEPT To summarize:
- RIS 2002-22 Supplement 1 provides a framework for development of a qualitative assessment that can be used to assess digital equipment failure likelihood
- If the likelihood of failure is sufficiently low, the likelihood of CCF (including software CCF) is considered sufficiently low
- If a qualitative assessment determines that a potential failure has a sufficiently low likelihood, the associated 10 CFR 50.59 Evaluation does not need to consider the effects of the failure
- Note that the information required to develop an acceptable qualitative assessment is information needed to develop a quality 10 CFR 50.59 Evaluation
- A well-developed and well-documented qualitative assessment will help an inspector understand the considerations taken by a licensee in the development of a digital 10 CFR 50.59 Evaluation
©2019 Nuclear Energy Institute 12
QUALITATIVE ASSESSMENT CATEGORIES
- The RIS Supplement defines three qualitative assessment categories:
o Design Attributes o Quality of the Design Process o Operating Experience
- Design Attributes and Quality of the Design Process will always be essential elements of a qualitative assessment
- Operating experience, if available, may serve to compensate for weakness in the other two categories
- Qualitatively assessing and documenting these factors separately, and in the aggregate, will enable licensees to document qualitative assessments in sufficient detail that an independent third party can verify the judgements
- A discussion for each category follows ©2019 Nuclear Energy Institute 13
DESIGN ATTRIBUTES
- Design attributes are design measures implemented to prevent or limit failures from occurring
- Design attributes focus primarily on built-in features such as fault detection and failure management schemes, internal redundancy, and diagnostics
- Design features external to the proposed modification (e.g., mechanical stops on valves or pump speed limiters) may also be considered
- Table 1 of the RIS Supplement provides some sample design attributes for consideration
- A comprehensive list of design attributes can be found in Appendix A, Defensive Measures, of EPRI Technical Report 3002005326, Methods for Assuring Safety and Dependability when Applying Digital Instrumentation and Control Systems
©2019 Nuclear Energy Institute 14
DESIGN ATTRIBUTES
- An adequate qualitative assessment of the likelihood of failure of a proposed modification will describe potential failures the proposed modification could introduce and the specific design attributes incorporated to resolve the identified potential failures
- How the chosen design attributes and features resolve the identified potential failures should also be discussed in the qualitative assessment
- Diversity is one example of a design attribute that licensees can use to demonstrate that an SSC modified with digital technology is protected from a loss of design function caused by a potential CCF
- In some cases, a plants design basis may specify diversity as part of the design - in other cases, licensees do not need to consider the use of diversity in evaluating a proposed modification
©2019 Nuclear Energy Institute 15
DESIGN ATTRIBUTES
- Typical Design Attributes o Watchdog timers that function independent of software o Self-testing and diagnostics capabilities o Use of highly testable devices (e.g., breakers, relays) o Elimination of concurrent triggers o Segmentation o Redundant networks o Unidirectional communications o Network switches with traffic modulation o Use of redundant controllers, I/O, power sources, etc.
o Internal or external diversity o Use of isolation devices o Extensive testing
©2019 Nuclear Energy Institute 16
QUALITY OF THE DESIGN PROCESS
- Quality of the design process is a key element in determining the dependability of proposed modifications
- Digital equipment designed and implemented as safety related from an Appendix B supplier should have the necessary documentation to satisfy the quality of design process category
- Digital equipment qualified through the commercial grade dedication process (e.g.,
EPRI TR-106439) will not likely have the same level of documentation needed to satisfy the high quality design process category as Appendix B processes.
- However, utilities following their NRC-approved commercial grade dedication processes provide additional assurance of design quality needed to demonstrate an equivalent level of assurance as Appendix B.
- Use of applicable industry standards contributes to a quality design process and provides a previously established acceptable approach
©2019 Nuclear Energy Institute 17
QUALITY OF THE DESIGN PROCESS
- Documented capability through qualification testing or analysis to withstand environmental conditions within which the SSC is credited to perform its design function (e.g., EMI/RFI, temperature, humidity, radiation, seismic activity) is important
- Typical characteristics of a quality design process for safety related equipment consists of use of well-defined processes for:
o Project management o Software design and development o Implementation o Software verification and validation o Software safety analysis o Change control o Configuration control
©2019 Nuclear Energy Institute 18
QUALITY OF THE DESIGN PROCESS
- For safety related SSCs, quality standards should be documents that are established by consensus and approved by an accredited standards development organization (e.g., IEEE)
- Quality standards used to ensure that a quality design process was used to develop the proposed change need not be limited to those endorsed by the NRC staff (e.g.,
IEC 60880)
- In some cases, other nuclear or non-nuclear standards can provide technically justifiable approaches for use if they apply to the specific application
- For non-safety related SSCs, adherence to generally accepted commercial standards is generally sufficient
- For non-safety related SSCs, procurement or manufacturer documentation showing that design specifications are met or exceeded with respect to the equipment being replaced is adequate
©2019 Nuclear Energy Institute 19
OPERATING EXPERIENCE
- NEI 01-01 states, Substantial applicable operating history reduces uncertainty in demonstrating adequate dependability
- Although a qualitative assessment can be completed without consideration of operating experience, a qualitative assessment cannot be based solely on operating experience
- Operating experience can be used to support a low likelihood of failure conclusion in instances where quality of the design process or design attributes are lacking
- Operating experience is also applicable to software tools and the hardware used to implement the device, as well as the complete device
- The design conditions and modes of operation of the equipment whose operating experience is being referenced should be similar to that of the proposed digital I&C modification
©2019 Nuclear Energy Institute 20
OPERATING EXPERIENCE
- The architecture of the OE-referenced equipment and software should be similar to that of the proposed system
- Design features that serve to prevent or limit possible CCFs in a design that is referenced as relevant OE should be documented and considered for inclusion in the proposed design
- When collecting operating experience, obtaining specific design information from the OE source, although not required, can help justify the qualitative assessment conclusions
©2019 Nuclear Energy Institute 21
FAILURE LIKELIHOOD DETERMINATION
- A qualitative assessment will typically conclude a sufficiently low likelihood of failure in the presence of the following:
o Documented evidence of design attributes used and design measures implemented that can prevent or limit failures from occurring o Documented evidence that a quality process was used in the development of the equipment and an acceptable design process was followed o Relevant operating experience was captured on the equipment used in the design
- Remember, more safety significant SSCs will require more qualitative assessment justification and documentation to support a sufficiently low likelihood of failure conclusion
- Documentation is CRITICAL!
©2019 Nuclear Energy Institute 22
THE ROLE OF FAILURE ANALYSES
- The RIS Supplement uses the term failure analysis in the plain English context and does not necessarily mean a formal analysis - depending on the project scope and complexity, a failure analysis could simply consist of a short statement in the qualitative assessment
- The RIS Supplement does not provide guidance on how to develop failure analyses -
licensees are expected to develop various failure analyses for a given activity based on their approved administrative design procedures
- A failure analysis can provide valuable input when constructing a qualitative assessment
- The RIS Supplement emphasizes key areas of consideration for identifying CCF vulnerabilities that should be addressed and documented in the final design and to support a qualitative assessment
©2019 Nuclear Energy Institute 23
THE ROLE OF FAILURE ANALYSES Key areas to consider in a failure analysis:
- Potential sources of CCF o Sources of CCF that could affect more than one SSC need to be closely reviewed for adverse impacts on the design function(s)
- Combination of design functions into a single digital device o A failure analysis should consider whether single failures that could previously have affected only individual design functions can now affect multiple design functions
- Digital communications o The effect of digital communications on SSC independence should be considered within a failure analysis as digital communications may introduce interactions resulting in new types of failure modes
©2019 Nuclear Energy Institute 24
THE ROLE OF FAILURE ANALYSES Key areas to consider in a failure analysis (cont.):
- Creating new interactions with other SSCs o The interface of modified SSCs with other SSCs that use identical hardware and software, power supplies, or human-machine interfaces needs to be closely reviewed to ensure that possible common triggers have been addressed
- Interconnectivity across channels, systems, and divisions o Ensure appropriate design attributes are incorporated to ensure redundancy, diversity, separation, and independence, as required by the plants licensing basis, have not been reduced
- Changing response times o In some cases, digital equipment may change response times due to processing time - the failure analysis should consider the effect of response time
©2019 Nuclear Energy Institute 25
DEFENSE IN DEPTH ANALYSIS
- NEI 01-01 describes the need for a defense-in-depth analysis as limited to substantial replacements of RPS and ESFAS
- However, a defense-in-depth analysis is a powerful tool that can be used to support arguments made in a 50.59 Evaluation
- A defense-in-depth analysis can reveal the impact of potential CCFs caused by the introduction of:
- Shared resources
- Common hardware and software
- Combination of design functions that were previously considered independent from one another
- The results of a defense-in-depth analysis also informs the process for identifying applicable design attributes
- The analysis may also demonstrate that existing SSCs or procedures could serve to mitigate effects of possible CCFs
©2019 Nuclear Energy Institute 26
SPECIFIC AREAS OF CONCERN The NRC staff expressed the following specific areas of concern that require special attention and merit careful review:
- Use of the same software/hardware in multiple safety related channels/trains
- Combination of previously separate UFSAR-described design functions (safety or non-safety) previously analyzed as independent
- Application of digital communications across safety related channels or equipment
- Interconnectivity across channels, systems, or divisions in safety related SSCs
- Use of shared resources (e.g., power supplies, networks)
- Networking
- Bidirectional digital communications
- Multifunction displays and control stations
- Use of common controllers
©2019 Nuclear Energy Institute 27
QUALITATIVE ASSESSMENT STRUCTURE The following structure is suggested when documenting a qualitative assessment:
- Activity Description
- Identification of Affected Design Functions
- Failure Mode Comparison
- Failure Results
- Assertions o Design Attributes o Quality of Design Process o Operating Experience
- Documentation of Evidence
- Conclusion (sufficiently low/not sufficiently low)
- References Consulted
©2019 Nuclear Energy Institute 28
QUALITATIVE ASSESSMENT RETENTION
- There are no specific retention requirements for the qualitative assessment specified by the RIS Supplement
- The qualitative assessment provides the materials needed by the 10 CFR 50.59 reviewer and approver, and should be part of their 50.59 review
- The qualitative assessment should be easily retrievable
- If not easily retrievable, consider attaching the qualitative assessment to the related 10 CFR 50.59 Evaluation
- The qualitative assessment should be retained based on the licensees specific QA plan
©2019 Nuclear Energy Institute 29
QUALITATIVE ASSESSMENT EXAMPLE
- Replacement of motor operated potentiometer on EDG voltage regulator with a digital reference adjuster o Concern is a software CCF simultaneously affecting operability of both EDG trains - a condition that did not previously exist o Workshop exercise - step through and discuss the qualitative assessment developed for this activity
©2019 Nuclear Energy Institute 30
INDUSTRY PART
- We must do a better job properly addressing the 10 CFR 50.59 Screen and Evaluation questions associated with digital plant changes
- We need to adequately document and explain why our designs have a low likelihood of failure
- Documentation is the issue - industry has fallen short of adequate documentation and justification when developing our 10 CFR 50.59 Screens and Evaluations for digital plant modifications
- Industry must work together and share information regarding digital project designs and associated 10 CFR 50.59 reviews
- Implementation of an industry SharePoint where good examples of digital equipment qualitative assessments and digital-based 10 CFR 50.59 reviews can be easily accessed for industry use
©2019 Nuclear Energy Institute 31
UPCOMING DI&C GUIDANCE
- Appendix D to NEI 96-07, Supplemental 10 CFR 50.59 Guidance for Digital Activities o Provides supplemental 10 CFR 50.59 Screen and Evaluation guidance for digital activities o Now in the endorsement process - expected to be endorsed by June 2019
- Guidance for Addressing Digital CCF (Long Term) o Work continues on this item
- NEI 17 Digital Equipment Commercial Grade Dedication Process o Investigating the use of SIL certification for software assessment o Expect NRC endorsement by mid-to-late 2019
- ISG-06, Revision 2, DI&C LAR Process o Approved December 2018
©2019 Nuclear Energy Institute 32
QUESTIONS?
©2019 Nuclear Energy Institute 33