ML19133A101: Difference between revisions

(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
 
(2 intermediate revisions by the same user not shown)
Line 16: Line 16:


=Text=
=Text=
{{#Wiki_filter:SCHEDULING NOTE Title:             Briefing on Digital Instrumentation and Control (Public Meeting)
{{#Wiki_filter:SCHEDULING NOTE
Purpose:           To discuss with the Commission the plans for implementing digital instrumentation and control (l&C) systems Scheduled:        May 14, 2019 9:00 am Duration:          Approx. 3 hours Location:          Commissioners' Conference Room, 151 Floor OWFN Participants:                                                             Presentation External Panel                                                              30 mins.*
 
==Title:==
Briefing on Digital Instrumentation and Control (Public Meeting)
 
==Purpose:==
To discuss with the Commission the plans for implementing digital instrumentation and control (l&C) systems Scheduled:        May 14, 2019 9:00 am Duration:          Approx. 3 hours Location:          Commissioners' Conference Room, 151 Floor OWFN
 
==Participants:==
Presentation External Panel                                                              30 mins.*
Doug True, Chief Nuclear Officer and Senior Vice President, Generation        10 mins.*
Doug True, Chief Nuclear Officer and Senior Vice President, Generation        10 mins.*
and Suppliers, Nuclear Energy Institute Dan Stoddard, Senior Vice President and Chief Nuclear Officer,                10 mins.*
and Suppliers, Nuclear Energy Institute Dan Stoddard, Senior Vice President and Chief Nuclear Officer,                10 mins.*
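Review bot: In the new revision's Purpose section the Scheduled, Duration and Location fields are still run into the purpose sentence ("... (l&C) systems Scheduled: May 14, 2019 9:00 am Duration: ..."), so the split into Title, Purpose and Participants headings is only partial. Give those three fields their own headings or lines in the same style. The same line also carries over OCR errors from the old revision ("l&C" for "I&C", and "151 Floor", presumably "1st Floor"), which this cleanup pass should correct.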
Line 36: Line 44:
2
2


CCF is Not Unique to Digital                                              NEI
CCF is Not Unique to Digital                                              NEI CCF should not be treated as design basis Analog systems are also subject to CCF Analog CCF is primarily addressed through Special Treatment Requirements Same approach should be applied to digital
                                                                            ...,,
CCF should not be treated as design basis Analog systems are also subject to CCF Analog CCF is primarily addressed through Special Treatment Requirements Same approach should be applied to digital
                                               ©2019 Nuclear Energy Institute      4
                                               ©2019 Nuclear Energy Institute      4


Line 64: Line 70:
:;iiiiii" Dominion Energy*
:;iiiiii" Dominion Energy*


Digital Upgrades-Tangible Performance Improvements Historical Performance              Historical Performance                  Historical Performance BWR Digital Feedwater                  PWR Turbine Controls                    BWR Turbine Controls 0.300                                  0 .140                                  0.140
Digital Upgrades-Tangible Performance Improvements Historical Performance              Historical Performance                  Historical Performance BWR Digital Feedwater                  PWR Turbine Controls                    BWR Turbine Controls 0.300                                  0 .140                                  0.140 cu 0.250
            -"'...
cu 0.250
                                                 ~
                                                 ~
                                                   "'>cu  0 .120
                                                   "'>cu  0 .120
                                                                                           ~
                                                                                           ~
                                                                                             "'>cu  0 .120
                                                                                             "'>cu  0 .120 cu u                                    8      0 .100 cu .~ 0 .100
              >
cu u                                    8      0 .100 cu .~ 0 .100
     ....cu *-~ 0.200                        cu*-
     ....cu *-~ 0.200                        cu*-
1u ~                                    1u ~
1u ~                                    1u ~
      "' "'
a::      cu                            a:: cu 0.080                            a:: cu      0 .080
a::      cu                            a:: cu 0.080                            a:: cu      0 .080
                                                  "'                                      "'
     ~ -'2 0.150
     ~ -'2 0.150
::E                                    ::E -                                    ::E -
::E                                    ::E -                                    ::E -
Line 90: Line 90:
                                                                                           ...."'C  0 .040
                                                                                           ...."'C  0 .040
               ~                                    ~ 0.020                                  cu
               ~                                    ~ 0.020                                  cu
             - cu 0 .050 0.000
             - cu 0 .050 0.000 0.000
                                                .!.
0.000
                                                                                           - > 0 .020 cu 0 .000
                                                                                           - > 0 .020 cu 0 .000
* Analog
* Analog
Line 135: Line 133:
                                                       ~ Energy
                                                       ~ Energy


                                    .          .
E ~~, 1
E ~~, 1
                                                                                         , -, ~
                                                                                         , -, ~
Line 141: Line 138:
* e p r i *C O m © 2019 Electrtc Power Research Institute. Inc. All nghts reserved
* e p r i *C O m © 2019 Electrtc Power Research Institute. Inc. All nghts reserved


                        .    .
EPRI 450+ participants in more than 30 countries EPRI members generate approximately 90% of the electricity in the United States International funding - nearly 25% of EPRl's research, development, and demonstrations 2          www . epr1 . co m  t> 2019 Llectnc Power ~ese~rch Institute, Inc. t.'.! p1ghts reserJed. r-:!a~, 1 E ,-1c:;  mcmc ..,...,
EPRI 450+ participants in more than 30 countries EPRI members generate approximately 90% of the electricity in the United States International funding - nearly 25% of EPRl's research, development, and demonstrations 2          www . epr1 . co m  t> 2019 Llectnc Power ~ese~rch Institute, Inc. t.'.! p1ghts reserJed. r-:!a~, 1 E ,-1c:;  mcmc ..,...,
llSf.MCM 1N1n ,un
llSf.MCM 1N1n ,un
Line 168: Line 164:
                     ~                        Implementation Level                  ~                    .....,
                     ~                        Implementation Level                  ~                    .....,
(DEG/ HAZCADS / DRAM / TAM / IEC-61508} via Industry Standard Procedures                            .
(DEG/ HAZCADS / DRAM / TAM / IEC-61508} via Industry Standard Procedures                            .
                                      .                                                                          .          .
EPRI Products are Used at the Implementation Level (what you actually do)
EPRI Products are Used at the Implementation Level (what you actually do)
Objective Criteria provides the Policy to Implementation connector and can be formatted like a safety case argument 6            www . e pr ,. c~ m                                                                                    ,=~-,
Objective Criteria provides the Policy to Implementation connector and can be formatted like a safety case argument 6            www . e pr ,. c~ m                                                                                    ,=~-,
Line 194: Line 189:
IILICIIIC l'OWI I I HfAKH INSTIMl
IILICIIIC l'OWI I I HfAKH INSTIMl


'  .
Together ... Shaping the Future of Electricity 8  www .e p r 1.co m i=~~,
Together ... Shaping the Future of Electricity 8  www .e p r 1.co m i=~~,
t=l-tc;;;
t=l-tc;;;
Line 200: Line 194:


T >
T >
                                                        ." >
7
7
             -          U.S.NRC United States Nuclear Regulatory Commission Protecting People and the Environment BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL Commission Meeting May 14, 2019
             -          U.S.NRC United States Nuclear Regulatory Commission Protecting People and the Environment BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL Commission Meeting May 14, 2019
Line 221: Line 214:


Where else can we improve the regulatory framework?
Where else can we improve the regulatory framework?
* IEEE 603-1991                            lOCFR 50                              10 CFR 50                          10 CFR 50                          lOCFR 73.54 Federal Regulations IEEE 279-1971 Standard Criteria for Safety
IEEE 603-1991                            10CFR 50                              10 CFR 50                          10 CFR 50                          10CFR 73.54 Federal Regulations IEEE 279-1971 Standard Criteria for Safety
                                                                                                     +--          Appendix A General Design 14-        Domestic l icensing of Production and      ~
                                                                                                     +--          Appendix A General Design 14-        Domestic l icensing of Production and      ~
Appendix B Quality Assurance Protection of Digital Computer and Communication and Systems                              Criteria                      Utlllz.atlon Facllitles                    Criteria                      Network Systems rl
Appendix B Quality Assurance Protection of Digital Computer and Communication and Systems                              Criteria                      Utlllz.atlon Facllitles                    Criteria                      Network Systems rl
* i                                        i                                      i                                   *
* i                                        i                                      i
                                                                                                                                                                                                                                      !
* RIS-2002*22 Use or NUMMARC NUREG-0800                          Reg Guide 1.118                            Reg Guide 1.152                                                                                                            EPRI TR-102348 1SG$                                                                                                                                          Reg Guide 1.153                      1111..._UII Standard Review Plan                    Periodic Testing of Electrical Power and ProtecUon Systems Criteria for Proaramable
RIS-2002*22 Use or NUMMARC
                                                                                                                                                                                                            -*-...
NUREG-0800                          Reg Guide 1.118                            Reg Guide 1.152                                                                                                            EPRI TR-102348 1SG$                                                                                                                                          Reg Guide 1.153                      1111..._UII Standard Review Plan                    Periodic Testing of Electrical Power and ProtecUon Systems Criteria for Proaramable
[);cftal Computer System!
[);cftal Computer System!
Criteria for lnstrumentatio and Control Positions of
Criteria for lnstrumentatio and Control Positions of
Line 236: Line 226:
                                                                                                                                                                                                                               ~-
                                                                                                                                                                                                                               ~-
Cybe:rsecurity I
Cybe:rsecurity I
                                                                                                                                                                                                                                          '
llelGulde1.1H                            1111 Gulde 1.110                                                                IIIIGuldeUn 1111 Gulde 1.111                      _....,._                          1111 Gulde 1.173 Dl&C-ISG-02 Diversity and Defense In Depth
                                                                      ----
llelGulde1.1H                            1111 Gulde 1.110                                                                IIIIGuldeUn
                                                                                                                                                                                                  -
1111 Gulde 1.111                      _....,._                          1111 Gulde 1.173
* Dl&C-ISG-02 Diversity and Defense In Depth
                                                        ,.
                                                                         ~
                                                                         ~
for-                      ,-            --
for-                      ,-            --
Dae1*111tmwcfar
Dae1*111tmwcfar
                                                                                                                                          ,,
                                                                                                                                                     -UIIIIT_,.
                                                                                                                                                     -UIIIIT_,.
                                                                                                                                                          ...- .
                                                                                                                                                          -
                                                                                                                                                                                               ~            ...                    .... ....._
                                                                                                                                                                                               ~            ...                    .... ....._
Ufac,de-
Ufac,de-Issues (BTP 7-19R6)                                                          -;                                                                                                                                    *-
                                                                                                                                                                                                                    ,,
                                                                                                                                                                                                                                                  ...
Issues (BTP 7-19R6)                                                          -;                                                                                                                                    *-
                                                                                                                                                                                                                                            -
                                                                                                                                                                 ~
                                                                                                                                                                 ~
Dl&C-ISG-03 Branch Technical                          IEEE-338                            IEEE 7-4.3.2
Dl&C-ISG-03 Branch Technical                          IEEE-338                            IEEE 7-4.3.2 IEEE-603 IEIE-10ZI Position 7-14                                                                Standard Criteria for ft    New Reactor                                                          Criteria for Periodic Digital Computers                      Standard Criteria for Digital Probabllistk            Guidance for Software                    Sorvelllance Testing                                                              Safety Systems Risk Assessments and Standards                                        Review for Dl*ital BTPs, and TRs
                                                                                                                                                                                  '
IEEE-603
                                                                                                                                                                                                              ---
                                                                                                                                                                                                              ---
IEIE-10ZI
_
Position 7-14                                                                Standard Criteria for ft    New Reactor                                                          Criteria for Periodic
                                                                                                                                                                                                                                                      ...
_
Digital Computers                      Standard Criteria for Digital Probabllistk            Guidance for Software                    Sorvelllance Testing                                                              Safety Systems Risk Assessments and Standards                                        Review for Dl*ital BTPs, and TRs
                                                                   ---                                        -                                                                                                            --~
                                                                   ---                                        -                                                                                                            --~
                                                                                                                                                               '                                                                        ~
                                                                                                                                                               '                                                                        ~
                                                                                                                                                                                                      '
Dl&C-ISG-04 Hiahtv* lntegrated                                    IEEE-828                                                                            ...
* Dl&C-ISG-04 Hiahtv* lntegrated                                    IEEE-828                                                                            ...
IEEE-1008
IEEE-1008
                                                                     ---- --T-
                                                                     ---- --T-
Line 279: Line 245:
                                                                                                                                                           ..ir-..
                                                                                                                                                           ..ir-..
I
I
_...._
                                                                                                                                                                                                 ~
                                                                                                                                                                                                 ~
J    *-tor
J    *-tor
                                                                                                                                                                                                                                  ,_
                                                                                                                                                                                                                           --ll'oqdo Guidance In llcensfnc D111tal Uperadn (NEI 01-01 Rev . l) o--
                                                                                                                                                                                                                           --ll'oqdo Guidance In llcensfnc D111tal Uperadn (NEI 01-01 Rev . l) o--
Dl&C-JSG-05                        *r
Dl&C-JSG-05                        *r
               ~    Highly Integrated Control Room EPRI TR-106439                                                                                                                                                                        i
               ~    Highly Integrated Control Room EPRI TR-106439                                                                                                                                                                        i
                                                                                                                                                                 *O
                                                                                                                                                                 *O Human Factors              Acceptance of Commercial                                                                                                                                                      NUREG/CR-6101 Grade Dedication
                                                                                                                              --
Human Factors              Acceptance of Commercial                                                                                                                                                      NUREG/CR-6101 Grade Dedication
                                                         *                                                                .,,                                                                                              Software Rellablllty and
                                                         *                                                                .,,                                                                                              Software Rellablllty and
                                                                                                                                                         ~                                                                Safety In Protection System s Dl&C-JSG-06                                                                                                                                                                                                (life Cycle Models
                                                                                                                                                         ~                                                                Safety In Protection System s Dl&C-JSG-06                                                                                                                                                                                                (life Cycle Models
               ~      Digital l&C Licensing Process NURE/CR-6421 Where can we Acceptance Process for COTS Software consohdate?
               ~      Digital l&C Licensing Process NURE/CR-6421 Where can we Acceptance Process for COTS Software consohdate?
                                                                                                                                                .
7
7


Line 304: Line 265:
9
9


    -
Pursuing Alternative Regulatory Approaches and Safety Standards
Pursuing Alternative Regulatory Approaches and Safety Standards
* Broader use of IEC standards as an alternative way to meet the requirements of IEEE 279 and 603-1991
* Broader use of IEC standards as an alternative way to meet the requirements of IEEE 279 and 603-1991
Line 350: Line 310:
* IAEA- International Atomic Energy
* IAEA- International Atomic Energy
* TR - Topical Report Agency 16
* TR - Topical Report Agency 16
* Acronyms
 
Acronyms
* BTP - Branch Technical Position
* BTP - Branch Technical Position
* IEC - International Electrotechnical
* IEC - International Electrotechnical

Latest revision as of 09:14, 2 February 2020

M190514: Scheduling Note and Slides - Briefing on Digital Instrumentation and Control (Public Meeting)
ML19133A101
Person / Time
Issue date: 05/14/2019
From:
NRC/SECY
To:
References
M190514


Text

SCHEDULING NOTE

Title:

Briefing on Digital Instrumentation and Control (Public Meeting)

Purpose:

To discuss with the Commission the plans for implementing digital instrumentation and control (I&C) systems

Scheduled: May 14, 2019 9:00 am

Duration: Approx. 3 hours

Location: Commissioners' Conference Room, 1st Floor OWFN

Participants:

External Panel (presentation: 30 mins.*)

Doug True, Chief Nuclear Officer and Senior Vice President, Generation and Suppliers, Nuclear Energy Institute: 10 mins.*

Dan Stoddard, Senior Vice President and Chief Nuclear Officer, Dominion Energy: 10 mins.*

Neil Wilmshurst, Chief Nuclear Officer, Electric Power Research Institute: 10 mins.*

Topics:

  • Current and future plans for digital I&C adoption
  • Remaining digital I&C impediments and regulatory gaps

Commission Q & A: 40 mins.

Break: 5 mins.

Staff Panel (presentation: 30 mins.*)

Margaret Doane, Executive Director for Operations

Ho Nieh, Director, Office of Nuclear Reactor Regulation (NRR)

Eric Benner, Director, Division of Engineering, NRR

Brian Thomas, Director, Division of Engineering, Office of Research

Topics:

  • Recent accomplishments
  • Staff priorities for 2019
    o Strategic assessment of digital I&C regulatory infrastructure (e.g., evaluation of a risk-informed regulatory framework based on higher level design principles)
    o Endorsement of International Electrotechnical Commission (IEC) standards
  • Measuring success and determining when the digital I&C Integrated Action Plan is complete

Commission Q & A: 40 mins.

Discussion - Wrap-Up: 5 mins.

CCF is Not Unique to Digital (NEI)

  • CCF should not be treated as design basis
  • Analog systems are also subject to CCF
  • Analog CCF is primarily addressed through Special Treatment Requirements
  • Same approach should be applied to digital

©2019 Nuclear Energy Institute

Digital I&C NRC Commission Briefing

Dan Stoddard

May 14, 2019

Dominion Energy

Digital I&C Project Drivers

  • Obsolescence
  • Single point vulnerability elimination
  • Equipment Reliability
  • Operational Efficiency
  • Innovation
  • Cost reductions

Benefits

  • Maintenance - dramatically improved reliability (MTBF) and reduced maintenance
  • Engineering - equipment diagnostics, higher accuracy, and simplified fault detection
  • Operations - greatly enhanced Operator interface and vision into the plant
  • Commonality - Common platforms for Protection and Control minimize maintenance and training

Digital Upgrades - Tangible Performance Improvements

[Figure: three "Historical Performance" bar charts comparing Analog and Digital: BWR Digital Feedwater, PWR Turbine Controls, BWR Turbine Controls]

  • Exelon began installing digital upgrades in the early 90's beginning with the feedwater systems at Dresden, LaSalle, Quad Cities and Limerick
  • Turbine controls were upgraded beginning in 2004 at Byron, Braidwood, Dresden, LaSalle, Quad Cities and Limerick and continue across the balance of the fleet
  • 500+ "unit years" of operating experience conclusively demonstrates a significant reduction in initiating events

Ongoing Projects

  • A number of Digital I&C replacement projects are ongoing across the industry.
  • Issuance of RIS 2002-22 Supplement 1 has facilitated many of these projects
  • Examples:

- Emergency Diesel Generator Controls

- Radiation Monitors

- Rod Control

- Safety-related Chiller Controls

Risks and Challenges

  • No Large Safety-Related DI&C Upgrades (RPS/ESFAS) Currently Planned or In-Progress
  • Why?

- Regulatory uncertainty

- Cybersecurity Compliance

- Cost

Needs/Next Steps

  • BTP 7-19 revision approval
  • Implement Standard Digital Engineering Process and SOP interfacing procedure (NISP-EN-04)
  • Collaboratively work with the staff on the IAP modernization plans

A predictable regulatory path based on reasonable assurance of adequate protection.

ELECTRIC POWER RESEARCH INSTITUTE

EPRI Integrated Digital Systems Engineering

US-NRC Commission Briefing on Digital Instrumentation and Control

Neil Wilmshurst, Chief Nuclear Officer - EPRI

May 14th, 2019

www.epri.com © 2019 Electric Power Research Institute, Inc. All rights reserved.

EPRI

  • 450+ participants in more than 30 countries
  • EPRI members generate approximately 90% of the electricity in the United States
  • International funding - nearly 25% of EPRI's research, development, and demonstrations

EPRI Perspective On Digital Reliability

  • Recent research using field failure data revealed no platform level Software Common Cause Failures (SCCF) over approx. 2 billion hours of operation for IEC-61508 SIL certified PLCs
  • Application of existing SIL certifications, at the platform level, in place of existing design and review processes has proven to be effective.
  • Additionally, cumulative nuclear OE from across the world (Korea, France, China, etc.) indicate that:

- SCCF failures are no more problematic than other CCF contributors

- There have been no identified events where diverse platforms would have been effective in protecting against SCCF

- Several events confirmed effectiveness of signal and functional diversity in protecting against SCCF

[Diagram labels: Applications, Integration, Platform]

Integrated Digital Systems Engineering Framework

[Figure labels: Architecture; Hazard Analysis (STPA/FTA) - SPV/CCF; Requirements Engineering; Procurement; Human Factors Engineering (HFE); Cyber Security; Data Communications; Plant Integration; Testing; Configuration Management; Life Cycle Management; Industry Standard Engineering Process]

EPRI's Digital Framework Elements

EPRI has developed a comprehensive engineering process, utilizing modern methods and international standards used in other safety related industries.

  • Element 1 - Use of Industrial Standards: Use the same supply chain and structures that non-nuclear safety related industries use (IEC-61508/61511) to harvest the economies-of-scale of other safety industries.
  • Element 2 - Use of Systems Engineering: Use of a modern, high performance, single engineering process that leverages systems engineering in the transition to team-based engineering for conception, design, and implementation.
  • Element 3 - Risk Informed Engineering: Effective engineering decision-making via hazards and risk analysis to integrate all engineering topics (such as cyber security and SCCF) into a single engineering process.

Policy Level vs. Implementation Level Activities

[Figure: Objective Criteria for SCCF, Cyber, EMC and HFE, with "The Gap" marked above the Implementation Level (DEG / HAZCADS / DRAM / TAM / IEC-61508) via Industry Standard Procedures]

EPRI Products are Used at the Implementation Level (what you actually do)

Objective Criteria provides the Policy to Implementation connector and can be formatted like a safety case argument

Acronyms

  • CCF - Common Cause Failure
  • DRAM - Digital Reliability Analysis Methodology (EPRI product in development, sch. Q1 2020)
  • EMC - Electromagnetic Compatibility
  • EPRI - Electric Power Research Institute
  • FTA - Fault Tree Analysis
  • IEC - International Electrotechnical Commission
  • IEEE - Institute of Electrical and Electronics Engineers Standards Association
  • HAZCADS - Hazards and Consequences Analysis for Digital Systems (EPRI 3002012755, Dec. 2018)
  • HFE - Human Factors Engineering
  • ISO - International Organization for Standardization
  • OE - Operating Experience
  • PLC - Programmable Logic Controller
  • SCCF - Software Common Cause Failure
  • SIL - Safety Integrity Level (based on IEC-61508)
  • SPV - Single Point Vulnerability
  • STPA - Systems Theoretic Process Analysis
  • TAM - Cyber Security Technical Assessment Methodology (EPRI 3002012752, Nov. 2018)

Together ... Shaping the Future of Electricity

U.S.NRC United States Nuclear Regulatory Commission

Protecting People and the Environment

BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL

Commission Meeting May 14, 2019

On the Road to Digital Modernization

Speakers

  • Ho Nieh, Director, Office of Nuclear Reactor Regulation (NRR)

NRC has Addressed High Priority Challenges

ISG-06, Rev. 2 Explained

[Figure: timeline of licensee activities (Concept and NRC pre-application meetings; Initial system design and planning; Detailed hardware & software design and fabrication; Implementation, software validation/verification, and factory testing; Onsite installation and site acceptance testing). Other labels: ISG-06, Rev. 2; Alternative Review Process; Traditional Review Process; NRC vendor/regional inspection and oversight]

Current NRC Guidance is Enabling Safe Digital Upgrades via 50.59

  • Chiller Controls
  • Diesel Generator Controls
  • Feedwater/Turbine Control System

Evaluation of an Issue with NEI 96-07 Appendix D is in Progress

[Document cover: SUPPLEMENTAL GUIDANCE FOR APPLICATION OF 10 CFR 50.59 TO DIGITAL MODIFICATIONS, Prepared by the Nuclear Energy Institute, November 2018]

10 CFR 50.59(c)(2)(vi)

A license amendment is required if the change would "create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated)."

Where else can we improve the regulatory framework?

[Figure: map of the digital I&C regulatory framework, from federal regulations (10 CFR 50, 10 CFR 50 Appendix A, 10 CFR 50 Appendix B, 10 CFR 73.54, IEEE 279-1971, IEEE 603-1991) through regulatory guides, DI&C-ISG-01 through DI&C-ISG-06, Branch Technical Positions, IEEE standards, and EPRI and NUREG/CR reports, with the question "Where can we consolidate?"]

Proactively Addressing Additional Common Cause Failure Concerns

Propose Risk-Informed Graded Approach for BTP 7-19

  • Safety-Related

- A1: D3 Analysis

- A2: Defense-in-Depth/Qualitative Assessment

  • Not Safety-Related

- B1: Defense-in-Depth/Qualitative Assessment

- B2: Assessment May be Needed

Perceptions vs. Reality

  • Perception: A diverse analog system is mandatory to back up all DI&C safety systems

- Reality: No. There are many options to accomplish the intended safety function, including ATWS and operator actions.

  • Perception: 100% testing is required of the digital system to address CCF

- Reality: 100% testing is NOT required to address CCF in digital systems and may not be practical.

  • Perception: BTP 7-19 is applicable to DI&C modifications under 10 CFR 50.59

- Reality: No, a licensee is NOT required to follow BTP 7-19 for digital modifications under 10 CFR 50.59.

Pursuing Alternative Regulatory Approaches and Safety Standards

  • Broader use of IEC standards as an alternative way to meet the requirements of IEEE 279 and 603-1991

Research is Supporting the Success of Future Regulatory Modernization

User Needs

  • Embedded Digital Devices
  • Common Cause Failure
  • Risk-Informing
  • Operational Experience

NRC is Coordinating with other Domestic Research Activities

Domestic research activities are focused on using digital technologies to improve safety and reliability

NRC's International Collaboration is Focused on Safe Use of Digital I&C

[Logo: IAEA, International Atomic Energy Agency]

What does success look like?

[Photo captions: Shippingport control room circa 1957; Typical control room today, > 60 years from Shippingport]

Success is expanding the safe use of digital

We're Making Progress on Achieving an Efficient and Effective Digital I&C Framework

  • Continue our efforts to:

- Modernize our decision making in the use of DI&C systems

- Effectively communicate with all stakeholders to understand their challenges, priorities, and potential solutions

- Transform with risk-informed and innovative approaches

Acronyms

  • BTP - Branch Technical Position
  • CCF - Common Cause Failure
  • CFR - Code of Federal Regulations
  • D3 - Diversity and Defense-in-Depth
  • DI&C - Digital Instrumentation and Control
  • I&C - Instrumentation and Control
  • IEEE - Institute of Electrical and Electronics Engineers
  • IAEA - International Atomic Energy Agency
  • IEC - International Electrotechnical Commission
  • ISG - Interim Staff Guidance
  • NEI - Nuclear Energy Institute
  • RIS - Regulatory Issue Summary
  • NEA - Nuclear Energy Agency
  • SSC - Safety Systems, Structures, and Components
  • EPRI - Electric Power Research Institute
  • TR - Topical Report
