Text

Licensing Process for Upgrading I&C Systems at Nonpower Production or Utilization Facilities (NPUFs)

D. A. Hardesty,* M. D. Muhlheim, N. Carte,+ R. Alvarado, P. G. Boyle,^ D. Warner,# and A. Adams@

• US Nuclear Regulatory Commission, Washington, DC, 20555, duane.hardesty@nrc.gov;

+

Norbert.Carte@nrc.gov; Rossnyev.Alvarado@nrc.gov; ^Patrick.Boyle@nrc.gov; #Daniel.Warner@nrc.gov; Alexander.Adams@nrc.gov Oak Ridge National Laboratory, P.O. Box 2008, Oak Ridge, TN, 37831, muhlheimmd@ornl.gov INTRODUCTION modifications may increase the potential likelihood of equipment failures by introducing new shared Seventeen of the 31 currently licensed and resources, hardware, or software among multiple operating Nonpower Production or Utilization functions (e.g., controllers, communication networks Facilities (NPUFs) in the United States are currently or video display units).

upgrading or planning changes to their An important consideration when applying any instrumentation and control (I&C) systems. Three digital/computer technology is to ensure that a have license amendment requests (LARs) under malfunction (accidental or malicious) cannot review by the US Nuclear Regulatory Commission prevent/block the safety system or operator from (NRC) under Title 10 of the Code of Federal performing the required safety function (e.g., the Regulations, Section 50.90 (10 CFR 50.90). Six are technology cannot prevent the facility from achieving performing changes using 50.59 (i.e., 10 CFR safe shut down). Another important consideration is 50.59), and eight are planning I&C systems changes to ensure that the operators have diverse means or upgrades in the next 6 months. Under 10 CFR available for viewing the current values of essential 50.59, the licensee is responsible for screening and operating parameters so that a malfunction cannot evaluation of a proposed modification to be blind the operator. Attributes of digital I&C implemented without prior NRC approval. Under systems include independence (physical, electrical, 10 CFR 50.90, the NRC staff evaluates the proposed and communications), redundancy, diversity, modification to be implemented to assess compliance defense-in-depth, determinism, simplicity, and with the regulations and ensure public health and control of access.

safety will be protected. The NRC staff encourages the use of public meetings prior to submittal of the I&C LICENSING PROCESS LAR to reduce regulatory uncertainty and discussion of issues that may challenge the staffs ability to The regulations in 10 CFR 50.59(c)(1) state that assess the systems compliance with NRC regulations. a licensee may make changes to its facility without requiring a licensing amendment if the change does NPUF Regulation not require a change to the technical specifications (TSs) or if the change does not meet any of the The NRC is committed to minimum regulation criteria in 10 CFR 50.59(c)(2). 10 CFR 50.59(c)(2) in the oversight of research reactors and testing requires a licensee to obtain a license amendment facilities and welcomes opportunities to work with pursuant to 10 CFR 50.90 prior to implementing a licensees to achieve this goal. NRC regulatory proposed change, test, or experiment if that change, standards and the degree of scrutiny applied uses a test, or experiment would:

graded approach in the regulatory review process i. result in more than a minimal increase in the informed by the safety significance of facility design frequency of occurrence of an accident, and operation. This ensures that adequate public ii. increase in the likelihood of failure of structures, health and safety are maintained and that licensed systems, or components (SSCs) to perform its activities comply with applicable regulations and are intended function, not inimical to the common defense and security. iii. increase in the consequences of an accident iv. increase in the consequences of a failure of SSCs Differences in Analog vs. Digital to perform its intended function,

v. create the possibility for an accident of a Unlike the point-to-point wiring for analog different type than any previously evaluated, control systems, a digital control system can vi. create the possibility for a malfunction of an SSC communicate with numerous systems and important to safety with a different result, components simultaneously. Digital modifications vii. exceed or alter a design basis limit for a fission may also introduce software. Thus, digital I&C product barrier, or 1

viii. depart from a method of evaluation described in cause failures, embedded digital devices [6], software the safety analysis report (SAR) in establishing failures, and digital hardware failures.

the safety analyses.

Amendments per 10 CFR 50.90 The licensee must answer no to all eight criteria for the proposed modification to be made Modifications that must be authorized by license under 10 CFR 50.59. Otherwise, the licensee will amendment are evaluated and approved by NRC have to make changes to its facility under 10 CFR staff. Licensees indicate their intention to seek NRC 50.90. approval of I&C upgrades by submitting a letter of intent. The LAR is docketed by the NRC and, if Changes under 10 CFR 50.59 approved, the NRC staff prepares a written safety evaluation (SE) and issues a license amendment that The capability of a licensee may make changes authorizes the proposed modification. The LAR must under 10 CFR 50.59 depends upon factors such as the contain sufficient detail for the NRC staff to scope of the modification, the affected systems or understand the safety of the proposed I&C components, and the conclusions of its 50.59 modification. Specifically, 10 CFR 50.90 states that evaluation. whenever a Part 50 license holder desires to amend The analysis of the eight criteria in 10 CFR its license, the amendment application must fully 50.59(c)(2) should be documented in sufficient detail, describe the changes desired, and it must follow, as either by reference to a source document or by direct far as applicable, the form prescribed for original statements such that an independent third party could applications.

verify the conclusions. In order to approve the LAR, the NRC staff must Sufficient detail means that the licensee be able to conclude that there is reasonable assurance thoroughly understands the modification. For that (1) health and safety of the public will not be example, two multi-range linear power channels for a endangered by operation in the proposed manner, TRIGA reactor are being upgraded to new, digital- (2) such activities will be conducted in compliance based General Atomics (GA) NMP-1000 replacement with NRC regulations, and (3) issuance of the channels [1]. The new power channels are replacing amendment will not be inimical to the common the existing NMP-1000 power channels. According defense and security of the public.

to GA [2], [t]he current NMP-1000 architecture (ca. The guidance provided in NUREG-1537, Format 2013) is very similar to all previous NMP units. and Content (Part 1) and Acceptance Criteria (Part 2)

Thus, because the old and new channels have the ensures the quality and uniformity of the staff same model number, this appears to be a like-for-like reviews, makes information about regulatory matters replacement. However, the new NMP-1000s have a concerning NPUFs widely available, and improves microprocessor and a liquid crystal display interface. the understanding of the staff review process by the Thus, the new GA NMP-1000 does not appear to NPUF community and the public. The document meet the criteria for implementing the change using covers all aspects of licensing an NPUF. The 10 CFR 50.59 and is undergoing a LAR review document can be used for the construction permit and because of changes to the human-system interfaces the initial operating license, license renewal, license (HSIs) and TSs. amendment, decommissioning and license In addition to determining eligibility to perform termination, and highly enriched to low-enriched a proposed change under 10 CFR 50.59, the SAR for uranium core conversions. Interim Staff Guidance each facility should be updated for all 10 CFR 50.59 (ISG) for Chapter 7 Parts 1 and 2 (full replacement) changes that impact the facility as described. [7] is being implemented and updated based on Significant changes are pending for the 10 CFR lessons learned during implementation. Licensees use 50.59 guidance for digital I&C, and licensees should of the ISG is an acceptable method for meeting the stay current with these changes. Industry and Nuclear requirements for an I&C modification. The draft ISG Energy Institute (NEI) are working on two is being used to review the digital I&C system documents to replace NEI 01-01 [3]licensing modifications at Massachusetts Institute of guidance in Appendix D to NEI 96-07 [4] and Technology (MIT), Purdue, and UMass-Lowell.

technical guidance in NEI 16-16 [5]. New guidance for 10 CFR 50.59 reviews will likely include an GUIDANCE FOR I&C UPGRADES interpretation of what qualifies as a simple device and will address concerns related to diversity and Provide a Complete Design with Supporting defense-in-depth, independence, as well as common- Documentation 2

Information is key to properly assessing changes Modifications to I&C May Change TSs to a facility under 10 CFR 50.59 or 10 CFR 50.90.

The SAR provides the design bases, design criteria, NRC regulations require licensees to obtain a and current system design implementation. The license amendment pursuant to 10 CFR 50.90 if the licensee must prepare a safety analysis with proposed modification would result in a change to comprehensive supporting documentation for the TSs or if the proposed modification meets any of the modification based on all aspects of what is being criteria stated in 10 CFR 50.59(c)(2).

modified. One licensee emphasized, based on The TSs specify operating limits and conditions experience, the need to become literate with the ISG and other facility requirements. A TS may need to be (both Part 1 and Part 2) and to highlight or write changed or modified because of I&C system down any questions early in the process [8]. components being removed, a change to the A thorough understanding of the facilitys minimum number of operable channels, analog accident analyses and knowledge of how failures of testing is no longer appropriate or when there are new the affected system are going to impact that accident types of testing, new self-test features, or new or analysis need to be described and analyzed in revised surveillance frequency. For example, sufficient detail. Information needed includes: changing to a digital system may add a watchdog

• initial conditions, timer, which in turn may be important enough to

• initiating events, result in a TS-required scram.

• failure modes of the old equipment,

• expected failure modes for the new equipment, New HSIs May Create New Malfunctions

• the impact of these assumed failures on the equipment and systems being controlled by the New physical interactions with the HSI will new equipment, require an examination of how the actual physical interface could impact performance of SAR-

• limiting conditions, and described design functions. For example, if a new

• postulated consequences.

malfunction is created as a result of the physical interaction, then the HSI portion of the digital This information is vital for comparing the new modification would be deemed adverse and evaluated system to the old system to properly assess potential per 10 CFR 50.59. Examples of new physical changes to the facility.

interactions include:

The design information should come from

• Use of touch screens in place of push-buttons, formal documentation on the new design or upgrades, switches, or knobs; such as the functional requirements specification (FRS), software requirements specification (SRS),

• A new interface requiring the human user to hardware development specification, and the failure choose which component is to be controlled; modes and effects analysis. Requirements traceability

• Changes to operating procedures; is essential because it maps the specification back to

• Information overload; the requirements. Test results should demonstrate and

• Changes in how a parameter is displayed; and document that the performance requirements related

• Changes in the data acquisition process.

to the safety functions have been met. Testing performed should also trace back to specific system SOME REVIEW EXAMPLES requirements.

Some changes may not only require revisions to Analog Recorder Screening the SAR or TS(s), but would also benefit from separate documents describing changes specific to An analog recorder is to be replaced with a new the license request. Below are some helpful items to microprocessor-based recorder. The recorder is used include in an application: for various monitoring purposes, some of which are

• A complete description of the change SAR-described design functions. The new digital recorder is highly dependable and has significant

• A safety analysis for what is being changed operating experience. Because the performance of its

• A copy of the revised SAR chapters, with change design function is unchanged, it might be assumed bars identifying changes related to the LAR that the recorder would screen out of a 10 CFR 50.59

• Revised TS pages (if needed) review. However, further analysis reveals that the

• Safety analysis conclusions, to be validated or sampling and recording frequency of the digital confirmed by NRC staff recorder are lower than that for the analog recorder, and the related recording function replaces instantaneous readings with time-averaged readings.

3

Accordingly, the replacement is deemed adverse, so a assurance of low likelihood of failure is derived from 10 CFR 50.59 evaluation would be required. Further assessment of factors involving system design evaluation of the new recorder would also include features, the quality of the design processes reviews of additional features such as networking employed, and the operating history of the software interfaces, remote control capability, USB ports and hardware used (i.e., product maturity and in-(intrusion protection), built-in or self-test diagnostics, service experience). The assessment must result in a environmental qualification (e.g., temperature, determination that there is reasonable assurance that pressure, humidity), and electromagnetic the digital I&C modification will exhibit a low compatibility to fully determine if the change can be likelihood of failure by considering the aggregate of made without prior NRC approval. these factors. Additionally, the analysis must contain sufficient detail either by reference or by direct Control Rod Drive Replacement statements, such that an independent third party can verify the conclusions. If the licensee determines that The original control rod drive mechanism used a the proposed modification cannot be performed under direct current motor with upper and lower limit 10 CFR 50.59, the licensee can redesign the proposed switches and a series of potentiometers that provided modification so that it can be implemented without rod position. Rod position was displayed on the requiring a license amendment. In lieu of 10 CFR control console. The new system uses a stepper motor 50.59, a licensee can still pursue performing with optical encoders for rod position, and it has a proposed modifications as a license amendment programmable logic controller interface with a touch under 10 CFR 50.90.

screen display for rod selection. Significant changes are pending for the 10 CFR For digital modifications such as this, the 50.59 guidance for digital I&C, and licensees should replacement would require a 10 CFR 50.59 stay current with these changes. Guidance is provided evaluation. A qualitative assessment of the design in the ISG for Chapter 7 for NUREG-1537 for LARs process, relevant operating experience, and the and new facilities.

system design features can be used to derive reasonable assurance of adequate quality and low REFERENCES likelihood of failure for the modification. The qualitative assessment considers an aggregate of 1. UMass-Lowell Research Reactor (UMLRR) factors such as system design features, the design Safety Analysis Report Chapters 1-7, 2015.

process, and operating history. 2. L. BOBEK, UMass Lowell, Digital Upgrade at UMass, Or: How I Learned to Stop Worrying Software Design Error and Love the Phase-0, NPUF Digital I&C Workshop, San Diego, September 2017.

A reactor trip channel was designed to trip if a 3. Nuclear Energy Institute (NEI) 01-01, EPRI TR-sensor was detected to be failed out of range. The trip 102348, Revision 1, Guideline on Licensing channel uses primary and secondary sets of Digital Upgrades, March 8, 2002.

instruments and multiplexors. If the primary sensor 4. NEI 96-07, Appendix D, Draft Revision 0c.

signal is out of range, then the trip channel will Supplemental Guidance for Application of 10 switch to the secondary sensor. If the secondary CFR 50.59 to Digital Modifications, May 2017.

sensor value is also out of range, the sensor reading (ADAMS Accession No. ML17265A000).

reverts to the last-stored good value. 5. NEI 16-16 Draft 2, Guidance for Addressing The design flaw is that a common-cause failure Digital Common Cause Failure, May 2017.

of all sensors of one type could result in continuous (ML17135A253).

use of the last good value. This failure mode was 6. RIS 2016-05, Embedded Digital Devices in discovered during a design review in which the Safety-Related Systems, April 29, 2016.

online SRS did not match the FRS. (ML15118A015).

This failure is an example of a software design 7. Draft Interim Staff Guidance (ISG) error. The SRS erroneously included the requirement Augmenting Chapter 7 of NUREG-1537 Part 1 for use of the last valid sensor data when a sensor & Part 2, November 9, 2015. (ML15134A484 fails, while the FRS required an automatic trip. and ML15134A486).

8. C. TOWNSEND, Digital I&CA Licensing CONCLUSIONS/

SUMMARY

Survival Guide, NPUF Digital I&C Workshop, San Diego, September 2017.

For digital I&C changes being reviewed by the NRC or performed under 10 CFR 50.59, reasonable 4