ML17268A106
ML17268A106 | |
Person / Time | |
---|---|
Site: | Nuclear Energy Institute |
Issue date: | 09/19/2017 |
From: | Nuclear Energy Institute |
To: | Office of Nuclear Reactor Regulation |
Holonich J J | |
References | |
Download: ML17268A106 (60) | |
Text
NEI PROPOSED REVISIONS (Document Date: May 16, 2017)
NEI 96-07, Appendix D Draft Revision 0c
Nuclear Energy Institute SUPPLEMENTAL GUIDANCE FOR APPLICATION OF 10 CFR 50.59 TO DIGITAL MODIFICATIONS
NEI PROPOSED REVISIONS (Document Date: May 16, 2017)
May 2017 NEI PROPOSED REVISIONS (Document Date: May 16, 2017)
ACKNOWLEDGMENTS NEI would like to thank the NEI 01-01 Focus Team for developing this document. Although everyone contributed to the development of this document, NEI would like to give special recognition to David Ramendick, who was instrumental in preparing this document. NOTICE Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information apparatus, methods, or process disclosed in this report or that such may not infringe privately owned rights.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 i EXECUTIVE
SUMMARY
NEI 96-07, Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, provides focused application of the 10 CFR 50.59 guidance contained in NEI 96-07, Revision 1, to activities involving digital modifications. The main objective of this guidance is to provide all stakeholders a common framework and understanding of how to apply the 10 CFR 50.59 process to activities involving digital modifications. The guidance in this appendix supersedes NEI 01-01/ EPRI TR-102348, Guideline on Licensing of Digital Upgrades.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-1 1 TABLE OF CONTENTS 2 EXECUTIVE
SUMMARY
...................................................................................................................................... i 3 1 INTRODUCTION ........................................................................................................................................ 2 4
1.1 BACKGROUND
............................................................................................ 2432 5 1.2 PURPOSE ............................................................................................... 354332 6 2 [NOT USED]DEFENSE IN DEPTH DESIGN PHILOSOPHY AS APPLIED TO DIGITAL I&C465443 7 3 DEFINITIONS AND APPLICABILITY OF TERMS ..................................................................476643 8 4 IMPLEMENTATION GUIDANCE ................................................................................................ 798873 9 4.1 APPLICABILITY .................................................................................... 7109973 10 4.2 SCREENING ....................................................................................... 81110974 11 4.3 EVALUATION PROCESS ................................................................ 363634332723 12 5.0 EXAMPLES ......................................................................................................................
707167675852 13 14 15 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-2 1 INTRODUCTION 16 17 The intent of the § 50.59 process is to permit licensees to make changes to the 18 facility, provided the changes maintain the level of safety documented in the 19 original licensing basis, such as in the safety analysis report. There are 20 specific considerations that should be addressed as part of the 50.59 process 21 when performing 50.59 reviews for digital modifications. These specific 22 considerations includeing, for example, different potential failure modes of 23 digital equipment as opposed to the equipment being replaced, the effect of 24 combining functions of previously separate devices into one device, and the 25 potential for software common cause failure (software CCF).
26
1.1 BACKGROUND
27 Licensees have a need to modify existing systems and components due to the 28 growing problems of obsolescence, difficulty in obtaining replacement parts, 29 and increased maintenance costs. There also is great incentive to take 30 advantage of modern digital technologies which offer potential performance 31 and reliability improvements.
32 In 2002, a joint effort between the Electric Power Research Institute (EPRI) 33 and the Nuclear Energy Institute (NEI) produced NEI 01-01, Revision 0 (also 34 known as EPRI TR-102348, Revision 1), Guideline on Licensing Digital 35 Upgrades: A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 36 50.59 Rule, which was endorsed (with qualifications) by the Nuclear 37 Regulatory Commission (NRC) in Regulatory Issue Summary (RIS) 2002-22.
38 Since the issuance of NEI 01-01 in 2002, digital modifications have become 39 more prevalent. Application of the 10 CFR 50.59 guidance contained in NEI 40 01-01 has not been consistent or thorough across the industry, leading to 41 NRC concern regarding uncertainty as to the effectiveness of NEI 01-01 and 42 the need for clarity to ensure an appropriate level of rigor is being applied to 43 a wide variety of activities involving digital modifications.
44 NEI 01-01 contained guidance for both the technical development and design 45 of digital modifications as well as the application of 10 CFR 50.59 to those 46 digital modifications. The NRC also identified this as an issue and proposed 47 stated that NEI could separat eing technical guidance from 10 CFR 50.59 48 related guidance.
49 EPRI document 3002005326, Methods for Assuring Safety and 50 Dependability when Applying Digital Instrumentation and Control Systems , 51 Commented [A1]: Source: ML17170A089 Comment No. A2 Rationale: To improve accuracy: NEI first proposed this idea, and then the NRC documented that is had no objection.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-3 has been created to provide technical guidance for the development and 52 design of digital systems with the purpose of systematically identifying, 53 assessing, and managing failure susceptibilities of I&C systems and 54 components. However, the use of EPRI 3002005326 is not required for the 55 application of the 50.59-related guidance in this appendix.
56 57 NEI 16-16, Guidance for Addressing Digital Common Cause Failure has been 58 created to provide technical guidance for addressing Common Cause Failure 59 (CCF) for compliance to deterministic licensing criteria and NRC policies and 60 positions such as SRM-SECY-93-087 and BTP 7-19. The technical-focused 61 guidance contained in NEI 16-16, used in conjunction with the licensing-62 focused guidance in this document, provides a complimentary set of 63 approaches and considerations when implementing a digital modification.
64 However, the use of NEI 16-16 is not required for the application of the 50.59-65 related guidance in this appendix.
66 1.2 PURPOSE 67 Appendix D is intended to assist licensees in the performance of 10 CFR 68 50.59 reviews of activities involving digital modifications in a consistent and 69 comprehensive manner. This assistance includes guidance for performing 10 70 CFR 50.59 Screens and 10 CFR 50.59 Evaluations. This appendix does not 71 include guidance regarding design requirements for digital activities.
72 The guidance in this appendix applies to 10 CFR 50.59 reviews for both 73 small-scale and large-scale digital modifications-from the simple 74 replacement of an individual analog meter with a microprocessor-based 75 instrument, to a complete replacement of an analog reactor protection system 76 with an integrated digital system. Examples of activities considered to be a 77 digital modification include computers, computer programs, data (and its 78 presentation), embedded digital devices, software, firmware, hardware, the 79 human-system interface, microprocessors and programmable digital devices 80 (e.g., Programmable Logic Devices and Field Programmable Gate Arrays). 81 This guidance is not limited to "stand-alone" instrumentation and control 82 systems. This guidance can also be applied to the digital aspects of 83 modifications or replacements of mechanical or electrical equipment if the 84 new equipment makes use of digital technology (e.g., a new HVAC design 85 that includes embedded microprocessors for control).
86 Finally, this guidance is applicable to digital modifications involving safety-87 related and non-safety-related systems and components and also covers 88 "digital-to-digital" activities (i.e., modifications or replacements of digital-89 based systems).
90 Commented [A2]: Not necessary for 50.59 guidance. Commented [A3]: This clarification is needed since the guidance in this document only includes aspects unique to digital equipment.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-4 1.3 10 CFR 50.59 PROCESS
SUMMARY
91 No additional guidance is provided.
92 1.4 APPLICABILITY TO 10 CFR 72.48 93 This section is not used for digital modifications.No additional guidance is 94 provided.
95 96 1.5 CONTENT OF THIS GUIDANCE DOCUMENT 97 This section is not used for digital modifications
. No additional guidance is 98 provided.
99 100 2 [NOT USED]DEFENSE IN DEPTH DESIGN PHILOSOPY AS APPLIED TO DIGITAL I&C 101 This section is not used for digital modifications.No additional guidance is 102 provided. 103 104 105 106 3 DEFINITIONS AND APPLICABILITY OF TERMS 107 There are no definitions or modifications to the definitions necessary for 108 application of 10 CFR 50.59 to digital modifications Definitions 3.1 through 109 3.14 are the same as those provided in NEI 96-07, Rev. 1. Terms specific to 110 this document appendix are defined below.
111 3.1 10 CFR 50.59 EVALUATIONS 112 No additional giuidance is provided. 113 3.2 ACCIDENTS PREVIOUSLY EVALUATED IN THE UFSAR (AS UPDATED) 114 No additional giuidance is provided. 115 Commented [A4]: Source: ML13298A787 Issue Nos. 5, 7, 9, & 10 Rationale: As discussed in the "sources," 50.59 implementers have had trouble distinguishing between technical criteria and 50.59 criteria. The basic problem was they used guidance for one to do the other. Commented [A5]: Source: ML13298A787 Issue Nos. 5, 7, 9, & 10 Text adapted from NEI 01-01 Section 5.2 Rationale: It is necessary to clearly articulate the D3 criteria, and show they are not new, but have always been there. It has been the application of these criteria to a new technology (i.e., digital I&C) that has been confusing to industry; therefore the basic concepts must be stated and agreed to. Commented [A6]: Source: (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4 Rationale: New terms are defined since undefined terms are a source of regulatory uncertainty.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-5 3.3 CHANGE 116 No additional giuidance is provided. 117 3.4 DEPRTURE FROM A METHOD OF EVALUATION DECRIBED IN THE UFSAR 118 No additional giuidance is provided. 119 3.5 DESIGN BASES (DESIGN BASIS) 120 No additional giuidance is provided. 121 3.6 FACILITY AS DESCRIBED IN THE UFSAR 122 No additional giuidance is provided. 123 3.7 FINAL SAFETY ANALYSIS REPORT (AS UPDATED) 124 No additional giuidance is provided. 125 3.8 INPUT PARAMETERS 126 No additional giuidance is provided. 127 3.9 M ALFUNCTION OF A SSC IMPORTANT TO SAFETY 128 No additional giuidance is provided. 129 3.10 METHODS OF EVALUATION 130 No additional giuidance is provided. 131 3.11 PROCEDURES AS DESCRIBED IN THE UFSAR 132 No additional giuidance is provided. 133 3.12 SAFETY ANALYSIS 134 No additional giuidance is provided. 135 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-6 3.13 SCREENING 136 No additional giuidance is provided. 137 3.14 TEST OR EXPERIMENTS NOT DESCRIBED IN THE UFSAR 138 No additional giuidance is provided. 139 3.15 CCF 140 [LATER - coordinate with NEI 16-16]
141 3.16 SOFTWARE CCF 142 [LATER - coordinate with NEI 16-16]
143 3.17 CCF SUSCEPTABILITY ANALYIS 144 145 3.18 P LANT LEVEL EFFECTS 146 147 3.19 Qualitative Assessment 148 For digital I&C systems, reasonable assurance of low likelihood of failure is 149 derived from a qualitative assessment of factors involving system design 150 features, the quality of the design processes employed, and the operating 151 history of the software and hardware used (i.e., product maturity and in-152 service experience). The qualitative assessment is used to record the factors 153 and rationale and reasoning for making a determination that there is 154 reasonable assurance that the digital I&C modification will exhibit a low 155 likelihood of failure by considering the aggregate of these factors. 156 [REMOVE USE OF THE TERM "QUALITATIVE ASSESSMENT"] 157 3.17 Sufficiently Low 158 Sufficiently low means much lower than the likelihood of failures that are 159 considered in the UFSAR (e.g., single failures) and comparable to other 160 Commented [A7]: Source: (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4, A28, & A29 Rationale: New terms should be defined since undefined terms are a source of regulatory uncertainty. Commented [A8]: Global change to be addressed during meeting: Any examples that refer to technical information that is part of the qualitative assessment should state that the design satisfies the "suffently low" likelihood of the qualitative assessment instead of describing a select incomplete piece.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-7 common cause failures that are not considered in the UFSAR (e.g., design 161 flaws, maintenance errors, calibration errors). 162 163 4 IMPLEMENTATION GUIDANCE 164 In accordance with 10 CFR 50.59, plant changes are reviewed by the licensee 165 to determine whether the change can be made witout obtaining a license 166 amendment (i.e., without prior NRC review and approval of the change). The 167 10 CFR 50.59 process of determining when prior NRC review is required 168 includes three parts: Applicability, Screening, & Evaluation. The 169 applicability process involves determining whether a change is controlled 170 under another regulatory requirement. The screening process involves 171 determining whether a change has an adverse effect on a design function 172 described in the UFSAR. The evaluation process involves determining 173 whether the change has more than a minimal effect on the likelihood of 174 failure or on the outcomes associated with the proposed activity. 175 176 In general, since digital systems can not be verified to contain no errors, two 177 separate aspects should be considered, the design process and the design. A 178 high quality design process is used to minimize the likelihood of errors in the 179 softeware, and the design is evaluated to ensure it contains the proper design 180 attributes to ensure the assumptions of the accident analysis are maintained. 181 182 Design Process: For digital upgrades one of the challenges in the 10 CFR 183 50.59 process is addressing the effect of software, and potential failures of 184 software, on a UFSAR-described design function. The answer lies in the 185 engineering evaluations that are performed throughout the design process. 186 187 Design: Another challenge is evaluating the effect that design changes to 188 system architecture has on the assumptions in the accident analyses, such as, 189 diversity, defense-in-depth, and independence. Furthermore, the coupling or 190 combining of functions and/or equipment also has the potential to challenge 191 these same assumptions. 192 [Verify addressed in Screen and Evaluation sections]
193 4.1 APPLICABILITY 194 There is no Applicability guidance unique to digital modifications.Section 4.1 195 of NEI 96-07, Revision 1, provides guidance on the applicability of 10 CFR 196 50.59. In some cases, a change may be controlled by more specific 197 regulations. Also, for digital-to-digital changes that appear to be like-for-like 198 replacements, an equivalency evaluation should be performed to determine in 199 Commented [A9]: Source: NEI 01-01 Page No 4-7. Reason: To provide context. Small changes made to improve clarity. Commented [A10]: Source: ML17170A089 Comment No. A37 Rationale: Sotware development proceses and software design are two distinct things, and each should be addressed separately.
This background material and the following two paragraphs support other changes in the evaluation section. Commented [A11]: Source: NEI 01-01 Section 4.1 Reason: To provide context. Small changes made to improve clarity. Commented [A12]: Source: Engineering judgement Reason: To provide context.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-8 the replacement is a plant design change (subject to 10 CFR 50.59) versus a 200 maintenance activity. Digital-to-digital change may not necessarily be like-201 for-like because the system behaviours, respionse time, failure modes, etc. for 202 the new system may be different from the old system. If the vendor, 203 hardware, firmware, application software, and the configuration data are 204 identical, then the upgrade may be a like-for-like maintenance activity where 205 10 CFR 50.59 would apply.
206 207 4.2 SCREENING 208 209 210 211 212 213 Throughout this section, references to the main body of NEI 96-07, Rev. 1 will 214 be identified as "NEI 96-07." 215 In NEI 96-07, Section 4.2.1.1, equivalent replacements are discussed.
Digital-216 to-digital changes may not necessarily be equivalent because the system behaviours, 217 response time, failure modes, etc. for the new system may be different from the old 218 system. 219 As stated in NEI 96-07, Section 4.2.1, the determination of the impact of a 220 proposed activity (i.e., adverse or not adverse) is based on the impact of the 221 proposed activity on UFSAR-described design functions. To assist in 222 determining the impact of a digital modification on a UFSAR-described 223 design function, the general guidance from NEI 96-07 will be supplemented 224 with the digital-specific guidance in the topic areas identified below. 225 In the following sections and sub-sections that provide the Screen guidance 226 unique to the application of 10 CFR 50.59 to digital modifications, each 227 section and sub-section addresses only a specific aspect, sometimes at the 228 deliberate exclusion of other related aspects. This focused approach is 229 intended to concentrate on the particular aspect of interest and does not 230 imply that the other aspects do not apply or could not be related to the aspect 231 being addressed. Initially, all aspects need to be considered, with the 232 knowledge that some of them may be able to be excluded based on the actual 233 scope of the digital modification being reviewed. 234 CAUTION The guidance contained in this appendix is intended to supplement the generic Screen guidance contained in the main body in NEI 96-07, Section 4.2. Namely, the generic Screen guidance provided in the main body of NEI 96-07 and the more-focused Screen guidance in this appendix BOTH apply to digital modifications. Commented [A13]: Source: NEI 01-01 Section 4.2 Reason: To provide missing guidance.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-9 Within this appendix, examples are provided to illustrate the guidance. 235 Unless stated otherwise, a given example only addresses the aspect or topic 236 within the section/sub-section in which it is included, sometimes at the 237 deliberate exclusion of other aspects or topics that, if considered, could 238 potentially change the Screen conclusion.
239 The first step in screening is to determine whether the change affects a 240 design function as described in the UFSAR. If it does not, then the change 241 screens out, and can be implemented without further evaluation under the 10 242 CFR 50.59 process. If the change does affect a UFSAR-described design 243 function, then it should be evaluated to determine if it has an adverse affect. 244 Changes with adverse effects areas those that have the potential to increase 245 the likelihood of malfunctions, increase consequences, create new accidents, 246 or otherwise meet the 10 CFR 50.59 evaluation criteria. Additional guidance 247 on the definition of adverse is provided in the bulleted examples below: 248 Decreasing the reliability of a design function, 249 aAdding or deleting an automatic or manual design function, 250 Converting a feature that was automatic to amanual or visce versa, 251 Reducing redundancy, diversity, or defense-in-depth, or 252 Adversely affecting the response time required to perform requied 253 actions. 254 As discussed in 4.2.1, "Is the Activity a Change to the Facility or Procedures 255 as Described in the UFSAR?," Aa given activity may have both direct and 256 indirect effects that the screening review must consider. Consistent with 257 historical practice, changes to the facility or procedures affecting SSCs or 258 functions not described in the UFSAR must be screened for their effects (so-259 called "indirect effects") on UFSAR-described design functions. A 10 CFR 260 50.59 evaluation is required when such changes adversely affect a UFSAR-261 described design function, 262 Examples 4-C and 4-D illustrate typical screening considerations for a small 263 digital upgrade. 264 Example 4-C. Screening for a Recorder Upgrade (Screens Out) An analog recorder is to be replaced with a new microprocessor based recorder. The recorder is used for various purposes including Post Accident Monitoring, which is an UFSAR-described design function. An engineering/technical evaluation performed on the change determined that Commented [A14]: Global Comment: Do not mention "described in the UFSAR" when indirect effects must be considered because it incorrectly implies that whether something is explicitly described UFSAR is a factor in 50.59 decisionmaking. Specifically, explicitly described in the UFSAR is not a factor in screening (e.g., HSI) or criterion 2. NEI 96-07r1 clearly states when explict UFSAR wording matters (e.g., UFSAR described "design functions, "accidents", "methods of evaluation") Commented [A15]: Source: NEI 01-01 Section 4.3.3 Reason: To provide guidance. the following 2 examples are from NEI 01-01. Commented [A16]: Source: ML17006A341 Comment No. A2 Reason: To provide example to illustrate when digital modifications are or are not adverse.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-10 the new recorder will be highly dependable (based on a quality development process, testability, and successful operating history) and therefore, the risk of failure of the recorder due to software is considered very low. The new recorder also meets all current required performance, HSI, and qualification requirements, and would have no new failure modes or effects at the level of the design function. The operator will use the new recorder in the same way the old one was used, and the same information is provided to support the Post Accident Monitoring function, so the method of controlling or performing the design function is unaltered. The licensee concludes that the change will not adversely affect any design function and screens out the change.
265 266 Example 4-D. Screening for a Recorder Upgrade (Screens In) Similar to Example 4-C, a licensee is planning to replace an analog recorder with a new microprocessor based recorder. However, in this instance, the engineering/technical evaluation determined that the new recorder does not truly record continuously. Instead, it samples at a rate of 10 hertz then averages the 10 samples and records the average every one second. This frequency response is lower compared to the originalequipment and may result in not capturing all process variable spikes or short-lived transients. In this case, the licensee concludes that there could be an adverse effect on an UFSAR-described design function and screens in the change. In the 10 CFR 50.59 evaluation, the licensee will evaluate the magnitude of this adverse effect. 267 4.2.1 Is the Activity a Change to the Facility or Procedures as Described in the 268 UFSAR? 269 There is no regulatory requirement for a proposed activity involving a digital 270 modification to default (i.e., be mandatorily "forced") to an adverse 271 conclusion. 272 Although there may be the potential for the introduction of adverse impacts 273 on UFSAR-described design functions due to the following types of activities 274 involving a digital modification, these typical activities do not default to an 275 adverse conclusion simply because of the activities themselves (i.e., not a 276 change that fundamentally alters (replaces) the existing means of performing 277 or controlling design function as described in NEI 96-07, Section 4.2.1.2), for 278 example: 279 Commented [A17]: Source: ML17006A341 Comment No. A2 Reason: To provide example to illustrate when digital modifications are or are not adverse.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-11
- The introduction of software or digital devices. 280
- The replacement of software and/or digital devices with other software 281 and/or digital devices. 282
- The use of a digital processor to "calculate" a numerical value or 283 "generate" a control signal using software in place of using analog 284 components. 285
- Replacement of hard controls (i.e., pushbuttons, knobs, switches, etc.) 286 to operate or control plant equipment with a touch-screen. 287 Therefore, documented engineering/technical information determinations are 288 neededshould be documented (as part of the design process) to demonstrate 289 that there are no adverse impacts from the above activities. 290 Generally, a digital modification may consist of three areas of activities: (1) 291 software-related, (2) hardware-related and (3) Human-System Interface-292 related. 293 NEI 96-07, Section 4.2.1.1 provides guidance for activities that involve "...an 294 SSC design function..." or a "...method of performing or controlling a design 295 function..." and Section 4.2.1.2 provides guidance for activities that involve 296 "...how SSC design functions are performed or controlled (including changes 297 to UFSAR-described procedures, assumed operator actions and response 298 times)." Based on this segmentation of activities, the software and hardware 299 portions will be assessed within the "facility" Screen consideration since these 300 aspects involve SSCs or the method of performing or controlling a design 301 function and the Human-System Interface portion will be assessed within the 302 "procedures" Screen consideration since this portion involves how SSCs are 303 operated and controlled. 304 305 4.2.1.1 Screening of Changes to the Facility as Described in the UFSAR 306 SCOPE 307 Many of the examples in this section involve the Main Feedwater (MFW) 308 System to illustrate concepts. The reason for selecting the MFW system is 309 that it is one of the few non-safety-related systems that, upon failure, can 310 initiate an accident. 311 In the determination of potential adverse impacts, the following aspects 312 should be addressed in the response to this Screen consideration: 313 (a) Use of Software and Digital Devices 314 Commented [PM18]: Placeholder for NRC comment A18 Formatted:
HighlightCommented [PM19]: Placeholder for NRC comment A19 Formatted:
Highlight Formatted:
HighlightCommented [PM20]: Placeholder for NRC comment A20 Formatted:
HighlightCommented [A21]: Source: ML170170A089 Comment No. A6.
Rationale: Based on the definition of "accident" in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are tpicaly credited to miigate accidents.)
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-12 (b) Combination of Components/Functions 315 (c) Dependability Impact 316 Examples of activities that have the potential to cause an adverse effect 317 include the following activities: 318
- Addition or removal of a dead-band, or 319
- Replacement of instantaneous readings with time-averaged readings 320 (or vice-versa). 321 USE OF SOFTWARE AND DIGITAL DEVICES 322 The UFSAR may identify SSC design function condition s such asthrough 323 diversity, separation, independence, defense-in-depth and/or redundancy 324 through UFSAR discussions. With digital modifications, software and/or 325 hardware have the potential to impact design function conditions such as the 326 diversity, separation, independence, defense-in-depth, and/or redundancy of 327 SSCs explicitly and/or implicitly described in the UFSAR.
1 328 To assist in determining the impact of a digital modification on design 329 function conditions such as the diversity, separation, independence, defense-330 in-depth and/or redundancy of the affected SSCs described in the UFSAR, 331 identify the features of the affected SSCs described in the UFSAR., 332 Ccompare the proposed features of the affected SSCs with the existing 333 features of the affected SSCs. The impact of any differences in the diversity, 334 separation, independence, defense-in-depth and/or redundancy on the design 335 functions described in the UFSAR of the affected SSCs is then determined. 336 A digital modification that reduces SSC diversity, separation, independence, 337 defense-in-depth and/or redundancy is adverse. In addition, an adverse effect 338 may also consist of the potential marginal increase in the likelihood of SSC 339 failure due to the introduction of software. For redundant safety systems, 340 this marginal increase in likelihood creates a similar marginal increase in the 341 likelihood of a common failure in the redundant safety systems. On this 342 basis, most digital modifications to redundant safety systems are adverse. 343 However, for some digital modifications, engineering evaluations, using 344 methods approved by the NRC, may show that the digital modification 345 contains design attributes to eliminate consideration of a software common 346 cause failure. In such cases, even when a digital modification involves 347 redundant systems, the digital modification would be not adverse. Note: 348 1 Refer to NEI 96-07, Section 4.2.1.1, 2 nd paragraph. Commented [A22]: Strickly speaking "diversity, separation, independence, defense-in-depth and/or redundancy" are properties or attributes of a design and not "design functions;" however, NEI 96-07 page 12 states: "Implicitly included within the eaning of design function are the conditions under which intened functions are required to be performed, such as equipment response times, process conditions, equipment qualification and single failure." Therefore "diversity, separation, independence, defense-in-depth and/or redundancy" can be considered conditions of design functions.
Alternatively, the first sentence of this paragraph could be deleted. Commented [A23]: Imporantly, adverse impact due to software is not limited to factors related to the diversity, separation, independence, defense-in-depth, and/or redundancy. Commented [A24]: Source: (1) ML17068A092 Comment No. 9 (2) ML17170A089 Comment No. A8 Rationale: An SSC does not need to be described in the FASR (as updated) for a change to it to adversely affect a FSAR (as updated)-described design function. Commented [A25]: Source: None Rationale: To improve claity. This intent being that only after it is determined that there is no reduction in - then one can consider -
As previously written, someone could have understood that design atribtes can allow for redunctions in diversity, separation, independence, defense-in-depth and/or redundancy. Commented [A26]: Consider replacing with qualitative assessment guidance from RIS.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-13 In some cases the regulations require, and/or the UFSAR includes: (1) 349 diversity, and (2) defense-in-depth; both of which address, in part, CCF. 350 Engineering evaluations of design attributes should not be used to relax 351 conformance to such diversity and defense-in-depth requirements when 352 performing a 50.59 screening and evaluation. 353 For some relatively simple digital modifications, engineering evaluations may 354 show that the risk of failure due to software is not significant and need not be 355 evaluated further, even in applications of high safety significance. In such 356 cases, even when a digital modification involves redundant systems, the 357 digital modification would be not adverse. The engineering evaluation will 358 have concluded that the digital system is sufficiently dependable, based on 359 considerations such as: 360
- the quality of the design processes employed 361
- the change has a limited scope (e.g., replace analog transmitter 362 with a digital transmitter that drives an existing instrument 363 loop) 364
- single failures of the digital device are bounded by existing 365 failures of the analog device (e.g., no new digital 366 communications among devices that introduce possible new 367 failure modes involving separate devices). 368
- uses a relatively simple digital architecture internally (simple 369 process of acquiring one input signal, setting one output, and 370 performing some simple diagnostic checks), 371
- has limited functionality (e.g., transmitters are used to drive 372 signals for parameters monitored), 373
- can be comprehensively tested (but not necessarily 100 percent 374 of all combinations); and, 375
- has extensive operating history. 376 Considerations for screening relatively simple digital equipment are 377 illustrated in Example 4-A. 378 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-14 Example 4-A. Screening for a Smart Transmitter (Screens Out) Transmitters are used to drive signals for parameters monitored by redundant ESFAS channels. The original analog transmitters are to be replaced with microprocessor-based transmitters. The change is of limit scope in that for each channel, the existing 4-20 mA instrument loop is maintained without any changes other than replacing the transmitter itself. The digital transmitters are used to drive signals of monitored parameters and thus have limited functionality with respect to the ESFAS design function. The digital transmitters use a relatively simple digital architecture internally in that the firmware in the new transmitters implements a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks. This process runs in a continuous sequence with no branching or interrupts. Single failures of the digital device are bounded by existing failures of the analog device in that no new digital communications among devices that introduce possible new failure modes involving multiple devices. A "qualitative assessment" of the digital device concluded that the digital system is sufficiently dependable, based on the quality of the design processes employed, and the operating history of the software and hardware used. In addition, based on the simplicity of the device (one input and two outputs), it was comprehensively tested. Further, substantial operating history has demonstrated high reliability in applications similar to the ESFAS application. The ESFAS design function is the ability to respond to plant accidents. Consequently, it is concluded that no adverse effects on UFSAR-described design functions are created, and the change screens out. Note that an upgrade that is similar to Example 4-A, but that uses digital 379 communications from the smart transmitter to other components in the 380 instrument loop might screen in because new interactions and potentially 381 new failure behaviors are introduced that could have adverse effects and 382 should be analyzed in a 10 CFR 50.59 evaluation (see Example 4-B). 383 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-15 Example 4-B. Screening for a Smart Transmitter (Screens In) Smart transmitters similar to those described in Example 4-A are to be installed as part of an upgrade to the reactor protection system. The new smart transmitters have the capability to transmit their output signal using a digital communication protocol. Other instruments in the loop are to be replaced with units that can communicate with the transmitter using the same protocol. Because this change not only upgrades to a digital transmitter but also converts the instrument loop to digital communications among devices, there would be the potential for adverse effects owing to the digital communication and possible new failure modes involving multiple devices. The ESFAS design function is the ability to respond to plant accidents. As a result of the adverse affect on a UFSAR-described design function, this change screens in.
384 In some cases, the licensee's UFSAR describes (1) diversity, and (2) defense-385 in-depth; both of which address, in part, software CCF. Engineering 386 evaluations of design attributes should not be used to relax conformance to 387 such diversity and defense-in-depth requirements when performing a 50.59 388 screen. 389 Alternately, the use of different software in two or more redundant SSCs is 390 not adverse due to a software common cause failure because there is no 391 mechanism to increase in the likelihood of failure due to the introduction of 392 software. 393 Examples 4-1a and 4-1b illustrate the application of the Use of Software and 394 Digital Devices aspect. These examples illustrate how a variation in the 395 licensing basis identified in the UFSAR can affect the Screen conclusion. 396 Example 4-1a. NO ADVERSE IMPACT on a UFSAR-Described Design Function related to use of Software and Digital Devices Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same. The two analog control systems will be replaced with two digital control systems. The hardware platform for each digital control system is from the NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-16 same supplier and the software in each digital control system is exactly the same. The pertinent UFSAR SSC descriptions are as follows: (1) Two analog control systems are identified. (2) Both analog control systems consist of the same physical and functional characteristics. (3) The analog control system malfunctions include (a) failures causing the loss of all feedwater to the steam generators and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs. The pertinent UFSAR-described design function of the main feedwater system is to automatically control and regulate feedwater to the steam generators. With respect to the following considerations, the Uuse of the same hardware platforms and same software in both control systems is NOT ADVERSE for the following reasons
- (a) Redundancy Consideration: There is no impact on redundancy since the UFSAR does not describe redundant SSCs and there are no UFSAR-described design function conditions related to redundancy. (b) Diversity Consideration: There is no impact on diversity since the UFSAR does not describe diverse SSCs and there are no UFSAR-described design function conditions related to diversity. (c) Separation Consideration: There is no impact on the separation of the control systems identified in the UFSAR since each of the analog control systems will be replaced with a separate digital control system. (d) Independence Consideration: Although both of the new digital control systems contain the exact same software (which is subject to a software common cause failure), the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that no new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main feedwater flow to the maximum output from both MFWPs are already considered in the licensing basis. (e) Defense-in-Depth Consideration: There is no impact on defense-in-depth Commented [PM27]: Placeholder to align original comment numbering. Commented [A28]: Source: (1) ML17068A092 Comment No. 9 (2) ML17170A089 Comment No. A11 Rationale: It does not mater if it is described in the FSAR (as updated) or not. Commented [A29]: Source: ML17170A089 Comment No. A12 Rationale: It does not mater if it is described in the FSAR (as updated) or not.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-17 since the UFSAR does not describe SSCs for the purpose of establishing defense-in-depth and there are no UFSAR-described design function conditions related to defense-in-depth. Through consideration of items (a) through (e) above, there is NO ADVERSE impact on the method of performing or controlling the design function of the main feedwater system to automatically control and regulate feedwater to the steam generators due to the use of software and digital devices.
397 Example 4-1b. ADVERSE IMPACT on a UFSAR-Described Design Function related to use of Software and Digital Devices This example differs from Example 4-1a in only the types of malfunctions already identified in the UFSAR, as reflected in item (3) shown below. Items (1) and (2) are unaffected. (3) [Modified from Example 4-1a] The analog control sy stem malfunctions include (a) failures causing the loss of feedwater from only one MWFP to the steam generators and (b) failures causing an increase in main feedwater flow to the maximum output from only one MFWP. The use of the same hardware platforms and same software in both control systems is ADVERSE due to its impact on the Independence Consideration. Items (a), (b), (c) and (e) are unaffected. (d) [Modified from Example 4-1a] Independence Consideration: Since the new digital control systems contain the exact same software (which is subject to a software common cause failure), the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that two new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main feedwater flow to the maximum output from both MFWP have been created and were not considered in the original licensing basis. There is an ADVERSE impact on the design function of the main feedwater system to automatically control and regulate feedwater to the steam generators due to the use of software that reduces independence and creates two new types of malfunctions.
398 399 Commented [A30]: Source: ML17170A089 Comment No. A13 Rationale: It does not mater if it is described in the FSAR (as updated) or not. Commented [A31]: Source: (1) ML17068A092 Comment No. 4 (2) ML17170A089 Comment No. A14 Rationale: NEU 96-07 Rev. 1 Section 3.3 defines "Method of performing of controlling a function" and it is used exclusively to refer to the things people do.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-18 COMBINATION OF COMPONENTS/FUNCTIONS 400 The UFSAR may identify the number of components, how the components 401 were arranged, and/or how functions were allocated to those components. 402 Any or all of these characteristics may have been considered in the process of 403 identifying possible malfunctions or accident initiators. 404 When replacing analog SSCs with digital SSCs, it is potentially advantageous 405 to combine multiple components and/or functions into a single device or 406 control system. However, the failure of the single device or control system for 407 any reason (e.g., a software common cause failure) can potentially affect 408 multiple functions. 409 The combination of previously separate components and/or functions (that 410 does not reduce SSC design aspects such as diversity, separation, 411 independence, defense-in-depth and/or redundancy), in and of itself, does not 412 make the Screen conclusion adverse. Only if combining the previously 413 separate components and/or functions causes a reduction in one of these 414 aspects or a reduction in athe the required or assumed SSC design aspects 415 such as diversity, separation, independence, defense-in-depth and/or 416 redundancy or in an SSC's ability or capability of to performing a design 417 function (e.g., by the creation of a new malfunction or the creation of a new 418 malfunction or accident initiator) is the combination aspect of the digital 419 modification adverse. 420 To assure adequate existing defense in depth is maintained, one should first 421 identify potential coupling factors between equipment failures. A coupling 422 factor is the condition or mechanism through which multiple components 423 could be affected (or coupled) by the same cause.
[DISCUSS MORE LATER, 424 IN CONJUCTION WITH EXAMPLE 4-A AND 4-B
] 425 To assist in determining the impact of a digital modification on the number 426 and/or arrangement of components, review the description(s) of the existing 427 SSCs described in the UFSAR (as updated). When comparing the existing 428 and proposed configurations, consider how the proposed configuration affects 429 the number and/or arrangement of components and the potential impacts of 430 the proposed arrangement on UFSAR-described design functions. 431 Examples 4-2 and 4-3 illustrate the application of the Combination of 432 Components/Functions aspect. 433 Examples 4-2a and 4-2b illustrate how variations in a proposed activity can 434 affect the Screen conclusion. 435 Commented [A32]: Source: ML13298A787 - Concerns 5 & 7 Rationale: Presumably this section was added to address this concern. Commented [A33]: Single device failures or misbehaviours are by definition not CCFs. Only when there are multiple components that are assumed to be independent can one call it a CCF; therefore this example is technically incorrect. Commented [A34]: Source: In several meetings, Industry expressed that "not all combinations are bad."
Rationale: These word help provide conceptual guidance for distinguishing combinations that are of regulatory concern, from those that do not. The combinations that are bad are the one that combine or couple items that span these criteria.Commented [A35]: As screening criteria, ANY reduction in one of these aspects should be considered adverse.
Whether the outcomes of such a reduction requires a LAR, is the subject of the evaluation section. Commented [A36]: Source: ML17170A089 Comment No. A16 Rationale: Change includes indirect effects. Commented [A37]: Source: (1) ML17006A341 Comment No. A2 (2) ML170170A089 Comment No. A10. (3) Text adapted from DG-1285 (ML16358A153)
(4) ML13298A787 - Concern 10 Rationale: To add key aspects to consider when determining whether a digital modification should be considered adverse (or not) for 50.59 screening purposes. Commented [A38]: As written this sentence is ambigious. Without this change, it could be interpreted that only FSAR described arrangements (as opposed to actual arrangements) matter. The criteria should be actual arangements, whether described in the FSAR or not.
Alternatively the entire first sentence could be deleted.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-19 Example 4-2a. Combining Components and Functions with NO ADVERSE IMPACT on a UFSAR-Described Design Function Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same. System drawings (incorporated by reference into the UFSAR) show that each analog control system has many subcomponents. All of the analog subcomponents will be replaced with a single digital device that consolidates all of the components, sub-components and the technical functions associated with each component and sub-component. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. The pertinent UFSAR SSC descriptions are as follows: (1) Two analog feedwater control systems are identified, including several major individual components. (2) The SSC descriptions state that both analog control systems consist of the same physical and functional characteristics. Although the control systems and the major components are described in the UFSAR, only a UFSAR-described design function for the feedwater control system is identified. No design functions for any of the individual components are described in the UFSAR. The pertinent UFSAR-described design function of the feedwater control system is "to provide adequate cooling water to the steam generators during normal operation." The UFSAR identifies the following MFWP control system malfunctions: (a) failures causing the loss of all feedwater to the steam generators, and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs. The combination of components and functions has NO ADVERSE IMPACT on the identified design function for the following reasons: No new malfunctions are created. The Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that no new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-20 feedwater flow to the maximum output from bothMFWPsare already considered in the licensing basis. Since no new malfunctions are created, the ability to perform the design function "to provide adequate cooling water to the steam generators during normal operation" is maintained. Using the same initial SSC configuration, proposed activity and UFSAR 436 descriptions from Example 4-2a, Example 4-2b illustrates how a variation in 437 the proposed activity would be addressed. 438 Example 4-2b. Combining Components and Functions with an ADVERSE IMPACT on a UFSAR-Described Design Function Instead of two separate, discreet, unconnected digital control systems being used for the feedwater control systems, only one central digital processor is proposed to be used that will combine the previously separate control systems and control both feedwater pumps. In this case, the proposed activity is ADVERSE because there is a reduction in the separation of the two original control systems. Example 4-3 illustrates the combining of control systems from different, 439 originally separate systems. 440 Example 4-3. Combining Components and Functions with an ADVERSE IMPACT on a UFSAR-Described Design Function Two non-safety-related analog feedwater control systems and a separate analog control system that controls the main turbine steam-inlet valves exist.All three analog control systems will be replaced with one digital control system that will combine the two feedwater control systems and the main turbine steam-inlet valve control system into a single digital device. The pertinent UFSAR SSC descriptions are as follows: (1) Two analog feedwater control systems are identified. The feedwater control system contains a design function "to provide adequate cooling water to the steam generators during normal operation." (2) One analog main turbine steam-inlet valve control system is identified. The main turbine steam-inlet valve control system contains a design function "to control the amount of steam entering the main turbine during normal operation." (3) The two feedwater control systems are independent from the main turbine NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-21 steam-inlet valve control system. (4) The function of controlling feedwater is separate from the function of controlling the main turbine steam-inlet valves. This separation is confirmed by a review of the accident analyses that do not include consideration of a simultaneous failure of the feedwater control system and the failure of the turbine control system. In this case, the proposed activity is ADVERSE because there is a reduction in the separation and independence of the original control systems. 441 For some component upgrades the likelihood of failure due to software may 442 be judged to be no greater than failure due to other causes, i.e., comparable to 443 hardware common cause failure, and includes no coupling mechanisms. In 444 such a case, even when it affects redundant systems, the digital upgrade 445 would screen out. Considerations for screening relatively simple digital 446 equipment are illustrated in Example 4-A and include: 447 The digital modification has a sufficiently low likelihood of 448 common cause failure based on the "qualitative assessment" of 449 system design features, the quality of the design processes 450 employed, and the operating history of the software and 451 hardware used. This qualitative assessment evaluates the 452 magnitude of the adverse effect (i.e., "sufficiently low" likelihood) 453 and which is the focus of the 10 CFR 50.59 evaluation, not the 454 screening. To screen out the digital modification, the following 455 additional considerations provide a greater degree of assurance 456 to conclude that change does not have an adverse effect on a 457 design function: 458 the change is of limited scope (e.g., replace analog transmitter 459 with a digital transmitter that drives an existing instrument 460 loop) 461 single failures of the digital device are bounded by existing 462 failures of the analog device (e.g., no new digital 463 communications among devices that introduce possible new 464 failure modes involving multiple devices). 465 Commented [PM39]: Placeholder for original NRC comment A39 Formatted: Indent: Left: 1", Bulleted + Level: 1 + Alignedat: 0.5" + Indent at: 1" NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-22 uses a relatively simple digital architecture internally (simple 466 process of acquiring one input signal, setting one output, and 467 performing some simple diagnostic checks), 468 has limited functionality (e.g., transmitters are used to drive 469 signals for parameters monitored), 470 can be comprehensively tested (but not necessarily 100 percent 471 of all combinations); and, 472 has extensive operating history. 473 Example 4-A. Screening for a Smart Transmitter (Screens Out) Transmitters are used to drive signals for parameters monitored by redundant ESFAS channels. The original analog transmitters are to be replaced with microprocessor-based transmitters. The change is of limit scope in that for each channel, the existing 4-20 mA instrument loop is maintained without any changes other than replacing the transmitter itself. The digital transmitters are used to drive signals of monitored parameters and thus have limited functionality with respect to the ESFAS design function. The digital transmitters use a relatively simple digital architecture internally in that the firmware in the new transmitters implements a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks. This process runs in a continuous sequence with no branching or interrupts. An alarm relay is available to annunciate detected failures. Single failures of the digital device are bounded by existing failures of the analog device in that no new digital communications among devices that introduce possible new failure modes involving multiple devices. A "qualitative assessment" of the digital device concluded and the likelihood of common cause failures in multiple channels was very low based on system design features, the quality of the design processes employed, and the operating history of the software and hardware used. In addition, based on the simplicity of the device (one input and two outputs), it was easily tested. Further, substantial operating history has demonstrated high reliability in applications similar to the ESFAS application. Consequently, it is concluded that no adverse effects are created, and the change screens out. Note that an upgrade that is similar to Example 4-A, but that uses digital 474 communications from the smart transmitter to other components in the 475 instrument loop might screen in because new interactions and potentially 476 Commented [PM40]: Placeholder for original NRC comment A40 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-23 new failure behaviors are introduced that could have adverse effects and 477 should be analyzed in a 10 CFR 50.59 evaluation (see Example 4-B). 478 Example 4-B. Screening for a Smart Transmitter (Screens In) Smart transmitters similar to those described in Example 4-1 are to be installed as part of an upgrade to the reactor protection system. The new smart transmitters have the capability to transmit their output signal using a digital communication protocol. Other instruments in the loop are to be replaced with units that can communicate with the transmitter using the same protocol. Because this change not only upgrades to a digital transmitter but also converts the instrument loop to digital communications among devices, there would be the potential for adverse effects owing to the digital communication and possible new failure modes involving multiple devices. As a result, this change screens in.
479 DEPENDABILITY IMPACT 480 In the main body of NEI 96-07, Section 4.2.1, subsection titled "Screening for 481 Adverse Effects," reliability is mentioned in the following excerpt: 482 "...a change that decreases the reliability of a function whose 483 failure could initiate an accident would be considered to 484 adversely affect a design function..." 485 Based on the technical outcomes from applicable Industry and/or NRC 486 guidance documents and using the information considered in those sources to 487 develop those outcomes, the Screen should assess the dependability of 488 performing applicable design functions due to the introduction of software 489 and/or hardware. 490 Example 4-4 illustrates the application of the dependability consideration. 491 Commented [PM41]: Placeholder for original NRC comment A41.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-24 Example 4-4. Digital Modification that Satisfies Dependability, causing NO ADVERSE IMPACT on a UFSAR-described Design Function An analog recorder is to be replaced with a new microprocessor-based recorder. The recorder is used for various purposes including Post Accident Monitoring, which is a UFSAR-described design function. Dependability Assessment: An engineering evaluation performed as part of the technical assessment supporting the digital modification concluded that the new recorder will be highly dependable (based on a quality development process, testability, and successful operating history) and therefore, the risk of failure of the recorder due to software is considered very low. The change will have NO ADVERSE IMPACT on any design function due to the dependability assessment.
492 4.2.1.2 Screening of Changes to Procedures as Described in the UFSAR 493 SCOPE 494 If the digital modification does not include or affect a Human-System 495 Interface (e.g., the replacement of a stand-alone analog relay with a digital 496 relay that has no features involving personnel interaction and does not feed 497 signals into any other analog or digital device), then this section does not 498 apply and may be excluded from the Screen assessment. 499 In NEI 96-07, Section 3.11 defines procedures as follows: 500 "...Procedures include UFSAR descriptions of how actions related to 501 system operation are to be performed and controls over the 502 performance of design functions. This includes UFSAR descriptions of 503 operator action sequencing or response times, certain descriptions...of 504 SSC operation and operating modes, operational...controls, and similar 505 information
." 506 Although UFSARs do not typically describe the details of a specific Human-507 System Interface, UFSARs will describe any design functions associated with 508 the HSI. 509 Because the human-system interface (HSI) involves system/component 510 operation this portion of a digital modification is assessed in this Screen 511 consideration. The focus of the Screen assessment is on potential adverse 512 effects due to modifications of the interface between the human user and the 513 technical device. 514 Commented [A42]: Comments on HSI Screening Guidance were previously provided in:
(1) ML17068A092 Comment Nos. 18-26 (2) ML17170A089 Comment Nos. A17-A27 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-25 There are 3 basic elements of an HSI (
Reference:
NUREG-0700): 515
- Displays: the visual representation of the information operators need 516 to monitor and control the plant. 517
- Controls: the devices through which personnel interact with the HSI 518 and the plant. 519
- User-interface interaction and management: the means by which 520 personnel provide inputs to an interface, receive information from it, 521 and manage the tasks associated with access and control of 522 information. 523 Operators must be able to accurately perceive, comprehend and respond to 524 system information via the HSI to successfully complete their tasks. 525 Specifically, nuclear power plant personnel perform four primary types of 526 tasks (
Reference:
XXX): 527 (1) monitoring and detection (extracting information from the 528 environment and recognizing when something changes), 529 (2) situation assessment (evaluation of conditions), 530 (3) response planning (deciding upon actions to resolve the situation) and 531 (4) response implementation (performing an action). 532 To determine potential adverse impacts of HSI modifications on design 533 functions, a two-step analysis must be performed. Step one is assessing how 534 the modification impacts (i.e., positively , negatively or no impact) the 535 operators' abilities to perform each of the four primary types of tasks 536 described above. If there are negative impacts, step two of the analysis 537 consists of determining how the impacts affects the pertinent UFSAR-538 described design function(s) (i.e., adversely or not adversely). Examples of 539 negative impacts on operator performance of tasks that may result in adverse 540 effects on a design function include: 541
- increased possibility of mis-operation, 542
- increased difficulty in evaluating conditions, 543
- increased difficulty in performing an action, 544
- increased time to respond, 545
- creation of new potential failure modes. 546 547 Table 1 contains examples of modifications to HSI elements that should be 548 addressed in the response to this Screen consideration. 549 550 [INSERT TABLE 1 FROM HSI COMMENTS FILE HERE.] 551 552 In NEI 96-07, Section 3.11 defines procedures as follows: 553 554 Formatted: Font: Century Schoolbook, 12 pt Formatted: Font: Century Schoolbook, 12 pt Formatted: Font: Century Schoolbook, 12 pt NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-26 "...Procedures include UFSAR descriptions of how actions 555 related to system operation are to be performed and controls 556 over the performance of design functions. This includes UFSAR 557 descriptions of operator action sequencing or response times, 558 certain descriptions...of SSC operation and operating modes, 559 operational...controls, and similar information
." 560
- Because the Human-System Interface involves system/component operation, operator 561 actions, response times, etc., this portion of a digital modification is assessed in this Screen 562 consideration. 563 If the digital modification does not include or affect a Human-System 564 Interface (e.g., the replacement of a stand-alone analog relay with a digital 565 relay that has no features involving personnel interaction and does not feed 566 signals into any other analog or digital device), then this section does not 567 apply and may be excluded from the Screen assessment. 568 The focus of the Screen assessment is on potential adverse effects due to 569 modifications of the interface between the human user and the technical 570 device [e.g., equipment manipulations, actions taken, options available, 571 decision-making, manipulation sequences or operator response times 572 (including the impact of errors of a cognitive nature in which the information 573 being provided is unclear or incorrect)], not the written procedure 574 modifications that may accompany a physical design modification (which are 575 addressed in the guidance provided in NEI 96-07, Section 4.2.1.2). 576 PHYSICAL INTERFACE WITH THE HUMAN-SYSTEM INTERFACE 577 In the determination of potential adverse impacts, the following aspects 578 should be addressed in the response to this Screen consideration: 579 (a) Physical Interaction with the Human-System Interface (HSI) 580 (b) Number/Type of Parameters 581 (c) Information Presentation 582 (d) Operator Response Time 583 Physical Interaction with the Human-System Interface 584 A typical physical interaction modification might involve the use of a touch 585 screen in place of push-buttons, switches or knobs, including sensory-based 586 aspects such as auditory or tactile feedback. 587 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-27 To determine if the HSI aspects of a digital modification have an adverse 588 impact on UFSAR-described design functions, potential impacts due to the 589 physical interaction with the HSI should be addressed in the Screen. 590 Consideration of a digital modification's impact due to the physical 591 interaction with the HSI involves an examination of the actual physical 592 interface and how it could impact the performance and/or satisfaction of 593 UFSAR-described design functions. For example, if a new malfunction is 594 created as a result of the physical interaction, then the HSI portion of the 595 digital modification would be adverse. Such a new malfunction may be 596 created by the interface requiring the human user to choose which of multiple 597 components is to be controlled, creating the possibility of selecting the wrong 598 component (which could not occur with an analog system that did not need 599 the human user to "make a selection").
600 Characteristics of HSI changes that could lead to potential adverse effects 601 may include, but are not limited to: 602
- Changes from manual to automatic initiation (or vice versa) of 603 functions, 604
- Changes in the data acquisition process (such as replacing an edgewise 605 analog meter with a numeric display or a multipurpose CRT in which 606 access to the data requires operator interaction to display), 607
- Changes that create new potential failure modes in the interaction of 608 operators with the system (e.g., new interrelationships or 609 interdependencies of operator actions and/or plant response, or new 610 ways the operator assimilates plant status information), 611
- Increased possibility of mis-operation related to performing a design 612 function, 613
- Increased difficulty for an operator to perform a design function, or 614
- Increased complexity or duration in diagnosing or responding to an 615 accident [e.g., Time-Critical Operation Actions (TCOAs) identified in 616 the UFSAR]. 617 If the HSI changes do not exhibit characteristics such as those listed above, 618 then it may be reasonable to conclude that the "method of performing or 619 controlling" a design function is not adversely affected. 620 Example s 4-5 through 4-7 illustrate the application of the Physical 621 Interaction aspect illustrates how to apply the assessment process to ONLY 622 the "controls" element of an HSI. 623 Example 4-5. Physical Interaction Assessment of the "Controls" Element of NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-28 an HSI with NO ADVERSE IMPACT on a UFSA R-Described Design Function Description of the Proposed Activity Involving the Control Element: Currently, a knob is rotated clock-wise to increase a control function and counter clock-wise to decrease the control function. This knob will be replaced with a touch screen. Using the touch screen, touching the "up" arrow will increase the control function and touching the "down" arrow will decrease the control function. Identification and Assessment of Task Type(s) Involved:
(1) monitoring and detection (extracting information from the environment and recognizing when something changes) - INVOLVED (2) situation assessment (evaluation of conditions) - NOT INVOLVED (3) response planning (deciding upon actions to resolve the situation) - NOT INVOLVED (4) response implementation (performing an action) - NOT INVOLVED Design Function Identification: The UFSAR-described design function states the operator can "increase and decrease the control functions using manual controls located in the Main Control Room." Thus, this UFSAR description implicitly identifies the SSC (i.e., the knob) and the design function of the SSC (i.e., its ability to allow the operator to manually adjust the control function).
Identification and Assessment of Modification Impacts on the Task Type(s) INVOLVED:
As part of the technical evaluation supporting the proposed activity, a Human Factors Evaluation (HFE) was performed. The HFE concluded that no new failures or malfunctions have been introduced as a result of the replacement from a knob to a touch screen.
- possibility of mis-operation - NO IMPACT
- difficulty in evaluating conditions - N/A
- difficulty in performing an action - NO IMPACT
- time to respond - N/A
- new potential failure modes - NO IMPACT Formatted: Space Before: 0 pt, After: 0 pt, Hyphenate, Tabstops: Not at -0.5" Formatted: Space Before: 0 pt, After: 0 pt, Hyphenate, Tabstops: Not at -0.5" NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-29 Assessment of Design Function Impact(s) Using the results from the HFE and examining only the physical interaction aspect "controls" element of an HSI (e.g., ignoring the impact on operator response time or the number and/or sequence of steps necessary to access the new digital controlsthe other three HSI elements), the replacement of the "knob" with a "touch screen" is not adverse since it does not impact the ability of the operator to "increase and decrease the control functions using manual controls located in the Main Control Room," maintaining satisfaction of the UFSAR-described design function.
Using the same proposed activity provided in Example 4-5, Example 4-6 624 illustrates how a variation in the UFSAR description would cause an adverse 625 impact. 626 Example 4-6. Physical Interaction with an ADVERSE IMPACT on a UFSAR-Described Design Function The UFSAR states not only that the operator can "increase and decrease the control functions using manual controls located in the Main Control Room," but also that "the control mechanism provides tactile feedback to the operator as the mechanism is rotated through each setting increment." Since a touch screen cannot provide (or duplicate) the "tactile feedback" of a mechanical device, replacing the "knob" with a "touch screen" is adverse because it adversely impacts the ability of the operator to obtain tactile feedback from the device.
Using the same proposed activity provided in Example 4-5 and the same 627 UFSAR descriptions from Example 4-6, Example 4-7 illustrates how a 628 variation in the proposed activity would also cause an adverse impact. 629 Example 4-7. Physical Interaction with an ADVERSE IMPACT on a UFSAR-Described Design Function In addition to the touch screen control "arrows" themselves, a sound feature and associated components will be added to the digital design that will emit a clearly audible and distinct "tone" each time the control setting passes through the same setting increment that the tactile feature provided with the mechanical device. Although the operator will now receive auditory "feedback" during the operation of the digital device, the means by which this feedback is provided has been altered. Since the means of controlling the design function has NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-30 changed, new malfunctions can be postulated(e.g., high ambient sound levels that prevent the operator from hearing the feedback). Therefore, the modification of the feedback feature (i.e., from tactile to auditory) has an adverse impact on the ability of the design function to be performed.
630 Number and/or Type of Parameters Displayed By and/or Available From the 631 Human-System Interface 632 One advantage of a digital system is the amount of information that can be 633 monitored, stored and presented to the user. However, the possibility exists 634 that the amount of such information may lead to an over-abundance that is 635 not necessarily beneficial in all cases. 636 To determine if the HSI aspects of a digital modification have an adverse 637 effect on UFSAR-described design functions, potential impacts due to the 638 number and/or type of parameters displayed by and/or available from the 639 HSI should be addressed in the Screen. 640 Consideration of a digital modification's impact due to the number and/or 641 type of parameters displayed by and/or available from the HSI involves an 642 examination of the actual number and/or type of parameters displayed by 643 and/or available from the HSI and how they could impact the performance 644 and/or satisfaction of UFSAR-described design functions. Potential causes for 645 an adverse impact on a UFSAR-described design function could include a 646 reduction in the number of parameters monitored (which could make the 647 diagnosis of a problem or determination of the proper action more challenging 648 or time-consuming for the operator), the absence of a previously available 649 parameter (i.e., a type of parameter), a difference in how the loss or failure of 650 parameters occurs (e.g., as the result of combining parameters), or an 651 increase in the amount of information that is provided such that the amount 652 of available information has a detrimental impact on the operator's ability to 653 discern a particular plant condition or to perform a specific task. 654 Example 4-8 illustrates the application of the Number and/or Type of 655 Parameters aspect. 656 Example 4-8. Number and Type of Parameters with NO ADVERSE IMPACT on a UFSAR-Described Design Function Currently, all controls and indications for a single safety-related pump are analog. There are two redundant channels of indications, either of which can be used to monitor pump performance, but only one control device. For direct monitoring of pump performance, redundant motor electrical current indicators exist. For indirect monitoring of pump performance, redundant NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-31 discharge pressur e and flow rat e indicators exist. Furthermore, at the destination of the pump's flow, redundant temperature indicators exist to allow indirect monitoring of pump performance to validate proper pump operation by determination of an increasing temperature trend (i.e., indicating insufficient flow) or a stable/decreasing temperature trend (i.e., indicating sufficient flow). All of these features are described in the UFSAR. The UFSAR also states that the operator will "examine pump performance and utilize the information from at least one of the redundant plant channels to verify performance" and "the information necessary to perform this task is one parameter directly associated with the pump (motor electrical current) and three parameters indirectly associated with pump performance (discharge pressure, flow rate, and response of redundant temperature indications)." A digital system will replace all of the analog controls and indicators. Two monitoring stations will be provided, either of which can be used to monitor the pump. Each monitoring station will display the information from one of the two redundant channels. The new digital system does not contain features to automatically control the pump, but does contain the ability to monitor each of the performance indications and inform/alert the operator of the need to take action. Therefore, all pump manipulations will still be manually controlled. Since the new digital system presents the same number (one) and type (motor electrical current) of pump parameters to directly ascertain pump performance and the same number (three) and type (discharge pressure, flow rate and redundant temperature) of system parameters to indirectly ascertain pump performance, there is no adverse impact on the UFSAR-described design function to perform direct monitoring of pump performance and no adverse impact on the UFSAR-described design function to perform indirect monitoring of pump performance.
657 Information Presentation on the Human-System Interface 658 659 A typical change in data presentation might result from the replacement of 660 an edgewise analog meter with a numeric display or a multipurpose CRT. 661 To determine if the HSI aspects of a digital modification have an adverse 662 effect on UFSAR-described design functions, potential impacts due to how 663 the information is presented should be addressed in the Screen. 664 Consideration of a digital modification's impact due to how the information is 665 presented involves an examination of how the actual information 666 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-32 presentation method could impact the performance and/or satisfaction of 667 UFSAR-described design functions. To determine possible impacts, the 668 UFSAR should be reviewed to identify descriptions regarding how 669 information is presented, organized (e.g., how the information is physically 670 presented) or accessed, and if that presentation, organization or access 671 relates to the performance and/or satisfaction of a UFSAR-described design 672 function. 673 Examples of activities that have the potential to cause an adverse effect 674 include the following activities: 675
- Addition or removal of a dead-band, or 676
- Replacement of instantaneous readings with time-averaged readings 677 (or vice-versa). 678 If the HSI changes do not exhibit characteristics such as those listed above, 679 then it may be reasonable to conclude that the "method of performing or 680 controlling" a design function is not adversely affected. 681 Example 4-9 illustrates the application of the Information Presentation 682 aspect. 683 Example 4-9. Information Presentation with an ADVERSE IMPACT on a UFSAR-Described Design Function A digital modification consolidates system information onto two flat panel displays (one for each redundant channel/train). Also, due to the increased precision of the digital equipment, the increment of presentation on the HSI will be improved from 10 gpm to 1 gpm. Furthermore, the HSI will now present the information layout "by channel/train." The UFSAR identifies the existing presentation method as consisting of "indicators with a 10 gpm increment" to satisfy safety analysis assumptions and the physical layout as being "by flow path" to allow the operator to determine system performance.
The increase in the display increment is not adverse since the operator will continue to be able to distinguish the minimum increment of 10 gpm UFSAR-described design function. The new display method (i.e., "by channel/train") adversely affects the ability of the operator to satisfy the design function to ascertain system performance "by flow path." 684 Operator Response Time 685 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-33 686 Typically, an increase in the operator response time might result from the 687 need for the operator to perform additional actions (e.g., due to the additional 688 steps necessary to call up or retrieve the appropriate display and operate the 689 "soft" control rather than merely reading an indicator on the Main Control 690 Board). 691 To determine if the HSI aspects of a digital modification have an adverse 692 effect on UFSAR-described design functions, potential impacts on the 693 operator response time should be addressed in the Screen. 694 Consideration of a digital modification's impact on the operator response time 695 due to the modification of the number and/or type of decisions made, and/or 696 the modification of the number and/or type of actions taken, involves an 697 examination of the actual decisions made/actions taken and how they could 698 impact the performance and/or satisfaction of UFSAR-described design 699 functions. To determine possible impacts, the UFSAR must be reviewed to 700 identify descriptions relating to operator response time requirements and if 701 those timing requirements are related to the performance and/or satisfaction 702 of a UFSAR-described design function. 703 Example 4-10 is the same as Example 4-9, but illustrates the application of 704 the Operator Response Time aspect. 705 Example 4-10. Operator Response Time with NO ADVERSE IMPACT on a UFSAR-Described Design Function A digital modification consolidates system information onto two flat panel displays (one for each redundant channel/train). Also, due to the increased precision of the digital equipment, the increment of presentation on the HSI will be improved from 10 gpm to 1 gpm. Furthermore, the HSI will now present the information layout "by channel/train." The UFSAR identifies the existing presentation method as consisting of the physical layout as being "by flow path" to allow the operator to determine system performance.
Although the UFSAR identifies the existing presentation method as consisting of a physical layout "by flow path" to allow the operator to determine system performance and the new display method (i.e., "by channel/train") will require additional steps by the operator to determine system performance, requiring more time, there is no adverse impact on satisfaction of the design function to ascertain system performance because no response time requirements are applicable to the design function of the NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-34 operator being able "to determine system performance.
" 706 COMPREHENSIVE HUMAN-SYSTEM INTERFACE EXAMPLE 707 Although no additional guidance is provided in this section, Example 4-11 708 illustrates how each of the aspects identified above would be addressed. 709 Example 4-11. Digital Modification involving Extensive HSI Considerations with NO ADVERSE IMPACTS on a UFSAR-Described Design Function Component controls for a redundant safety-related system are to be replaced with PLCs. The existing HSI for these components is made up of redundant hard-wired switches, indicator lights, and analog meters. The new system consolidates the information and controls onto two flat panel displays (one per redundant train), each with a touch screen providing "soft" control capability. The existing number and type of parameters remains the same, which can be displayed in a manner similar to the existing presentations (e.g., by train). However, the information can be also presented in different configurations that did not previously exist (e.g., by path or by parameter type to allow for easier comparison of like parameters), using several selectable displays. The flat panel display can also present any of several selectable pages depending on the activity being performed by the operator (e.g., starting/initiating the system, monitoring the system during operation, or changing the system line-up). To operate a control, the operator must (via the touch screen) select the appropriate activity (e.g., starting/initiating the system, monitoring the system during operation, or changing the system line-up), select the desired page (e.g., train presentation, path presentation, or parameter comparison), select the component to be controlled (e.g., pump or valve), select the control action (e.g., start/stop or open/close), and execute it. The display remains on the last page selected, but each page contains a "menu" of each possible option to allow direct access to any page without having to return to the "main menu." The two new HSIs (one per redundant train) will provide better support of operator tasks and reduced risk of errors due to:
- Consolidation of needed information onto a single display (within the family of available displays) that provides a much more effective view of system operation when it is called into action.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-35
- Elimination of the need for the operator to seek out meter readings or indications, saving time and minimizing errors.
- Integration of cautions and warnings within the displays to help detect and prevent potential errors in operation (e.g., warnings about incorrect system lineups during a test or maintenance activity). The design was developed using a human factors engineering design, with a verification and validation process consistent with current industry and regulatory standards and guidelines. As part of the technical evaluation supporting the proposed activity, a Human Factors Evaluation (HFE) was performed. Based on the conclusions from the HFE, the design provides a more effective HSI that is less prone to human error than the existing design. The UFSAR-described design functions applicable to this proposed activity include descriptions of how the existing controls, including the physical switches, indicator lights and meters, and how each of these SSCs is used during normal and abnormal (including accident) operating conditions. The UFSAR identifies the current physical arrangement (i.e., two physically separate locations) as providing a provides assurance that the design function is satisfied by preventing the operator that prevents the operator from operating the "wrong" component. There are no UFSAR-described design functions related to the operator response times associated with using the existing controls. The impacts on design functions are identified below:
- Physical Interaction - NOT ADVERSE because the new HSI consists of two physically separate displays.
- Number and Type of Parameters - NOT ADVERSE because the same number and type of parameters exist with the new HSI.
- Information Presentation - NOT ADVERSE because all of the existing features (e.g., individual controls, indicator lights and parameters displays that mimic the analog meters) continue to exist with the new HSI.
- Operator Response Time - NOT ADVERSE because no response time requirements were applicable to any of the design functions and there were no indirect adverse affects on any other design function
. 710 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-36 4.2.1.3 Screening Changes to UFSAR Methods of Evaluation 711 By definition, a proposed activity involving a digital modification involves 712 SSCs and how SSCs are operated and controlled, not a method of evaluation 713 described in the UFSAR (see NEI 96-07, Section 3.10). 714 Methods of evaluation are analytical or numerical computer models used to 715 determine and/or justify conclusions in the UFSAR (e.g., accident analyses 716 that demonstrate the ability to safely shut down the reactor or prevent/limit 717 radiological releases). These models also use "software." However, the 718 software used in these models is separate and distinct from the software 719 installed in the facility. The response to this Screen consideration should 720 reflect this distinction. 721 A necessary revision or replacement of a method of evaluation (see NEI 96-722 07, Section 3.10) resulting from a digital modification is separate from the 723 digital modification itself and the guidance in NEI 96-07, Section 4.2.1.3 724 applies. 725 4.2.2 Is the Activity a Test or Experiment Not Described in the UFSAR? 726 By definition, a proposed activity involving a digital modification involves 727 SSCs and how SSCs are operated and controlled, not a test or experiment 728 (see NEI 96-07, Section 4.2.2). The response to this Screen consideration 729 should reflect this characterization. 730 A necessary test or experiment (see NEI 96-07, Section 3.14) involving a 731 digital modification is separate from the digital modification itself and the 732 guidance in NEI 96-07, Section 4.2.2 applies. 733 4.3 EVALUATION PROCESS 734 735 736 737 738 Introduction 739 In the following sections and sub-sections that describe the Evaluation 740 guidance unique toparticularly useful l for the application of 10 CFR 50.59 to 741 CAUTIONThe guidance contained in this appendix is intended to supplement the generic Evaluation guidance contained in the main body in NEI 96-07, Section 4.3. Namely, the generic Evaluation guidance provided in the main body of NEI 96-07 and the more-focused Evaluation guidance in this appendix BOTH apply to digital modifications.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-37 digital modifications, each section and sub-section describes only a specific 742 aspect, sometimes at the deliberate exclusion of other related aspects. This 743 focused approach is intended to concentrate on the particular aspect of 744 interest and does not imply that the other aspects do not apply or could not 745 be related to the aspect being addressed. 746 Throughout this section, references to the main body of NEI 96-07, Rev. 1 will 747 be identified as "NEI 96-07." 748 Credibility of Common Cause Failure (CCF) Likelihood Determination 749 Outcomes 750 The possible outcomes of an engineering evaluation (e.g., CCF Susceptibility 751 Analysis), performed in accordance with regarding a CCF from the CCF 752 Susceptibility Analysis performed in accordance with applicable Industry 753 and/or NRC approved guidance documents
, regarding the CCF likelihood are 754 as follows: 755 (1) CCF likelihood not credible (i.e., likelihood of a CCF caused by an I&C 756 failure source is NOT greater than the likelihood of acomprable to CCF 757 caused by other failure sources that are not considered specifically 758 analyzed in the UFSAR)sufficiently low (as defined in Definition 3.17) 759 (2) CCF likelihood credible (i.e., likelihood of a CCF caused by an I&C 760 failure source IS greater than or equalcomprable to the likelihood of a 761 CCF caused by other failure sources that are considered specifically 762 analyzed in the UFSAR)not sufficiently low 763 These outcomes will be used in developing the responses to Evaluation 764 criteria 1, 2, 5 and 6. 765 Failure Analysis 766 As described in SECY 91-292 regarding NRC review of advanced light water 767 reactor (ALWR) designs, digital l&C systems employ a greater degree of 768 sharing of data transmission, functions, and process equipment as compared 769 to analog systems. While this sharing enables some of the key benefits of 770 digital equipment, it also increases the potential consequences of individual 771 failures. 772 Consideration of potential system failures and undesirable behaviors should 773 be an integral pairt of the process of designing, specifying, and implementing 774 a digital upgrade. Consideration of these undesirable events is referred to 775 collectively as failure analysis. Failure analysis interacts with essentially all 776 Commented [A43]: Source: ML13298A787 Concern 3 Comment: The overarching goal is to have clear guidance. That is, both licensees and inspectors must interpret this document the same way.
The reason that NEI 01-01 was written was because it was felt that it was not clear how to apply NEI 96-07 to digital modifications, because digital based SSCs were typicaly different that analog systems in certian ways.
The typical ways in which new digital electronics SSCs are different are:
(1) Modes Behaviour & Misbehaviour (2) Combining of Functions (3) Coupling of Functions (4) Potential for Increased Complexity (5) System Architecture Changes (6) Contain Software While some of these aspects are considered in the screening section, the evaluation is silent on those that are addressed in the screening section.
The failure analysis section below was added to address this comment.
Formatted:
HighlightCommented [A44]: Source: Engineering Judgement Rationale: There are two things of concern: (1) Determination of if CCF is credible (2) Characterisation of behavior during CCF ... [1]Commented [A45]: Source: (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4 Rationale: New terms should be defined since undefined terms are a source of regulatory uncertainty. Commented [A46]: In the August 29 Public Meeting, NEI stated the terms "CCF Credible/Not Credible" will no longer be used. All instances of "credible" have been highlighted to facilitate making this change.
Formatted:
HighlightCommented [A47]: Source: ML17170A089 Comment No. A30 Rationale: There are many ways that CCF can be considered in the FSAR (as updated), specifically postulating and analyzing the results being only one.
Formatted:
HighlightCommented [A48]: Source: ML17170A089 Comment No. A30 Rationale: There are many ways that CCF can be considered in the FSAR (as updated), specifically postulating and analyzing the results being one one. Commented [A49]: Source: The following text (except as noted) adapted from NEI 01-01 Section 5.1 & 5.1.1. Rationale: To address the first comment in Section 4.3 above. Commented [A50]: Source: Source: ML13298A787 - Concern 11 Rationale: Text adapted from NEI 01-01 Section Section 5.3.1 to address the first comment in Section 4.3 above.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-38 the main elements of the design process. It provides information needed to 777 support the licensing evaluations, and it provides the context in which the 778 digital upgrade issues ultimately can be resolved. Failure analysis examines 779 what you do not want the system or device to do. 780 Failure analysis should not be a stand-alone activity, and it should not 781 generate unnecessary effort or excessive documentation. It is part of the 782 design process, and it can vary widely in scope depending on the extent and 783 complexity of the upgrade. It should be performed as part of plant design 784 procedures and should be documented as a part of the design process. 785 The purpose of the failure analysis is to ensure the system is designed with 786 consideration of potential failures and undesirable behaviors such that the 787 risk posed by these events is acceptable. Failure analysis should include the 788 following elements: 789 Identification of potential system-level failures and undesirable 790 behavior (which may not be technically "failures") and their 791 consequences. This includes consideration of potential single failures 792 as well as plausible common cause failures. 793 Identification of potential vulnerabilities, which could lead to system 794 failures or undesirable conditions. 795 Assessment of the significance and risk of identified vulnerabilities. 796 Identification of appropriate resolutions for identified vulnerabilities, 797 including provide means for annunciating system failures to the 798 operator. 799 A variety of methodologies and analysis techniques can be used in these 800 evaluations, and the scope of the evaluations performed and documentation 801 produced depends on the scope and complexity of the upgrade. The analysis 802 maintains a focus at the level of the design functions performed by the 803 system, because it is the effects of the failure on the system and the resulting 804 impact on the plant that are important. Failures that impact plant safety are 805 those thal could: prevent performance of a safety function of the system, 806 affect the ability of other systems to perform their safety functions, or lead to 807 plant trips or transients that could challenge safety systems. 808 Ultimately, the digital equipment is installed to support overall system 809 requirements, which in turn are necessary to support the plant system-level 810 requirements. It is generally at the plant system level that major functional 811 requirements exist to support plant safety and availability. Consequently, 812 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-39 failure analysis should start by identifying the system or "design function" 813 level functions, and examining how the digital equipment can cause these 814 functions not to be performed. 815 In addition to failures of the system to perform its function, other failures 816 such as spurious actions, challenges to safety systems, transient or accident 817 initiators, etc., should be examined. 818 Engineering Evaluation Topics Beneficial for Performing a 50.59 Evaluation 819 of Digital-Specific Adverse Effects 820 For digital modifications, attention should be given to the major things that 821 may be different in the new digital electronic equipment, for example: 822 In the preparation of responses to the Evaluation criteria, the outcomes from 823 the following engineering evaluation topics should be considered (as 824 necessary):
825 (1) Modes of Behaviour and Misbehaviour 826 (2) Combining of Functions 827 (3) Coupling of Functions (e.g., via digital communications) 828 (4) Potential for Increased Complexity 829 (5) System Architecture Changes 830 (6) Software 831 Items 1, 2, 3, & 5 have the most potential to create the possibility for 832 accidents of a different type and/or malfunctions with a different result. 833 Items 4 & 6 can make it more difficult to fully understand all aspects of the 834 modification. 835 Examples 836 Examples are provided to illustrate the guidance provided herein. Unless 837 stated otherwise, a given example only addresses the aspect or topic within 838 the section/sub-section in which it is included, sometimes at the deliberate 839 exclusion of other aspects or topics that, if considered, could potentially 840 change the Evaluation conclusion. 841 Many of the examples in this section involve the Main Feedwater (MFW) 842 System to illustrate concepts. The reason for selecting the MFW system is 843 that it is one of the few non-safety-related systems that, upon failure, can 844 initiate an accident. Furthermore, a failure of the MFW system is one of the 845 few malfunctions that are also accident initiators. 846 Commented [A51]: Source: ML13298A787 Modes of Beaviour and Misbehaviour - Concern 11 Combining of Functions - Concerns 5 & 7 Coupling of Functions - Concern 10 Complexity - Concern 1 Rationale: To address the first comment in Section 4.3 above, one must identify the important aspects to consider. Commented [A52]: Source: ML170170A089 Comment No. A6.
Rationale: Based on the definition of "accident" in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are tpicaly credited to miigate accidents.) Commented [A53]: Source: ML170170A089 Comment No. A6.
Rationale: Based on the definition of "accident" in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are tpicaly credited to miigate accidents.)
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-40 4.3.1 Does the Activity Result in More Than a Minimal Increase in the Frequency 847 of Occurrence of an Accident? 848 INTRODUCTION 849 From NEI 96-07, Section 3.2:
850 "The term 'accidents' refers to the anticipated (or abnormal) 851 operational transients and postulated design basis accidents..." 852 Therefore, for purposes of 10 CFR 50.59, both Anticipated Operational 853 Occurrences (AOOs) and Postulated Accidents (PAs) fall within the definition 854 of "accident." 855 After applying the generic guidance in NEI 96-07, Section 4.3.1 to identify 856 any accidents affected by the systems/components involved with the digital 857 modification and examining the initiators of those accidents, the impact on 858 the frequency of the initiator (and, hence, the accident itself) due to the 859 digital modification can be assessed. 860 All accident initiators fall into one of two categories: equipment-related or 861 personnel-related. Therefore, the assessment of the impact of a digital 862 modification also needs to consider both equipment-related and personnel-863 related sources. 864 For a digital modification, the range of possible equipment-related sources 865 includes items unique to digital and items not unique to digital. An example 866 of an item unique to digital is consideration of the impact on accident 867 frequency due to a software CCF, which will be addressed in the guidance in 868 this section. An example of an itempotential source of CCF that is not unique 869 to digital is consideration of the impact on accident frequency due to the 870 digital system's compatibility with the environment in which the system is 871 being installed, which would be addressed by applying the general guidance 872 for applicable regulatory requirements, and commitments other acceptance 873 criteria to which the licensee is committed, and departures from standards as 874 outlined in the general design criteria, as described discussed in NEI 96-07, 875 Section 4.3.1
, and Section 4.3.1, Example 2. 876 For a digital modification, the assessment for personnel-related sources will 877 consider the impact due to the Human-System Interface (HSI). 878 Typically, numerical values quantifying an accident frequency are not 879 available, so the qualitative approach using the causal relationship (i.e., 880 attributable (i.e., causal relationshipor not
) and the magnitude of the effect 881 Commented [A54]: Source: ML17170A089 Comment No. A34 Rationale: Please change "CCF" to "software CCF" as appropriate. CCF has always been, and continues to be, a regulatory concern, and it is addressed in many ways in the SARs (as is explained in Section 2 above). Commented [A55]: Source: ML17170A089 Comment No. A34 Rationale: CCF has always been, and continues to be, a regulatory concern, and it is addressed in many ways in the SARs (as is explained in Section 2 above). Commented [A56]: Source: ML17170A089 Comment No. A35 Rationale: By adding this text, the reference was change forom a general section reference, to a reference to the specific applicable paragraph and example (to be explicitly clear what part of 4.3.1 was being reffered to). The point is: Not meeting applicalbe technical criteria should be considered as "not compatible with 'not more then a minimal increase' " standard. Commented [A57]: Source: ML17170A089 Comment No. A40 Rationale: Clarification: The term attributable, since it is not defined, is used in the common English sence (i.e.,
indicationg causality).
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-41 (i.e., negligible/discernable (i.e., magnitude) criteria from NEI 96-07, Section 882 4.3.1 will be examined in the guidance in this section. 883 GUIDANCE 884 Factors to Consider and Address in the Response 885 1. Use of Software 886 Software developed in accordance with a defined life cycle process, and 887 complies with applicable industry standards and regulatory guidance does 888 not inherently result in more than a minimal increase in the frequency of an 889 accident . The design change process and the design documentation contain 890 the information that will be used to determine if software increases the 891 frequency of an accident. 892 2. Use of Digital Components (e.g., microprocessors in place of 893 mechanical devices) 894 NOTE: This factor is not unique to digital and would be addressed by 895 applying the guidance described in NEI 96-07, Section 4.3.1. 896 This factor is included here for completeness. 897 Digital components are expected to be more reliable than the equipment 898 being replaced. Aspects to be addressed include the following: compliance 899 with applicable regulations and industry standards; qualification for 900 environmental conditions (e.g., seismic, temperature, humidity, radiation, 901 pressure, and electromagnetic compatibility); performance requirements for 902 the plant-specific application; proper design of electrical power supplies; 903 cooling or ventilation for thermal loads; and separation, independence and 904 grounding. The design change process and the design documentation contain 905 the information that will be used to determine if the use of digital 906 components increases the frequency of an accident. 907 3. Creation of a Software Common Cause Failure (Software CCF) 908 An engineering evaluation of the quality design and design processes 909 determine s the likelihood of failure due to software via a common cause 910 failure and its potential impact on the frequency of an accident. The 911 engineering evaluation that assesses CCF likelihood includes the possible 912 outcomes (i.e., CCF likelihood is sufficiently low or CCF likelihood is not 913 sufficiently low).
This information is documented in the qualitative 914 assessment of the potential contributors to CCF and disposition of whether 915 Commented [PM58]: Placeholder for original NRC comment A58 Commented [A59]: Source: ML17170A089 Comment No. A37 Rationale: Sotware development proceses and software design are two distinct things, and each should be addressed separately. Commented [A60]: Source: (1) ML13298A787 - Concern 9 (2) ML17170A089 Comment No. A37 & A39 Rationale: Sotware development proceses and software design are two distinct things, and each should be addressed separately. Commented [A61]: Check to assure useage matches definition.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-42 the design effectively reduced the likelihood of the CCF to the extent that the 916 CCF can be considered not credible (e.g., in a CCF Susceptibility Analysis).
917 4. Intended Benefits of the Digital Component/System 918 NOTE: This factor is not unique to digital and would be addressed by 919 applying the guidance described in NEI 96-07, Section 4.3.1. 920 This factor is included here for completeness. 921 In addition to the expected hardware-related reliability improvements of the 922 physical devices themselves (addressed in factor 2 above), overall 923 improvements in the reliability of the performance of the digital 924 component/system, operational flexibility and/or maintenance-related 925 activities may also be achieved. The design documentation contains the 926 information that will be used to identify the intended benefits of the digital 927 component/system and possible impacts on the frequency of an accident. 928 5. Design Attributes/Features 929 Design attributes of the proposed digital modification are features that serve 930 to prevent or limit failures from occurring, or that mitigate the 931 results/outcomes of such possible failures. Factors to be considered include 932 the following items: 933
- Design Criteria (as applicable) (e.g., diversity, independence and 934 redundancy) 935
- Inherent Design Features for Software, Hardware or the 936 Architectural/Network (e.g., external watchdog timers, isolation 937 devices, segmentation, self-testing and self-diagnostic features) 938
- Non-concurrent Triggers 939
- Sufficiently Simple (i.e., enabling comprehensive testing) 940
- Unlikely Series of Events (e.g., the evaluation of a given digital 941 modification would need to postulate multiple independent random 942 failures in order to arrive at a state in which a SCCF is possible) 943
- Failure State (e.g., always known to be acceptable) 944 Determination of Causality (using Attributable (i.e., causality
) 945 If a CCF is determined to be not credible, then there is NO attributable 946 dicernable impact on the frequency of occurrence of an accident. Namely, if a 947 CCF is sufficiently unlikely to occur, then no mechanism for an attributable 948 discernable impact has been created. 949 If a CCF is determined to be credible, but the component/system is not an 950 accident initiator, then there is NO attributable impact on the frequency of 951 Formatted:
HighlightCommented [A62]: Should expand based on recent draft RIS after RIS language has been finalized. Commented [A63]: Source: ML17170A089 Comment No. A40 Rationale: This section uses the term "atributble" in the same way that it iuses Negligible/Dicernable; to indicate magnitude of effect. The wording was changed to more clearly indicate causality rather than magnitude of effect as is the convention in the standard English interpretation of "attributable".
Formatted:
HighlightCommented [A64]: Source: ML17170A089 Comment No. A40 Rationale: The word "attributable" is about causality and the word "discernable" is related to magnitude of effect. The term "not credible" means a suficently low probability (so that it need not be considered), not that it is imposible. Only if CCF is impossible can there be no attributable impact.
This paragraph should be moved after the next one, or moved to the next section.
Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-43 occurrence of an accident. Namely, even if a CCF does occur, there is no 952 relationship between the CCF and the accident initiator(s). 953 Example 4-12 illustrates the case of NO attributable impact on the frequency 954 of occurrence of an accident for a SSC not being an accident initiator. 955 Example 4-12. NO ATTRIBUTABLE Impact on the Frequency of Occurrence of an Accident Due to a SSC Not Being an Accident Initiator Proposed Activity Two safety-related containment chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. Affected Accidents and Accident Initiators The review of the UFSAR accident analyses identified the Loss of Coolant Accident (LOCA) and Main Steam Line Break (MSLB) events as containing requirements related to the safety-related containment chillers. Specifically, the UFSAR states the following: "To satisfy single failure requirements, the loss of only one control system and its worst-case effect on the containment post-accident environment due to the loss of one chiller has been considered in the LOCA and MSLB analyses." Therefore, the affected accidents are LOCA and MSLB. The UFSAR identified an equipment-related initiator in both cases as being a pipe break. For LOCA, the pipe break occurs in a hot leg or a cold leg. For MSLB, the pipe break occurs in the main steam line exiting the steam generator. Impact on Accident Frequency In this case, the safety-related containment chillers are not related to the accident initiators (i.e., pipe breaks). Furthermore, the chillers are only considered as part of accident mitigation; after the accidents have already occurred. Therefore, there is NO impact on the frequency of occurrence of the accidents that can be attributed to the digital modification. Commented [A65]: Source: ML17170A089 Comment No. A40 Rationale: This section uses the term "atributble" in the same way that it iuses Negligible/Dicernable; to indicate magnitude of effect. The wording was changed to more clearly indicate causality rather than magnitude of effect as is the convention in the standard English interpretation of "attributable".
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-44 If a CCF is determined to be credible and the component/system is an 956 accident initiator, then there is an attributable potential impact on the 957 frequency of occurrence of the accident. 958 Example 4-13 illustrates the case of an attributable potential impact on the 959 frequency of occurrence of an accident for the SSC being an accident initiator. 960 Example 4-13. ATTRIBUTABLE Potential Impact on the Frequency of Occurrence of an Accident Due to a SSC Being an Accident Initiator Proposed Activity Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. Affected Accident and Accident Initiators The affected accident is the Loss of Feedwater event. The UFSAR identifies the equipment-related initiators as being the loss of one MFWP or the closure of one MFWP flow control valve. Impact on Accident Frequency Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF causing the loss of both feedwater control systems (resulting in the loss of both MWFPs and/or the closure of both MFWP flow control valves) has been determined to be attributable credible. (i.e., Since the failure of the digital feedwater control systems can cause the loss of MFWPs or the closure of MFWP flow control valves, a potential impact on accident frequency due to the CCF can be attributed to the digital modification. Determination of Magnitude (using Negligible/Discernable) 961 Commented [A66]: Source: ML17170A089 Comment No. A40 Rationale: The word "attributable" is about causality and the word "discernable" is related to magnitude of effect. The term "not credible" means a suficently low probability (so that it need not be considered), not that it is imposible. Only if CCF is impossible can there be no attributable impact. Commented [A67]: Source: ML17170A089 Comment No. A40 Rationale: The word "attributable" is about causality and the word "discernable" is related to magnitude of effect. The term "not credible" means a suficently low probability (so that it need not be considered), not that it is imposible. Only if CCF is impossible can there be no attributable impact. Commented [A68]: Source: ML17170A089 Comment No. A40 Rationale: The word "attributable" is about causality and the word "discernable" is related to magnitude of effect. The term "not credible" means a suficently low probability (so that it need not be considered), not that it is imposible. Only if CCF is impossible can there be no attributable impact.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-45 For the case in which a CCF is credible and there is an attributable potential 962 impact on the frequency of occurrence of an accident, the magnitude portion 963 of the criteria (i.e., negligible/discernable) also needs to be assessed. 964 To determine the overall effect of the digital modification on the frequency of 965 an accident, examination of all the factors associated with the digital 966 modification and their interdependent relationship need to be considered. 967 To achieve a negligible conclusion, the examination of all the factors would 968 conclude that the net change in the accident frequency "...is so small or the 969 uncertainties in determining whether a change in frequency has occurred are 970 such that it cannot be reasonably concluded that the frequency has actually 971 changed (i.e., there is no clear trend toward increasing the frequency)" 972 [emphasis added] due to the net effect of the factors considered (i.e., use of 973 software, use of digital components, creation of a software CCF , intended 974 benefits and design attributes/features). 975 Alternately, if the net effects are such that a clear trend towards increasing 976 the frequency would result, a discernable increase in the accident frequency 977 would exist. However, to remain consistent with the guidance provided in 978 NEI 96-07, Section 4.3.1, a discernable increase in the accident frequency 979 maywould NOT be more than minimal if applicable NRC requirements, as 980 well as design, material, and construction standards, to which the licensee is 981 committed, continue to bewere not met. 982 Examples 4-14 and 4-15 will examine the magnitude portion (i.e., 983 negligible/discernable) of the criteria and assume the attributable portion of 984 the criteria has been satisfied. 985 Example 4-14 illustrates the NEGLIGIBLE impact case. 986 Example 4-14. NEGLIGIBLE Impact on the Frequency of Occurrence of an Accident Proposed Activity Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the Commented [A69]: Source: ML17170A089 Comment No. A40 Rationale: The word "attributable" is about causality and the word "discernable" is related to magnitude of effect. The term "not credible" means a suficently low probability (so that it need not be considered), not that it is imposible. Only if CCF is impossible can there be no attributable impact. Commented [A70]: Source: ML17170A089 Comment No. A45 & A46 Rationale: Standards are generally design neutral. That is problems could occur due to (1) not meeting standards, and (2) poor design. Standards are only one of the criteria that can cause increases, so meeting all design standards may not be enough; however, failing to meet standards may be ok, but must be reviewed by the NRC staff.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-46 same. Attributable Conclusion See Example 4-13. Magnitude Conclusion Factors Considered: 1. Software - Developed in accordance with a defined life cycle process, and complies with applicable industry standards and regulatory guidance 2. Digital Components - More reliable, comply with all applicable standards, and meet all applicable technical requirements 3. CCF - Not Credible 4. Benefits - Reliability and performance increased 5. Design Attributes/Features - [LATER] The net change in the frequency of occurrence of the Loss of Feedwater event is negligible due to the net effect of the factors considered. Overall Conclusion Although an attributable impact on the frequency of occurrence of the Loss of Feedwater event was determined to exist, there was no clear trend toward increasing the frequency. With no clear trend toward increasing the frequency, there is not more than a minimal increase in the frequency of occurrence of the accident due to the digital modification. Example 4-15 illustrates the DISCERNABLE increase case. 987 Example 4-15. DISCERNABLE Increase in the Frequency of Occurrence of an Accident Proposed Activity Same as Example 4-14. Attributable Conclusion Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-47 See Example 4-13. Magnitude Conclusion Factors Considered: 1. Software - Same as Example 4-14. 2. Digital Components - Same as Example 4-14. 3. CCF - Credible 4. Benefits - Same as Example 4-14. 5. Design Attributes/Features - Same as Example 4-14 Requirements/Standards Consideration All applicable NRC requirements, as well as design, material and construction standards, continue to be met. The net change in the frequency of occurrence of the Loss of Feedwater event is discernable due to the net effect of the factors considered. Overall Conclusion An attributable impact on the frequency of occurrence of the Loss of Feedwater event was determined to exist and there is a clear trend towards increasing the frequency. The clear trend toward increasing the frequency (i.e., the discernable increase) is due to the CCF being credible. However, even with a clear trend towards increasing the frequency, the satisfaction of all applicable NRC requirements, as well as design, material and construction standards, means that there is NOT more than a minimal increase in the frequency of occurrence of the accident due to the digital modification.
988 Formatted:
Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-48 HUMAN-SYSTEM INTERFACE ASSESSMENT 989 If no personnel-based initiators (e.g., operator error) are identified among the 990 accident initiators, then an increase in the frequency of the accident cannot 991 occur due to the Human-System Interface portion of the digital modification. 992 If personnel-based initiators (e.g., operator error) are identified among the 993 accident initiators, then the application of the attributable criterion and the 994 magnitude criterion (i.e., negligible/discernable) are assessed utilizing the 995 guidance described in NEI 96-07, Section 4.3.1. 996 4.3.2 Does the Activity Result in More Than a Minimal Increase in the Likelihood 997 of Occurrence of a Malfunction of an SSC Important to Safety? 998 INTRODUCTION 999 After applying the generic guidance in NEI 96-07, Section 4.3.2 to identify 1000 any malfunctions affected by the systems/components involved with the 1001 digital modification and examining the initiators of those malfunctions, the 1002 impact on the likelihood of the initiator (and, hence, the malfunction itself) 1003 due to the digital modification can be assessed. 1004 All malfunction initiators fall into one of two categories: equipment-related 1005 or personnel-related. Therefore, the assessment of the impact of a digital 1006 modification also needs to consider both equipment-related and personnel-1007 related sources. 1008 For a digital modification, the range of possible equipment-related sources 1009 includes items unique to digital and items not unique to digital. An example 1010 of an item unique to digital is consideration of the impact on malfunction 1011 likelihood due to a software CCF, which will be addressed in the guidance in 1012 this section. An example of an item not unique to digital is consideration of 1013 the impact on malfunction likelihood due to the digital system's compatibility 1014 with the environment in which the system is being installed, which would be 1015 addressed by applying the guidance described in NEI 96-07, Section 4.3.2. 1016 For a digital modification, the assessment for personnel-related sources will 1017 consider the impact due to the Human-System Interface (HSI). 1018 Typically, numerical values quantifying a malfunction likelihood are not 1019 available, so the qualitative approach using the attributable and the 1020 magnitude (i.e., negligible/discernable) criteria from NEI 96-07, Section 4.3.2 1021 will be examined in the guidance in this section. 1022 GUIDANCE 1023 Commented [A71]: Make same changes as in 6th paragraph of the introduction of Section 4.3.1.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-49 Factors to Consider and Address in the Response 1024 1. Use of Software 1025 Software developed in accordance with a defined life cycle process, and 1026 complies with applicable industry standards and regulatory guidance does 1027 not result in more than a minimal increase in the likelihood of a malfunction. 1028 The design change process and the design documentation contain the 1029 information that will be used to determine if software increases the likelihood 1030 of a malfunction. 1031 2. Use of Digital Components (e.g., microprocessors in place of 1032 mechanical devices) 1033 NOTE: This factor is not unique to digital and would be addressed by 1034 applying the guidance described in NEI 96-07, Section 4.3.2. 1035 This factor is included here for completeness. 1036 Digital components are expected to be more reliable than the equipment 1037 being replaced. Aspects to be addressed include the following: compliance 1038 with applicable regulations and industry standards; qualification for 1039 environmental conditions (seismic, temperature, humidity, radiation, 1040 pressure, and electromagnetic compatibility); performance requirements for 1041 the plant-specific application; proper design of electrical power supplies; 1042 cooling or ventilation for thermal loads; and separation, independence and 1043 grounding. The design change process and the design documentation contain 1044 the information that will be used to determine if the use of digital 1045 components increases the likelihood of a malfunction. 1046 3. Creation of a Software Common Cause Failure 1047 An engineering evaluation of the quality and design processes determines the 1048 likelihood of failure due to software via a common cause failure and its 1049 potential impact on the likelihood of a malfunction. This information is 1050 documented in the qualitative assessment of the potential contributors to 1051 CCF and disposition of whether the design effectively reduced the likelihood 1052 of the CCF to the extent that the CCF can be considered not credible (e.g., in 1053 a CCF Susceptibility Analysis).
1054 1055 Example 6 1056 1057 The change would reduce system/equipment redundancy, diversity, 1058 separation or independence
. 1059 Commented [A72]: Reword in similar manner as in Section 4.3.1, after agreement is reached there. Commented [A73]: Reword in similar manner as in Section 4.3.1, after agreement is reached there.
Formatted:
HighlightCommented [A74]: Reword in similar manner as in Section 4.3.1, after agreement is reached there. Commented [A75]: Source NEI 96-07r1. Also revise to reflect the following from the 50.59 Q&A document.:
Section 4.3.2 of NEI 96-07, R1, says that a change that reduces system/equipment redundancy, diversity, separation or independence requires prior NRC approval. Does this mean reductions from redundancy, diversity, separation or independence described in the UFSAR? Or is prior NRC approval required only if the change reduces redundancy, diversity, separation or independence below the level required by the regulations?
A. A change that reduces redundancy, diversity, separation or independence of UFSAR-described design functions is considered more than a minimal increase in the likelihood of malfunction and requires prior NRC approval. Licensees may, however, without prior NRC approval, reduce excess redundancy, diversity, separation or independence, if any, to the level credited in the UFSAR.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-50 A change that reduces redundancy, diversity, separation or independence of 1060 UFSAR-described design functions is considered more than a minimal 1061 increase in the likelihood of malfunction and requires prior NRC approval. 1062 Licensees may, however, without prior NRC approval, reduce excess 1063 redundancy, diversity, separation or independence, if any, to the level 1064 credited in the UFSAR. "As credited in the safety analysis" is discussed in 1065 NEI 96-07, Section 3.3.
1066 4. Intended Benefits of the Digital Component/System 1067 NOTE: This factor is not unique to digital and would be addressed by 1068 applying the guidance described in NEI 96-07, Section 4.3.2. 1069 This factor is included here for completeness. 1070 In addition to the expected hardware-related reliability improvements of the 1071 physical devices themselves (addressed in factor 2 above), overall 1072 improvements in the reliability of the performance of the digital 1073 component/system, operational flexibility and/or maintenance-related 1074 activities may also be achieved. The design documentation contains the 1075 information that will be used to identify the intended benefits of the digital 1076 component/system and possible impacts on the likelihood of a malfunction. 1077 5. Design Attributes/Features 1078 Design attributes of the proposed digital modification are features that serve 1079 to prevent or limit failures from occurring, or that mitigate the 1080 results/outcomes of such possible failures. Factors to be considered include 1081 the following items: 1082
- Design Criteria (as applicable) (e.g., diversity, independence and 1083 redundancy) 1084
- Inherent Design Features for Software, Hardware or the 1085 Architectural/Network (e.g., external watchdog timers, isolation 1086 devices, segmentation, self-testing and self-diagnostic features) 1087
- Non-concurrent Triggers 1088
- Sufficiently Simple (i.e., enabling comprehensive testing) 1089
- Unlikely Series of Events (e.g., the evaluation of a given digital 1090 modification would need to postulate multiple independent random 1091 failures in order to arrive at a state in which a SCCF is possible) 1092
- Failure State (e.g., always known to be acceptable) 1093 Determination of Attributable 1094 If a CCF is determined to be not credible, then there is NO attributable 1095 impact on the likelihood of occurrence of a malfunction. Namely, if a CCF is 1096 Commented [A76]: Reword in similar manner as in Section 4.3.1, after agreement is reached there.
Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-51 sufficiently unlikely to occur, then no mechanism for an attributable impact 1097 has been created. 1098 If a CCF is determined to be credible, but the component/system is not a 1099 malfunction initiator, then there is NO attributable impact on the likelihood 1100 of occurrence of a malfunction. Namely, even if a CCF does occur, there is no 1101 relationship between the CCF and the malfunction initiator(s). 1102 Example 4-16 illustrates a case of NO attributable impact on the likelihood of 1103 occurrence of a malfunction for a SSC not being a malfunction initiator. 1104 Example 4-16. NO ATTRIBUTABLE Impact on the Likelihood of Occurrence of a Malfunction Due to a SSC Not Being a Malfunction Initiator Proposed Activity Two safety-related containment chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. Affected Malfunctions and Malfunction Initiators The affected malfunction is the failure of one safety-related containment chiller. The UFSAR identifies two equipment-related initiators: (a) failure of the Emergency Diesel Generator (EDG) to start (preventing the EDG from supplying electrical power to the containment chiller it powers), (b) an electrical failure associated with the chiller system (e.g., feeder breaker failure) or a mechanical failure within the chiller itself (e.g., flow blockage). Impact on Malfunction Likelihood In this case, the safety-related chiller control system is not related to the malfunction initiators (i.e., EDG failure, breaker failure or chiller failure). ThereforeHowever,, there is NO may be an impact on the likelihood of occurrence of the malfunction that can be attributed to the digital modification. If a CCF is determined to be credible and the component/system is a 1105 malfunction initiator, then there is an attributable potential impact on the 1106 likelihood of occurrence of the malfunction. 1107 Formatted:
HighlightCommented [A77]: Reword in similar manner as in Section 4.3.1, after agreement is reached there. Commented [A78]: Source: ML17170A089 Comment No. A40 Rationale: Consistent with use of "attributable" to as indication causality. Commented [A79]: Source: ML17170A089 Comment No. A40 Rationale: Consistent with use of "attributable" to as indication causality. Commented [A80]: Make similar to words in Section 4.3.1.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-52 Example 4-17 illustrates the case of an attributable potential impact on the 1108 likelihood of occurrence of a malfunction for the SSC being a malfunction 1109 initiator.
1110 Example 4-17. ATTRIBUTABLE Potential Impact on the Likelihood of Occurrence of a Malfunction Due to a SSC Being a Malfunction Initiator Proposed Activity Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. Affected Malfunction and Malfunction Initiator The affected malfunction is the loss of a MFWP or the closure of a MFWP flow control valve. The UFSAR identifies an equipment-related initiator as involving the failure of a feedwater control system. Impact on Malfunction Initiator Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF causing the loss of both feedwater control systems (resulting in the loss of both MWFPs and/or the closure of both MFWP flow control valves) has been determined to be credible. Since the failure of the feedwater control systems can cause the loss of MFWPs or the closure of MFWP flow control valves, a potential impact on malfunction likelihood due to the CCF can be attributed to the digital modification. Determination of Magnitude (using Negligible/Discernable) 1111 For the case in which a CCF is credible and there is an attributable potential 1112 impact on the likelihood of occurrence of a malfunction, the magnitude 1113 portion of the criteria (i.e., negligible/discernable) also needs to be assessed. 1114 Formatted:
HighlightCommented [A81]: Source: ML17170A089 Comment No. A40 Rationale: Consistent with use of "attributable" to as indication causality.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-53 To determine the overall effect of the digital modification on the likelihood of 1115 a malfunction, examination of all the factors associated with the digital 1116 modification and their interdependent relationship need to be considered. 1117 To achieve a negligible conclusion, the examination of all the factors would 1118 conclude that the net change in the malfunction likelihood "...is so small or 1119 the uncertainties in determining whether a change in likelihood has occurred 1120 are such that it cannot be reasonably concluded that the likelihood has 1121 actually changed (i.e., there is no clear trend toward increasing the 1122 likelihood)
"[emphasis added] due to the net effect of the factors considered 1123 (i.e., use of software, use of digital components, creation of a software CCF
, 1124 intended benefits and design attributes/features). 1125 Alternately, if the net effects are such that a clear trend towards increasing 1126 the likelihood would result, a discernable increase in the malfunction 1127 likelihood would exist. However, to remain consistent with the guidance 1128 provided in NEI 96-07, Section 4.3.2, a discernable increase in the 1129 malfunction likelihood would NOT be more than minimal if applicable NRC 1130 requirements, as well as design, material, and construction standards, 1131 continue to be met. 1132 Examples 4-18 and 4-19 will examine the magnitude portion (i.e., 1133 negligible/discernable) of the criteria and assume the attributable portion of 1134 the criteria has been satisfied. 1135 Commented [A82]: Change to be the same as Section 4.3.1 wording after agreement is reached.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-54 Example 4-18 illustrates the NEGLIGIBLE impact case. 1136 Example 4-18. NEGLIGIBLE Impact in the Likelihood of Occurrence of a Malfunction Proposed Activity Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. Attributable Conclusion See Example 4-17. Magnitude Conclusion Factors Considered: 1. Software - Developed in accordance with a defined life cycle process, and complies with applicable industry standards and regulatory guidance 2. Digital Components - More reliable, comply with all applicable standards, and meet all applicable technical requirements 3. CCF - Not Credible 4. Benefits - Reliability and performance increased 5. Design Attributes/Features - [LATER] The net change in the likelihood of occurrence of the loss of a MFWP or the closure of a MFWP flow control valve initiated by the failure of a feedwater control system is negligible due to the net effect of the factors considered. Overall Conclusion Although an attributable impact on the likelihood of occurrence of the loss of a MFWP or the closure of a MFWP flow control valve was determined to Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-55 exist, there was no clear trend toward increasing the likelihood. With no clear trend toward increasing the likelihood, there is not more than a minimal increase in the likelihood of occurrence of the malfunctions due to the digital modification. Example 4-19 illustrates the DISCERNABLE increase case. 1137 Example 4-19. DISCERNABLE Increase in the Likelihood of Occurrence of a Malfunction Proposed Activity Two safety-related main control room chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. The logic components/system and controls for the starting and operation of the safety injection pumps are located within the main control room boundary. The environmental requirements associated with the logic components/system and controls are maintained within their allowable limits by the main control room cooling system, which includes the chillers involved with this digital modification. Affected Malfunction and Malfunction Initiator The review of the UFSAR accident analyses identified several events for which the safety injection pumps are assumed to start and operate (as reflected in the inputs and assumptions to the accident analyses). In each of these events, the UFSAR states the following: "To satisfy single failure requirements, the loss of only one control system and its worst-case effect on the event due to the loss of one chiller has been considered in the accident analyses." Attributable Conclusion In this case, the safety-related main control room chiller control system is related to a malfunction initiator (i.e., loss of logic and/or operation function) of the safety injection pumps. Therefore, there is a potential impact on the likelihood of occurrence of the malfunction that can be attributed to the NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-56 digital modification. Magnitude Conclusion Factors Considered: 1. Software - Developed in accordance with a defined life cycle process, and complies with applicable industry standards and regulatory guidance 2. Digital Components - More reliable, comply with all applicable standards, and meet all applicable technical requirements 3. CCF - Credible 4. Benefits - Reliability and performance increased 5. Design Attributes/Features - [LATER]. The net change in the likelihood of occurrence of the malfunction of both safety injection pumps is discernable due to the net effect of the factors considered. Requirements/Standards Consideration Single failure criteria are no longer met. Overall Conclusion An attributable impact on the likelihood of occurrence of the malfunction of both safety injection pumps was determined to exist and there is a clear trend toward increasing the likelihood. The clear trend toward increasing the likelihood (i.e., the discernable increase) is due to the CCF being credible, which does not satisfy the NRC requirements associated with systems/components that must satisfy single failure requirements. With a clear trend toward increasing the likelihood and the failure to satisfy an NRC requirement, there is more than a minimal increase in the likelihood of occurrence of the malfunction of both safety injection pumps due to the digital modification.
1138 HUMAN-SYSTEM INTERFACE ASSESSMENT 1139 Formatted:
Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-57 If no personnel-based initiators (e.g., operator error) are identified among the 1140 accident initiators, then an increase in the likelihood of the malfunction 1141 cannot occur due to the Human-System Interface portion of the digital 1142 modification. 1143 If personnel-based initiators (e.g., operator error) are identified among the 1144 malfunction initiators, then the application of the attributable criterion and 1145 the magnitude criterion (i.e., negligible/discernable) are assessed utilizing the 1146 guidance described in NEI 96-07, Section 4.3.2. 1147 1148 4.3.3 Does the Activity Result in More Than a Minimal Increase in the 1149 Consequences of an Accident? 1150 There is no unique guidance applicable to digital modifications for responding 1151 to this Evaluation criterion because the identification of affected accidents 1152 and dose analysis inputs and/or assumptions are not unique for a digital 1153 modification. The guidance in NEI 96-07, Section 4.3.3 applies. 1154 1155 4.3.4 Does the Activity Result in More Than a Minimal Increase in the 1156 Consequences of a Malfunction? 1157 There is no unique guidance applicable to digital modifications for responding 1158 to this Evaluation criterion because the identification of the affected 1159 malfunctions and dose analysis inputs and/or assumptions are not unique for 1160 a digital modification. The guidance in NEI 96-07, Section 4.3.4 applies. 1161 1162 4.3.5 Does the Activity Create a Possibility for an Accident of a Different Type? 1163 INTRODUCTION 1164 From NEI 96-07, Section 3.2:
1165 "The term 'accidents' refers to the anticipated (or abnormal) 1166 operational transients and postulated design basis accidents..." 1167 Therefore, for purposes of 10 CFR 50.59, both Anticipated Operational 1168 Occurrences (AOOs) and Postulated Accidents (PAs) fall within the definition 1169 of "accident." 1170 From NEI 96-07, Section 4.3.5, the two considerations that need to be 1171 assessed when answering this Evaluation question are credible and 1172 bounded/related. 1173 Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-58 GUIDANCE 1174 Determination of Credible 1175 From NEI 96-07, Section 4.3.5: 1176 "The possible accidents of a different type are limited to those that are 1177 as likely to happen as those previously evaluated in the UFSAR. The 1178 accident must be credible in the sense of having been created within 1179 the range of assumptions previously considered in the licensing basis 1180 (e.g., random single failure, loss of off-site power, etc.)." 1181 Hence, "credible" accidents are defined as those as likely as the accidents 1182 already assumed in the UFSAR. 1183 If a CCF likelihood is determined to be not crediblesufficiently low, then the 1184 creation of a possibility for an accident of a different type is NOT credible 1185 because there is no mechanism for the possibility of an accident of a different 1186 type to be created and possible accidents of a different type are limited to 1187 those that are as likely to happen as those previously evaluated in the 1188 UFSAR.2 1189 If a CCF likelihood is determined to be crediblenot sufficiently low, then the 1190 creation of a possibility for an accident of a different type is credible. 1191 Determination of Bounded/Related 1192 For the case in which a CCF an accident of a different type is credible, the 1193 bounded/related portion of the criteria also needs to be assessed. 1194 Events/sequences currently considered in the UFSAR form the basis for 1195 comparison of events, which makes it possible to identify and evaluate the 1196 limiting case. 1197 The UFSAR evaluates a broad spectrum of accidents (i.e., initiating events 1198 and the sequences that result from various combinations of plant and safety 1199 systems response). Accidents are categorized according to expected frequency 1200 of occurrence and by type. The accident type is defined by its effect on the 1201 plant (e.g., decrease in heat removal by the secondary system, increase in 1202 heat removal by the secondary system, etc.). Characterization of accidents by 1203 type provides a basis for comparison based on events/sequences, which makes 1204 2 Refer to NEI 96-07, Section 4.3.5, 3 rd paragraph.
Formatted:
Highlight Formatted:
Highlight Formatted: Font: Not Italic, Highlight Formatted:
Highlight Formatted: Font: Not Italic, Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-59 it possible to identify and evaluate the limiting cases (i.e., the cases that can 1205 challenge the analysis acceptance criteria) and eliminate non-limiting cases 1206 from further consideration. 1207 Therefore, a new accident that is of the same type (i.e., its effect on the plant 1208 is the same)
, and is within the same expected frequency of occurrence , and 1209 results meets the bounded criterion. Alternately, For a new accident that is 1210 NOT of the same type, if: (i.e., its effect on the plant is different)
, and/or is 1211 NOT within the same expected frequency of occurrence
, or result does NOT 1212 meet the bounded criterion does not apply. 1213 Accidents of a different type are credible accidents that the proposed activity 1214 could create that have an impact on the type of events/sequences previously 1215 evaluated in the UFSAR. Namely, a different/new accident analysis would be 1216 needed for this different type of accident, not justor a revision of a current 1217 accident analysis. 1218 Therefore, a different/new accident analysis would NOT be related to an 1219 event already been analyzed. Alternately, the revision of a current accident 1220 analysis would be related to an event already analyzed, and a determination 1221 is needed if the already analyzed events bounds the new event in both 1222 frequency and results. 1223 Example 4-20 illustrates the NO CREATION of the possibility of an accident 1224 of a different type case. 1225 Example 4-20. NO CREATION of the Possibility of an Accident of a Different Type Proposed Activity Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. Malfunction / Accident Initiator The malfunction/accident initiator identified in the UFSAR for the Commented [PM83]: Placeholder for original NRC comment A83.
Formatted:
HighlightCommented [A84]: Source: ML17170A089 Comment No. A67 & A69 Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187. Commented [A85]: Source: ML17170A089 Comment No. A67 & A69 Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187. Commented [A86]: Source: ML17170A089 Comment No. A67 & A69 Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187. Commented [A87]: Source: ML17170A089 Comment No. A67 & A69 Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-60 analog main feedwater control system is the loss of onemain feedwater pump (out of two pumps) due to the loss of one feedwater control system. Accident Frequency and Type The pertinent accident is the Loss of Feedwater event. The characteristics of the Loss of Feedwater event are as follows: Type of Accident - Decrease in Heat Removal by the Secondary System Accident Category - Infrequent Incident Credible Conclusion Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF causing the loss of both feedwater control systems (resulting in the loss of both MWFPs) has been determined to be credible. Therefore, in this case, a new accident has been created. Bounded/Related Conclusion Although the CCF causes the loss of both feedwater pumps, potentially challenging the analysis acceptance criteria (which is the focus of Evaluation Question #7), the loss of both feedwater pumps still causes the same type of accident (i.e., a decrease in heat removal by the secondary system). As identified in the UFSAR, the Loss of Feedwater event considered the loss of one main feedwater pump, allowing the safety analysis to credit a certain amount of flow from the remaining operational feedwater pump. Even though the CCF could disable both feedwater pumps, the accident type and category remain may not be bounded by a related accident because the new event would not require a "new" accident analysis, only a revision to the input parameter(s) and/or assumption(s) used in the current Loss of Feedwater accident analysis related to the operational status of the feedwater pumps. Therefore, the proposed activity does notmay create the possibility of an accident of a different type. Example 4-21 illustrates the CREATION of the possibility of an accident of a 1226 different type case. 1227 Formatted:
Highlight Formatted:
HighlightCommented [A88]: Source: ML17170A089 Comment No. A67 & A69 Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-61 Example 4-21. CREATION of the Possibility of an Accident of a Different Type Proposed Activity Two non-safety-related analog feedwater control systems and one non-safety-related main turbine steam-inlet valves analog control system exist. The two feedwater control systems and the one main turbine steam-inlet valves control system will be combined into a single digital control system. Malfunction / Accident Initiator The identified feedwater control system malfunctions include (a) failures causing the loss of all feedwater to the steam generators [evaluated in the Loss of Feedwater event] and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs [evaluated in the Excess Feedwater event]. The identified main turbine steam-inlet valve control system malfunctions include (a) all valves going fully closed causing no steam to be admitted into the turbine [evaluated in the Loss of Load event] and (b) all valves going fully open causing excess steam to be admitted into the turbine [evaluated in the Excess Steam Demand event]. Accident Frequency and Type The characteristics of the pertinent accidents are as follows: Loss of Feedwater: Type of Accident - Decrease in Heat Removal by the Secondary System Accident Category - Infrequent Incident Excess Feedwater: Type of Accident - Increase in Heat Removal by the Secondary System Accident Category - Moderate Frequency Incident Loss of Load:
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-62 Type of Accident - Decrease in Heat Removal by the Secondary System Accident Category - Moderate Frequency Incident Excess Steam Demand: Type of Accident - Increase in Heat Removal by the Secondary System Accident Category - Moderate Frequency Incident Credible Conclusion Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF impacting both the feedwater control systems and the main turbine steam-inlet valves control system has been determined to be credible. Therefore, in this case, the following conditions are credible: (1) Loss of both feedwater pumps (2) Increase in main feedwater flow to the maximum output from both MFWPs. (3) All main turbine steam-inlet valves going fully closed (4) All main turbine steam-inlet valves going fully open (5) Combination of (1) and (3) (6) Combination of (1) and (4) (7) Combination of (2) and (3) (8) Combination of (2) and (4) Conditions (1) though (4) are already considered in the UFSAR, so these do not create a new accident. Since conditions (1) through (4) do not create a new accident, they do not create the possibility for an accident of a different type. Formatted:
Highlight Formatted:
Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-63 Conditions (5) through (8) are not considered in the UFSAR, so four new accidents have been created. Bounded/Related Conclusion Based on the current set of accidents identified in the UFSAR, the UFSAR accident analyses do not consider a simultaneous Feedwater event (i.e., Loss of Feedwater or Excess Feedwater) with a Main Steam event (i.e., Excess Steam Demand or Loss of Load). Condition (5) still causes a decrease in heat removal by the secondary system.Condition (6) involves both a decrease and an increase in heat removal by the secondary system. Condition (7) involves both a decrease and an increase in heat removal by the secondary system. Condition (8) still causes an increase in heat removal by the secondary system. The new accidents created in Conditions (5) though (8) are NOT bounded by a related accident because new accident analyses will be needed. Therefore, the proposed activity does create the possibility of an accident of a different type.
1228 4.3.6 Does the Activity Create a Possibility for a Malfunction of an SSC Important 1229 to Safety with a Different Result? 1230 INTRODUCTION 1231 From NEI 96-07, Section 4.3.6, the two considerations that need to be 1232 assessed when answering this question are credible as likely to happen as 1233 those described in the UFSAR and bounded. 1234 GUIDANCE 1235 Determination of Credible as likely to happen as those described in the 1236 UFSAR 1237 From NEI 96-07, Section 4.3.6: 1238 "The possible malfunctions with a different result are limited to those 1239 that are as likely to happen as those described in the UFSAR." 1240 Formatted:
Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-64 If a CCF likelihood is determined to be not credible sufficiently low, then the 1241 creation of a possibility for a malfunction with a different result is NOT 1242 credibleas likely to happen as those described in the UFSAR because there is 1243 no mechanism for the possibility of a malfunction with a different result to be 1244 created and possible malfunctions with a different result are limited to those 1245 that are as likely to happen as those previously evaluated in the UFSAR
.3 1246 If a CCF likelihood is determined to be crediblenot sufficiently low, then the 1247 creation of a possibility for a malfunction with a different result is credible as 1248 likely to happen as those described in the UFSAR. 1249 Determination of Bounded 1250 For the case in which a CCF possibility for a malfunction with a different 1251 result is credible as likely to happen as those described in the UFSAR, the 1252 bounded portion of the criteria also needs to be assessed. 1253 Types of Malfunctions to be Considered: 1254 NEI 96-07, Section 4.3.6 states: 1255 "In evaluating a proposed activity against this criterion, the 1256 types and results of failure modes of SSCs that have previously 1257 been evaluated in the UFSAR and that are affected by the 1258 proposed activity should be identified. This evaluation should 1259 be performed consistent with any failure modes and effects 1260 analysis (FMEA) described in the UFSAR, recognizing that 1261 certain proposed activities may require a new FMEA to be 1262 performed." [emphasi s added] 1263 Based on this excerpt, both previously-evaluated malfunctions and new 1264 malfunctions need to be considered when developing the response to this 1265 Evaluation question. Typically, a new FMEA will be necessary for a digital 1266 modification since the original considerations for malfunctions did not take 1267 into account the unique aspects of a digital modification (e.g., the possibility 1268 of a software CCF). 1269 Sources of Results: 1270 NEI 96-07, Section 4.3.6 states: 1271 3 Refer to NEI 96-07, Section 4.3.6, 4 th paragraph.
Formatted:
Highlight Formatted:
Highlight Formatted:
Highlight Formatted:
Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-65 "Attention must be given to whether the malfunction was 1272 evaluated in the accident analyses at the component level or the 1273 overall system level." [emphasis added] 1274 Accident analyses are typically included and described in UFSAR 1275 Chapters 6 and 15 (or equivalent). 1276 The phrase "was evaluated in the accident analyses" refers to how the 1277 malfunction was addressed in the accident analysis (e.g., failure to perform a 1278 design function, failure to cease performing a design function, etc.) and the 1279 level at which the malfunction was addressed in the accident analysis (e.g., 1280 component, train, system, etc.). 1281 Types of Results: 1282 In NEI 96-07, Section 4.3.6, the second bullet/example after the first 1283 paragraph states: 1284 "If a feedwater control system is being upgraded from an analog 1285 to a digital system, new components may be added that could 1286 fail in ways other than the components in the original design. 1287 Provided the end result of the component or subsystem failure is 1288 the same as, or is bounded by, the results... of malfunctions 1289 currently described in the UFSAR (i.e., failure to maximum 1290 demand, failure to minimum demand, failure as-is, etc.)..., 1291 then...[the activity]
...would not create a 'malfunction with a 1292 different result'." [emphasis added] 1293 Many types of results can be described in a UFSAR. The focus on the end 1294 result implies the effect of the failure mode is what is important not the 1295 failure mechanismthe possible existence of other non-end results. For clarity, 1296 all results other than the end result will be identified as intermediate results. 1297 No intermediate results need to be considered.
1298 As a general example, consider the following possible levels of malfunction 1299 results that could be described in a UFSAR: 1300
- Failure Mechanism - new failure mechanisms for existing failure 1301 modes do not produce different results 1302
- Failure Mode - new failure modes need to be evaluated to determined 1303 whether their effect is a different result 1304
- Component Level Result 1305 Commented [A89]: Source: NEI 96-07 Page 54. Rational: Complete quotation is needed so that intent is cearly understood. Commented [A90]: Source: NEI 96-07 Page 54. Rationale: Intent of quotation is clarified.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-66
- System Level Result (from the component level malfunction) 1306
- Plant Level Result (from the system level malfunction) 1307 In this generalized example, the Component Level and System Level results 1308 would be considered intermediate results and the Plant Level result would be 1309 considered the end result. Only the Plant Level result is pertinent and needs 1310 to be considered when determining if the possibility of a malfunction with a 1311 different result has been created.
1312 Example 4-22 illustrates the NO CREATION of the possibility of a 1313 malfunction with a different result case. 1314 Example 4-22. NO CREATION of the Possibility of a Malfunction with a Different Result Proposed Activity Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. Malfunction / Accident A malfunction identified in the UFSAR for the analog main feedwater control systems involves the loss of one main feedwater pump (out of two pumps), which is evaluated in the Loss of Feedwater accident analysis. Credible Conclusion Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF impacting both feedwater control systems has been determined to be credible.Bounded Conclusion Commented [A91]: Source: NEI 96-07 Page 54. Rationale: Intent of quotation is clarified.
Formatted:
Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-67 Types of Malfunctions: A CCF can cause the loss of both main feedwater pumps. Source of Result: Currently, the malfunction of the MFWP is evaluated to "stop" and the malfunction is evaluated at the component level (i.e., the "pump" is assumed to stop). Assuming the CCF occurs, the malfunction will continue to be evaluated as the "stopping" of MFWPs and the level of the malfunction remains at the component level (i.e., the "pump"). Type of Result: The UFSAR identifies the malfunction of one main feedwater pump as causing a reduction in flow (intermediate resultmode & effect) to the steam generators, which initiates a Loss of Feedwater event (end result). The loss of both main feedwater pumps causes no flow to the steam generators ("new" intermediate mode & effectresult), which still initiates the Loss of Feedwater event ("new" end result);therefore,. a loss of feedwater accident analysis should be performed to determine whether any of the limiting criteria have been exceeded.
In both instances, the end result is the Loss of Feedwater event. Overall Conclusion Although tThe impact of the intermediate result on the accident analysis acceptance criteria is most likely more severe (by going from the loss of one pump to the loss of both pumps), the result of the CCF is NOT bounded. Therefore, the proposed activity does NOT create the possibility of a malfunction with a different result. Example 4-23 illustrates the CREATION of the possibility of a malfunction 1315 with a different result case. 1316 Commented [A92]: Incorrectly implies that a "different result" is limited to plant level accident analysis results which is contrary to 50.59(c)(2)(viii) which states "different result than ANY previously evaluated malfunctions" which includes UFSAR described FMEAs for the affected system.
NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-68 Example 4-23. CREATION of the Possibility of a Malfunction with a Different Result Proposed Activity Two non-safety-related analog feedwater control systems and a separate analog control system that controls the main turbine steam-inlet valves exist.All three analog control systems will be replaced with one digital control that will combine the two feedwater control systems and the main turbine steam-inlet valves control system into a single digital device. Malfunction / Accident From the UFSAR, the identified feedwater control system malfunctions include (a) failures causing the loss of all feedwater to the steam generators [evaluated in the Loss of Feedwater accident analysis] and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs [evaluated in the Excess Feedwater accident analysis]. From the UFSAR, the identified main turbine steam-inlet valve control system malfunctions include (a) all valves going fully closed causing no steam to be admitted into the turbine [evaluated in the Loss of Load accident analysis] and (b) all valves going fully open causing excess steam to be admitted into the turbine [evaluated in the Excess Steam Demand accident analysis]. Credible Conclusion Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF impacting the feedwater control systems and the main turbine steam-inlet valve control system has been determined to be credible. Bounded Conclusion Types of Malfunctions: A CCF can cause any of following conditions: (1) Loss of both feedwater pumps (2) Increase in main feedwater flow to the maximum output from both Formatted:
Highlight Formatted:
Highlight NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-69 MFWPs. (3) All main turbine steam-inlet valves going fully closed (4) All main turbine steam-inlet valves going fully open (5) Combination of (1) and (3) (6) Combination of (1) and (4) (7) Combination of (2) and (3) (8) Combination of (2) and (4) Source of Result: Currently, the malfunctions are evaluated as affecting only one system (i.e., feedwater control or main turbine control, NOT both) and the malfunctions are evaluated at the component level (i.e., "pump" or "valve"). Assuming the CCF occurs, the malfunction will no longer affect only one system, but will continue to be evaluated at the component level (i.e., "pump" or "valve"). Type of Result: The UFSAR identifies the end result of a malfunction as causing a Feedwater event or a Main Steam event, NOT both. In Conditions (5) through (8), the end result is no longer a Feedwater event or a Main Steam event. Overall Conclusion Based on the current set of accidents identified in the UFSAR, the accident analyses do not consider a simultaneous Feedwater/Main Steam event. The different results [simultaneous accidents in Conditions (5) though (8)] are NOT bounded by the previously-evaluated results of only one accident. Therefore, the proposed activity does create the possibility of a malfunction with a different result.
1317 NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 D-70 4.3.7 Does the Activity Result in a Design Basis Limit for a Fission Product 1318 Barrier Being Exceeded or Altered? 1319 There is no unique guidance applicable to digital modifications for responding 1320 to this Evaluation question because the identification of possible design basis 1321 limits for fission product barriers and the process for determination of 1322 "exceeded" or "altered" are not unique for a digital modification. The guidance 1323 in NEI 96-07, Section 4.3.7 applies. 1324 1325 4.3.8 Does the Activity Result in a Departure from a Method of Evaluation 1326 Described in the UFSAR Used in Establishing the Design Bases or in the 1327 Safety Analyses? 1328 There is no unique guidance applicable to digital modifications for responding 1329 to this Evaluation criterion because activities involving methods of 1330 evaluation do not involve SSCs. The guidance in NEI 96-07, Section 4.3.8 1331 applies. 1332 5.0 EXAMPLES 1333 [LATER] 1334 Page 37: [1] Commented [A44] Author Source: Engineering Judgement Rationale: There are two things of concern: (1) Determination of if CCF is credible (2) Characterisation of behavior during CCF Both could be considered outcomes; therefore this change was made to clarify the Outcomes being considerd in this section.