ML19133A101

M190514: Scheduling Note and Slides - Briefing on Digital Instrumentation and Control (Public Meeting)
ML19133A101
Person / Time
Issue date: 05/14/2019
From:
NRC/SECY
To:
References
M190514


Text

SCHEDULING NOTE

Title: Briefing on Digital Instrumentation and Control (Public Meeting)

Purpose: To discuss with the Commission the plans for implementing digital instrumentation and control (I&C) systems

Scheduled: May 14, 2019, 9:00 am

Duration: Approx. 3 hours

Location: Commissioners' Conference Room, 1st Floor OWFN

Participants and presentation times:

External Panel (30 mins.*)

  • Doug True, Chief Nuclear Officer and Senior Vice President, Generation and Suppliers, Nuclear Energy Institute (10 mins.*)
  • Dan Stoddard, Senior Vice President and Chief Nuclear Officer, Dominion Energy (10 mins.*)
  • Neil Wilmshurst, Chief Nuclear Officer, Electric Power Research Institute (10 mins.*)

Topics:

  • Current and future plans for digital I&C adoption
  • Remaining digital I&C impediments and regulatory gaps

Commission Q & A (40 mins.)

Break (5 mins.)

Staff Panel (30 mins.*)

  • Margaret Doane, Executive Director for Operations
  • Ho Nieh, Director, Office of Nuclear Reactor Regulation (NRR)
  • Eric Benner, Director, Division of Engineering, NRR
  • Brian Thomas, Director, Division of Engineering, Office of Research

Topics:

  • Recent accomplishments
  • Staff priorities for 2019
    - Strategic assessment of digital I&C regulatory infrastructure (e.g., Evaluation of a risk-informed regulatory framework based on higher level design principles)
    - Endorsement of International Electrotechnical Commission (IEC) standards
  • Measuring success and determining when the digital I&C Integrated Action Plan is complete

Commission Q & A (40 mins.)

Discussion - Wrap-Up (5 mins.)

CCF is Not Unique to Digital

  • CCF should not be treated as design basis
  • Analog systems are also subject to CCF
  • Analog CCF is primarily addressed through Special Treatment Requirements
  • Same approach should be applied to digital

©2019 Nuclear Energy Institute

Digital I&C NRC Commission Briefing

Dan Stoddard, May 14, 2019

Dominion Energy

Digital I&C Project Drivers

  • Obsolescence
  • Single point vulnerability elimination
  • Equipment Reliability
  • Operational Efficiency
  • Innovation
  • Cost reductions

Benefits

  • Maintenance
    - dramatically improved reliability (MTBF) and reduced maintenance
  • Engineering
    - equipment diagnostics, higher accuracy, and simplified fault detection
  • Operations
    - greatly enhanced Operator interface and vision into the plant
  • Commonality
    - Common platforms for Protection and Control minimize maintenance and training

Digital Upgrades - Tangible Performance Improvements

[Figure: three "Historical Performance" charts comparing Analog and Digital: BWR Digital Feedwater, PWR Turbine Controls, and BWR Turbine Controls]

  • Exelon began installing digital upgrades in the early 90's beginning with the feedwater systems at Dresden, LaSalle, Quad Cities and Limerick
  • Turbine controls were upgraded beginning in 2004 at Byron, Braidwood, Dresden, LaSalle, Quad Cities and Limerick and continue across the balance of the fleet
  • 500+ "unit years" of operating experience conclusively demonstrates a significant reduction in initiating events

Ongoing Projects

  • A number of Digital I&C replacement projects are ongoing across the industry.
  • Issuance of RIS 2002-22 Supplement 1 has facilitated many of these projects
  • Examples:
    - Emergency Diesel Generator Controls
    - Radiation Monitors
    - Rod Control
    - Safety-related Chiller Controls

Risks and Challenges

  • No Large Safety-Related DI&C Upgrades (RPS/ESFAS) Currently Planned or In-Progress
  • Why?
    - Regulatory uncertainty
    - Cybersecurity Compliance
    - Cost

Needs/Next Steps

  • BTP 7-19 revision approval
  • Implement Standard Digital Engineering Process and SOP interfacing procedure (NISP-EN-04)
  • Collaboratively work with the staff on the IAP modernization plans

A predictable regulatory path based on reasonable assurance of adequate protection.

EPRI

Integrated Digital Systems Engineering

US-NRC Commission Briefing on Digital Instrumentation and Control

Neil Wilmshurst, Chief Nuclear Officer - EPRI

May 14th, 2019

www.epri.com © 2019 Electric Power Research Institute, Inc. All rights reserved.

EPRI

  • 450+ participants in more than 30 countries
  • EPRI members generate approximately 90% of the electricity in the United States
  • International funding - nearly 25% of EPRI's research, development, and demonstrations

EPRI Perspective On Digital Reliability

Recent research using field failure data revealed no platform level Software Common Cause Failures (SCCF) over approx. 2 billion hours of operation for IEC-61508 SIL certified PLC's

Application of existing SIL certifications, at the platform level, in place of existing design and review processes has proven to be effective.

  • Additionally, cumulative nuclear OE from across the world (Korea, France, China, etc.) indicate that:
    - SCCF failures are no more problematic than other CCF contributors
    - There have been no identified events where diverse platforms would have been effective in protecting against SCCF
    - Several events confirmed effectiveness of signal and functional diversity in protecting against SCCF

[Figure labels: Applications, Integration, Platform]

Integrated Digital Systems Engineering Framework

[Figure labels: Architecture; Hazard Analysis (STPA/FTA) - SPV/CCF; Requirements Engineering; Procurement; Human Factors Engineering (HFE); Cyber Security; Data Communications; Plant Integration; Testing; Configuration Management; Life Cycle Management; Industry Standard Engineering Process]

EPRI's Digital Framework Elements

EPRI has developed a comprehensive engineering process, utilizing modern methods and international standards used in other safety related industries.

Element 1 - Use of Industrial Standards:

Use the same supply chain and structures that non-nuclear safety related industries use (IEC-61508/61511) to harvest the economies-of-scale of other safety industries.

Element 2 - Use of Systems Engineering:

Use of a modern, high performance, single engineering process that leverages systems engineering in the transition to team-based engineering for conception, design, and implementation.

Element 3 - Risk Informed Engineering:

Effective engineering decision-making via hazards and risk analysis to integrate all engineering topics (such as cyber security and SCCF) into a single engineering process.

Policy Level vs. Implementation Level Activities

[Figure labels: Objective Criteria SCCF; Objective Criteria Cyber; Objective Criteria EMC; Objective Criteria HFE; The Gap; Implementation Level (DEG / HAZCADS / DRAM / TAM / IEC-61508) via Industry Standard Procedures]

EPRI Products are Used at the Implementation Level (what you actually do)

Objective Criteria provides the Policy to Implementation connector and can be formatted like a safety case argument

Acronyms

  • CCF - Common Cause Failure
  • DRAM - Digital Reliability Analysis Methodology (EPRI product in development, sch. Q1 2020)
  • EMC - Electromagnetic Compatibility
  • EPRI - Electric Power Research Institute
  • FTA - Fault Tree Analysis
  • IEC - International Electrotechnical Commission
  • IEEE - Institute of Electrical and Electronics Engineers Standards Association
  • HAZCADS - Hazards and Consequences Analysis for Digital Systems (EPRI 3002012755, Dec. 2018)
  • HFE - Human Factors Engineering
  • ISO - International Organization for Standardization
  • OE - Operating Experience
  • PLC - Programmable Logic Controller
  • SCCF - Software Common Cause Failure
  • SIL - Safety Integrity Level (based on IEC-61508)
  • SPV - Single Point Vulnerability
  • STPA - Systems Theoretic Process Analysis
  • TAM - Cyber Security Technical Assessment Methodology (EPRI 3002012752, Nov. 2018)

Together ... Shaping the Future of Electricity

U.S.NRC, United States Nuclear Regulatory Commission: Protecting People and the Environment

BRIEFING ON DIGITAL INSTRUMENTATION AND CONTROL

Commission Meeting, May 14, 2019

On the Road to Digital Modernization

Speakers

  • Ho Nieh, Director, Office of Nuclear Reactor Regulation (NRR)
  • Brian Thomas, Director, DE, Office of Nuclear Regulatory Research (RES)

NRC has Addressed High Priority Challenges

ISG-06, Rev. 2 Explained

[Figure labels: ISG-06, Rev. 2 Alternative Review Process; Traditional Review Process; NRC pre-application meetings; Licensee activities; Concept and initial system design and planning; Detailed hardware & software design and fabrication; NRC vendor/regional inspection and oversight; Implementation, software validation/verification, and factory testing; Onsite installation and site acceptance testing]

Current NRC Guidance is Enabling Safe Digital Upgrades via 50.59

  • Chiller Controls
  • Diesel Generator Controls
  • Feedwater/Turbine Control System

Evaluation of an Issue with NEI 96-07 Appendix D is in Progress

SUPPLEMENTAL GUIDANCE FOR APPLICATION OF 10 CFR 50.59 TO DIGITAL MODIFICATIONS, prepared by the Nuclear Energy Institute, November 2018

10 CFR 50.59(c)(2)(vi): A license amendment is required if the change would "create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated)."

Where else can we improve the regulatory framework?

[Figure: map of the digital I&C regulatory framework, labeled "Federal Regulations" and "Standards, BTPs, and TRs", showing 10 CFR 50 (including Appendix A and Appendix B), 10 CFR 73.54, IEEE standards, regulatory guides, NUREG-0800, DI&C-ISG-01 through DI&C-ISG-06, Branch Technical Position 7-14, RIS 2002-22, and EPRI and NUREG/CR reports; callout: "Where can we consolidate?"]

Proactively Addressing Additional Common Cause Failure Concerns

Propose Risk-Informed Graded Approach for BTP 7-19

  • Safety-Related
    - A1: D3 Analysis
    - A2: Depth/Qualitative Assessment
  • Not Safety-Related
    - B1: Depth/Qualitative Assessment
    - B2: Assessment May be Needed

Perceptions vs. Reality

  • Perception: A diverse analog system is mandatory to backup all DI&C safety systems
    Reality: No. There are many options to accomplish the intended safety function, including ATWS and operator actions.
  • Perception: 100% testing is required of the digital system to address CCF
    Reality: 100% testing is NOT required to address CCF in digital systems and may not be practical.
  • Perception: BTP 7-19 is applicable to DI&C modifications under 10 CFR 50.59
    Reality: No, a licensee is NOT required to follow BTP 7-19 for digital modifications under 10 CFR 50.59.


Pursuing Alternative Regulatory Approaches and Safety Standards

  • Broader use of IEC standards as an alternative way to meet the requirements of IEEE 279 and 603-1991
  • Ready to evaluate proposed industry guidance for commercial grade dedication

Research is Supporting the Success of Future Regulatory Modernization

User Needs

  • Embedded Digital Devices
  • Common Cause Failure
  • Risk-Informing
  • Operational Experience

NRC is Coordinating with other Domestic Research Activities

Domestic research activities are focused on using digital technologies to improve safety and reliability

NRC's International Collaboration is Focused on Safe Use of Digital I&C

[Logo: IAEA, International Atomic Energy Agency]

What does success look like?

[Photos: Shippingport control room circa 1957; typical control room today, > 60 years from Shippingport]

Success is expanding the safe use of digital

We're Making Progress on Achieving an Efficient and Effective Digital I&C Framework

  • Continue our efforts to:
    - Modernize our decision making in the use of DI&C systems
    - Effectively communicate with all stakeholders to understand their challenges, priorities, and potential solutions
    - Transform with risk-informed and innovative approaches

Acronyms

  • BTP - Branch Technical Position
  • IEC - International Electrotechnical Commission
  • CCF - Common Cause Failure
  • CFR - Code of Federal Regulations
  • ISG - Interim Staff Guidance
  • D3 - Diversity and Defense-in-Depth
  • NEI - Nuclear Energy Institute
  • DI&C - Digital Instrumentation and Control
  • RIS - Regulatory Issue Summary
  • NEA - Nuclear Energy Agency
  • I&C - Instrumentation and Control
  • SSC - Safety Systems, Structures, and Components
  • IEEE - Institute of Electrical and Electronics Engineers
  • EPRI - Electric Power Research Institute
  • IAEA - International Atomic Energy Agency
  • TR - Topical Report