ML19025A312

Issue date: 02/01/2019
From: Jason Paige, Beyond-Design-Basis Management Branch (Paige J, NRR/DLP, 415-1474)
Integrated Action Plan to Modernize Digital Instrumentation and Controls Regulatory Infrastructure
Update: January 2019
NUCLEAR REGULATORY COMMISSION
ML19025A312 IAP - Revision 3
Contents

Summary
1.0 Introduction
2.0 Background
3.0 Integrated Strategy to Address Stakeholder Challenges
    Strategy
    Industry Stakeholder Challenges and Issues
    Stakeholder Input to Transformational Recommendations (SECY-18-0060)
4.0 Detailed Modernization Plans
    MP #1. Protection against Common Cause Failure
        Introduction; Background; Objectives; Actions; Status; Potential Regulatory Challenges and Policy Issues; Interactions with Other Action Plan Items
    MP #2. Considering Digital Instrumentation & Controls in Accordance with 10 CFR 50.59
        Introduction; Background; Objectives; Actions; Status; Potential Regulatory Challenges and Policy Issues; Interactions with Other Action Plan Items
    MP #3. Acceptance of Digital Equipment
        Introduction; Background; Objectives; Actions; Status; Potential Regulatory Challenges, DI&C Modernization Recommendations, and Policy Issues; Interactions with Other Action Plan Items
    MP #4. Assessment for Modernization of the Instrumentation & Control Regulatory Infrastructure
        Introduction; Background; Objectives; Actions; Status; Potential Regulatory Challenges and Policy Issues; Interactions with Other Action Plan Items
Concurrence (* = concurrence via e-mail)

OFFICE: NRR/DLP/PLPB/LA*   NAME: DHarrison   DATE: 1/31/19
OFFICE: NRR/DLP/PLPB/BC*   NAME: DMorey      DATE: 1/31/19
OFFICE: NRR/DE/EICA/BC*    NAME: NSalgado    DATE: 1/24/18
OFFICE: NRR/DE/EICB/BC*    NAME: MWaters     DATE: 1/30/18
OFFICE: NRO/DE/ICEEB/BC*   NAME: RJenkins    DATE: 1/24/19
OFFICE: RES/DE*            NAME: BThomas     DATE: 1/31/19
OFFICE: NRR/DE*            NAME: EBenner     DATE: 1/31/19
OFFICE: NRR/DLP/PLPB/PM    NAME: JPaige      DATE: 1/31/19
Integrated Action Plan to Modernize Digital Instrumentation and Controls Regulatory Infrastructure

Summary

As identified in SECY-16-0070 [1], the U.S. Nuclear Regulatory Commission (NRC or the Commission) staff continues to update and modify the integrated action plan (IAP) as a living document. This revision to the IAP maintains the direction in the Staff Requirements Memorandum (SRM) to SECY-15-0106 [2] to develop an integrated strategy to modernize the NRC's digital instrumentation and control (I&C) regulatory infrastructure. Additionally, consistent with Commission direction, this revision updates the strategy for engaging external stakeholders to reach a common understanding of digital I&C regulatory challenges, priorities, and potential solutions to address them. The plan considers the broad context of digital I&C regulatory challenges and includes related activities being pursued by the staff. The plan has been revised using NRC staff and external stakeholder input. In resolving the regulatory challenges, the plan continues to provide for frequent public and stakeholder interactions. A senior management steering committee (SC) oversees the resolution of digital I&C regulatory challenges identified within the plan. As the IAP is implemented and the modernization plans (MPs) are accomplished, the staff will submit any recommended changes to NRC policies to the Commission.
The staff, in coordination with stakeholders, continues to update key topics including Protection Against Common Cause Failure, Digital I&C Upgrades and Replacements under Title 10 of the Code of Federal Regulations (10 CFR) Section 50.59, Commercial Grade Dedication of Off-the-Shelf Digital Equipment for Safety Related Applications, and Licensing Process Improvements that have the greatest tactical impact, in the near-term, in addressing regulatory challenges and improving timeliness, efficiency, and effectiveness. These key topics have resulted in corresponding detailed modernization programs that are defined herein. The plan prioritizes and implements the regulatory changes, to provide tactical regulatory clarity and support industry confidence to perform digital I&C upgrades.
The longer-term goal is to evaluate and strategically implement improvement of the NRC's digital I&C regulatory infrastructure. The infrastructure improvements will result in a state in which the nuclear power industry can perform digital upgrades under the 10 CFR 50.59 licensing process or, where necessary, obtain regulatory approval to use digital technology that provides for adequate safety and security through processes that are efficient, minimize uncertainty, and can be consistently applied across different technologies. The staff will evaluate the results of implementation of the tactical activities and, with continued stakeholder interaction, will complete a broader modernization assessment. The assessment will consider a performance-based, technology-neutral regulatory infrastructure consistent with Commission direction and will anticipate the evolution and future development of digital I&C technology as it is applied to nuclear technologies.
[1] SECY-16-0070, Integrated Strategy to Modernize the Nuclear Regulatory Commission's Digital Instrumentation and Control Regulatory Infrastructure (Agencywide Documents Access and Management System (ADAMS) Accession No. ML16126A140)
[2] SRM-SECY-15-0106, Proposed Rule: Incorporation by Reference of Institute of Electrical and Electronics Engineers Standard 603-2009, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (ADAMS Accession No. ML16056A614).
This IAP is a living document. It is updated based on progress made on related activities and modified, if necessary, based on Commission direction and new information.
1.0 Introduction

The purpose of this IAP is to implement a strategy for modernizing the NRC's digital I&C regulatory infrastructure. Consistent with Commission direction in SRM-SECY-15-0106, the IAP has been developed and updated to primarily consider the broad context of digital I&C regulatory challenges for operating reactors, new and advanced reactors, and digital I&C vendors. The IAP is based on NRC licensing and inspection experiences as well as stakeholder engagement to reach a common understanding of digital I&C regulatory challenges, priorities, and potential solutions to address them. The ultimate goal of the plan is to continue to ensure safety and security while improving the predictability and consistency of the agency's regulatory process for licensing and oversight of digital I&C systems. As further discussed in Section 3 of the IAP, the plan contains MPs for making tactical improvements to the regulatory infrastructure and defines strategic assessments and supporting research of broader modernization to improve the effectiveness of NRC licensing and inspection and address challenges for the different I&C stakeholders.
The digital I&C SC was established to provide senior management oversight of the formulation of the strategy and execution of this action plan to modernize the digital I&C regulatory infrastructure. The SC is comprised of division directors with management responsibility for DI&C technology in the Office of Nuclear Reactor Regulation (Chairperson) and the Office of Nuclear Regulatory Research. The SC is supplemented as needed with members from the Office of New Reactors (NRO), Office of Nuclear Material Safety and Safeguards (NMSS) and the Office of Nuclear Security and Incident Response (NSIR). The SC ensures appropriate management focus on the resolution of regulatory issues and enhancement initiatives.
The SC will periodically assess the status and effectiveness of this IAP consistent with the Commission direction and evaluate the progress toward meeting the overall objectives of the modernization of the NRC's digital I&C regulatory infrastructure. The SC will be supported by managers and staff in the offices with expertise and shared responsibility in the field of digital I&C. This IAP will be implemented and updated by the respective NRC line organizations under the supervision of the SC. Ownership of each MP will be assigned to appropriate NRC office leads. This IAP will be updated and published periodically to indicate progress made within each activity. Changes to the MPs that are identified during these periodic reviews shall be agreed upon by the SC. The IAP is a living document, and specific activities will be adjusted and updated between revisions based on SC direction and stakeholder engagement.
2.0 Background
On February 25, 2016, the Commission issued SRM-SECY-15-0106, which disapproved the staff's recommendation to publish for comment in the Federal Register a proposed rule which would incorporate by reference into 10 CFR 50.55a the Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 603-2009, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations. This proposed rule had included, along with the incorporation by reference of IEEE Std. 603-2009, additional conditions for addressing digital hazards analysis, independence, and digital communications.
In the SRM, the Commission directed the staff to develop an integrated strategy, with proposed implementation milestones, to modernize the NRC's digital I&C regulatory infrastructure. In developing an IAP, the Commission directed the staff to consider the broader context of digital I&C regulatory challenges and include all related activities being pursued by the staff, including incorporation by reference of IEEE Std. 603-2009, updates to the policy on common cause failure (CCF) in SRM-SECY-93-087, and development of guidance for 10 CFR 50.59 evaluations of digital I&C upgrades.
The Commission also directed the staff to engage in public workshops and meetings with the relevant IEEE standards setting committee, licensees, vendors, and other external stakeholders to reach a common understanding of the digital I&C regulatory challenges, priorities, and potential solutions to address them. The Commission also directed the development of the plan to be guided by the following principles:
- The staff's plan should include the establishment of a senior management SC to oversee resolution of digital I&C regulatory challenges.
- Any new or revised requirements addressed in the action plan should be performance-based rather than prescriptive.
- Digital I&C safety requirements should be technology neutral, however, guidance should be tailored, if necessary.
- The same requirements should apply to operating and new reactors.
- The guidance should focus on acceptable approaches to complying with requirements and may include specific technology-focused provisions. If only one approach is acceptable to the staff to ensure safety based on current understanding, and this approach is appropriately technology neutral and performance-based, then it should be included in a requirement rather than in guidance.
- The NRC requirements and guidance should not pose an unnecessary impediment to advancement in nuclear applications of digital technology.
On October 25, 2016, the Commission issued SRM-SECY-16-0070 [3], which approved the implementation of the staff's IAP to modernize the NRC's digital I&C regulatory infrastructure.
To modernize the NRC's digital I&C regulatory infrastructure within Commission direction, the staff has undertaken a number of tactical initiatives discussed within MP #1 to MP #4A of the IAP.
Commission Interactions

On September 21, 2017, the staff provided SECY-17-0096, Status of Guidance Development for Digital Instrumentation and Control Upgrades Under Title 10 of the Code of Federal Regulations, Section 50.59, Changes, Tests, and Experiments. The paper informed the Commission of the staff's progress in developing guidance for digital instrumentation and control (I&C) upgrades in the supplement to regulatory issue summary (RIS) 2002-22. The RIS clarifies the staff's endorsement of industry guidance for preparing and documenting the qualitative assessments licensees use in determining whether a change requires a license amendment.
Licensees are expected to use this information to facilitate near-term digital upgrades and replacements to I&C systems, with initial focus on non-safety-related systems and auxiliary support safety systems for new and operating power reactors.

[3] SRM-SECY-16-0070, Staff Requirements - SECY-16-0070 - Integrated Strategy to Modernize the Nuclear Regulatory Commission's Digital Instrumentation and Control Regulatory Infrastructure (ADAMS Accession No. ML16299A157)
On May 23, 2018, the staff recommended in SECY-18-0060, Achieving Modern Risk-Informed Regulation, that the Commission direct the staff to develop a new regulation to define high-level performance-based I&C safety design principles and associated regulatory guidance that documents the acceptable standards that may be used to meet these principles. The recommendation is currently before the Commission for consideration.
On September 12, 2018, the staff provided SECY-18-0090 [4], Plan for Addressing Potential Common Cause Failure in Digital Instrumentation and Controls, to the Commission. The paper informed the Commission about the staff's plan to update and clarify guidance associated with evaluating and addressing potential CCF of digital I&C systems. The paper noted that the staff will ensure consistent application of the direction provided in SRM-SECY-93-087 [5] and address stakeholder comments by continuing to apply the five guiding principles for addressing CCF, which are intended to reduce regulatory uncertainty.
The staff provides an annual Commission paper reporting on the status of the work and describing future activities for the modernization effort. Prior Commission updates are in SECY-17-0096 [6] on September 21, 2017, and SECY-17-0105 [7] on October 25, 2017. With input from stakeholders, Revision 1 to the IAP [8] was published in March 2017, and Revision 2 to the IAP [9] was published in January 2018.
On October 25, 2018, the Commission was briefed by an external panel and a staff panel on the progress of implementing the regulatory infrastructure for digital I&C systems, and on industry initiatives in implementing digital I&C. During the meeting, the external panel provided its perspectives on the current state of nuclear digital I&C system modifications, identified perceived barriers to an efficient and streamlined digital I&C review process, and discussed methods and processes that would improve the efficiency of the digital I&C regulatory review and evaluation process.
Revision 3 to the IAP

Revision 3 to the IAP provides updates to on-going MPs, including completion of activities in MP #1A, Guidance for developing and documenting acceptable qualitative assessments crediting the proposed design attributes, quality measures, and operating history in support of 10 CFR 50.59 evaluations of proposed digital instrumentation and control, and MP #1C, Evaluate NRC's current position on defense against common-cause failures in digital instrumentation and control systems and components.
[4] SECY-18-0090, Plan for Addressing Potential Common Cause Failure in Digital Instrumentation and Controls Systems, dated September 12, 2018 (ADAMS Accession No. ML18179A066).
[5] SRM-SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light Water Reactor (ALWR) Designs (ADAMS Accession No. ML18179A068).
[6] SECY-17-0096, Status of Guidance Development for Digital Instrumentation and Control Upgrades Under Title 10 of the Code of Federal Regulations, Section 50.59, "Changes, Tests and Experiments" (ADAMS Accession No. ML17213A774).
[7] SECY-17-0105, Update to the Integrated Strategy to Modernize the NRC's Digital Instrumentation and Control Regulatory Infrastructure (ADAMS Accession No. ML17277B542).
[8] Integrated Action Plan to Modernize Digital Instrumentation and Controls Regulatory Infrastructure, Revision 1, dated March 31, 2017 (ADAMS Accession No. ML17102B307).
[9] Integrated Action Plan to Modernize Digital Instrumentation and Controls Regulatory Infrastructure, Revision 2, dated January 31, 2018 (ADAMS Accession No. ML18016B023).
Revision 3 to the IAP also includes two new activities: (1) MP #1D, Update to Branch Technical Position (BTP) 7-19, for revising Branch Technical Position 7-19 [10], Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, which is included in NUREG-0800 [11], Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition; and (2) MP #2B, Implement Inspector Training on 10 CFR 50.59 Guidance and Conduct Stakeholder Workshops, for inspector coordination on new digital I&C 10 CFR 50.59 guidance.
MP #4B, Broad Assessment for Modernization of Digital Instrumentation and Controls Regulatory Infrastructure, has also been updated to clarify the plan for a broad assessment of the regulatory infrastructure to identify improvement activities consistent with the Commission direction in SRM-15-0106 and considering the challenges (potential impediments) that may be unique to specific I&C stakeholder communities (see Section 3.0 of this IAP).
The staff held a public meeting to discuss the status of the draft IAP Revision 3 in July 2018 [12].
To facilitate interactions with the public, the staff provided a description of the proposed updates to re-baseline Revision 3 of the IAP. During the meeting, industry stakeholders generally expressed support for addressing broader modernization efforts, but stated that NRC focus and priority should remain first on the near-term tactical activities in MP #1-#4A. Subsequent to the meeting, three stakeholders provided comments and supporting documents on MP #4B and considerations for future research on preventing CCF. In addition, industry stakeholders provided comments on the staff's recommendations associated with SECY-18-0060, Achieving Modern Risk-Informed Regulation [13].
3.0 Integrated Strategy to Address Stakeholder Challenges

Strategy

To address the principles in the Commission direction, the IAP is focused on improving the regulatory infrastructure so that it integrates performance-based and technology-neutral engineering concepts for ensuring safety, assists stakeholders in demonstrating the safety and security of I&C systems, and assists the NRC staff in performing regulatory reviews and I&C system inspections in a more efficient, effective, consistent, and risk-informed manner.
The integrated strategy within this plan is twofold: (1) implement specific MPs for making tactical improvements to the regulatory infrastructure, primarily to address near-term digital upgrade challenges identified by the operating reactor fleet; and (2) perform a broad evaluation of strategic improvements to the regulatory infrastructure, including supporting research to address stakeholder challenges and improve the effectiveness of NRC licensing and oversight.
Given that several technical and regulatory issues in the plan are interrelated, the IAP is continually updated to appropriately sequence MP activities.
Specific objectives of planned activities are derived in part from industry stakeholder interactions to reach a common understanding of the digital I&C regulatory challenges, priorities, and potential solutions to address them. As discussed below, the IAP also recognizes that different industry stakeholders share common goals in digital I&C modernization, and may also have unique priorities for the specific regulatory improvement activities in terms of scoping, timing, and overall benefit.

[10] Branch Technical Position 7-19, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, Revision 7, dated August 2016 (ADAMS Accession No. ML16019A344).
[11] NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (ADAMS Accession No. ML16019A344).
[12] July 25, 2018 Public Meeting on Digital Instrumentation and Control Integrated Action Plan, Revision 3 Status and Broader Modernization Plan 4B Activities (ADAMS Accession No. ML18204A313).
[13] SECY-18-0060, Achieving Modern Risk-Informed Regulation, dated May 23, 2018 (ADAMS Accession No. ML18110A186).
Each MP defines specific activities with defined outcomes and timelines. The MPs are defined by major topical areas (e.g., CCF, 10 CFR 50.59, and licensing and oversight) and may be further subdivided into sub-activities with defined outcomes.
Industry Stakeholder Challenges and Issues

Different industry stakeholders share common goals in digital I&C modernization. The staff understands that each community may have unique priorities for the specific regulatory improvement activities in terms of scoping, timing, and overall benefit. The following summarizes key challenges and issues associated with each industry stakeholder community:
- Operating Reactors - Operating reactors continue to address obsolescence issues and make tactical digital modifications to improve plant reliability. Operating reactors are also planning or evaluating strategic upgrades to major systems (e.g., reactor protection systems and engineered safety features actuation systems) to support long-term operations into subsequent license renewal phases. The licensing basis for most plants is founded upon current I&C-related general design criteria (GDCs) or pre-GDCs and the standards in IEEE Std 279-1968, IEEE Std 279-1971, and IEEE Std 603-1991 that have been incorporated by reference into 10 CFR 50.55a(h).
- New and Advanced Reactors - New and advanced reactor stakeholders are developing digital I&C systems and architectures for new types of I&C for advanced reactor designs (e.g., small modular reactors and non-light water reactors). The licensing framework for new and advanced reactor designs may benefit from a framework different from the I&C-related GDCs and IEEE Std 603-1991.
I&C designs are developed in consideration for plants in multiple countries with multiple regulatory infrastructures. Digital I&C platforms may often be developed with alternative standards, such as International Electrotechnical Commission (IEC) standards, particularly IEC 61513, Nuclear power plants - Instrumentation and control important to safety - General requirements for systems. While past vendors have demonstrated that IEC-based systems can satisfy the IEEE standards in the NRC regulatory framework, they have challenged the value of this exercise to gain NRC approval. In addition, the alternative standards may be more-developed for some digital technologies and applications, such as field programmable gate arrays.
The staff recognizes that other stakeholder communities may have unique digital I&C challenges and priorities, such as non-power reactors and fuel cycle facilities. While the broader MPs are not directly tailored towards these communities, the staff believes they can benefit from IAP improvements, as appropriate.
Stakeholder input to Transformational Recommendations (SECY-18-0060)
In 2018, an independent NRC Transformation Team (the Team) was formed to identify potential transformational changes to the NRC's regulatory framework, culture, and infrastructure to further enhance its effectiveness, efficiency, and agility. The Team gathered information on transformative approaches to the review of new technologies by independently interacting with both internal and external NRC stakeholders. The Team assessed digital I&C technologies across non-US nuclear regulators and non-nuclear industries. Internal and external stakeholders indicated that IEEE Std 603-1991 is adequate to assess safety. However, the Team indicated that relying on this standard as the primary method to demonstrate compliance may not provide the desired flexibility for new digital I&C systems associated with both operating and new and advanced reactors. In SECY-18-0060, the Team recommended, in part, that the Commission direct the staff to develop a new regulation to define high-level performance-based I&C safety design principles and associated regulatory guidance that documents the acceptable standards, including IEC standards, that may be used to meet these principles.
The recommendation for digital I&C in SECY-18-0060 is currently with the Commission for consideration. The strategic assessment will incorporate these recommendations as further described in MP #4B. The IAP may also be updated to integrate any future Commission direction on this matter, as warranted.
4.0 Detailed Modernization Plans

The following four MPs will be used to resolve regulatory challenges, provide confidence to licensees, and modernize the I&C regulatory infrastructure. Detailed MPs have been developed for each activity and updated for this revision based on lessons learned and interfaces between NRC Offices and industry stakeholders. These activities are inter-related, and the NRC working groups will ensure integration and coordination on common issues.
- 1. Protection against Common Cause Failure. This MP addresses developing guidance for using effective qualitative assessments of the likelihood of failures, along with coping and/or bounding analysis for addressing CCFs, use of defensive design measures for eliminating CCF from further consideration, and staff evaluation of the NRC's existing positions on defense against CCF. The NRC's current position on protection against CCF is articulated in SRM-SECY-93-087 and Standard Review Plan (SRP) BTP 7-19.
The NRC's current position allows the use of sufficient diversity and of simple designs that provide for complete testability of components to eliminate software-based or software-logic-based CCF from further consideration in a defense-in-depth and diversity analysis. The current guidance, however, is not clear regarding the applicability of criteria for using coping analysis and other design features (e.g., defensive measures) for eliminating CCF from further consideration.
- 2. Considering Digital Instrumentation & Controls in accordance with 10 CFR 50.59.
This activity addresses the need for clarity of mutual industry and staff understanding that NRC guidance is being properly translated into industry actions for performing 10 CFR 50.59 evaluations of proposed digital I&C plant modifications. Under existing guidance for the 10 CFR 50.59 screening and evaluation of digital I&C systems, several licensees have improperly performed or documented the technical bases for 10 CFR 50.59 analyses for modifications of I&C systems using digital technologies.
Industry stakeholders have stated they are hesitant to pursue the deployment of digital I&C upgrades through changes under the 10 CFR 50.59 process because of regulatory uncertainty.
- 3. Acceptance of Digital Equipment. This activity will support improved guidance for acceptance of commercial grade digital equipment. Much of the digital I&C and other digital equipment that is readily available in the marketplace was not designed specifically for use in nuclear facilities and has not been designed, developed, and fabricated in accordance with NRC quality assurance criteria (as defined in Appendix B to 10 CFR Part 50).
This MP consists of activities intended to evaluate the suitability of additional guidance and industry standards to determine whether the NRC should accept third party certifications based on industry consensus standards to address the dependability critical characteristics aspects of commercial grade digital equipment for use in nuclear safety-related applications.
- 4. Assessment for Modernization of the Instrumentation & Control Regulatory Infrastructure. This activity has been divided into the following sub-sections to allow for focused product development:
A. The objective of this effort is to update the guidance in digital I&C interim staff guidance (DI&C-ISG)-06, Licensing Process, to incorporate lessons learned from using this guidance, and to include a new streamlined process to improve the efficiency and effectiveness of licensing reviews.
B. Broadly assess the current overall digital I&C regulatory infrastructure and consider areas such as past review experiences, ongoing licensing review and research efforts, lessons learned from operating experience, insights from other safety-critical industries, and international perspectives to identify and prioritize the improvements necessary to modernize the digital I&C regulatory infrastructure over the longer term in light of evolving approaches to digital I&C technology.
MP #1. Protection against Common Cause Failure
Introduction
This MP describes the activities and schedule for addressing methods for evaluating the potential for a CCF, which could lead to safety-significant consequences. The occurrence of CCF can compromise functional independence across redundant channels or divisions, across echelons of defense, across operator displays and monitored elements, and other layers of defense. As part of modernizing the NRC's digital I&C regulatory infrastructure, the staff evaluated the NRC's existing positions on acceptable defenses against CCF within digital I&C systems and measures that can be applied to prevent, or mitigate against, postulated CCF events occurring within digital I&C safety and non-safety systems.
Background
The Commission provided its current direction to the staff regarding protection against CCF in digital I&C systems in its SRM-SECY-93-087 item II.Q. The SRM provides specific acceptance criteria for the evaluation of CCF, which the staff implemented in SRP BTP 7-19. Item II.Q of the SRM includes the following position: The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common mode failures have adequately been addressed. The intent behind the application of the defense-in-depth and diversity (D3) philosophy in digital I&C safety systems is to protect against residual unknowns (beyond design basis) such as latent engineering development (including software) deficiencies. SRM-SECY-93-087 does not specify the criteria which must be evaluated to eliminate from further consideration the potential of a latent software deficiency in a defense-in-depth and diversity analysis. However, the staff review guidance in SRP BTP 7-19 includes two criteria, which, if satisfied, can be used to eliminate from further consideration the potential for software CCF, based on a demonstration that adequate internal diversity exists, or based on assurance that the systems are sufficiently simple that all possible logic failure paths can be tested for and shown to have non-existent errors. The staff's position was previously communicated to the Commission in SECY-09-0061, Status of the Nuclear Regulatory Commission Staff Efforts to Improve the Predictability and Effectiveness of Digital Instrumentation and Control Reviews (ADAMS Accession No. ML090790409).
Representatives of the nuclear industry (hereinafter referred to as industry) have stated that the current digital I&C licensing and oversight process for power and non-power reactors is cumbersome, inefficient, and/or unpredictable. In particular, they have suggested the guidance to perform digital I&C plant modifications is insufficiently detailed regarding: a) how to address the potential for introduction of new forms of CCF (e.g., potential plant vulnerabilities from having identical redundant digital I&C divisions, or mistakes made or errors introduced by processes for implementing configuration changes); b) how to acceptably analyze and document the safety impact of any new instances of potential CCF; and c) how conclusions from this analysis may be acceptably applied in licensing activities.
Further, licensees have stated that the current regulatory treatment and acceptance criteria dealing with the potential for CCF in the analysis of digital I&C systems have been problematic.
Specifically, they have stated that the proper application of the screening criteria for simple systems as identified in SRP BTP 7-19 regarding 100 percent testability, and the lack of a graded approach based on risk significance or safety significance, place a high burden on demonstrating that the potential for CCF in digital I&C systems has been adequately reduced, especially for systems containing local embedded digital I&C components. Therefore, the resolution of CCF concerns is the lead technical issue and a critical enabler for successfully addressing other issues related to digital I&C. Industry stakeholders are seeking clearer NRC staff guidance on methods for analysis of the potential for CCF of digital I&C systems. In addition, industry is seeking a more risk-informed, consequence-based regulatory infrastructure that removes uncertainty, ambiguity, and overlap in requirements and enables technical consistency.
The staff previously endorsed NEI-developed guidance (NEI 01-01, Guideline on Licensing Digital Upgrades: EPRI [Electric Power Research Institute] TR [Technical Report]-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 [Code of Federal Regulations, Title 10, Section 50.59, Changes, tests and experiments] Rule). This document provides guidance for designing, implementing, and licensing plant modifications that employ digital I&C components and systems. In its endorsement of the use of that guidance in RIS 2002-22 (ADAMS Accession No. ML023160044), the staff found the guidance to be acceptable for designing a digital replacement for equipment currently installed, and for determining whether the modification can be implemented under 10 CFR 50.59 without prior staff approval. However, during inspections of modification documentation prepared by some licensees, the staff has found inconsistencies in the evaluation of proposed modifications and inadequacies in the documentation of the technical bases for responses made to the 10 CFR 50.59 evaluation criteria. The staff clarified its previous endorsement of the NEI 01-01 guidance by providing additional guidance for developing and documenting acceptable qualitative assessments of the characteristics of proposed designs that may be used, to credit proposed system critical design attributes, quality of the design processes, and available operating history when assessing the likelihood of failure of the proposed digital modification while performing evaluations of the proposed modification under 10 CFR 50.59. This clarification of the staff's previous endorsement of NEI 01-01 was completed on May 31, 2018, and appears in RIS 2002-22, Supplement 1.
The staff also plans to evaluate an industry-proposed guidance document outlining a technical basis for application of such development practices and defensive measures. The staff is attempting to ascertain how the effectiveness of applying such measures may be assessed, and whether the criteria and methodology for crediting them can be consistently applied. Industry representatives also recommended the use of previous plant licensing basis analyses to demonstrate that the consequences of a potential CCF are bounded.
Objectives
The objectives of MP #1 are to:
A. COMPLETED. Produce durable guidance for evaluating and documenting the proposed use of design attributes, quality of the design processes, and operating history to address CCF when replacing or modifying lower risk-significant safety system auxiliary and/or support digital I&C systems (e.g., main control room chiller control systems), in the form of a supplement to RIS 2002-22, clarifying the staff's previous endorsement of NEI 01-01. This RIS supplement is aimed at supporting lower risk-significant digital upgrades under 10 CFR 50.59, and is not intended to address potential CCF evaluation issues associated with the implementation of protection systems or I&C-based engineered safety features initiation logic systems, which are addressed in SRP BTP 7-19 and NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems. This guidance identifies clarifications to the staff's endorsement of currently used digital I&C CCF technical evaluation process guidance for use by NRC and licensees. This objective has been completed. RIS 2002-22, Supplement 1, was issued on May 31, 2018. Follow-up activities regarding 50.59 guidance for implementation and inspection are described in Objective MP #2B.
B. NOT COMPLETED. Evaluate NEI's proposed guidance in NEI 16-16 for addressing CCF in digital I&C systems, based on the application of design measures for preventing, limiting, or mitigating CCF that are incorporated during the development process. Once NEI submits NEI 16-16, the NRC staff will evaluate whether the proposal provides adequate technical justification to preclude the need for performance of a D3 analysis when specific defensive design measures are present.
The staff will evaluate the acceptability for use of a graded approach based on the risk significance of potential CCF. The staff will also evaluate the proposed guidance for assessing CCF malfunctions with coping and bounding assessments. If industry's proposal is deemed technically acceptable and provides reasonable assurance of adequate protection, the staff will develop a document to convey its endorsement, in whole or in part, of the NEI 16-16 guidance.
C. COMPLETED. Evaluate NRC's current position on protection of digital I&C systems and components against CCF. This includes: (1) an evaluation of the scope of systems intended to be addressed under the position; and (2) an examination of the technical acceptability for using a graded approach based on risk significance or safety significance. The results of activities completed while addressing MP #1 Objectives were included with the results of the staff's examination of the NRC's current position.
This activity has been completed, as described in SECY-18-0090. The follow-up activity, revision of BTP 7-19, is described in MP #1D.
D. NOT COMPLETED. Revise BTP 7-19 to provide guidance to staff on evaluating potential CCF and associated diversity and defense-in-depth analysis. Consistent with the five guiding principles described in SRM-SECY-93-087 and SECY-18-0090, the revision will ensure that future staff reviews can continue to make reasonable assurance determinations that vulnerabilities to CCF have been adequately addressed in accordance with SRM-SECY-93-087. The guidance will facilitate reviews that include, in part, the use of design attributes, quality of design process, and operating experience in licensing reviews, as described in RIS 2002-22, Supplement 1.
Actions
NEI 16-16: Once NEI 16-16 is submitted, the staff will continue to engage industry through workshops and public meetings to discuss its findings and refine the project plan as needed. As part of the activities below, the staff will take into consideration applicable information within NEI 16-16 in developing relevant guidance. NEI 16-16 describes a set of methods to assess and address CCF concerns.
The industry indicated that the document may be segmented to allow agreement on certain topics (e.g., scope, coping analysis, and bounded results) in the near term while other topics (e.g., design measures that result in reasonable assurance of adequate protection against a potential CCF) may be evaluated over a longer term schedule. In addition, once finalized, NEI intends to submit NEI 16-16 for NRC's review and potential endorsement.
BTP 7-19: In revising BTP 7-19, the staff will take into consideration past stakeholder comments on the current revision of BTP 7-19 as well as solicit feedback from industry stakeholders during development of the draft of the revision. The staff will also ensure that the revision to BTP 7-19 is in alignment with the guiding principles identified in SECY-18-0090.
MP #1. Protection Against Common Cause Failure

| Activities for Each Objective | Schedule |
|---|---|
| A. Supplement 1 to RIS-2002-22: Guidance for developing and documenting acceptable qualitative assessments crediting the proposed design attributes, quality measures, operating history in support of 10 CFR 50.59 evaluations of proposed digital I&C modifications (COMPLETE) | |
| B. Evaluation of NEI 16-16 (ON HOLD)[14] | |
| B.1 Begin staff evaluation of NEI 16-16 [Draft 1] received 12/22/2016 and develop staff comments/gap analysis | December 2016 (c) |
| B.2 Meeting to discuss NEI's plans for completion of CCF likelihood technical basis, associated defensive measures, Appendices, and the balance of NEI 16-16 content | February 8-9, 2017 (c) |
| B.3 NRC to provide comments on NEI 16-16 [Draft 1] | March 13, 2017 (c) |
| B.4 Meeting to discuss and clarify NRC comments on NEI 16-16 [Draft 1] | March 29, 2017 (c) |
| B.5 Meeting to preview Appendix A content to be included in Draft 2 of NEI 16-16 | April 11, 2017 (c) |
| B.6 NEI to deliver NEI 16-16 [Draft 2], including technical basis, examples, and Appendices | May 12, 2017 (c) |
| B.7 NRC staff to review and provide comment on NEI 16-16 [Draft 2] | July 14, 2017 (c) |
| B.8 Meeting to discuss NRC comments on NEI 16-16 [Draft 2] | September 7, 2017 (c) |
| B.9 Meeting to discuss NRC comments on NEI 16-16 [Draft 2] | November 2, 2017 (c) |
| B.10 Teleconference Call/Webinar on NEI 16-16 [Draft 2] | November 29, 2017 (c) |
| B.11 Public Meeting on NEI 16-16 [Draft 2] | December 13, 2017 (c) |
| B.12 NRC to deliver final comments on NEI 16-16 [Draft 2], Appendix A | February 1, 2018 (c) |
| B.13 Conference Call to clarify comments on Appendix A | February 2018 (c) |
| B.14 NEI to deliver NEI 16-16 [Draft 3] | TBD |
| B.15 Meetings to discuss NRC comments on NEI 16-16 [Draft 3] | TBD |
| B.15 NRC endorsement decision based on resolution of staff comments on NEI 16-16 [Draft 3] | TBD |
| B.16 Release NRC Regulatory Guide Draft for public comment | TBD |
| B.17 NEI to submit NEI 16-16 Rev. 0 | TBD |
| B.18 Present to ACRS Subcommittee and ACRS Committee | TBD |
| B.19 Interact with Stakeholders on Draft Regulatory Guide | TBD |
| B.20 Issuance of Regulatory Guide endorsing NEI 16-16 | TBD |
| C. Evaluate NRC's current position on defense against CCF in digital I&C systems and components (COMPLETE) | |
| D. Update to BTP 7-19 | |
| D.1 Begin revision of BTP 7-19 | January 2019 |
| D.2 Public Meeting - General Overview Discussion of BTP 7-19 Revision with Industry Stakeholders | January 31, 2019 |
| D.3 Public Meeting - Discuss BTP 7-19 Revision with Industry Stakeholders | March 2019 |
| D.4 Complete preliminary draft revision to BTP 7-19, and share preliminary draft with industry stakeholders and conduct workshop | May 2019 |
| D.5 Finalize draft revision to BTP 7-19 | June 2019 |
| D.6 Brief ACRS Subcommittee for digital I&C | July 2019 |
| D.7 Federal Register notice to issue proposed revision to BTP 7-19 for public comments | September 2019 |
| D.8 Formal public comment period | September - October 2019 |
| D.9 Resolve public comments | November 2019 |
| D.10 ACRS Subcommittee meeting | January 2020 |
| D.11 ACRS Full Committee meeting | February 2020 |
| D.12 Public comment resolution meeting | February 2020 |
| D.13 Issue Revision 7 to BTP 7-19 for use into SRP Update Process | May 2020 |

Note: (c) indicates completed activity.

[14] Activities are subject to change depending on timing and scope of revised NEI 16-16.
Status (As of January 2019)
The staff is currently in the process of reviewing the current version of BTP 7-19 to determine key areas of improvement for a new revision. This review will incorporate the guiding principles in SECY-18-0090 as well as assess previous feedback provided by industry stakeholders that could provide valuable insights into areas for improvement in the upcoming revision. The staff plans on continuing engagement with industry stakeholders in future public meetings.
Potential Regulatory Challenges and Policy Issues
In SECY-18-0090, the staff informed the Commission about the staff's plan to update and clarify guidance associated with evaluating and addressing potential CCF of digital I&C systems. The staff does not expect any policy issues resulting from BTP 7-19. However, if any are identified, the staff will present any potential policy issues in implementing this activity to the Commission.
Interactions with other Action Plan Items
CCF of digital I&C systems is an important aspect supporting the working group responsible for improving licensee guidance for replacing or modifying digital I&C using the 10 CFR 50.59 process (MP #2). In particular, the guidance developed in RIS 2002-22, Supplement 1 required close coordination with MP #2A. Implementation of guiding principles as identified in SECY-18-0090 will be addressed in MP #1D. In addition, MP #1D's efforts play an important factor in longer-term activities to be conducted under MP #4B. Therefore, the MP #1D team will coordinate these efforts with the MP #4B team. Alignment with the relevant MP activities is an essential part of the overall IAP.
MP #2. Considering Digital Instrumentation & Controls in Accordance with 10 CFR 50.59
Introduction
This MP describes the activities and schedule for improving guidance regarding digital I&C modifications using the 10 CFR 50.59 change process. These activities will address the need for mutual clarity between industry and NRC staff to ensure NRC guidance is being properly translated into industry actions while performing 10 CFR 50.59 screening and evaluations for potential digital I&C plant modifications.
Background
Inadequate guidance for the 10 CFR 50.59 screening and evaluation of digital I&C systems has contributed to several licensees having improperly performed 10 CFR 50.59 evaluations for modifications of I&C systems using digital technologies. The current guidance addresses both 10 CFR 50.59 licensing positions and technical methodologies, which has resulted in ambiguity on key evaluation issues such as CCF in digital modifications. The staff held several public meetings with industry representatives on this subject, and indicated where the industry guidance should be improved. Industry representatives stated that they are hesitant to pursue the deployment of digital I&C upgrades through changes under the 10 CFR 50.59 process because of regulatory uncertainty and a lack of clarity in the regulatory process.
Regulatory Guide 1.187, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments, provides the staff's endorsement of industry guidance for evaluating the impact on plant safety analyses for plant modifications performed under 10 CFR 50.59. The objectives of 10 CFR 50.59 are to ensure that licensees: (1) evaluate proposed changes to their facilities for their effects on the licensing basis of the plant, as described in their updated final safety analysis report (UFSAR), and (2) obtain prior NRC approval for changes that meet specified criteria as having a potential impact upon the basis for issuance of the operating license.
Regulatory Guide 1.187 endorsed Revision 1 of NEI 96-07, Guidelines for 10 CFR 50.59 Evaluation, dated November 2000, which provides methods that are acceptable to the staff for complying with the provisions of 10 CFR 50.59.
RIS 2002-22, Use of EPRI/NEI Joint Task Force Report, Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule, provides the staff's endorsement for the use of NEI 01-01 (ADAMS Accession No. ML020860169). However, experience with implementing digital I&C upgrades under 10 CFR 50.59 using NEI 01-01 at nuclear facilities has revealed several shortfalls in the screening of modifications, addressing the appropriate design criteria, and evaluating the impact of proposed digital I&C on established licensing bases. A key issue identified as a result of recent oversight experience has been licensee assessment of potential CCF and any potential new malfunctions, with respect to addressing the specific criteria in 10 CFR 50.59(c)(2).
In a November 2013 letter to NEI (ADAMS Accession No. ML13298A787), the staff summarized its concerns regarding licensee implementation of the current guidance in NEI 01-01.
In response, NEI formed a working group to update its guidance for implementing digital I&C modifications under 10 CFR 50.59. The NEI working group found that additional guidance was needed to support certain aspects of reviewing the impact of such modifications on design functions as described in licensees' UFSAR.
In April 2016, NEI requested staff's initial comments on its draft Appendix D to NEI 96-07 for digital modifications. NEI has stated that draft Appendix D is only focused on evaluating the specific licensing criteria in 10 CFR 50.59 for digital I&C, and not the supporting technical methodologies for addressing CCF and failure likelihoods. The NRC-endorsed technical methods and associated regulatory positions are addressed in other existing regulatory documents including RIS 2002-22, Supplement 1, which provides guidance for evaluating and documenting the proposed use of design attributes, quality of the design processes, and operating history to address CCF when replacing or modifying lower risk-significant safety system auxiliary and/or support digital I&C systems. NEI is therefore not providing or referencing any technical methodologies in Appendix D.
Along with the request to provide comment on Appendix D, NEI has subsequently requested NRC's endorsement of Appendix D.[15]
Objectives
The objectives of MP #2 are to:
A. NOT COMPLETED. Ensure there is adequate guidance within NEI 96-07 for 10 CFR 50.59 evaluations of digital I&C upgrades in order to reduce licensing uncertainty and clarify the regulatory process. NRC has provided guidance in Supplement 1 to RIS 2002-22, as described above in MP #1A. The NRC provided comments on the draft Appendix D to NEI 96-07 for possible endorsement in NRC regulatory guidance in Regulatory Guide 1.187. Specifically, the goal is to address legacy issues identified with current guidance and provide additional licensing flexibilities to industry when considering CCF under 10 CFR 50.59, as well as evaluating what content in NEI 01-01 should be brought forward into draft Appendix D or other guidance documents.
B. NOT COMPLETED. Ensure common understanding of the use, interpretation, and application of guidance. The NRC staff is preparing and planning training for inspectors on the use of 50.59 guidance for digital I&C. The objective of this effort is to ensure consistent implementation of 50.59 guidance in inspections, including continuity from the development of 50.59 guidance in both Supplement 1 to RIS-2002-22 (MP #1A) to potential endorsement of Appendix D (MP #2A). The staff has separately observed NEI-led workshops on the RIS 2002-22, Supplement 1 to identify potential licensee questions and help inform inspector training.
Actions
MP #2A. Evaluation of Draft Appendix D to NEI 96-07 for digital upgrades under 10 CFR 50.59

| Activity | Schedule |
|---|---|
| 1. Receive NEI guidance document, Appendix D 96-07, Guidelines for 10 CFR 50.59 Evaluations. | April 4, 2016 (c) |
| 2. Conduct public meeting: NEI presented the guidance in Appendix D and engaged with NRC staff discussion. | April 28, 2016 (c) |
| 3. Complete initial review of Appendix D and provide general comments to NEI. | August 2016 (c) |
| 4. Finalize Draft NEI 96-07 Appendix D, Definitions Section | November 2016 (c) |
| 5. Receive revised Draft NEI 96-07 Appendix D, Evaluation Guidance Section for review | February 15, 2017 (c) |
| 6. Finalize Draft NEI 96-07 Appendix D, Introduction Section | March 2017 (c) |
| 7. Provide formal comments on Draft NEI 96-07 Appendix D, Screen Guidance Section | March 17, 2017 (c) |
| 9. Finalize Draft NEI 96-07 Appendix D Screen Guidance Section | September 2017 (c) |
| 10. Upon mutual agreement between NEI and NRC, Appendix D review is put on hold until the issuance of RIS 2002-22, Supplement 1 | December 2017 (c) |
| 11. Restart of the Draft NEI 96-07 Appendix D review activities | June 26, 2018 (c) |
| 12. Finalize Draft NEI 96-07 Appendix D, inclusive of all sections | July 16, 2018 (c) |
| 13. Final Category 2 public meeting to resolve NRC comments on Draft NEI 96-07 Appendix D | November 14, 2018 (c) |
| 14. NEI to submit Draft NEI 96-07 Appendix D for endorsement via Regulatory Guide | January 8, 2019 (c) |
| 15. Issue Regulatory Guide endorsing, with exceptions, NEI 96-07, Appendix D | June 2019 |

MP #2B. 50.59 Guidance Implementation and Inspection Training

| Activity | Schedule |
|---|---|
| B1. Complete Inspector Training on RIS 2002-22, Supplement 1 | June 2019 |
| B2. Complete Lessons Learned Public Meeting on RIS 2002-22, Supplement 1 Implementation | February 2019 |
| B3. Conduct Inspector Training on Appendix D | TBD |

Note: (c) indicates completed activity.

[15] Request for NRC Endorsement of NEI 96-07, Appendix D, Rev. 0 (ADAMS Accession No. ML19015A312).
Status (As of January 2019)
Throughout 2017, the staff and industry participated in public meetings to resolve NRC comments on the draft NEI 96-07, Appendix D. In December 2017, NEI and the NRC staff mutually agreed to place the review of NEI 96-07, Appendix D on hold in order to dedicate resources to the issuance of RIS 2002-22, Supplement 1. The review of NEI 96-07, Appendix D resumed in June 2018. The staff and industry have worked together to resolve most of the NRC comments. NEI submitted NEI 96-07, Appendix D, Revision 0 for NRC endorsement on January 8, 2019. The staff plans to issue a Regulatory Guide endorsing, with exceptions, Appendix D by June 2019.
The staff expects to conduct a lessons-learned public meeting on RIS 2002-22, Supplement 1 by February 2019 and complete 50.59 guidance implementation and inspector training in June 2019.
Potential Regulatory Challenges and Policy Issues
The staff does not expect any policy issues resulting from this guidance document. However, if any are identified, the staff will present to the Commission any potential policy issues in implementing this activity.
Industry has generally preferred to maintain separation between technical and licensing content in 10 CFR 50.59 discussions and associated guidance improvements. Licensing decisions based upon guidance in NEI 96-07, Appendix D (i.e., 10 CFR 50.59 licensing guidance for digital I&C) are supported by a technical basis, which is not provided in Appendix D. Coordination is needed to ensure alignment with resolution of technical guidance that supports the development of a technical basis that supports a 10 CFR 50.59 evaluation. Technical guidance for CCF issues in support of draft NEI 96-07, Appendix D will be developed and reviewed separately as part of the MP #1 activities.
Though not currently identified, any potential actions for modifying the current 10 CFR 50.59 change process would have to be informed by consideration of backfitting, regulatory analysis, and cumulative effects of regulation.
Interactions with Other Action Plan Items
Coordination with MP #1 activities is necessary to ensure alignment with NRC regulatory guidance and NRC policy for addressing CCF. Future updates of the IAP will capture any specific changes in strategy for MP #2 based on coordination with MP #1 activities.
This activity will also be coordinated within the context of the assessment activities as part of MP #4B to modernize the regulatory infrastructure.
MP #3. Acceptance of Digital Equipment
Introduction
Nuclear licensees do not have a wide variety of options when it comes to selecting digital equipment for safety-related applications. Most digital equipment used in nuclear safety-related applications was not designed from the ground up under a 10 CFR 50 Appendix B Quality Assurance program; therefore, it must be evaluated and accepted for nuclear safety applications. Many, if not most, cases of commercial grade digital equipment acceptance require first-of-a-kind efforts, involving uncertainties with respect to duration, cost, and overall success. In some cases, the effort is hampered by lack of Original Equipment Manufacturer (OEM) involvement, driven by the fact that the nuclear market is too small to justify the OEM resources necessary to support this process. The staff has identified activities to: a) engage with stakeholders; b) further evaluate domestic and international standards; and c) continue to improve NRC regulatory infrastructure and guidance for acceptance of digital equipment. The staff is engaging with stakeholders to better understand current challenges and evaluate recommended solutions. Other process industries avoid the above-mentioned uncertainties by deploying digital equipment certified by an independent third party to be appropriate for use in systems required to accomplish safety functions of a particular Safety Integrity Level (SIL). To address these challenges in dedicating digital equipment, the staff is evaluating taking credit for third-party certification (i.e., IEC 61508, Functional Safety, Safety Integrity Level (SIL) certification) in support of the commercial grade dedication (CGD) process.
Background
Much I&C and other digital equipment readily available in the marketplace is not designed specifically for use in nuclear facilities and has not been subject to NRC quality assurance criteria (as defined in Appendix B to 10 CFR Part 50). In order for this equipment to be used in safety-related and important-to-safety digital equipment (those whose adverse performance could challenge the assumptions in safety analyses) in nuclear facilities, it must undergo CGD under 10 CFR Part 21. For the purposes of this discussion, we will refer to this equipment as commercial grade items (CGIs).
In order for CGIs to be properly dedicated, critical characteristics (important design, material, performance, and dependability[16] characteristics) must be defined and verified for the CGIs to provide reasonable assurance that the equipment will perform its intended safety function. The verification step is critical and must be performed by a dedicating entity (equipment manufacturer, NRC licensee, or an independent third-party dedicator). Increasing the industry's ability to utilize readily available marketplace CGIs which can be dedicated could help streamline the procurement process and reduce the licensing burden for nuclear facilities.
Industry guidance has been developed to clarify what steps are needed when evaluating and accepting CGIs for use in safety-related applications. The staff endorsed guidance for the CGD acceptance method in Regulatory Guide 1.164, Dedication of Commercial-Grade Items for Use in Nuclear Power Plants (previously draft guide (DG)-1292), including specific reference to digital equipment. Regulatory Guide 1.164 provides guidance and endorses, in part, EPRI 3002002982, Revision 1. Specifically, EPRI NP-5652 and TR-102260, Guideline for the Acceptance of Commercial-Grade Items in Nuclear Safety-Related Applications, Section 14.1 on digital equipment and computer programs integral to plant safety systems includes references to two technical reports which have been reviewed and endorsed by the NRC:
- EPRI TR-106439, Guideline on Evaluation and Acceptance of Commercial-Grade Digital Equipment for Nuclear Safety Applications, and
- EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants.
This plan provides activities intended to evaluate the suitability of additional guidance and standards and determine if the NRC should endorse them for the purpose of defining critical characteristics of digital equipment and the mechanism by which they are verified.
Digital equipment is sometimes embedded within other components used in nuclear facilities.
As noted, this equipment is not specifically designed for nuclear applications. However, there may be advantages to using this third-party certified digital equipment, such as the large amount of operating experience generated from use in non-nuclear applications.
In addition to commercially dedicating digital devices and I&C components, establishing improved guidelines for acceptance will also be applicable to embedded digital devices (EDDs). As equipment is replaced within licensee facilities, new safety-related components may contain EDDs. The staff issued RIS 2016-05, Embedded Digital Devices in Safety-Related Systems, to alert industry to the need to control implementation of these devices.
Certain forms of CCF and other new vulnerabilities can result from the introduction of EDDs.
Industry has stated that NRC licensing burden and licensee regulatory risk could be reduced by leveraging certification of commercially available digital hardware and software by independent third parties with demonstrated expertise and experience for part or all of the acceptance process. This independent, third-party certification has been effective in some other industries. These certifications, including certification to IEC 61508, are used to demonstrate that a high quality process was used to develop digital hardware and software equipment. The use of this process in conjunction with the CGD process could reduce the scope of digital systems reviews that the staff needs to complete. NEI intends to provide this process in NEI 17-06 for NRC endorsement. The staff will evaluate this concept and any policy implications that it may have.

[16] The dependability critical characteristic is unique to digital I&C as explained in EPRI TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications.
Objectives
The objectives of MP #3 are to:
NOT COMPLETED. Evaluate if previously performed SIL certification constitutes an alternate approach for acceptable demonstration of commercially available digital hardware and software basic quality. In other words, the specification of SIL certified equipment can be accepted as fact, and as verification of certain dependability critical characteristics per NRC endorsed EPRI TR-106439. This acceptance would include the elements within the scope of an independent third-party SIL certification, and it would exclude those elements not within such scope (e.g., application specific functionality and performance requirements).
Actions
MP #3. Acceptance of Digital Equipment

| # | Activity | Schedule |
|---|---|---|
| 1 | Public Meeting to discuss resolution of RIS 2016-05 public comments | April 6, 2016 (c) |
| 2 | Issue RIS 2016-05 | April 29, 2016 (c) |
| 3 | Obtain public comments on DG-1292 | September 2016 (c) |
| 4 | Stakeholder interaction to discuss proposed use of standards and third party process certifiers | November 3, 2016 (c) |
| 5 | NEI provide a revision to the Digital Device Procurement white paper (Appendix C from the April 22, 2016 NEI submittal) to further clarify objectives, terminology and incorporate discussion points from the November 3, 2016 public meeting | February 16, 2017 (c) |
| 6 | Assess results of stakeholder information gathering and examine potential approaches for reviewing and endorsing additional EPRI guidance related to CGD | February 16, 2017 (c) |
| 7 | EPRI to confirm and communicate scope and schedule for EPRI research. NRC and industry reach mutual agreement on acceptability and sufficiency for this purpose. EPRI research begins | February 16, 2017 (c) |
| 8 | NRC/stakeholder regular interactions to discuss progress and course adjustments as necessary | Ongoing |
| 9 | Issue RG 1.164 (DG-1292), Dedication of Commercial-Grade Items for Use in Nuclear Power Plants | June 2017 (c) |
| 10 | NRC will monitor EPRI's investigative and research activities to evaluate third party process certification for digital equipment | Ongoing |
| 11 | EPRI publishes research results | March 2019 |
| 12 | NEI submits NEI 17-06 for NRC Review | July 2019 |
| 13 | NRC makes decision on technical adequacy of NEI 17-06 | October 2019 |
| 14 | NRC staff performs audits of SIL certification organizations and accrediting entities | June 2019-November 2019 |
| 15 | NRC formally enters NEI 17-06 into the Regulatory Guide development process (if decision is made to endorse) | December 2019 |

Note: (c) indicates completed activity.
Status (As of January 2019)
In 2018, the NRC held a number of public meetings with NEI and the stakeholders to continue to make progress on the MP #3 task. EPRI concluded its research of the SIL certification process in summer 2018 and is working on the report that is expected to be published in March 2019. During these public meetings, the objective of MP #3 was further clarified to (1) demonstrate that the SIL certification process is equivalent to performing verification of certain dependability critical characteristics of digital CGI per NRC endorsed EPRI TR-106439, and (2) develop a process for quality assurance oversight of the third party SIL certifying entities. NEI is working with NUPIC on developing the QA oversight process, which will be documented in NEI 17-06. Development of this document has been delayed as a result of other EPRI review and industry guidance development priorities. NEI expects to submit NEI 17-06 in summer 2019 for NRC endorsement.
Potential Regulatory Challenges and Policy Issues
The staff evaluation may identify potential policy issues arising from analysis and recommendations related to third party process certification. The staff will present to the Commission any potential policy issues identified in implementing this activity.
Potential actions for addressing acceptance involving third party process certification will have to be informed by consideration of backfitting, regulatory analysis, and cumulative effects of regulation.
Interactions with other Action Plan Items
This activity will take into account the results from activities relating to CCF (MP #1) and 10 CFR 50.59 (MP #2). To provide the broadest possible agency alignment, this plan will also be coordinated with staff supporting fuel-cycle facilities (NMSS), identification of critical digital assets (NSIR), vendor inspections, and identification of counterfeit or fraudulent parts.
MP #4. Assessment for Modernization of the Instrumentation & Control Regulatory Infrastructure.
Introduction
Although activities in MP #1-3 above are considered by staff and industry to be important in the near-term, MP #4 focuses on: identifying and implementing the complete set of activities needed to provide regulatory clarity and achieve stakeholder confidence in how the NRC will review digital I&C upgrades and ensure nuclear safety and security; and, identifying additional efficiencies and effectiveness improvements to modernize the regulatory infrastructure in support of the strategic goal. This activity entails a broad look at the current I&C regulatory infrastructure (regulations and guidance), supporting technical basis for safety and security decisions, experiences from past licensing/inspection (operating experience), and stakeholder suggestions and priorities. This activity and the continuing work on the previous three activities will be executed in a coordinated and integrated manner.
Background
MPs #1-3 of this plan identify specific activities in which significant work was accomplished in 2018. The staff has identified other issues and areas for potential improvement to the regulatory infrastructure, many of which may be dependent on outcomes of MPs #1-3. Some potential improvement items are broad-scoped in nature and others are focused on more specific regulatory challenges. Since the initial development of the plan, the staff has identified a specific activity in streamlining the guidance for the licensing process (tracked under MP #4A).
Objectives
The overall objective of this effort is to improve the licensing and inspection process for digital I&C for operating reactors, and to perform a comprehensive modernization assessment to identify further improvements to the I&C regulatory infrastructure and develop plans for accomplishing such improvements. The staff recognizes that some additional modernization topics will be strategic in nature. There are two key objectives of this MP:
A. COMPLETED. Modernize the licensing process in DI&C-ISG-06, Licensing Process, including evaluating lessons learned from review of license applications, such as factory acceptance testing and the scope of supporting application material. The staff considers the update to DI&C-ISG-06 as a specific tactical activity to streamline the efficiency and effectiveness of licensing reviews. The goals of this activity are to reduce the scope of license document submittals; and provide an alternative for earlier approval, which would precede factory acceptance testing, for digital designs that are based on approved topical reports.
B. NOT COMPLETED. Perform a broad digital I&C regulatory infrastructure assessment to review and evaluate the current overall I&C regulatory infrastructure and the supporting technical bases and consider other important areas beyond those identified in the tactical activities, such as past review experiences, ongoing licensing review and research efforts, lessons learned from operating experience, insights from other safety-critical industries, and international perspectives, including the use of IEC standards, to identify and prioritize the improvements to modernize the regulatory infrastructure over the longer term in light of evolving approaches to I&C.
The MP #4B broad assessment plan's objectives are to provide recommendations that would:
- Provide an improved regulatory infrastructure that integrates performance-based and technology-neutral safety engineering concepts;
- Assist stakeholders in demonstrating the safety and security of digital I&C systems; and
- Assist the NRC staff in performing regulatory reviews and digital I&C system inspections in an efficient, effective, consistent, and risk-informed manner.
MP #4. Assessment of Modernization of the I&C Regulatory Infrastructure.

MP #4A: Streamline the licensing process guidance in DI&C-ISG-06

| # | Activity | Schedule |
|---|---|---|
| 1 | Identify vehicle, scope and milestone plan to address key significant issues with guidance for digital I&C license amendments (DI&C-ISG-06) | April-June 2017 (c) |
| 2 | Establish high priority plan to develop a draft revision to DI&C-ISG-06 that is suitable for use with targeted digital safety license amendment requests | February-July 2017 (c) |
| 3 | Obtain licensee confirmation that draft revision to DI&C-ISG-06 (to date) supports targeted license amendment request | December 2017 (c) |
| 4 | Complete draft revision to DI&C-ISG-06 | January 2018 (c) |
| 5 | Present DI&C-ISG-06 to ACRS Subcommittee | May 2018 (c) |
| 6 | Present DI&C-ISG-06 to ACRS Full Committee | July 2018 (c) |
| 7 | Issue draft revision to DI&C-ISG-06 for public comment | July 2018 (c) |
| 8 | Conduct workshop on digital I&C inspection processes | November 2018 (c) |
| 9 | Issue final revision to DI&C-ISG-06 | December 2018 (c) |

MP #4B: Develop strategic activities for long-term improvements to the I&C regulatory infrastructure.

| # | Activity | Schedule |
|---|---|---|
| 1 | Begin to develop strategic plan to modernize overall regulatory infrastructure | October 2017 (c) |
| 2 | Initial evaluation of lessons learned from MPs #1-4A | April 2018 (c) |
| 3 | Initial coordination with stakeholders to identify potential regulatory gaps and potential options for improving the regulatory infrastructure | July 2018 (c) |
| 5 | Begin broad assessment to identify and provide digital I&C regulatory infrastructure modernization recommendations. | December 2018 (c) |
| 6 | Stakeholder Public Broad Assessment Meeting | January 31, 2019 |
| 7 | Complete broad assessment of the overall digital I&C regulatory infrastructure | March 2019 |
| 8 | Develop recommendations to improve and modernize digital I&C regulatory infrastructure consistent with the SRM to SECY 0106 | April 2019 |

Note: (c) indicates completed activity.
The MP #4B broad assessment plan will:
- 1) Focus on the scope identified in the SRM to SECY-15-0106 and on findings and recommendations that will satisfy the conditions given in the SRM such as adoption of more performance-based, technology-neutral requirements.
- 2) Leverage existing digital I&C work that has been completed for assessing other domestic non-nuclear and international nuclear regulatory safety evaluation methods and by the NRC's Advanced Reactor and Policy Branch.
- 3) Identify beneficial attributes of these regulatory safety evaluation methods and group the beneficial attributes into a manageable number of categories. Examples of such categories could be:
  - Adopt a more graded approach to licensing evaluations
  - Explicitly incorporate risk-insights into licensing reviews and/or inspection procedures
  - Reduce barriers to utilizing alternative standards
- 4) Seek input from the public and the various stakeholder communities listed below about their concerns, needs, and priorities:
Operating Reactors; New Reactors; Advanced Reactors; Digital I&C Vendors; Research and Test Reactors; and Fuel Cycle Facilities.
Status (As of January 2019)
The NRC held the first public meeting in February 2017, at which industry stakeholders expressed a need for a higher priority to address key significant issues with the licensing guidance currently provided within DI&C-ISG-06, Licensing Process. This and subsequent stakeholder comments to the IAP are addressed in the revised plan.
The NRC held numerous public meetings to develop and refine planned activities to produce revised license amendment guidance for digital safety systems that will support targeted license amendment requests (LARs). In August 2017, staff began holding monthly public meetings and biweekly public teleconferences. These meetings discussed, produced, and reviewed draft sections for inclusion in a draft revision to DI&C-ISG-06.
For digital safety equipment modifications that require license amendments and are based on a previously approved platform topical report, an alternative licensing review approach was developed to eliminate review activities (e.g., detailed design below the system level, implementation, and test) that are currently identified within the SRP to be part of digital I&C licensing reviews. Under the alternative, these activities would become inspection items falling under the overall licensing quality assurance program (i.e., an obligation through a licensing basis document). Additionally, the alternative requires sufficient information at the time of the LAR to allow the staff's reasonable assurance of safety conclusion to be reached. This information focuses on system level, architectural attributes, key safety principles to demonstrate regulatory compliance, and a description of the detailed design, implementation and testing processes and procedures. Under this alternative, the system level design would be complete and there would be no subsequent phased submittals during development. When using the proposed alternative process, industry indicated it would request the staff to approve the license amendment within a year of the request.
The final Revision 2 to DI&C-ISG-06 with the alternative licensing review approach was issued in December 2018. A workshop was held in November 2018 to discuss with industry how vendor and site inspection activities may take place for digital I&C modifications performed under the new licensing process. The NRC expects to engage a lead plant in pre-application meetings to use the revised ISG-06 between 2019 and 2020.
On July 25, 2018, the staff held a public meeting to discuss the status and proposed updates for MP #4B in Revision 3 to the IAP. During the meeting industry stakeholders generally expressed support for addressing broader modernization efforts, but stated that NRC focus and priority should remain first on the near-term tactical activities in MP #1-#4A. In addition, industry stakeholders provided comments on the staff's recommendations associated with SECY-18-0060. Subsequent to the meeting, three stakeholders provided comments and supporting documents on MP #4B and considerations for future research on preventing CCF.
Lastly, during the Commission's October 25, 2018 public meeting on DI&C, an external panel provided suggestions for improving the DI&C regulatory infrastructure.
The MP #4B broad assessment plan has been developed and the plan's tasks to perform the broad assessment have been defined and scheduled. In December 2018, the MP #4B Working Group started collecting existing documented agency data and information about potential digital I&C regulatory infrastructure impediments to an efficient, improved, and modernized digital I&C regulatory infrastructure. On January 31, 2019, the staff held a public meeting with stakeholders to get feedback on this broad assessment in general, and feedback on benefits of endorsement of IEC 61513 in particular.
Potential Regulatory Challenges, DI&C Modernization Recommendations, and Policy Issues
The staff will present to the Commission potential DI&C regulatory infrastructure modernization recommendations and any associated policy issues.
The resource requirements will be periodically assessed and those actions that provide the most significant improvements will be addressed using the current Planning Budgeting and Performance Management process.
The broad scope of the assessment and its resultant approaches may require additional resources to achieve the goal of modernizing the digital I&C regulatory infrastructure. In addition, modernization will have to be informed by consideration of backfitting, regulatory analysis, and cumulative effects of regulation.
A key regulatory challenge is presented by the dependencies between current efforts to update the regulatory infrastructure (MPs #1-4A) and the recommendations and improvements to be addressed under the MP #4B broad assessment considering the emerging technological environment.
Interactions with other Action Plan Items
This activity will take into account the results and lessons learned from all MPs.