ML18051A084
| ML18051A084 | |
| Person / Time | |
|---|---|
| Issue date: | 03/01/2018 |
| From: | Mcginty T, Chris Miller Division of Construction Inspection and Operational Programs, Division of Inspection and Regional Support |
| To: | |
| Govan T | |
| References | |
| RIS-02-022, Supp 1 | |
| Download: ML18051A084 (22) | |
See also: RIS 2002-22
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
OFFICE OF NEW REACTORS
WASHINGTON, D.C. 20555-0001
Month XX, 2018
DRAFT NRC REGULATORY ISSUE SUMMARY 2002-22, SUPPLEMENT 1
CLARIFICATION ON ENDORSEMENT OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN
DESIGNING DIGITAL UPGRADES IN INSTRUMENTATION AND CONTROL SYSTEMS
ADDRESSEES
All holders and applicants for power reactor operating licenses or construction permits under
Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of
Production and Utilization Facilities.
All holders of and applicants for a combined license, standard design approval, or
manufacturing license under 10 CFR Part 52, Licenses, Certifications, and Approvals for
Nuclear Power Plants. All applicants for a standard design certification, including such
applicants after initial issuance of a design certification rule.
All holders of, and applicants for, a construction permit or an operating license for non-power
production or utilization facilities under 10 CFR Part 50, including all existing non-power reactors
and proposed facilities for the production of medical radioisotopes, such as molybdenum-99,
except those that have permanently ceased operations and have returned all of their fuel to the
U.S. Department of Energy.
INTENT
The U.S. Nuclear Regulatory Commission (NRC) is issuing a supplement to Regulatory Issue
Summary (RIS) 2002-22, dated November 25, 2002 (Agencywide Documents Access and
Management System (ADAMS) Accession No. ML023160044). In RIS 2002-22, the NRC staff
endorsed Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A
Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule, (Nuclear Energy
Institute (NEI) hereinafter NEI 01-01) (ADAMS Accession No. ML020860169). NEI 01-01
provides guidance for designing, licensing, and implementing digital upgrades and
replacements to instrumentation and control (I&C) systems (hereinafter digital I&C) in a
consistent and comprehensive manner.
The purpose of this RIS Supplement is to clarify RIS 2002-22, which remains in effect. The
NRC continues to endorse NEI 01-01 as stated in RIS 2002-22, as clarified by this RIS
Supplement. Specifically, the guidance in this RIS Supplement clarifies the NRC staffs
endorsement of the guidance pertaining to Sections 4, 5, and Appendices A and B of NEI 01-01.
This RIS Supplement clarifies the guidance for preparing and documenting qualitative
assessments, that can be used to evaluate the likelihood of failure of a proposed digital
modification, including the likelihood of failure due to a common cause, i.e., common cause
failure (CCF). Licensees can use these qualitative assessments to support a conclusion that a
Draft RIS 2002-22 Supplement 1
Page 2 of 5
proposed digital I&C modification has a sufficiently low1 likelihood of failure. This conclusion,
and the reasons for it, should be documented, per 10 CFR 50.59(d)(1), as part of the
evaluations of proposed digital I&C modifications against some of the criteria in 10 CFR 50.59,
Changes, tests and experiments.
This RIS Supplement is not directed toward digital I&C upgrades and replacements of reactor
protection systems and engineered safety features actuation systems, since application of the
guidance in this RIS Supplement to such changes would likely involve additional considerations.
This RIS Supplement does not provide new design process guidance for addressing common
cause failure of the reactor protection systems and engineered safety features actuation
systems. Additional guidance for addressing potential common cause failure of digital I&C
equipment is contained in other NRC guidance documents and NRC-endorsed industry
guidance documents.
This RIS Supplement requires no action or written response on the part of an addressee.
BACKGROUND INFORMATION
By letter dated March 15, 2002, NEI submitted EPRI TR-102348, Revision 1 (NEI 01-01) for
NRC staff review. NEI 01-01 replaced the original version of EPRI TR-102348, dated
December 1993, which the NRC endorsed in Generic Letter 1995-02, Use of NUMARC/EPRI
Report TR-102348, Guideline on Licensing Digital Upgrades, in Determining the Acceptability
of Performing Analog-to-Digital Replacements Under 10 CFR 50.59, dated April 26, 1995
(ADAMS Accession No. ML031070081). In 2002, the NRC staff issued RIS 2002-22 to notify
addressees that the NRC staff had reviewed NEI 01-01 and was endorsing the report for use as
guidance in designing and implementing digital upgrades to nuclear power plant instrumentation
and control systems.
Following the NRC staffs 2002 endorsement of NEI 01-01, holders of construction permits and
operating licenses have used that guidance in support of digital design modifications in
conjunction with Regulatory Guide 1.187, Guidance for Implementation of 10 CFR 50.59,
Changes, Tests, and Experiments, dated November 2000 (ADAMS Accession
No. ML003759710), which endorsed NEI 96-07, Guidelines for 10 CFR 50.59 Implementation,
Revision 1, dated November 2000 (ADAMS Accession No. ML003771157).
NRC inspections of documentation for digital I&C plant modifications prepared by some
licensees using the guidance in NEI 01-01 identified inconsistencies in the performance and
documentation of licensee engineering evaluations. NRC inspections also identified
documentation issues with the written evaluations of the 10 CFR 50.59(c)(2) criteria. The term
engineering evaluation refers to evaluations performed in designing digital I&C modifications
other than the 10 CFR 50.59 evaluation, for example, evaluations performed under the
licensees NRC approved quality assurance program. This RIS Supplement clarifies the
guidance for licensees performing and documenting engineering evaluations and the
development of qualitative assessments.
In response to staff requirements memorandum (SRM)-SECY-16-0070 Integrated Strategy to
Modernize the Nuclear Regulatory Commissions Digital Instrumentation and Control Regulatory
1 NEI 01-01, Page 4-20, defines sufficiently low to mean much lower than the likelihood of failures that are
considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not
considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors).
Draft RIS 2002-22 Supplement 1
Page 3 of 5
Infrastructure (ADAMS Accession No. ML16299A157), NRC staff has engaged the public,
including NEI and industry representatives, to improve the guidance for applying 10 CFR 50.59
to digital I&C-related design modifications as part of a broader effort to modernize I&C
regulatory infrastructure. Making available the guidance in this RIS Supplement is described as
a near-term action in the integrated action plan to provide specific guidance for documenting
qualitative assessments concluding that a proposed digital I&C modification will exhibit a
sufficiently low likelihood of failure.
Applicability to Non-Power Reactor Licensees
The examples and specific discussion in this RIS Supplement and other guidance referenced by
this RIS Supplement (i.e., NEI 01-01 and original RIS 2002-22) primarily focus on power
reactors. Nonetheless, licensees of non-power production or utilization facilities (NPUFs) may
also use the guidance in RIS 2002-22 and apply the guidance in this RIS Supplement to
develop written evaluations addressing the criteria in 10 CFR 50.59(c)(2). In particular, NPUF
licensees may use the guidance to prepare qualitative assessments that consider design
attributes, quality measures, and applicable operating experience to evaluate proposed digital
I&C changes to their facilities as described in Sections 4, 5, and Appendix A of NEI 01-01.
However, certain aspects of the guidance that discuss the relationship of other regulatory
requirements to 10 CFR 50.59 may not be fully applicable to NPUFs (e.g., 10 CFR Part 50,
Appendix A and B are not applicable to NPUFs).
SUMMARY OF ISSUE
In general, digital I&C modifications may include a potential for an increase in the likelihood of
equipment failures occurring within modified SSCs, including common cause failures. In
particular, digital I&C modifications that introduce or modify identical software within
independent trains, divisions, or channels within a system, and those that introduce new shared
resources, hardware, or software among multiple control functions, may include such a
potential. A qualitative assessment can be used to support a conclusion that there is not more
than a minimal increase in the frequency of occurrence of accidents or in the likelihood of
occurrence of malfunctions (10 CFR 50.59(c)(2)(i) and (ii)). A qualitative assessment can also
be used to support a conclusion that the proposed modification does not create the possibility of
an accident of a different type or malfunction with a different result than previously evaluated in
the UFSAR (10 CFR 50.59(c)(2)(v) and (vi)).
For digital I&C modifications, an adequate basis for a determination that a change involves a
sufficiently low likelihood of failure may be derived from a qualitative assessment of factors
involving system design features, the quality of the design processes employed, and an
evaluation of relevant operating experience of the software and hardware used (i.e., product
maturity and in-service experience). A licensee may use a qualitative assessment to document
the factors and rationale for concluding that there is an adequate basis for determining that a
digital I&C modification will exhibit a sufficiently low likelihood of failure. In doing so, a licensee
may consider the aggregate of these factors. The attachment to this RIS Supplement provides
a framework for preparing and documenting qualitative assessments and engineering
evaluations.
In addition, this RIS Supplement clarifies the applicability of some aspects of the NRC policy
described in Item II.Q of SRM/SECY 93-087, Policy, Technical, and Licensing Issues
Pertaining to Evolutionary and Advanced Light Water Reactor (ALWR) Designs, (ADAMS
Draft RIS 2002-22 Supplement 1
Page 4 of 5
No. ML003708056), in regard to the application of 10 CFR 50.59(c)(2) criteria for digital I&C
modifications.
BACKFITTING AND ISSUE FINALITY DISCUSSION
This RIS Supplement clarifies but does not supersede RIS 2002-22, and includes additional
guidance regarding how to perform and document qualitative assessments for digital I&C
changes under 10 CFR 50.59.
The NRC does not intend or approve any imposition of the guidance in this RIS Supplement,
and this RIS Supplement does not contain new or changed requirements or staff positions that
constitute either backfitting under the definition of backfitting in 10 CFR 50.109(a)(1) or a
violation of issue finality under any of the issue finality provisions in 10 CFR Part 52. Therefore,
this RIS Supplement does not represent backfitting as defined in 10 CFR 50.109(a)(1), nor is it
otherwise inconsistent with any issue finality provision in 10 CFR Part 52. Consequently, the
NRC staff did not perform a backfit analysis for this RIS Supplement or further address the issue
finality criteria in 10 CFR Part 52.
FEDERAL REGISTER NOTIFICATION
The NRC will publish a notice of opportunity for public comment on this draft RIS in the Federal
Register.
CONGRESSIONAL REVIEW ACT
This RIS is a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-808). However,
the Office of Management and Budget has not found it to be a major rule as defined in the
Congressional Review Act.
PAPERWORK REDUCTION ACT STATEMENT
This RIS provides guidance for implementing mandatory information collections covered by
10 CFR Part 50 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et.
seq.). This information collection was approved by the Office of Management and Budget
(OMB) under control number 3150-0011. Send comments regarding this information collection
to the Information Services Branch, U.S. Nuclear Regulatory Commission, Washington, DC
20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of
Information and Regulatory Affairs, NEOB-10202, (3150-0011) Office of Management and
Budget, Washington, DC 20503.
Public Protection Notification
The NRC may not conduct or sponsor, and a person is not required to respond to, a request for
information or an information collection requirement unless the requesting document displays a
currently valid OMB control number.
Draft RIS 2002-22 Supplement 1
Page 5 of 5
CONTACT
Please direct any questions about this matter to the technical contact(s) or the Lead Project
Manager listed below.
Timothy J. McGinty, Director Christopher G. Miller, Director
Division of Construction Inspection Division of Inspection and Regional Support
and Operation Programs Office of Nuclear Reactor Regulation
Office of New Reactors
Technical Contacts: David Rahn, NRR Wendell Morton, NRR
301-415-1315 301-415-1658
e-mail: David.Rahn@nrc.gov e-mail: Wendell.Morton@nrc.gov
Norbert Carte, NRR David Beaulieu, NRR
301-415-5890 301-415-3243
e-mail: Norbert.Carte@nrc.gov e-mail: David.Beaulieu@nrc.gov
301-415-3724
email: Duane.Hardesty@nrc.gov (Specifically for non-power reactors)
Project Manager Contact: Tekia Govan, NRR
301-415-6197
e-mail: Tekia.Govan@nrc.gov
Note: NRC generic communications may be found on the NRC public Web site,
http://www.nrc.gov, under NRC Library/Document Collections.
Attachment: Qualitative Assessment and Engineering Evaluation Framework
Qualitative Assessment and Engineering Evaluation Framework
1. Purpose
Regulatory Issue Summary (RIS) 2002-22 provided the U.S. Nuclear Regulatory Commission
(NRC) staffs endorsement of Nuclear Energy Institute (NEI) Guidance document NEI 01-01,
Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A Revision
of EPRI TR-102348 To Reflect Changes to the 10 CFR 50.59 Rule. NEI 01-01 provides
guidance for implementing and licensing digital upgrades, in a consistent, comprehensive, and
predictable manner, as well as guidance in performing qualitative assessments of the
dependability of digital instrumentation and control (I&C) systems.
The purpose of this attachment is to provide supplemental clarifying guidance to licensees to
ensure that, if qualitative assessments are used, they are described and documented
consistently, through an evaluation of applicable qualitative evidence. Following the guidance in
RIS 2002-22 and NEI 01-01, as clarified by the guidance in this RIS Supplement, will help
licensees document qualitative assessments in sufficient detail that an independent third
party can verify the judgements, as stated in NEI 01-01. While this qualitative assessment is
used to support the Title 10 of the Code of Federal Regulations (10 CFR) 50.59, Changes tests
and experiments, evaluation, it does not provide guidance for screening and it does not
presume that all digital modifications screen in.
NEI 01-01 uses the terms qualitative assessment and dependability evaluations
interchangeably. Within this document only the terms qualitative assessment and sufficiently
low2 are used in conjunction with performance of 10 CFR 50.59 evaluations. The term
dependability evaluation is used in the context of engineering evaluations, which are not
performed or documented as part of a 10 CFR 50.59 evaluation, but engineering evaluations
are performed in accordance with the licensees NRC quality assurance program in developing
digital I&C modification.
If a qualitative assessment determines that a potential failure (e.g., software common cause
failure (CCF) has a sufficiently low likelihood, then the effects of the failure do not need to be
considered in the 10 CFR 50.59 evaluation. Thus, the qualitative assessment provides a
means of addressing software CCF. In some cases, the effects of a software CCF may not
create a different result than any previously evaluated in the updated final safety analysis report
(UFSAR).
Sections 2 and 3 of this attachment provide acceptable approaches for describing the scope,
form, and content of the type of a qualitative assessment described above. Section 4 of this
attachment provides acceptable approaches for engineering evaluations that may be used in
performing and documenting a qualitative assessment.
2
NEI 01-01, Page 4-20, defines sufficiently low to mean much lower than the likelihood of failures that are
considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not
considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors).
Attachment
Draft RIS 2002-22 Supplement 1, Attachment
Page 2 of 17
2. Regulatory ClarificationApplication of Qualitative Assessments to Title 10 of the
Code of Federal Regulations, Section 50.59
When a licensee decides to undertake an activity that changes its facility as described in the
updated final safety evaluation report, the licensee first performs the engineering and technical
evaluations in accordance with plant procedures. If the licensee determines that an activity is
acceptable through appropriate engineering and technical evaluations, the licensee enters the
10 CFR 50.59 process. The regulations in 10 CFR 50.59 provide a threshold for regulatory
review, not a determination of safety, for the proposed activities. In addition, 10 CFR 50.59
establishes the conditions under which licensees may make changes to the facility or
procedures and conduct tests or experiments without prior NRC approval.
Evaluations must address all elements of proposed changes. Some elements of a change may
have positive effects on SSC failure likelihood while other elements of a change may have
adverse effects. As derived from the guidance in NEI 96-07, positive and negative elements
can be considered together if they are interdependent. This means that if elements are not
interdependent, they must be evaluated separately.
2.1 Likelihood
Properly documented qualitative assessments may be used to support a conclusion that a
proposed digital I&C modification has a sufficiently low likelihood of failure, consistent with the
UFSAR analysis assumptions. This conclusion is used in the 10 CFR 50.59 written evaluation
to determine whether prior NRC approval is required.
Qualitative Assessment
The determination that a digital I&C modification will exhibit a sufficiently low likelihood of failure
can be derived from a qualitative assessment of factors involving system design attributes, the
quality of the design processes employed, the operating experience with the software and
hardware used (i.e., product maturity and in-service experience). Documenting the qualitative
assessment includes describing the factors, rationale, and reasoning (including engineering
judgement) for determining that the digital I&C modification exhibits a sufficiently low likelihood
of failure.
The determination of likelihood of failure may consider the aggregate of all the factors described
above. Some of these factors may compensate for weaknesses in other areas. For example,
for a digital device that is simple and highly testable, thorough testing may provide additional
assurance of a sufficiently low likelihood of failure that helps compensate for a lack of operating
experience.
Qualitative Assessment Outcome
There are two possible outcomes of the qualitative assessment: (1) failure likelihood is
sufficiently low, and (2) failure likelihood is not sufficiently low. Guidance in NEI 01-01,
Section 4.3.6, states, sufficiently low means much lower than the likelihood of failures that are
considered in the UFSAR (e.g., single failures) and comparable to other common cause failures
that are not considered in the UFSAR (e.g., design flaws, maintenance error, calibration errors).
This sufficiently low threshold is not interchangeable with that for distinguishing between
events that are credible or not credible. The threshold for determining whether an event is
Draft RIS 2002-22 Supplement 1, Attachment
Page 3 of 17
credible or not is whether it is as likely as (i.e., not much lower than) malfunctions already
assumed in the UFSAR.
Likelihood Thresholds for 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi)
A key element of 10 CFR 50.59 evaluations is demonstrating whether the modification
considered will exhibit a sufficiently low likelihood of failure. For digital modifications,
particularly those that introduce software, there may be a potential increase in likelihood of
failure. For redundant SSCs, this potential increase in the likelihood of failure creates a similar
increase in the likelihood of a common cause failure.
The sufficiently low threshold discussions have been developed using criteria from NEI 96-07,
Revision 1, and NEI 01-01. They are intended to clarify the existing 10 CFR 50.59 guidance
and should not be interpreted as a new or modified NRC position.
Criteria
Although it may be required by other criteria, prior NRC approval is not required by 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi) if there is a qualitative assessment outcome of sufficiently low, as
described below:
Does the activity result in more than a minimal increase in the frequency of occurrence of an
accident previously evaluated in the UFSAR?
Sufficiently low threshold - The frequency of occurrence of an accident is directly
related to the likelihood of failure of equipment that initiates the accident (e.g., an
increase in the likelihood of a steam generator tube failure has a corresponding increase
in the frequency of a steam generator tube rupture accident). Thus, an increase in
likelihood of failure of the modified equipment results in an increase in the frequency of
the accident. Therefore, if the qualitative assessment outcome is sufficiently low, then
there is a no more than a minimal increase in the frequency of occurrence of an accident
previously evaluated in the UFSAR.
Does the activity result in more than a minimal increase in the likelihood of occurrence of a
malfunction of a structure, system, or component (SSC) important to safety3 previously
evaluated in the UFSAR?
Sufficiently low threshold - The likelihood of occurrence of a malfunction of an SSC
important to safety is directly related to the likelihood of failure of equipment that causes
a failure of SSCs to perform their intended design functions4 (e.g., an increase in the
3 NEI 96-07, Revision 1, Section 3.9, states, Malfunction of SSCs important to safety means the failure of SSCs to
perform their intended design functions described in the UFSAR (whether or not classified as safety-related in
accordance with 10 CFR [Part] 50, Appendix B).
4
The term design functions, as used in this RIS Supplement, conforms to the definition of design functions in NEI 96-07, Revision 1.
Draft RIS 2002-22 Supplement 1, Attachment
Page 4 of 17
likelihood of failure of an auxiliary feedwater (AFW) pump has a corresponding increase
in the likelihood of occurrence of a malfunction of SSCs-the AFW pump and AFW
system). Thus, the likelihood of failure of modified equipment that causes the failure of
SSCs to perform their intended design functions is directly related to the likelihood of
occurrence of a malfunction of an SSC important to safety. Therefore, if the qualitative
assessment outcome is sufficiently low, then the activity does not result in more than a
minimal increase in the likelihood of occurrence of a malfunction of an SSC important to
safety previously evaluated in the UFSAR.
Does the activity create a possibility for an accident of a different type than any previously
evaluated in the UFSAR?
Sufficiently low threshold-NEI 96-07, Revision 1, Section 4.3.5, states, Accidents of a
different type are limited to those that are as likely to happen as those previously
evaluated in the UFSAR. Accidents of a different type are caused by failures of
equipment that initiate an accident of a different type. If the outcome of the qualitative
assessment of the proposed change is that the likelihood of failure associated with the
proposed activity is sufficiently low, then there are no failures introduced by the activity
that are as likely to happen as those in the UFSAR that can initiate an accident of a
different type. Therefore, the activity does not create a possibility for an accident of a
different type than any previously evaluated in the UFSAR. If the qualitative assessment
determines that a potential failure (e.g., software CCF) does not have a sufficiently low
likelihood, then the effects of this failure need to be considered in the 10 CFR 50.59
evaluation.
Does the activity create a possibility for a malfunction of an SSC important to safety with a
different result than any previously evaluated in the UFSAR?
Sufficiently low threshold - NEI 96-07, Section 4.3.6, states, malfunctions with a
different result are limited to those that are as likely to happen as those in the UFSAR.
A malfunction of an SSC important to safety is an equipment failure that causes the
failure of SSCs to perform their intended design functions. If the outcome of the
qualitative assessment of the proposed change is that the likelihood of failure associated
with the proposed activity is sufficiently low, then there are no failures introduced by the
activity that are as likely to happen as those in the UFSAR. Therefore, the activity does
not create a possibility for a malfunction of an SSC important to safety with a different
result than any previously evaluated in the UFSAR. If the qualitative assessment
determines that a potential failure (e.g., software CCF) does not have a sufficiently low
likelihood, then the effects of this failure need to be considered in the 10 CFR 50.59
evaluation using methods consistent with the plants UFSAR.
3. Qualitative Assessments
The NRC staff has determined that proposed digital I&C modifications having the characteristics
listed below are likely to result in qualitative assessment outcomes that support a sufficiently low
likelihood determination:
Draft RIS 2002-22 Supplement 1, Attachment
Page 5 of 17
1. Digital I&C modifications that:
a) Do not create a CCF vulnerability due to the integration of subsystems or
components from different systems that combine design functions that were
not previously combined within the same system, subsystem, or component
being replaced.
Note: Integration, as used in this RIS supplement refers to the process of
combining software components, hardware components, or both into an overall
system, or the merger of the design function of two or more systems or
components into a functioning, unified system or component. Integration also
refers to the coupling of design functions (software/ hardware) via bi-directional
digital communications. Modifications can result in design functions of different
systems being integrated or combined either directly in the same digital device or
indirectly via shared resources, such as bi-directional digital communications or
networks, common controllers, power supplies, or visual display units. Such
integration could be problematic because the safety analysis may have explicitly
or implicitly modeled the equipment performing the design functions that would
be integrated on the basis that it is not subject to any potential source of common
cause failure.
b) Do not create a CCF vulnerability due to new shared resources (such as
power supplies, controllers, and human-machine interfaces) with other design
functions that are (i) explicitly or implicitly described in the UFSAR as
functioning independently from other plant design functions, or (ii) modeled in
the current design basis to be functioning independently from other plant
design functions.
c) Do not affect reactor trip or engineered safety feature initiation/control logic or
emergency power bus load sequencers.
2. Digital I&C modifications that maintain the level of diversity, separation, and
independence of design functions described in the UFSAR. A change that reduces
redundancy, diversity, separation or independence of USFAR-described design
functions is considered a more than minimal increase in the likelihood of malfunction.
3. Digital I&C modifications that are sufficiently simple (as demonstrated through 100
percent testing or a combination of testing and input/output state analysis); or
demonstrate adequate internal diversity.
3.1 Qualitative Assessment Categories
Consistent with the guidance provided in NEI 01-01, this attachment specifies three general
categories of characteristics: design attributes, quality of the design process, and operating
experience. Qualitatively assessing and then documenting these characteristics separately, by
category, and in the aggregate provides a common framework that will better enable licensees
Draft RIS 2002-22 Supplement 1, Attachment
Page 6 of 17
to document qualitative assessments in sufficient detail that an independent third party can
verify the judgements.
Table 1 provides acceptable examples of design attributes, quality of the design processes, and
documentation of operating experience. This listing is not all inclusive nor does the qualitative
assessment need to address each specific item.
3.1.1 Design attributes
NEI 01-01 Section 5.3.1 states:
To determine whether a digital system is sufficiently dependable, and therefore
that the likelihood of failure is sufficiently low, there are some important
characteristics that should be evaluated. These characteristics, discussed in
more detail in the following sections include: Hardware and software design
features that contribute to high dependability (See Section 5.3.4). Such
[hardware and software design] features include built-in fault detection and failure
management schemes, internal redundancy and diagnostics, and use of software
and hardware architectures designed to minimize failure consequences and
facilitate problem diagnosis.
Consistent with the above-quoted text, design attributes of a proposed modification can prevent
or limit failures from occurring. A qualitative assessment describes and documents hardware
and software design features that contribute to high dependability. Design attributes focus
primarily on built-in features such as fault detection and failure management schemes, internal
redundancy and diagnostics, and use of software and hardware architectures and facilitate
problem diagnosis. However, design features external to the proposed modification (e.g.,
mechanical stops on valves) may also need to be considered.
Many system design attributes, procedures, and practices can contribute to significantly
reducing the likelihood of failure (e.g., CCF). A licensee can account for this by deterministically
assessing the specific vulnerabilities through postulated failure modes (e.g., software CCF)
within a proposed modification and applying specific design attributes to address those
vulnerabilities (see Table 1). An adequate qualitative assessment regarding the likelihood of
failure of a proposed modification would consist of a description of: (a) the potential failures
introduced by the proposed modification, (b) the design attributes used to resolve identified
potential failures, and (c) how the chosen design attributes and features resolve identified
potential failures.
Diversity is one example of a design attribute that can be used to demonstrate an SSC modified
with digital technology is protected from a loss of design function due to a potential common
cause failure. In some cases, a plants design basis may specify diversity as part of the design.
In all other cases, the licensees need not consider the use of diversity (e.g., as described in the
staff requirements memorandum on SECY 93-087) in evaluating a proposed modification.
However, diversity within the proposed design, and any affected SSCs is a powerful means for
significantly reducing the occurrence of failures affecting the accomplishment of design
functions.
Draft RIS 2002-22 Supplement 1, Attachment
Page 7 of 17
3.1.2 Quality of the Design Process
Section 5.3.3 of NEI 01-01 states:
For digital equipment incorporating software, it is well recognized that
prerequisites for quality and dependability are experienced software engineering
professionals combined with well-defined processes for project management,
software design, development, implementation, verification, validation, software
safety analysis, change control, and configuration control.
Consistent with the guidance provided in NEI 01-01, Quality Design Processes means those
processes employed in the development of the proposed modification. Such processes include
software development, hardware and software integration processes, hardware design, and
validation and testing processes that have been incorporated into the development process.
For safety-related equipment this development process would be documented and available for
referencing in the qualitative assessment for proposed modifications. However, for
commercial-grade-dedicated or non-safety related equipment documentation of the
development process may not be readily available. In such cases, the qualitative assessment
may place greater emphasis on the design attributes included and the extent of successful
operating experience for the equipment proposed.
Quality of the design process is a key element in determining the dependability of proposed
modifications. Licensees employing design processes consistent with their NRC-approved
quality assurance programs will result in a quality design process.
When possible, the use of applicable industry consensus standards contributes to a quality
design process and provides a previously established acceptable approach (e.g., Institute of
Electrical and Electronics Engineers (IEEE) Standard 1074-2006, IEEE Standard for
Developing a Software Project Life Cycle Process, endorsed in Regulatory Guide 1.173,
Developing Software Life Cycle Processes for Digital Computer Software Used in Safety
Systems of Nuclear Power Plant). In some cases, other nuclear or non-nuclear standards also
provide technically justifiable approaches that can be used if confirmed applicable for the
specific application.
Quality standards should not be confused with quality assurance programs or procedures.
Quality standards are those standards which describe the benchmarks that are specified to be
achieved in a design. Quality standards should be documents that are established by
consensus and approved by an accredited standards development organization. For example,
IEEE publishes consensus-based quality standards relevant to digital I&C modifications and is a
recognized standards development organization. Quality standards used to ensure the
proposed change has been developed using a quality design process do not need to be solely
those endorsed by the NRC staff. The qualitative assessment document should demonstrate
that the standard being applied is valid for the circumstances for which it is being used.
3.1.3 Operating Experience
Section 5.3.1 of NEI 01-01 states, Substantial applicable operating history reduces uncertainty
in demonstrating adequate dependability.
Draft RIS 2002-22 Supplement 1, Attachment
Page 8 of 17
Consistent with the above-quoted text, relevant operating experience can be used to help
demonstrate that software and hardware employed in a proposed modification have adequate
dependability. The licensee may document information showing that the proposed system or
component modification employs equipment with significant operating experience in nuclear
power plant applications, or in non-nuclear applications with comparable performance standards
and operating environment. The licensee may also consider whether the suppliers of such
equipment incorporate quality processes such as continual process improvement, incorporation
of lessons learned, etc., and document how that information demonstrates adequate equipment
dependability.
Operating experience relevant to a proposed digital I&C change may be credited as part of an
adequate basis for a determination that the proposed change does not result in more than a
minimal increase in the frequency of occurrence of initiating events that can lead to accidents or
in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC
important to safety previously evaluated in the UFSAR. Differences may exist in the specific
digital I&C application between the proposed digital I&C modification and that of the equipment
and software whose operating experience is being credited. In all cases, however, the
architecture of the referenced equipment and software should be substantially similar to that of
the system being proposed.
Further, the design conditions and modes of operation of the equipment whose operating
experience is being referenced also needs to be substantially similar to that being proposed as
a digital I&C modification. For example, one needs to understand what operating conditions
(e.g., ambient environment, continuous duty, etc.) were experienced by the referenced design.
In addition, it is important to recognize that when crediting operating experience from other
facilities, one needs to understand what design features were present in the design whose
operating experience is being credited. Design features that serve to prevent or limit possible
common cause failures in a design referenced as relevant operating experience should be
noted and considered for inclusion in the proposed design. Doing so would provide additional
support for a determination that the dependability of the proposed design will be similar to the
referenced application.
Draft RIS 2002-22 Supplement 1, Attachment
Page 9 of 17
Table 1Qualitative Assessment Category Examples
Categories Examples for Each Category
Design * Design criteriaDiversity (if applicable), Independence, and Redundancy.
Attributes * Inherent design features for software, hardware or architectural/network
Watchdog timers that operate independent of software, isolation devices,
segmentation of distributed networks, self-testing, and self-diagnostic
features.
- Basis for identifying that possible triggers are non-concurrent.
- Sufficiently simple (i.e., enabling 100 percent testing or comprehensive
testing in combination with analysis of likelihood of occurrence of
input/output states not tested).
- Failure state always known to be safe, or at least the same state as allowed
by the previously installed equipment safety analysis.
Quality of * Justification for use of industry consensus standardsfor codes and
the Design standards not endorsed by the NRC.
Process * Justification for use of other standards.
- Use of Appendix B vendors. If not an Appendix B vendor, the analysis can
state which generally accepted industrial quality program was applied.
- Use of Commercial Grade Dedication processes per guidance of EPRI TR-
106439, Annex D of IEEE 7-4.3.2, and examples within EPRI TR-107330.
- Demonstrated capability (e.g., through qualification testing) to withstand
environmental conditions within which the SSC is credited to perform its
design function (e.g., EMI/RFI, Seismic).
- Development process rigor (adherence to generally-accepted commercial or
nuclear standards.)
- Demonstrated dependability of custom software code for application
software through extensive evaluation or testing.
Operating * Wide range of operating experience in similar applications, operating
Experience environments, duty cycles, loading, comparable configurations, etc., to that
of the proposed modification.
- History of lessons learned from field experience addressed in the design.
- Relevant operating experience: Architecture of the referenced equipment
and software (operating system and application) along with the design
conditions and modes of operation of the equipment should be substantially
similar to those of the system being proposed as a digital I&C modification.
High volume production usage in different applicationsNote that for
software, the concern is centered on lower volume, custom, or
user-configurable software applications. High volume, high quality
commercial products with relevant operating experience used in other
applications have the potential to avoid design errors.
- Experience working with software development tools used to create
configuration files.
Draft RIS 2002-22 Supplement 1, Attachment
Page 10 of 17
3.2 Qualitative Assessment Documentation
The U.S. Nuclear Regulatory Commission endorsed guidance for documenting 10 CFR 50.59
evaluations to meet the requirements of 10 CFR 50.59 (d) is provided in both NEI 96-07,
Revision 1 in Section 5.0, Documentation and Reporting and NEI 01-01, Appendix B. Both of
these documents reiterate the principles that documentation should include an explanation
providing adequate basis for the conclusion so that a knowledgeable reviewer could draw the
same conclusion.
Considerations and conclusions reached while performing qualitative assessments supporting
the evaluation criteria of 10 CFR 50.59, are subject to the aforementioned principles. In order
for a knowledgeable reviewer to draw the same conclusion regarding qualitative assessments,
details of the considerations made, and their separate and aggregate effect on any qualitative
assessments need to be included or clearly referenced in the 10 CFR 50.59 evaluation
documentation. References to other documents should include the document name and location
of the information within any referenced document.
If qualitative assessment categories are used, each category would be discussed in the
documentation including positive and negative aspects considered, consistent with the
examples provided in Table 1. In addition, a discussion of the degree to which each of the
categories was relied on to reach the qualitative assessment conclusion would be documented.
4. Engineering Evaluations
4.1 Overview
This section describes approaches that could be used for conducting and documenting
engineering evaluations. completed in accordance with the licensees NRC approved quality
assurance program. The term engineering evaluation refers to evaluations performed in
designing digital I&C modifications. These evaluations are performed under the licensees NRC
approved quality assurance program. These engineering evaluations may include, but are not
limited to discussion of compliance with regulatory requirements and conformity to the UFSAR,
regulatory guidance, and design standards.
In addition, these engineering evaluations may include discussions of: a) the performance of
deterministic failure analyses, including analysis of the effects of digital I&C failures at the
component-level, system-level, and plant-level; b) the evaluation of defense-in-depth; and c) the
evaluation of the proposed modification for its overall dependability. The qualitative
assessment framework discussed in the previous sections of this attachment may rely, in part,
on the technical bases and conclusions documented within these engineering evaluations.
Thus, improved performance and documentation of engineering evaluations can enable better
qualitative assessments.
One result of performing these evaluations is to provide insights as to whether a proposed
digital I&C design modification may need to be enhanced with the inclusion of different or
additional design attributes. Such different or additional design attributes would serve to
prevent the occurrence of a possible CCF or reduce the potential for a software CCF to cause a
loss of design function.
Draft RIS 2002-22 Supplement 1, Attachment
Page 11 of 17
These approaches are provided for consideration only. They do not represent NRC
requirements and may be used at the discretion of licensees.
4.2 Selected Design Considerations
During the design process, it is important to consider both the positive effects of installing the
digital equipment (e.g., elimination of single-point vulnerabilities (SPVs), ability to perform signal
validation, diagnostic capabilities) with the potential negative effects (e.g., software CCF).
Digital I&C modifications can reduce SSC independence. Reduction in independence of design
functions from that described in the USFAR would require prior NRC approval.
4.2.1 Digital Communications
Careful consideration of digital communications is needed to preclude adverse effects on SSC
independence. DI&C-ISG-04, Revision 1, Highly-Integrated Control Rooms - Communications
Issues (Agencywide Documents Access and Management System Accession Number
ML083310185) provides guidance for NRC staff reviewing digital communications. This ISG
describes considerations for the design of communications between redundant SSCs, echelons
of defense-in-depth5 or SSCs with different safety classifications. The principles of this ISG or
other technically justifiable considerations, may be used to assess non-safety related SSCs.
4.2.2 Combining Design Functions
Combining design functions of different safety-related or non-safety related SSCs in a manner
not previously evaluated or described in the UFSAR could introduce new interdependencies and
interactions that make it more difficult to account for new potential failure modes. Failure of
combined design functions that: 1) can effect malfunctions of SSCs or accidents evaluated in
the UFSAR; or 2) involve different defense-in-depth echelons; are of significant concern.
Combining previously separate component functions can result in more dependable system
performance due to the tightly coupled nature of the components and a reduction in complexity.
If a licensee proposes to combine previously separate design functions in a safety-related
and/or non-safety related digital I&C modification, possible new failures need to be carefully
weighed with respect to the benefits of combining the previous separately controlled functions.
Failure analyses and control system segmentation analyses can help identify potential issues.
Segmentation analyses are particularly helpful for the evaluation of the design of non-safety
related distributed networks.
4.3 Failure Analyses
Failure analysis can be used to identify possible CCFs in order to assess the need to further
modify the design. In some cases, potential failures maybe excluded from consideration if the
failure has been determined to be implausible as a result of factors such as design
features/attributes, and procedures. Modifications that employ design attributes and features,
5
As stated in NEI 01-01, Section 5.2, A fundamental concept in the regulatory requirements and expectations for
instrumentation and control systems in nuclear power plants is the use of four echelons of defense-in-depth: 1)
Control Systems; 2) Reactor Trip System (RTS) and Anticipated Transient without SCRAM (ATWS); 3) Engineered
Safety Features Actuation System (ESFAS); and 4) Monitoring and indications.
Draft RIS 2002-22 Supplement 1, Attachment
Page 12 of 17
such as internal diversity, help to minimize the potential for CCFs. Sources of CCF, could
include the introduction of identical software into redundant channels, the use of shared
resources; or the use of common hardware and software among systems performing different
design functions. Therefore, it is essential that such sources of CCF be identified, to the extent
practicable, and addressed during the design stage as one acceptable method to support the
technical basis for the proposed modification.
Digital designs having sources of CCF that could affect more than one SSC need to be closely
reviewed to ensure that an accident of a different type from those previously evaluated in the
UFSAR has not been created. This is particularly the case when such common sources of CCF
also are subject to common triggers. For example, the interface of the modified SSCs with
other SSCs using identical hardware and software, power supplies, human-machine interfaces,
needs to be closely reviewed to ensure that possible common triggers have been addressed.
A software CCF may be assessed using best-estimate methods and realistic assumptions.
Unless already incorporated into the licensees UFSAR, best-estimate methods cannot be
used for evaluating different results than those previously evaluated in the UFSAR.
4.4 Defense-in-Depth Analyses
NEI 01-01 describes the need for defense-in-depth analysis as limited to substantial digital
replacements of reactor protection system and ESFAS. A defense-in-depth analysis for
complex digital modifications of systems other than protection systems may also reveal the
impact of any new potential CCFs due to the introduction of shared resources, common
hardware and software, or the combination of design functions of systems that were previously
considered to be independent of one another. Additionally, defense-in-depth analysis may
reveal direct or indirect impacts on interfaces with existing plant SSCs. This type of analysis
may show that existing SSCs and/or procedures could serve to mitigate effects of possible
CCFs introduced through the proposed modification.
4.5 Dependability Evaluation
Section 5.3.1 of NEI 01-01 states that a digital system that is sufficiently dependable will have a
likelihood of failure that is sufficiently low. This section describes considerations that can be
used to determine whether a digital system is sufficiently dependable.
The dependability evaluation relies on some degree of engineering judgment to support a
conclusion that the digital modification is considered to be sufficiently dependable. When
performing a dependability evaluation, one acceptable method is to consider: (1) inclusion of
any deterministically-applied defensive design features and attributes; (2) conformance with
applicable standards regarding quality of the design process for software and hardware; and (3)
relevant operating experience. Although not stated in NEI 01-01, judgments regarding the
quality of the design process and operating experience may supplement, but not replace the
inclusion of design features and attributes.
For proposed designs that are more complex or more risk significant, the inclusion of design
features and attributes that: serve to prevent CCF, significantly reduce the possible occurrence
of software CCF, or significantly limit the consequences of such software CCF, should be key
considerations for supporting a sufficiently dependable determination. Design features
Draft RIS 2002-22 Supplement 1, Attachment
Page 13 of 17
maximizing reliable system performance, to the extent practicable, can also be critical in
establishing a basis for the dependability of complex or risk significant designs.
Section 5.1.3 of NEI 01-01 states that Judgments regarding dependability, likelihood of failures,
and significance of identified potential failures should be documented. Depending on the
SSCs being modified and the complexity of the proposed modification, it may be challenging to
demonstrate sufficient dependability based solely upon the quality of the design process
and/or operating history. Engineering judgments regarding the quality of the design process
and operating experience may supplement, but not replace the inclusion of design features and
attributes when considering complex modifications.
Figure 1 of this attachment provides a simplified illustration of the engineering evaluations
process described in Section 4 of this attachment.
4.6 Engineering Documentation
Documentation for a proposed digital I&C modification is developed and retained in accordance
with the licensees design engineering procedures, and the NRC-approved QA program. The
documentation of an engineering evaluation identifies the possible failures introduced in the
design and the effects of these failures. It also identifies the design features and/or procedures
that document resolutions to identified failures, as described in NEI 01-01, Section 5.1.4. The
level of detail used may be commensurate with the safety significance and complexity of the
modification in accordance with licensees procedures.
Although not required, licensees may use Table 2 of this attachment to develop and document
engineering evaluations. Documentation should include an explanation providing adequate
bases for conclusions so that a knowledgeable reviewer could draw the same conclusion.
Draft RIS 2002-22 Supplement 1, Attachment
Page 14 of 17
Draft RIS 2002-22 Supplement 1, Attachment
Page 15 of 17
Table 2Example - Engineering Evaluation Documentation Outline
to support a Qualitative Assessment
Topical Area Description
Step 1- Describe the full extent of the SSCs to be modifiedboundaries of the
Identification design change, interconnections with other SSCs, and potential
commonality to vulnerabilities with existing equipment.
- What are all of the UFSAR-described design functions of the
upgraded/modified components within the context of the plant
system, subsystem, etc.?
- What design function(s) provided by the previously installed
equipment are affected and how will those design functions be
accomplished by the modified design? Also describe any new
design functions that were not part of the original design.
- What assumptions and conditions are expected for each associated
design function? For example, the evaluation should consider both
active and inactive states, as well as transitions from one mode of
operation to another.
Step 2Identify Consider the possibility that the proposed modification may have
potential failure introduced potential failures.
modes and * Are there potential failure modes or undesirable behaviors as a
undesirable behavior result of the modification? A key consideration is that
undesirable behaviors may not necessarily constitute an SSC
failure, but a misoperation. (e.g., spurious actuation)
- Are failures including, but not limited to, hardware, software,
combining of functions, shared resources, or common
hardware/software considered?
- Are there interconnections or interdependencies among the
- Are there sources of CCF being introduced that are also subject
to common triggering mechanisms with those of other SSCs not
being modified?
- Are potential failure modes introduced by software tools or
programmable logic devices?
Step 3Assess the * Could the possible failure mode or undesired behavior lead to a
effects of identified plant trip or transient?
failures * Can the possible failure mode or undesired behavior affect the
ability of other SSCs to perform their design function?
- Could the possible failure mode of the SSC, concurrent with a
similar failure of another SSC not being modified but sharing a
common failure and triggering mechanism affect the ability of the
SSC or other SSCs to perform their design functions?
- What are the results of the postulated new failure(s) of the
modified SSC(s) compared to previous evaluation results
described in the UFSAR?
Step 4Identify What actions are being taken (or were taken) to address significant
appropriate identified failures?
- Are further actions warranted?
Draft RIS 2002-22 Supplement 1, Attachment
Page 16 of 17
Table 2Example - Engineering Evaluation Documentation Outline
to support a Qualitative Assessment
Topical Area Description
resolutions for each * Is re-design warranted to add additional design features or
identified failures attributes?
- Is the occurrence of failure self-revealing or are there means to
annunciate the failure or misbehavior to the operator?
Step 5 * Describe the resolutions identified in Step 4 of this table that
Documentation address the identified failures.
- Describe the conformance to regulatory requirements, plants
UFSAR, regulatory guidance, and industry consensus standards
(e.g., seismic, EMI/RFI, ambient temperature, heat contribution).
- Describe the quality of the design processes used within the
software life cycle development (e.g., verification and validation
process, traceability matrix, quality assurance documentation,
unit test and system test results).
- Describe relevant operating history (e.g., platform used in
numerous applications worldwide with minimal failure history).
- Describe the design features/attributes that support the
dependability conclusion (e.g., internal design features within the
digital I&C architectures such as self-diagnostic and self-testing
features or physical restrictions external to the digital I&C
portions of the modified SSC), defense-in-depth (e.g., internal
diversity, redundancy, segmentation of distributed networks, or
alternate means to accomplish the design function).
- Summarize the results of the engineering evaluation including the
dependability determination.
Draft RIS 2002-22 Supplement 1, Attachment
Page 17 of 17
DRAFT NRC REGULATORY ISSUE SUMMARY 2002-22, SUPPLEMENT 1, CLARIFICATION
ON ENDORSEMENT OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN DESIGNING
DIGITAL UPGRADES IN INSTRUMENTATION AND CONTROL SYSTEMS DATE: Month
XX, 2018
OFFICE NRR/DIRS/IRGB/PM NRR/PMDA OE/EB OCIO
NAME TGovan LHill JPeralta DCullison
DATE 02/16/2018 01/18/2018 01/22/2018 01/17/2018
OFFICE NRR/DE/EICB/BC NRR/DIRS/IRGB/LA NRR/DIRS/IRGB/PM NRR/DIRS/IRGB/BC
NAME MWaters ELee TGovan HChernoff
DATE 03/01/2018 02/22/2018 03/01/2018 03/01/2018