ML17265A000

NEI 96-07, Appendix D Draft Revision 0c, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications.
Site: Nuclear Energy Institute
Issue date: 09/19/2017
From: Nuclear Energy Institute
To: Division of Policy and Rulemaking, Holonich, J, NRR/DPR, 415-7297
Download: ML17265A000 (60)


Text

NEI PROPOSED REVISIONS (Document Date: May 16, 2017)

NEI 96-07, Appendix D Draft Revision 0c Nuclear Energy Institute SUPPLEMENTAL GUIDANCE FOR APPLICATION OF 10 CFR 50.59 TO DIGITAL MODIFICATIONS


May 2017


ACKNOWLEDGMENTS

NEI would like to thank the NEI 01-01 Focus Team for developing this document.

Although everyone contributed to the development of this document, NEI would like to give special recognition to David Ramendick, who was instrumental in preparing this document.

NOTICE

Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information apparatus, methods, or process disclosed in this report or that such may not infringe privately owned rights.

NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017

EXECUTIVE SUMMARY

NEI 96-07, Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, provides focused application of the 10 CFR 50.59 guidance contained in NEI 96-07, Revision 1, to activities involving digital modifications.

The main objective of this guidance is to provide all stakeholders a common framework and understanding of how to apply the 10 CFR 50.59 process to activities involving digital modifications.

The guidance in this appendix supersedes NEI 01-01/ EPRI TR-102348, Guideline on Licensing of Digital Upgrades.


TABLE OF CONTENTS

EXECUTIVE SUMMARY
1 INTRODUCTION
1.1 BACKGROUND
1.2 PURPOSE
2 [NOT USED] DEFENSE IN DEPTH DESIGN PHILOSOPHY AS APPLIED TO DIGITAL I&C
3 DEFINITIONS AND APPLICABILITY OF TERMS
4 IMPLEMENTATION GUIDANCE
4.1 APPLICABILITY
4.2 SCREENING
4.3 EVALUATION PROCESS
5.0 EXAMPLES

1 INTRODUCTION

The intent of the § 50.59 process is to permit licensees to make changes to the facility, provided the changes maintain the level of safety documented in the original licensing basis, such as in the safety analysis report. There are specific considerations that should be addressed as part of the 50.59 process when performing 50.59 reviews for digital modifications. These specific considerations include, for example, different potential failure modes of digital equipment as opposed to the equipment being replaced, the effect of combining functions of previously separate devices into one device, and the potential for software common cause failure (software CCF).


1.1 BACKGROUND

Licensees have a need to modify existing systems and components due to the growing problems of obsolescence, difficulty in obtaining replacement parts, and increased maintenance costs. There also is great incentive to take advantage of modern digital technologies which offer potential performance and reliability improvements.

In 2002, a joint effort between the Electric Power Research Institute (EPRI) and the Nuclear Energy Institute (NEI) produced NEI 01-01, Revision 0 (also known as EPRI TR-102348, Revision 1), Guideline on Licensing Digital Upgrades: A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule, which was endorsed (with qualifications) by the Nuclear Regulatory Commission (NRC) in Regulatory Issue Summary (RIS) 2002-22.

Since the issuance of NEI 01-01 in 2002, digital modifications have become more prevalent. Application of the 10 CFR 50.59 guidance contained in NEI 01-01 has not been consistent or thorough across the industry, leading to NRC concern regarding uncertainty as to the effectiveness of NEI 01-01 and the need for clarity to ensure an appropriate level of rigor is being applied to a wide variety of activities involving digital modifications.

NEI 01-01 contained guidance for both the technical development and design of digital modifications as well as the application of 10 CFR 50.59 to those digital modifications. The NRC stated that NEI could separate technical guidance from 10 CFR 50.59 related guidance.

Commented [A1]: Source: ML17170A089 Comment No. A2. Rationale: To improve accuracy: NEI first proposed this idea, and then the NRC documented that it had no objection.

EPRI document 3002005326, Methods for Assuring Safety and Dependability when Applying Digital Instrumentation and Control Systems, has been created to provide technical guidance for the development and design of digital systems with the purpose of systematically identifying, assessing, and managing failure susceptibilities of I&C systems and components. However, the use of EPRI 3002005326 is not required for the application of the 50.59-related guidance in this appendix.

NEI 16-16, Guidance for Addressing Digital Common Cause Failure, has been created to provide technical guidance for addressing Common Cause Failure (CCF) for compliance to deterministic licensing criteria and NRC policies and positions such as SRM-SECY-93-087 and BTP 7-19. The technical-focused guidance contained in NEI 16-16, used in conjunction with the licensing-focused guidance in this document, provides a complementary set of approaches and considerations when implementing a digital modification.

However, the use of NEI 16-16 is not required for the application of the 50.59-related guidance in this appendix.

Commented [A2]: Not necessary for 50.59 guidance.

1.2 PURPOSE

Appendix D is intended to assist licensees in the performance of 10 CFR 50.59 reviews of activities involving digital modifications in a consistent and comprehensive manner. This assistance includes guidance for performing 10 CFR 50.59 Screens and 10 CFR 50.59 Evaluations. This appendix does not include guidance regarding design requirements for digital activities.

The guidance in this appendix applies to 10 CFR 50.59 reviews for both small-scale and large-scale digital modifications, from the simple replacement of an individual analog meter with a microprocessor-based instrument, to a complete replacement of an analog reactor protection system with an integrated digital system. Examples of activities considered to be a digital modification include computers, computer programs, data (and its presentation), embedded digital devices, software, firmware, hardware, the human-system interface, microprocessors and programmable digital devices (e.g., Programmable Logic Devices and Field Programmable Gate Arrays).

This guidance is not limited to "stand-alone" instrumentation and control systems. This guidance can also be applied to the digital aspects of modifications or replacements of mechanical or electrical equipment if the new equipment makes use of digital technology (e.g., a new HVAC design that includes embedded microprocessors for control).

Commented [A3]: This clarification is needed since the guidance in this document only includes aspects unique to digital equipment.

Finally, this guidance is applicable to digital modifications involving safety-related and non-safety-related systems and components and also covers digital-to-digital activities (i.e., modifications or replacements of digital-based systems).


1.3 10 CFR 50.59 PROCESS SUMMARY

No additional guidance is provided.

Commented [A4]: Source: ML13298A787 Issue Nos. 5, 7, 9, & 10. Rationale: As discussed in the sources, 50.59 implementers have had trouble distinguishing between technical criteria and 50.59 criteria. The basic problem was they used guidance for one to do the other.

1.4 APPLICABILITY TO 10 CFR 72.48

This section is not used for digital modifications. No additional guidance is provided.

1.5 CONTENT OF THIS GUIDANCE DOCUMENT

This section is not used for digital modifications. No additional guidance is provided.

2 [NOT USED] DEFENSE IN DEPTH DESIGN PHILOSOPHY AS APPLIED TO DIGITAL I&C

This section is not used for digital modifications. No additional guidance is provided.

Commented [A5]: Source: ML13298A787 Issue Nos. 5, 7, 9, & 10. Text adapted from NEI 01-01 Section 5.2. Rationale: It is necessary to clearly articulate the D3 criteria, and show they are not new, but have always been there. It has been the application of these criteria to a new technology (i.e., digital I&C) that has been confusing to industry; therefore the basic concepts must be stated and agreed to.

3 DEFINITIONS AND APPLICABILITY OF TERMS

There are no definitions or modifications to the definitions necessary for application of 10 CFR 50.59 to digital modifications. Definitions 3.1 through 3.14 are the same as those provided in NEI 96-07, Rev. 1. Terms specific to this appendix are defined below.

Commented [A6]: Source: (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4. Rationale: New terms are defined since undefined terms are a source of regulatory uncertainty.

3.1 10 CFR 50.59 EVALUATIONS

No additional guidance is provided.

3.2 ACCIDENTS PREVIOUSLY EVALUATED IN THE UFSAR (AS UPDATED)

No additional guidance is provided.

3.3 CHANGE

No additional guidance is provided.

3.4 DEPARTURE FROM A METHOD OF EVALUATION DESCRIBED IN THE UFSAR

No additional guidance is provided.

3.5 DESIGN BASES (DESIGN BASIS)

No additional guidance is provided.

3.6 FACILITY AS DESCRIBED IN THE UFSAR

No additional guidance is provided.

3.7 FINAL SAFETY ANALYSIS REPORT (AS UPDATED)

No additional guidance is provided.

3.8 INPUT PARAMETERS

No additional guidance is provided.

3.9 MALFUNCTION OF A SSC IMPORTANT TO SAFETY

No additional guidance is provided.

3.10 METHODS OF EVALUATION

No additional guidance is provided.

3.11 PROCEDURES AS DESCRIBED IN THE UFSAR

No additional guidance is provided.

3.12 SAFETY ANALYSIS

No additional guidance is provided.

3.13 SCREENING

No additional guidance is provided.

3.14 TEST OR EXPERIMENTS NOT DESCRIBED IN THE UFSAR

No additional guidance is provided.

3.15 CCF

[LATER - coordinate with NEI 16-16]

3.16 SOFTWARE CCF

[LATER - coordinate with NEI 16-16]

3.17 CCF SUSCEPTIBILITY ANALYSIS

Commented [A7]: Source: (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4, A28, & A29. Rationale: New terms should be defined since undefined terms are a source of regulatory uncertainty.

3.18 PLANT LEVEL EFFECTS

3.19 Qualitative Assessment

Commented [A8]: Global change to be addressed during meeting: Any examples that refer to technical information that is part of the qualitative assessment should state that the design satisfies the "sufficiently low" likelihood of the qualitative assessment instead of describing a select incomplete piece.

For digital I&C systems, reasonable assurance of low likelihood of failure is derived from a qualitative assessment of factors involving system design features, the quality of the design processes employed, and the operating history of the software and hardware used (i.e., product maturity and in-service experience). The qualitative assessment is used to record the factors and rationale and reasoning for making a determination that there is reasonable assurance that the digital I&C modification will exhibit a low likelihood of failure by considering the aggregate of these factors.

[REMOVE USE OF THE TERM "QUALITATIVE ASSESSMENT"]

3.17 Sufficiently Low

Sufficiently low means much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors).

4 IMPLEMENTATION GUIDANCE

In accordance with 10 CFR 50.59, plant changes are reviewed by the licensee to determine whether the change can be made without obtaining a license amendment (i.e., without prior NRC review and approval of the change). The 10 CFR 50.59 process of determining when prior NRC review is required includes three parts: Applicability, Screening, & Evaluation. The applicability process involves determining whether a change is controlled under another regulatory requirement. The screening process involves determining whether a change has an adverse effect on a design function described in the UFSAR. The evaluation process involves determining whether the change has more than a minimal effect on the likelihood of failure or on the outcomes associated with the proposed activity.

Commented [A9]: Source: NEI 01-01 Page No 4-7. Reason: To provide context. Small changes made to improve clarity.

In general, since digital systems cannot be verified to contain no errors, two separate aspects should be considered, the design process and the design. A high quality design process is used to minimize the likelihood of errors in the software, and the design is evaluated to ensure it contains the proper design attributes to ensure the assumptions of the accident analysis are maintained.

Commented [A10]: Source: ML17170A089 Comment No. A37. Rationale: Software development processes and software design are two distinct things, and each should be addressed separately. This background material and the following two paragraphs support other changes in the evaluation section.

Design Process: For digital upgrades one of the challenges in the 10 CFR 50.59 process is addressing the effect of software, and potential failures of software, on a UFSAR-described design function. The answer lies in the engineering evaluations that are performed throughout the design process.

Commented [A11]: Source: NEI 01-01 Section 4.1. Reason: To provide context. Small changes made to improve clarity.

Design: Another challenge is evaluating the effect that design changes to system architecture have on the assumptions in the accident analyses, such as diversity, defense-in-depth, and independence. Furthermore, the coupling or combining of functions and/or equipment also has the potential to challenge these same assumptions.

Commented [A12]: Source: Engineering judgement. Reason: To provide context.

[Verify addressed in Screen and Evaluation sections]

4.1 APPLICABILITY

There is no Applicability guidance unique to digital modifications. Section 4.1 of NEI 96-07, Revision 1, provides guidance on the applicability of 10 CFR 50.59. In some cases, a change may be controlled by more specific regulations. Also, for digital-to-digital changes that appear to be like-for-like replacements, an equivalency evaluation should be performed to determine if the replacement is a plant design change (subject to 10 CFR 50.59) versus a maintenance activity. Digital-to-digital change may not necessarily be like-for-like because the system behaviours, response time, failure modes, etc. for the new system may be different from the old system. If the vendor, hardware, firmware, application software, and the configuration data are identical, then the upgrade may be a like-for-like maintenance activity where 10 CFR 50.59 would apply.

Commented [A13]: Source: NEI 01-01 Section 4.2. Reason: To provide missing guidance.

4.2 SCREENING

CAUTION

The guidance contained in this appendix is intended to supplement the generic Screen guidance contained in the main body in NEI 96-07, Section 4.2. Namely, the generic Screen guidance provided in the main body of NEI 96-07 and the more-focused Screen guidance in this appendix BOTH apply to digital modifications.

Throughout this section, references to the main body of NEI 96-07, Rev. 1 will be identified as "NEI 96-07."

In NEI 96-07, Section 4.2.1.1, equivalent replacements are discussed. Digital-to-digital changes may not necessarily be equivalent because the system behaviours, response time, failure modes, etc. for the new system may be different from the old system.

As stated in NEI 96-07, Section 4.2.1, the determination of the impact of a proposed activity (i.e., adverse or not adverse) is based on the impact of the proposed activity on UFSAR-described design functions. To assist in determining the impact of a digital modification on a UFSAR-described design function, the general guidance from NEI 96-07 will be supplemented with the digital-specific guidance in the topic areas identified below.

In the following sections and sub-sections that provide the Screen guidance unique to the application of 10 CFR 50.59 to digital modifications, each section and sub-section addresses only a specific aspect, sometimes at the deliberate exclusion of other related aspects. This focused approach is intended to concentrate on the particular aspect of interest and does not imply that the other aspects do not apply or could not be related to the aspect being addressed. Initially, all aspects need to be considered, with the knowledge that some of them may be able to be excluded based on the actual scope of the digital modification being reviewed.


Within this appendix, examples are provided to illustrate the guidance. Unless stated otherwise, a given example only addresses the aspect or topic within the section/sub-section in which it is included, sometimes at the deliberate exclusion of other aspects or topics that, if considered, could potentially change the Screen conclusion.

The first step in screening is to determine whether the change affects a design function as described in the UFSAR. If it does not, then the change screens out, and can be implemented without further evaluation under the 10 CFR 50.59 process. If the change does affect a UFSAR-described design function, then it should be evaluated to determine if it has an adverse effect.

Changes with adverse effects are those that have the potential to increase the likelihood of malfunctions, increase consequences, create new accidents, or otherwise meet the 10 CFR 50.59 evaluation criteria. Additional guidance on the definition of adverse is provided in the bulleted examples below:

  • Decreasing the reliability of a design function,
  • Adding or deleting an automatic or manual design function,
  • Converting a feature that was automatic to manual or vice versa,
  • Reducing redundancy, diversity, or defense-in-depth, or
  • Adversely affecting the response time required to perform required actions.

As discussed in 4.2.1, "Is the Activity a Change to the Facility or Procedures as Described in the UFSAR?," a given activity may have both direct and indirect effects that the screening review must consider. Consistent with historical practice, changes to the facility or procedures affecting SSCs or functions not described in the UFSAR must be screened for their effects (so-called indirect effects) on UFSAR-described design functions. A 10 CFR 50.59 evaluation is required when such changes adversely affect a UFSAR-described design function.

Commented [A14]: Global Comment: Do not mention "described in the UFSAR" when indirect effects must be considered because it incorrectly implies that whether something is explicitly described in the UFSAR is a factor in 50.59 decisionmaking. Specifically, explicitly described in the UFSAR is not a factor in screening (e.g., HSI) or criterion 2. NEI 96-07r1 clearly states when explicit UFSAR wording matters (e.g., UFSAR described "design functions", "accidents", "methods of evaluation").

Examples 4-C and 4-D illustrate typical screening considerations for a small digital upgrade.

Commented [A15]: Source: NEI 01-01 Section 4.3.3. Reason: To provide guidance. The following 2 examples are from NEI 01-01.

Example 4-C. Screening for a Recorder Upgrade (Screens Out)

Commented [A16]: Source: ML17006A341 Comment No. A2. Reason: To provide example to illustrate when digital modifications are or are not adverse.

An analog recorder is to be replaced with a new microprocessor based recorder. The recorder is used for various purposes including Post Accident Monitoring, which is an UFSAR-described design function. An engineering/technical evaluation performed on the change determined that the new recorder will be highly dependable (based on a quality development process, testability, and successful operating history) and therefore, the risk of failure of the recorder due to software is considered very low. The new recorder also meets all current required performance, HSI, and qualification requirements, and would have no new failure modes or effects at the level of the design function. The operator will use the new recorder in the same way the old one was used, and the same information is provided to support the Post Accident Monitoring function, so the method of controlling or performing the design function is unaltered. The licensee concludes that the change will not adversely affect any design function and screens out the change.

Example 4-D. Screening for a Recorder Upgrade (Screens In)

Commented [A17]: Source: ML17006A341 Comment No. A2. Reason: To provide example to illustrate when digital modifications are or are not adverse.

Similar to Example 4-C, a licensee is planning to replace an analog recorder with a new microprocessor based recorder. However, in this instance, the engineering/technical evaluation determined that the new recorder does not truly record continuously. Instead, it samples at a rate of 10 hertz then averages the 10 samples and records the average every one second. This frequency response is lower compared to the original equipment and may result in not capturing all process variable spikes or short-lived transients. In this case, the licensee concludes that there could be an adverse effect on an UFSAR-described design function and screens in the change. In the 10 CFR 50.59 evaluation, the licensee will evaluate the magnitude of this adverse effect.
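The sampling behaviour in Example 4-D can be made concrete with the following Python script, which is an added illustration and not part of NEI 96-07 or NEI 01-01: it constructs a flat process signal with one 50 ms spike and compares what a recorder logging one-second averages of 10 Hz samples captures against a high-rate unaveraged reference. The 1000 Hz reference rate, the signal values and the spike timing are assumptions of the example.

```python
"""Added illustration for Example 4-D: a recorder that samples at 10 Hz and logs the
one-second average of those samples attenuates or misses short-lived transients.
The process signal below is constructed for the example; it is not plant data."""
from typing import Callable, Dict, List

BASELINE = 100.0        # constructed steady-state process value (arbitrary units)
SPIKE_HEIGHT = 50.0     # constructed transient magnitude above baseline
SPIKE_WIDTH_S = 0.05    # constructed 50 ms transient, shorter than one 10 Hz sample period
DURATION_S = 3.0        # length of the constructed trace in seconds


def make_signal(spike_start_s: float) -> Callable[[float], float]:
    """Return a process variable as a function of time: flat baseline plus one
    rectangular spike beginning at spike_start_s."""
    def signal(t: float) -> float:
        if spike_start_s <= t < spike_start_s + SPIKE_WIDTH_S:
            return BASELINE + SPIKE_HEIGHT
        return BASELINE
    return signal


def record(signal: Callable[[float], float], rate_hz: int, window_s: float) -> List[float]:
    """Sample `signal` at rate_hz and log the mean of each window_s block of samples.
    A window_s equal to one sample period records every sample unaveraged."""
    per_window = max(1, round(window_s * rate_hz))
    samples = [signal(i / rate_hz) for i in range(round(DURATION_S * rate_hz))]
    return [sum(samples[i:i + per_window]) / per_window
            for i in range(0, len(samples), per_window)]


def peak_excursion(trace: List[float]) -> float:
    """Largest recorded departure above the baseline."""
    return max(trace) - BASELINE


def compare_recorders(spike_start_s: float, reference_rate_hz: int = 1000) -> Dict[str, float]:
    """Peak excursion seen by the Example 4-D recorder (10 Hz samples, 1 s average)
    versus a high-rate, unaveraged reference standing in for continuous recording.
    The 1000 Hz reference rate is an assumption made for this illustration."""
    signal = make_signal(spike_start_s)
    averaged = record(signal, rate_hz=10, window_s=1.0)
    reference = record(signal, rate_hz=reference_rate_hz, window_s=1.0 / reference_rate_hz)
    return {"reference": peak_excursion(reference), "averaged": peak_excursion(averaged)}


if __name__ == "__main__":
    # Spike aligned with a sample instant: one of the ten samples sees it, so the
    # logged one-second average shows only a tenth of the transient.
    print(compare_recorders(spike_start_s=1.00))
    # Spike falling between two sample instants: the averaged record misses it entirely.
    print(compare_recorders(spike_start_s=1.03))
```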

4.2.1 Is the Activity a Change to the Facility or Procedures as Described in the UFSAR?

There is no regulatory requirement for a proposed activity involving a digital modification to default (i.e., be mandatorily "forced") to an adverse conclusion.

Although there may be the potential for the introduction of adverse impacts on UFSAR-described design functions due to the following types of activities involving a digital modification, these typical activities do not default to an adverse conclusion simply because of the activities themselves (i.e., not a change that fundamentally alters (replaces) the existing means of performing or controlling design function as described in NEI 96-07, Section 4.2.1.2), for example:


  • The introduction of software or digital devices.
  • The replacement of software and/or digital devices with other software and/or digital devices.
  • The use of a digital processor to "calculate" a numerical value or "generate" a control signal using software in place of using analog components.
  • Replacement of hard controls (i.e., pushbuttons, knobs, switches, etc.) to operate or control plant equipment with a touch-screen.

Therefore, engineering/technical determinations should be documented (as part of the design process) to demonstrate that there are no adverse impacts from the above activities.

Commented [PM18]: Placeholder for NRC comment A18

Generally, a digital modification may consist of three areas of activities: (1) software-related, (2) hardware-related and (3) Human-System Interface-related.

NEI 96-07, Section 4.2.1.1 provides guidance for activities that involve "...an SSC design function..." or a "...method of performing or controlling a design function..." and Section 4.2.1.2 provides guidance for activities that involve "...how SSC design functions are performed or controlled (including changes to UFSAR-described procedures, assumed operator actions and response times)." Based on this segmentation of activities, the software and hardware portions will be assessed within the "facility" Screen consideration since these aspects involve SSCs or the method of performing or controlling a design function and the Human-System Interface portion will be assessed within the "procedures" Screen consideration since this portion involves how SSCs are operated and controlled.

Commented [PM19]: Placeholder for NRC comment A19

Commented [PM20]: Placeholder for NRC comment A20

4.2.1.1 Screening of Changes to the Facility as Described in the UFSAR

SCOPE

Many of the examples in this section involve the Main Feedwater (MFW) System to illustrate concepts. The reason for selecting the MFW system is that it is one of the few non-safety-related systems that, upon failure, can initiate an accident.

Commented [A21]: Source: ML170170A089 Comment No. A6. Rationale: Based on the definition of accident in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are typically credited to mitigate accidents.)

In the determination of potential adverse impacts, the following aspects should be addressed in the response to this Screen consideration:

(a) Use of Software and Digital Devices
(b) Combination of Components/Functions
(c) Dependability Impact

Examples of activities that have the potential to cause an adverse effect include the following activities:

  • Addition or removal of a dead-band, or
  • Replacement of instantaneous readings with time-averaged readings (or vice-versa).
322 USE OF SOFTWARE AND DIGITAL DEVICES 323 The UFSAR may identify SSC design function conditions such asthrough 324 diversity, separation, independence, defense-in-depth and/or redundancy 325 through UFSAR discussions. With digital modifications, software and/or Commented [A22]: Strickly speaking diversity, separation, independence, defense-in-depth and/or 326 hardware have the potential to impact design function conditions such as the redundancy are properties or attributes of a design and 327 diversity, separation, independence, defense-in-depth, and/or redundancy of not design functions; however, NEI 96-07 page 12 states:

Implicitly included within the eaning of design function 328 SSCs explicitly and/or implicitly described in the UFSAR.1 are the conditions under which intened functions are required to be performed, such as equipment response times, process conditions, equipment qualification and 329 To assist in determining the impact of a digital modification on design single failure. Therefore diversity, separation, 330 function conditions such as the diversity, separation, independence, defense- independence, defense-in-depth and/or redundancy can be considered conditions of design functions.

331 in-depth and/or redundancy of the affected SSCs described in the UFSAR, 332 identify the features of the affected SSCs described in the UFSAR., Alternatively, the first sentence of this paragraph could be deleted.

333 Ccompare the proposed features of the affected SSCs with the existing Commented [A23]: Imporantly, adverse impact due to 334 features of the affected SSCs. The impact of any differences in the diversity, software is not limited to factors related to the diversity, 335 separation, independence, defense-in-depth and/or redundancy on the design separation, independence, defense-in-depth, and/or redundancy.

336 functions described in the UFSAR of the affected SSCs is then determined.

Commented [A24]: Source:

(1) ML17068A092 Comment No. 9 337 A digital modification that reduces SSC diversity, separation, independence, (2) ML17170A089 Comment No. A8 338 defense-in-depth and/or redundancy is adverse. In addition, an adverse effect Rationale: An SSC does not need to be described in the FASR (as updated) for a change to it to adversely affect a 339 may also consist of the potential marginal increase in the likelihood of SSC FSAR (as updated)-described design function.

340 failure due to the introduction of software. For redundant safety systems, Commented [A25]: Source: None 341 this marginal increase in likelihood creates a similar marginal increase in the Rationale: To improve claity. This intent being that only after it is determined that there is no reduction in then 342 likelihood of a common failure in the redundant safety systems. On this one can consider 343 basis, most digital modifications to redundant safety systems are adverse.

As previously written, someone could have understood that 344 However, for some digital modifications, engineering evaluations, using design atribtes can allow for redunctions in diversity, 345 methods approved by the NRC, may show that the digital modification separation, independence, defense-in-depth and/or redundancy.

346 contains design attributes to eliminate consideration of a software common 347 cause failure. In such cases, even when a digital modification involves Commented [A26]: Consider replacing with qualitative assessment guidance from RIS.

348 redundant systems, the digital modification would be not adverse. Note:

1 Refer to NEI 96-07, Section 4.2.1.1, 2nd paragraph.

D-12

In some cases the regulations require, and/or the UFSAR includes: (1) diversity, and (2) defense-in-depth; both of which address, in part, CCF. Engineering evaluations of design attributes should not be used to relax conformance to such diversity and defense-in-depth requirements when performing a 50.59 screening and evaluation.

For some relatively simple digital modifications, engineering evaluations may show that the risk of failure due to software is not significant and need not be evaluated further, even in applications of high safety significance. In such cases, even when a digital modification involves redundant systems, the digital modification would be not adverse. The engineering evaluation will have concluded that the digital system is sufficiently dependable, based on considerations such as:

  • the quality of the design processes employed;
  • the change has a limited scope (e.g., replace an analog transmitter with a digital transmitter that drives an existing instrument loop);
  • single failures of the digital device are bounded by existing failures of the analog device (e.g., no new digital communications among devices that introduce possible new failure modes involving separate devices);
  • uses a relatively simple digital architecture internally (a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks);
  • has limited functionality (e.g., transmitters are used to drive signals for parameters monitored);
  • can be comprehensively tested (but not necessarily 100 percent of all combinations); and
  • has extensive operating history.

Considerations for screening relatively simple digital equipment are illustrated in Example 4-A.


Example 4-A. Screening for a Smart Transmitter (Screens Out)

Transmitters are used to drive signals for parameters monitored by redundant ESFAS channels. The original analog transmitters are to be replaced with microprocessor-based transmitters. The change is of limited scope in that for each channel, the existing 4-20 mA instrument loop is maintained without any changes other than replacing the transmitter itself.

The digital transmitters are used to drive signals of monitored parameters and thus have limited functionality with respect to the ESFAS design function. The digital transmitters use a relatively simple digital architecture internally in that the firmware in the new transmitters implements a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks. This process runs in a continuous sequence with no branching or interrupts.

Single failures of the digital device are bounded by existing failures of the analog device in that there are no new digital communications among devices that could introduce possible new failure modes involving multiple devices. A qualitative assessment of the digital device concluded that the digital system is sufficiently dependable, based on the quality of the design processes employed, and the operating history of the software and hardware used. In addition, based on the simplicity of the device (one input and two outputs), it was comprehensively tested. Further, substantial operating history has demonstrated high reliability in applications similar to the ESFAS application.

The ESFAS design function is the ability to respond to plant accidents.

Consequently, it is concluded that no adverse effects on UFSAR-described design functions are created, and the change screens out.

Note that an upgrade that is similar to Example 4-A, but that uses digital communications from the smart transmitter to other components in the instrument loop might screen in because new interactions and potentially new failure behaviors are introduced that could have adverse effects and should be analyzed in a 10 CFR 50.59 evaluation (see Example 4-B).


Example 4-B. Screening for a Smart Transmitter (Screens In)

Smart transmitters similar to those described in Example 4-A are to be installed as part of an upgrade to the reactor protection system. The new smart transmitters have the capability to transmit their output signal using a digital communication protocol. Other instruments in the loop are to be replaced with units that can communicate with the transmitter using the same protocol. Because this change not only upgrades to a digital transmitter but also converts the instrument loop to digital communications among devices, there would be the potential for adverse effects owing to the digital communication and possible new failure modes involving multiple devices.

The ESFAS design function is the ability to respond to plant accidents.

As a result of the adverse effect on a UFSAR-described design function, this change screens in.

In some cases, the licensee's UFSAR describes (1) diversity, and (2) defense-in-depth; both of which address, in part, software CCF. Engineering evaluations of design attributes should not be used to relax conformance to such diversity and defense-in-depth requirements when performing a 50.59 screen.

Alternatively, the use of different software in two or more redundant SSCs is not adverse due to a software common cause failure because there is no mechanism that increases the likelihood of a common failure due to the introduction of software.

Examples 4-1a and 4-1b illustrate the application of the Use of Software and Digital Devices aspect. These examples illustrate how a variation in the licensing basis identified in the UFSAR can affect the Screen conclusion.

Example 4-1a. NO ADVERSE IMPACT on a UFSAR-Described Design Function related to use of Software and Digital Devices

Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same.

The two analog control systems will be replaced with two digital control systems. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

The pertinent UFSAR SSC descriptions are as follows:

(1) Two analog control systems are identified.

(2) Both analog control systems consist of the same physical and functional characteristics.

(3) The analog control system malfunctions include (a) failures causing the loss of all feedwater to the steam generators and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs.

The pertinent UFSAR-described design function of the main feedwater system is to automatically control and regulate feedwater to the steam generators.

With respect to the following considerations, the use of the same hardware platforms and same software in both control systems is NOT ADVERSE for the following reasons:

(a) Redundancy Consideration: There is no impact on redundancy since the UFSAR does not describe redundant SSCs and there are no UFSAR-described design function conditions related to redundancy.

Commented [PM27]: Placeholder to align original comment numbering.

Commented [A28]: Source: (1) ML17068A092 Comment No. 9; (2) ML17170A089 Comment No. A11. Rationale: It does not matter if it is described in the FSAR (as updated) or not.

(b) Diversity Consideration: There is no impact on diversity since the UFSAR does not describe diverse SSCs and there are no UFSAR-described design function conditions related to diversity.

Commented [A29]: Source: ML17170A089 Comment No. A12. Rationale: It does not matter if it is described in the FSAR (as updated) or not.

(c) Separation Consideration: There is no impact on the separation of the control systems identified in the UFSAR since each of the analog control systems will be replaced with a separate digital control system.

(d) Independence Consideration: Although both of the new digital control systems contain the exact same software (which is subject to a software common cause failure), the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that no new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main feedwater flow to the maximum output from both MFWPs are already considered in the licensing basis.

(e) Defense-in-Depth Consideration: There is no impact on defense-in-depth since the UFSAR does not describe SSCs for the purpose of establishing defense-in-depth and there are no UFSAR-described design function conditions related to defense-in-depth.

Commented [A30]: Source: ML17170A089 Comment No. A13. Rationale: It does not matter if it is described in the FSAR (as updated) or not.

Through consideration of items (a) through (e) above, there is NO ADVERSE impact on the method of performing or controlling the design function of the main feedwater system to automatically control and regulate feedwater to the steam generators due to the use of software and digital devices.

Commented [A31]: Source: (1) ML17068A092 Comment No. 4; (2) ML17170A089 Comment No. A14. Rationale: NEI 96-07 Rev. 1 Section 3.3 defines "method of performing or controlling a function" and it is used exclusively to refer to the things people do.

Example 4-1b. ADVERSE IMPACT on a UFSAR-Described Design Function related to use of Software and Digital Devices

This example differs from Example 4-1a in only the types of malfunctions already identified in the UFSAR, as reflected in item (3) shown below.

Items (1) and (2) are unaffected.

(3) [Modified from Example 4-1a] The analog control system malfunctions include (a) failures causing the loss of feedwater from only one MFWP to the steam generators and (b) failures causing an increase in main feedwater flow to the maximum output from only one MFWP.

The use of the same hardware platforms and same software in both control systems is ADVERSE due to its impact on the Independence Consideration.

Items (a), (b), (c) and (e) are unaffected.

(d) [Modified from Example 4-1a] Independence Consideration: Since the new digital control systems contain the exact same software (which is subject to a software common cause failure), the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that two new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main feedwater flow to the maximum output from both MFWPs have been created and were not considered in the original licensing basis.

There is an ADVERSE impact on the design function of the main feedwater system to automatically control and regulate feedwater to the steam generators due to the use of software that reduces independence and creates two new types of malfunctions.


COMBINATION OF COMPONENTS/FUNCTIONS

Commented [A32]: Source: ML13298A787 - Concerns 5 & 7. Rationale: Presumably this section was added to address this concern.

The UFSAR may identify the number of components, how the components were arranged, and/or how functions were allocated to those components. Any or all of these characteristics may have been considered in the process of identifying possible malfunctions or accident initiators.

When replacing analog SSCs with digital SSCs, it is potentially advantageous to combine multiple components and/or functions into a single device or control system. However, the failure of the single device or control system for any reason (e.g., a software common cause failure) can potentially affect multiple functions.

Commented [A33]: Single device failures or misbehaviours are by definition not CCFs. Only when there are multiple components that are assumed to be independent can one call it a CCF; therefore this example is technically incorrect.

The combination of previously separate components and/or functions (that does not reduce SSC design aspects such as diversity, separation, independence, defense-in-depth and/or redundancy), in and of itself, does not make the Screen conclusion adverse. Only if combining the previously separate components and/or functions causes a reduction in one of these aspects, a reduction in the required or assumed SSC design aspects such as diversity, separation, independence, defense-in-depth and/or redundancy, or a reduction in an SSC's ability or capability to perform a design function (e.g., by the creation of a new malfunction or accident initiator) is the combination aspect of the digital modification adverse.

Commented [A34]: Source: In several meetings, Industry expressed that not all combinations are bad. Rationale: These words help provide conceptual guidance for distinguishing combinations that are of regulatory concern from those that are not. The combinations that are bad are the ones that combine or couple items that span these criteria.

Commented [A35]: As screening criteria, ANY reduction in one of these aspects should be considered adverse. Whether the outcomes of such a reduction require a LAR is the subject of the evaluation section.

Commented [A36]: Source: ML17170A089 Comment No. A16. Rationale: Change includes indirect effects.

To assure adequate existing defense in depth is maintained, one should first identify potential coupling factors between equipment failures. A coupling factor is the condition or mechanism through which multiple components could be affected (or coupled) by the same cause. [DISCUSS MORE LATER, IN CONJUNCTION WITH EXAMPLE 4-A AND 4-B]

Commented [A37]: Source: (1) ML17006A341 Comment No. A2; (2) ML170170A089 Comment No. A10; (3) Text adapted from DG-1285 (ML16358A153); (4) ML13298A787 - Concern 10. Rationale: To add key aspects to consider when determining whether a digital modification should be considered adverse (or not) for 50.59 screening purposes.

To assist in determining the impact of a digital modification on the number and/or arrangement of components, review the description(s) of the existing SSCs described in the UFSAR (as updated). When comparing the existing and proposed configurations, consider how the proposed configuration affects the number and/or arrangement of components and the potential impacts of the proposed arrangement on UFSAR-described design functions.

Commented [A38]: As written this sentence is ambiguous. Without this change, it could be interpreted that only FSAR-described arrangements (as opposed to actual arrangements) matter. The criteria should be actual arrangements, whether described in the FSAR or not. Alternatively the entire first sentence could be deleted.

Examples 4-2 and 4-3 illustrate the application of the Combination of Components/Functions aspect.

Examples 4-2a and 4-2b illustrate how variations in a proposed activity can affect the Screen conclusion.

Example 4-2a. Combining Components and Functions with NO ADVERSE IMPACT on a UFSAR-Described Design Function

Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same. System drawings (incorporated by reference into the UFSAR) show that each analog control system has many subcomponents.

All of the analog subcomponents will be replaced with a single digital device that consolidates all of the components, sub-components and the technical functions associated with each component and sub-component. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

The pertinent UFSAR SSC descriptions are as follows:

(1) Two analog feedwater control systems are identified, including several major individual components.

(2) The SSC descriptions state that both analog control systems consist of the same physical and functional characteristics.

Although the control systems and the major components are described in the UFSAR, only a UFSAR-described design function for the feedwater control system is identified. No design functions for any of the individual components are described in the UFSAR. The pertinent UFSAR-described design function of the feedwater control system is "to provide adequate cooling water to the steam generators during normal operation."

The UFSAR identifies the following MFWP control system malfunctions:

(a) failures causing the loss of all feedwater to the steam generators, and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs.

The combination of components and functions has NO ADVERSE IMPACT on the identified design function for the following reasons:

No new malfunctions are created. The Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that no new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main feedwater flow to the maximum output from both MFWPs are already considered in the licensing basis. Since no new malfunctions are created, the ability to perform the design function "to provide adequate cooling water to the steam generators during normal operation" is maintained.

Using the same initial SSC configuration, proposed activity and UFSAR descriptions from Example 4-2a, Example 4-2b illustrates how a variation in the proposed activity would be addressed.

Example 4-2b. Combining Components and Functions with an ADVERSE IMPACT on a UFSAR-Described Design Function

Instead of two separate, discrete, unconnected digital control systems being used for the feedwater control systems, only one central digital processor is proposed to be used that will combine the previously separate control systems and control both feedwater pumps.

In this case, the proposed activity is ADVERSE because there is a reduction in the separation of the two original control systems.

Example 4-3 illustrates the combining of control systems from different, originally separate systems.

Example 4-3. Combining Components and Functions with an ADVERSE IMPACT on a UFSAR-Described Design Function Two non-safety-related analog feedwater control systems and a separate analog control system that controls the main turbine steam-inlet valves exist.

All three analog control systems will be replaced with one digital control system that will combine the two feedwater control systems and the main turbine steam-inlet valve control system into a single digital device.

The pertinent UFSAR SSC descriptions are as follows:

(1) Two analog feedwater control systems are identified. The feedwater control system contains a design function "to provide adequate cooling water to the steam generators during normal operation."

(2) One analog main turbine steam-inlet valve control system is identified.

The main turbine steam-inlet valve control system contains a design function "to control the amount of steam entering the main turbine during normal operation."

(5) The two feedwater control systems are independent from the main turbine steam-inlet valve control system.

(4) The function of controlling feedwater is separate from the function of controlling the main turbine steam-inlet valves. This separation is confirmed by a review of the accident analyses that do not include consideration of a simultaneous failure of the feedwater control system and the failure of the turbine control system.

In this case, the proposed activity is ADVERSE because there is a reduction in the separation and independence of the original control systems.
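The screening considerations discussed above (coupling factors, combination of previously separate systems, use of identical software in separate systems, and new digital communications among devices) can be expressed as a small decision model. The following Python code is an added illustration; it is not part of NEI 96-07 Appendix D and is not an NRC- or NEI-endorsed method. The Device and Modification classes, the firmware names, the channel labels and the malfunction type labels are assumptions constructed for this example, patterned after Examples 4-1a, 4-1b, 4-2b, 4-3, 4-A and 4-B. It generalizes those examples slightly by checking all three considerations on any configuration rather than one at a time.

```python
# Added illustration of the Appendix D screening considerations; not part of the guidance.
# Device, Modification, firmware names and malfunction labels are assumptions for this example.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    system: str                     # UFSAR-identified system or channel the device belongs to
    software: str | None = None     # identity of the software image; None for an analog device
    digital_links: frozenset = frozenset()  # devices it exchanges digital messages with


@dataclass(frozen=True)
class Modification:
    before: tuple                   # Device instances in the existing configuration
    after: tuple                    # Device instances in the proposed configuration
    ufsar_malfunctions: frozenset   # malfunction types already in the licensing basis
    fmea_malfunctions: frozenset    # malfunction types found by the FMEA of the new design


def coupling_factors(devices):
    """Conditions through which devices in different UFSAR-identified systems could be
    affected by the same cause: a shared software image or a digital link across systems."""
    systems_by_software = {}
    for d in devices:
        if d.software is not None:
            systems_by_software.setdefault(d.software, set()).add(d.system)
    factors = ["shared software " + sw
               for sw, systems in sorted(systems_by_software.items()) if len(systems) > 1]
    system_of = {d.name: d.system for d in devices}
    for d in devices:
        for peer in sorted(d.digital_links):
            if system_of.get(peer, d.system) != d.system:
                factors.append("digital link %s->%s spanning %s and %s"
                               % (d.name, peer, d.system, system_of[peer]))
    return factors


def digital_links(devices):
    return {(d.name, peer) for d in devices for peer in d.digital_links}


def screen(mod):
    """Apply the screening considerations from the text to one modification."""
    reasons = []
    # Combination aspect: a system identified before but absent after was folded into
    # another device or control system, reducing separation (Examples 4-2b, 4-3).
    merged = sorted({d.system for d in mod.before} - {d.system for d in mod.after})
    if merged:
        reasons.append("separation reduced: %s combined into one system" % ", ".join(merged))
    # New digital communications among devices introduce new interactions (Example 4-B).
    for src, dst in sorted(digital_links(mod.after) - digital_links(mod.before)):
        reasons.append("new digital communication %s->%s" % (src, dst))
    # Malfunction types the licensing basis did not consider (Example 4-1b). Identical software
    # in separate systems is reported as a coupling factor but is not adverse by itself when
    # the FMEA shows no new malfunction type (Example 4-1a).
    new_types = sorted(mod.fmea_malfunctions - mod.ufsar_malfunctions)
    if new_types:
        reasons.append("new malfunction type(s): " + "; ".join(new_types))
    return {"adverse": bool(reasons), "reasons": reasons,
            "coupling_factors": coupling_factors(mod.after)}


def mfwp_example(ufsar_malfunctions, combine=False):
    """Constructed after Examples 4-1a, 4-1b and 4-2b: two MFWP control systems replaced
    by digital controllers running identical software, or by one central device."""
    before = (Device("FWC-A analog", "MFWP-A"), Device("FWC-B analog", "MFWP-B"))
    if combine:
        after = (Device("FWC central", "MFWP-A+B", "fwc-1.0"),)
    else:
        after = (Device("FWC-A digital", "MFWP-A", "fwc-1.0"),
                 Device("FWC-B digital", "MFWP-B", "fwc-1.0"))
    fmea = frozenset({"loss of all feedwater", "max flow from both MFWPs"})
    return Modification(before, after, frozenset(ufsar_malfunctions), fmea)


def transmitter_example(digital_loop=False):
    """Constructed after Examples 4-A and 4-B: smart transmitters in four ESFAS channels,
    optionally talking to a replacement indicator in each loop over a digital protocol."""
    before = tuple(Device("XMT-%s analog" % ch, "ESFAS-" + ch) for ch in "ABCD")
    after = []
    for ch in "ABCD":
        links = frozenset({"IND-" + ch}) if digital_loop else frozenset()
        after.append(Device("XMT-%s smart" % ch, "ESFAS-" + ch, "xmtr-fw-2.1", links))
        if digital_loop:
            after.append(Device("IND-" + ch, "ESFAS-" + ch, "ind-fw-1.0"))
    known = frozenset({"fail high", "fail low", "fail as-is"})
    return Modification(before, tuple(after), known, known)


if __name__ == "__main__":
    both = {"loss of all feedwater", "max flow from both MFWPs"}
    one = {"loss of feedwater from one MFWP", "max flow from one MFWP"}
    cases = [("4-1a", mfwp_example(both)), ("4-1b", mfwp_example(one)),
             ("4-2b", mfwp_example(both, combine=True)),
             ("4-A", transmitter_example()), ("4-B", transmitter_example(True))]
    for label, mod in cases:
        print(label, screen(mod))
```

Running the module prints the screen result for each constructed case. The model deliberately lists shared software across separate systems as a coupling factor to be reported, but treats it as adverse only when the FMEA identifies malfunction types absent from the licensing basis, mirroring the contrast between Examples 4-1a and 4-1b; any merging of UFSAR-identified systems and any new digital link between devices is reported as adverse on its own, as in Examples 4-2b, 4-3 and 4-B.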

Commented [PM39]: Placeholder for original NRC comment A39.

For some component upgrades the likelihood of failure due to software may be judged to be no greater than failure due to other causes, i.e., comparable to hardware common cause failure, and includes no coupling mechanisms. In such a case, even when it affects redundant systems, the digital upgrade would screen out. Considerations for screening relatively simple digital equipment are illustrated in Example 4-A and include:

  • The digital modification has a sufficiently low likelihood of common cause failure based on the qualitative assessment of system design features, the quality of the design processes employed, and the operating history of the software and hardware used. This qualitative assessment evaluates the magnitude of the adverse effect (i.e., sufficiently low likelihood), which is the focus of the 10 CFR 50.59 evaluation, not the screening. To screen out the digital modification, the following additional considerations provide a greater degree of assurance to conclude that the change does not have an adverse effect on a design function:
  • the change is of limited scope (e.g., replace an analog transmitter with a digital transmitter that drives an existing instrument loop);
  • single failures of the digital device are bounded by existing failures of the analog device (e.g., no new digital communications among devices that introduce possible new failure modes involving multiple devices);
  • uses a relatively simple digital architecture internally (a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks);
  • has limited functionality (e.g., transmitters are used to drive signals for parameters monitored);
  • can be comprehensively tested (but not necessarily 100 percent of all combinations); and
  • has extensive operating history.

Example 4-A. Screening for a Smart Transmitter (Screens Out)

Commented [PM40]: Placeholder for original NRC comment A40.

Transmitters are used to drive signals for parameters monitored by redundant ESFAS channels. The original analog transmitters are to be replaced with microprocessor-based transmitters. The change is of limited scope in that for each channel, the existing 4-20 mA instrument loop is maintained without any changes other than replacing the transmitter itself.

The digital transmitters are used to drive signals of monitored parameters and thus have limited functionality with respect to the ESFAS design function. The digital transmitters use a relatively simple digital architecture internally in that the firmware in the new transmitters implements a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks. This process runs in a continuous sequence with no branching or interrupts. An alarm relay is available to annunciate detected failures.

Single failures of the digital device are bounded by existing failures of the analog device in that there are no new digital communications among devices that could introduce possible new failure modes involving multiple devices. A qualitative assessment of the digital device concluded that the likelihood of common cause failures in multiple channels was very low based on system design features, the quality of the design processes employed, and the operating history of the software and hardware used. In addition, based on the simplicity of the device (one input and two outputs), it was easily tested.

Further, substantial operating history has demonstrated high reliability in applications similar to the ESFAS application.

Consequently, it is concluded that no adverse effects are created, and the change screens out.

Note that an upgrade that is similar to Example 4-A, but that uses digital communications from the smart transmitter to other components in the instrument loop might screen in because new interactions and potentially new failure behaviors are introduced that could have adverse effects and should be analyzed in a 10 CFR 50.59 evaluation (see Example 4-B).

Example 4-B. Screening for a Smart Transmitter (Screens In)

Commented [PM41]: Placeholder for original NRC comment A41.

Smart transmitters similar to those described in Example 4-A are to be installed as part of an upgrade to the reactor protection system. The new smart transmitters have the capability to transmit their output signal using a digital communication protocol. Other instruments in the loop are to be replaced with units that can communicate with the transmitter using the same protocol. Because this change not only upgrades to a digital transmitter but also converts the instrument loop to digital communications among devices, there would be the potential for adverse effects owing to the digital communication and possible new failure modes involving multiple devices. As a result, this change screens in.

DEPENDABILITY IMPACT

In the main body of NEI 96-07, Section 4.2.1, subsection titled "Screening for Adverse Effects," reliability is mentioned in the following excerpt:

"...a change that decreases the reliability of a function whose failure could initiate an accident would be considered to adversely affect a design function..."

Based on the technical outcomes from applicable Industry and/or NRC guidance documents and using the information considered in those sources to develop those outcomes, the Screen should assess the dependability of performing applicable design functions due to the introduction of software and/or hardware.

Example 4-4 illustrates the application of the dependability consideration.

Example 4-4. Digital Modification that Satisfies Dependability, causing NO ADVERSE IMPACT on a UFSAR-described Design Function

An analog recorder is to be replaced with a new microprocessor-based recorder. The recorder is used for various purposes including Post Accident Monitoring, which is a UFSAR-described design function.

Dependability Assessment: An engineering evaluation performed as part of the technical assessment supporting the digital modification concluded that the new recorder will be highly dependable (based on a quality development process, testability, and successful operating history) and therefore, the risk of failure of the recorder due to software is considered very low.

The change will have NO ADVERSE IMPACT on any design function due to the dependability assessment.

4.2.1.2 Screening of Changes to Procedures as Described in the UFSAR

Commented [A42]: Comments on HSI Screening Guidance were previously provided in: (1) ML17068A092 Comment Nos. 18-26; (2) ML17170A089 Comment Nos. A17-A27.

SCOPE

If the digital modification does not include or affect a Human-System Interface (e.g., the replacement of a stand-alone analog relay with a digital relay that has no features involving personnel interaction and does not feed signals into any other analog or digital device), then this section does not apply and may be excluded from the Screen assessment.

NEI 96-07, Section 3.11 defines procedures as follows:

"...Procedures include UFSAR descriptions of how actions related to system operation are to be performed and controls over the performance of design functions. This includes UFSAR descriptions of operator action sequencing or response times, certain descriptions...of SSC operation and operating modes, operational...controls, and similar information."

Although UFSARs do not typically describe the details of a specific Human-System Interface, UFSARs will describe any design functions associated with the HSI.

Because the human-system interface (HSI) involves system/component operation, this portion of a digital modification is assessed in this Screen consideration. The focus of the Screen assessment is on potential adverse effects due to modifications of the interface between the human user and the technical device.

There are 3 basic elements of an HSI (Reference: NUREG-0700):

  • Displays: the visual representation of the information operators need to monitor and control the plant.
  • Controls: the devices through which personnel interact with the HSI and the plant.
  • User-interface interaction and management: the means by which personnel provide inputs to an interface, receive information from it, and manage the tasks associated with access and control of information.

Operators must be able to accurately perceive, comprehend and respond to system information via the HSI to successfully complete their tasks. Specifically, nuclear power plant personnel perform four primary types of tasks (Reference: XXX):

(1) monitoring and detection (extracting information from the environment and recognizing when something changes),
(2) situation assessment (evaluation of conditions),
(3) response planning (deciding upon actions to resolve the situation) and
(4) response implementation (performing an action).

To determine potential adverse impacts of HSI modifications on design functions, a two-step analysis must be performed. Step one is assessing how the modification impacts (i.e., positively, negatively or no impact) the operators' abilities to perform each of the four primary types of tasks described above. If there are negative impacts, step two of the analysis consists of determining how the impacts affect the pertinent UFSAR-described design function(s) (i.e., adversely or not adversely). Examples of negative impacts on operator performance of tasks that may result in adverse effects on a design function include:

  • increased possibility of mis-operation,
  • increased difficulty in evaluating conditions,
  • increased difficulty in performing an action,
  • increased time to respond,
  • creation of new potential failure modes.

Table 1 contains examples of modifications to HSI elements that should be addressed in the response to this Screen consideration.

[INSERT TABLE 1 FROM HSI COMMENTS FILE HERE.]


  • Because the Human-System Interface involves system/component operation, operator actions, response times, etc., this portion of a digital modification is assessed in this Screen consideration.

If the digital modification does not include or affect a Human-System Interface (e.g., the replacement of a stand-alone analog relay with a digital relay that has no features involving personnel interaction and does not feed signals into any other analog or digital device), then this section does not apply and may be excluded from the Screen assessment.

The focus of the Screen assessment is on potential adverse effects due to modifications of the interface between the human user and the technical device [e.g., equipment manipulations, actions taken, options available, decision-making, manipulation sequences or operator response times (including the impact of errors of a cognitive nature in which the information being provided is unclear or incorrect)], not the written procedure modifications that may accompany a physical design modification (which are addressed in the guidance provided in NEI 96-07, Section 4.2.1.2).

PHYSICAL INTERFACE WITH THE HUMAN-SYSTEM INTERFACE

In the determination of potential adverse impacts, the following aspects should be addressed in the response to this Screen consideration:

(a) Physical Interaction with the Human-System Interface (HSI)
(b) Number/Type of Parameters
(c) Information Presentation
(d) Operator Response Time

Physical Interaction with the Human-System Interface

A typical physical interaction modification might involve the use of a touch screen in place of push-buttons, switches or knobs, including sensory-based aspects such as auditory or tactile feedback.

To determine if the HSI aspects of a digital modification have an adverse impact on UFSAR-described design functions, potential impacts due to the physical interaction with the HSI should be addressed in the Screen.

Consideration of a digital modification's impact due to the physical interaction with the HSI involves an examination of the actual physical interface and how it could impact the performance and/or satisfaction of UFSAR-described design functions. For example, if a new malfunction is created as a result of the physical interaction, then the HSI portion of the digital modification would be adverse. Such a new malfunction may be created by the interface requiring the human user to choose which of multiple components is to be controlled, creating the possibility of selecting the wrong component (which could not occur with an analog system that did not need the human user to "make a selection").

Characteristics of HSI changes that could lead to potential adverse effects may include, but are not limited to:

  • Changes from manual to automatic initiation (or vice versa) of functions,
  • Changes in the data acquisition process (such as replacing an edgewise analog meter with a numeric display or a multipurpose CRT in which access to the data requires operator interaction to display),
  • Changes that create new potential failure modes in the interaction of operators with the system (e.g., new interrelationships or interdependencies of operator actions and/or plant response, or new ways the operator assimilates plant status information),
  • Increased possibility of mis-operation related to performing a design function,
  • Increased difficulty for an operator to perform a design function, or
  • Increased complexity or duration in diagnosing or responding to an accident [e.g., Time-Critical Operator Actions (TCOAs) identified in the UFSAR].

If the HSI changes do not exhibit characteristics such as those listed above, then it may be reasonable to conclude that the method of performing or controlling a design function is not adversely affected.

Examples 4-5 through 4-7 illustrate the application of the Physical Interaction aspect to ONLY the "controls" element of an HSI.

Example 4-5. Physical Interaction Assessment of the "Controls" Element of an HSI with NO ADVERSE IMPACT on a UFSAR-Described Design Function

Description of the Proposed Activity Involving the Control Element:

Currently, a knob is rotated clockwise to increase a control function and counterclockwise to decrease the control function. This knob will be replaced with a touch screen. Using the touch screen, touching the "up" arrow will increase the control function and touching the "down" arrow will decrease the control function.

Identification and Assessment of Task Type(s) Involved:

(1) monitoring and detection (extracting information from the environment and recognizing when something changes) - INVOLVED
(2) situation assessment (evaluation of conditions) - NOT INVOLVED
(3) response planning (deciding upon actions to resolve the situation) - NOT INVOLVED
(4) response implementation (performing an action) - NOT INVOLVED

Design Function Identification:

The UFSAR-described design function states the operator can "increase and decrease the control functions using manual controls located in the Main Control Room." Thus, this UFSAR description implicitly identifies the SSC (i.e., the knob) and the design function of the SSC (i.e., its ability to allow the operator to manually adjust the control function).

Identification and Assessment of Modification Impacts on the Task Type(s) INVOLVED:

As part of the technical evaluation supporting the proposed activity, a Human Factors Evaluation (HFE) was performed. The HFE concluded that no new failures or malfunctions have been introduced as a result of the replacement of the knob with a touch screen.

  • possibility of mis-operation - NO IMPACT
  • difficulty in evaluating conditions - N/A
  • difficulty in performing an action - NO IMPACT
  • time to respond - N/A
  • new potential failure modes - NO IMPACT

Assessment of Design Function Impact(s)

Using the results from the HFE and examining only the physical interaction aspect of the "controls" element of an HSI (i.e., ignoring the other three HSI aspects, such as the impact on operator response time or the number and/or sequence of steps necessary to access the new digital controls), the replacement of the "knob" with a "touch screen" is not adverse since it does not impact the ability of the operator to "increase and decrease the control functions using manual controls located in the Main Control Room," maintaining satisfaction of the UFSAR-described design function.

Using the same proposed activity provided in Example 4-5, Example 4-6 illustrates how a variation in the UFSAR description would cause an adverse impact.

Example 4-6. Physical Interaction with an ADVERSE IMPACT on a UFSAR-Described Design Function

The UFSAR states not only that the operator can "increase and decrease the control functions using manual controls located in the Main Control Room," but also that "the control mechanism provides tactile feedback to the operator as the mechanism is rotated through each setting increment."

Since a touch screen cannot provide (or duplicate) the "tactile feedback" of a mechanical device, replacing the "knob" with a "touch screen" is adverse because it adversely impacts the ability of the operator to obtain tactile feedback from the device.

Using the same proposed activity provided in Example 4-5 and the same UFSAR descriptions from Example 4-6, Example 4-7 illustrates how a variation in the proposed activity would also cause an adverse impact.

Example 4-7. Physical Interaction with an ADVERSE IMPACT on a UFSAR-Described Design Function

In addition to the touch screen control "arrows" themselves, a sound feature and associated components will be added to the digital design that will emit a clearly audible and distinct "tone" each time the control setting passes through the same setting increment that the tactile feature provided with the mechanical device.

Although the operator will now receive auditory "feedback" during the operation of the digital device, the means by which this feedback is provided has been altered. Since the means of controlling the design function has changed, new malfunctions can be postulated (e.g., high ambient sound levels that prevent the operator from hearing the feedback). Therefore, the modification of the feedback feature (i.e., from tactile to auditory) has an adverse impact on the ability of the design function to be performed.

Number and/or Type of Parameters Displayed By and/or Available From the Human-System Interface

One advantage of a digital system is the amount of information that can be monitored, stored and presented to the user. However, the possibility exists that the amount of such information may lead to an over-abundance that is not necessarily beneficial in all cases.

To determine if the HSI aspects of a digital modification have an adverse effect on UFSAR-described design functions, potential impacts due to the number and/or type of parameters displayed by and/or available from the HSI should be addressed in the Screen.

Consideration of a digital modification's impact due to the number and/or type of parameters displayed by and/or available from the HSI involves an examination of the actual number and/or type of parameters displayed by and/or available from the HSI and how they could impact the performance and/or satisfaction of UFSAR-described design functions. Potential causes for an adverse impact on a UFSAR-described design function could include a reduction in the number of parameters monitored (which could make the diagnosis of a problem or determination of the proper action more challenging or time-consuming for the operator), the absence of a previously available parameter (i.e., a type of parameter), a difference in how the loss or failure of parameters occurs (e.g., as the result of combining parameters), or an increase in the amount of information that is provided such that the amount of available information has a detrimental impact on the operator's ability to discern a particular plant condition or to perform a specific task.

Example 4-8 illustrates the application of the Number and/or Type of Parameters aspect.

Example 4-8. Number and Type of Parameters with NO ADVERSE IMPACT on a UFSAR-Described Design Function

Currently, all controls and indications for a single safety-related pump are analog. There are two redundant channels of indications, either of which can be used to monitor pump performance, but only one control device. For direct monitoring of pump performance, redundant motor electrical current indicators exist. For indirect monitoring of pump performance, redundant discharge pressure and flow rate indicators exist. Furthermore, at the destination of the pump's flow, redundant temperature indicators exist to allow indirect monitoring of pump performance to validate proper pump operation by determination of an increasing temperature trend (i.e., indicating insufficient flow) or a stable/decreasing temperature trend (i.e., indicating sufficient flow). All of these features are described in the UFSAR.

The UFSAR also states that the operator will "examine pump performance and utilize the information from at least one of the redundant plant channels to verify performance" and "the information necessary to perform this task is one parameter directly associated with the pump (motor electrical current) and three parameters indirectly associated with pump performance (discharge pressure, flow rate, and response of redundant temperature indications)."

A digital system will replace all of the analog controls and indicators. Two monitoring stations will be provided, either of which can be used to monitor the pump. Each monitoring station will display the information from one of the two redundant channels. The new digital system does not contain features to automatically control the pump, but does contain the ability to monitor each of the performance indications and inform/alert the operator of the need to take action. Therefore, all pump manipulations will still be manually controlled.

Since the new digital system presents the same number (one) and type (motor electrical current) of pump parameters to directly ascertain pump performance and the same number (three) and type (discharge pressure, flow rate and redundant temperature) of system parameters to indirectly ascertain pump performance, there is no adverse impact on the UFSAR-described design function to perform direct monitoring of pump performance and no adverse impact on the UFSAR-described design function to perform indirect monitoring of pump performance.

Information Presentation on the Human-System Interface

A typical change in data presentation might result from the replacement of an edgewise analog meter with a numeric display or a multipurpose CRT.

To determine if the HSI aspects of a digital modification have an adverse effect on UFSAR-described design functions, potential impacts due to how the information is presented should be addressed in the Screen.

Consideration of a digital modification's impact due to how the information is presented involves an examination of how the actual information presentation method could impact the performance and/or satisfaction of UFSAR-described design functions. To determine possible impacts, the UFSAR should be reviewed to identify descriptions regarding how information is presented, organized (e.g., how the information is physically presented) or accessed, and if that presentation, organization or access relates to the performance and/or satisfaction of a UFSAR-described design function.

Examples of activities that have the potential to cause an adverse effect include:

  • Addition or removal of a dead-band, or
  • Replacement of instantaneous readings with time-averaged readings (or vice-versa).

If the HSI changes do not exhibit characteristics such as those listed above, then it may be reasonable to conclude that the method of performing or controlling a design function is not adversely affected.

Example 4-9 illustrates the application of the Information Presentation aspect.

Example 4-9. Information Presentation with an ADVERSE IMPACT on a UFSAR-Described Design Function

A digital modification consolidates system information onto two flat panel displays (one for each redundant channel/train). Also, due to the increased precision of the digital equipment, the increment of presentation on the HSI will be improved from 10 gpm to 1 gpm. Furthermore, the HSI will now present the information layout "by channel/train."

The UFSAR identifies the existing presentation method as consisting of "indicators with a 10 gpm increment" to satisfy safety analysis assumptions and the physical layout as being "by flow path" to allow the operator to determine system performance.

The change in the display increment (from 10 gpm to 1 gpm) is not adverse since the operator will continue to be able to distinguish the 10 gpm increment identified in the UFSAR-described design function.

The new display method (i.e., "by channel/train") adversely affects the ability of the operator to satisfy the design function to ascertain system performance "by flow path."

Operator Response Time

Typically, an increase in the operator response time might result from the need for the operator to perform additional actions (e.g., due to the additional steps necessary to call up or retrieve the appropriate display and operate the soft control rather than merely reading an indicator on the Main Control Board).

To determine if the HSI aspects of a digital modification have an adverse effect on UFSAR-described design functions, potential impacts on the operator response time should be addressed in the Screen.

Consideration of a digital modification's impact on the operator response time due to the modification of the number and/or type of decisions made, and/or the modification of the number and/or type of actions taken, involves an examination of the actual decisions made/actions taken and how they could impact the performance and/or satisfaction of UFSAR-described design functions. To determine possible impacts, the UFSAR must be reviewed to identify descriptions relating to operator response time requirements and if those timing requirements are related to the performance and/or satisfaction of a UFSAR-described design function.

Example 4-10 is the same as Example 4-9, but illustrates the application of the Operator Response Time aspect.

Example 4-10. Operator Response Time with NO ADVERSE IMPACT on a UFSAR-Described Design Function

A digital modification consolidates system information onto two flat panel displays (one for each redundant channel/train). Also, due to the increased precision of the digital equipment, the increment of presentation on the HSI will be improved from 10 gpm to 1 gpm. Furthermore, the HSI will now present the information layout "by channel/train."

The UFSAR identifies the existing presentation method as a physical layout "by flow path" to allow the operator to determine system performance.

Although the UFSAR identifies the existing presentation method as consisting of a physical layout "by flow path" to allow the operator to determine system performance and the new display method (i.e., "by channel/train") will require additional steps by the operator to determine system performance, requiring more time, there is no adverse impact on satisfaction of the design function to ascertain system performance because no response time requirements are applicable to the design function of the operator being able "to determine system performance."

COMPREHENSIVE HUMAN-SYSTEM INTERFACE EXAMPLE

Although no additional guidance is provided in this section, Example 4-11 illustrates how each of the aspects identified above would be addressed.

Example 4-11. Digital Modification involving Extensive HSI Considerations with NO ADVERSE IMPACTS on a UFSAR-Described Design Function

Component controls for a redundant safety-related system are to be replaced with PLCs. The existing HSI for these components is made up of redundant hard-wired switches, indicator lights, and analog meters. The new system consolidates the information and controls onto two flat panel displays (one per redundant train), each with a touch screen providing soft control capability.

The existing number and type of parameters remains the same, which can be displayed in a manner similar to the existing presentations (e.g., by train).

However, the information can also be presented in different configurations that did not previously exist (e.g., by path or by parameter type to allow for easier comparison of like parameters), using several selectable displays.

The flat panel display can also present any of several selectable pages depending on the activity being performed by the operator (e.g., starting/initiating the system, monitoring the system during operation, or changing the system line-up).

To operate a control, the operator must (via the touch screen) select the appropriate activity (e.g., starting/initiating the system, monitoring the system during operation, or changing the system line-up), select the desired page (e.g., train presentation, path presentation, or parameter comparison), select the component to be controlled (e.g., pump or valve), select the control action (e.g., start/stop or open/close), and execute it.

The display remains on the last page selected, but each page contains a "menu" of each possible option to allow direct access to any page without having to return to the "main menu."

The two new HSIs (one per redundant train) will provide better support of operator tasks and reduced risk of errors due to:

  • Consolidation of needed information onto a single display (within the family of available displays) that provides a much more effective view of system operation when it is called into action.


  • Elimination of the need for the operator to seek out meter readings or indications, saving time and minimizing errors.
  • Integration of cautions and warnings within the displays to help detect and prevent potential errors in operation (e.g., warnings about incorrect system lineups during a test or maintenance activity).

The design was developed using a human factors engineering design process, with verification and validation consistent with current industry and regulatory standards and guidelines. As part of the technical evaluation supporting the proposed activity, a Human Factors Evaluation (HFE) was performed. Based on the conclusions from the HFE, the design provides a more effective HSI that is less prone to human error than the existing design.

The UFSAR-described design functions applicable to this proposed activity include descriptions of the existing controls (the physical switches, indicator lights and meters) and of how each of these SSCs is used during normal and abnormal (including accident) operating conditions. The UFSAR identifies the current physical arrangement (i.e., two physically separate locations) as providing assurance that the design function is satisfied by preventing the operator from operating the "wrong" component. There are no UFSAR-described design functions related to the operator response times associated with using the existing controls.

The impacts on design functions are identified below:

  • Physical Interaction - NOT ADVERSE because the new HSI consists of two physically separate displays.
  • Number and Type of Parameters - NOT ADVERSE because the same number and type of parameters exist with the new HSI.
  • Information Presentation - NOT ADVERSE because all of the existing features (e.g., individual controls, indicator lights and parameters displays that mimic the analog meters) continue to exist with the new HSI.
  • Operator Response Time - NOT ADVERSE because no response time requirements were applicable to any of the design functions and there were no indirect adverse effects on any other design function.


4.2.1.3 Screening Changes to UFSAR Methods of Evaluation

By definition, a proposed activity involving a digital modification involves SSCs and how SSCs are operated and controlled, not a method of evaluation described in the UFSAR (see NEI 96-07, Section 3.10).

Methods of evaluation are analytical or numerical computer models used to determine and/or justify conclusions in the UFSAR (e.g., accident analyses that demonstrate the ability to safely shut down the reactor or prevent/limit radiological releases). These models also use "software." However, the software used in these models is separate and distinct from the software installed in the facility. The response to this Screen consideration should reflect this distinction.

A necessary revision or replacement of a method of evaluation (see NEI 96-07, Section 3.10) resulting from a digital modification is separate from the digital modification itself and the guidance in NEI 96-07, Section 4.2.1.3 applies.

4.2.2 Is the Activity a Test or Experiment Not Described in the UFSAR?

By definition, a proposed activity involving a digital modification involves SSCs and how SSCs are operated and controlled, not a test or experiment (see NEI 96-07, Section 4.2.2). The response to this Screen consideration should reflect this characterization.

A necessary test or experiment (see NEI 96-07, Section 3.14) involving a digital modification is separate from the digital modification itself and the guidance in NEI 96-07, Section 4.2.2 applies.

4.3 EVALUATION PROCESS

CAUTION

The guidance contained in this appendix is intended to supplement the generic Evaluation guidance contained in the main body of NEI 96-07, Section 4.3. Namely, the generic Evaluation guidance provided in the main body of NEI 96-07 and the more-focused Evaluation guidance in this appendix BOTH apply to digital modifications.

Introduction

In the following sections and sub-sections that describe the Evaluation guidance particularly useful for the application of 10 CFR 50.59 to digital modifications, each section and sub-section describes only a specific aspect, sometimes at the deliberate exclusion of other related aspects. This focused approach is intended to concentrate on the particular aspect of interest and does not imply that the other aspects do not apply or could not be related to the aspect being addressed.

Throughout this section, references to the main body of NEI 96-07, Rev. 1 will be identified as "NEI 96-07."

Credibility of Common Cause Failure (CCF) Likelihood Determination Outcomes

The possible outcomes of an engineering evaluation regarding a CCF (e.g., a CCF Susceptibility Analysis), performed in accordance with applicable Industry and/or NRC approved guidance documents, regarding the CCF likelihood are as follows:

(1) CCF likelihood not credible (i.e., the likelihood of a CCF caused by an I&C failure source is sufficiently low, as defined in Definition 3.17: comparable to the likelihood of a CCF caused by other failure sources that are not specifically analyzed in the UFSAR)

(2) CCF likelihood credible (i.e., the likelihood of a CCF caused by an I&C failure source is not sufficiently low: comparable to or greater than the likelihood of a CCF caused by other failure sources that are specifically analyzed in the UFSAR)

These outcomes will be used in developing the responses to Evaluation criteria 1, 2, 5 and 6.

Failure Analysis

As described in SECY 91-292 regarding NRC review of advanced light water reactor (ALWR) designs, digital I&C systems employ a greater degree of sharing of data transmission, functions, and process equipment as compared to analog systems. While this sharing enables some of the key benefits of digital equipment, it also increases the potential consequences of individual failures.

Consideration of potential system failures and undesirable behaviors should be an integral part of the process of designing, specifying, and implementing a digital upgrade. Consideration of these undesirable events is referred to collectively as failure analysis. Failure analysis interacts with essentially all the main elements of the design process. It provides information needed to support the licensing evaluations, and it provides the context in which the digital upgrade issues ultimately can be resolved. Failure analysis examines what you do not want the system or device to do.

Reviewer comments attached to this subsection (draft margin annotations):

Commented [A43]: Source: ML13298A787 Concern 3. Comment: The overarching goal is to have clear guidance. That is, both licensees and inspectors must interpret this document the same way. The reason that NEI 01-01 was written was because it was felt that it was not clear how to apply NEI 96-07 to digital modifications, because digital based SSCs were typically different than analog systems in certain ways. The typical ways in which new digital electronics SSCs are different are: (1) Modes, Behaviour and Misbehaviour; (2) Combining of Functions; (3) Coupling of Functions; (4) Potential for Increased Complexity; (5) System Architecture Changes; (6) Contain Software. While some of these aspects are considered in the screening section, the evaluation is silent on those that are addressed in the screening section. The failure analysis section below was added to address this comment.

Commented [A44]: Source: Engineering Judgement. Rationale: There are two things of concern: (1) Determination of if CCF is credible; (2) Characterisation of behavior during CCF ... [1]

Commented [A45]: Source: (1) ML17068A092 Comment No. 12; (2) ML17170A089 Comment No. A4. Rationale: New terms should be defined since undefined terms are a source of regulatory uncertainty.

Commented [A46]: In the August 29 Public Meeting, NEI stated the terms CCF Credible/Not Credible will no longer be used. All instances of "credible" have been highlighted to facilitate making this change.

Commented [A47] and [A48]: Source: ML17170A089 Comment No. A30. Rationale: There are many ways that CCF can be considered in the FSAR (as updated), specifically postulating and analyzing the results being only one.

Commented [A49]: Source: The following text (except as noted) adapted from NEI 01-01 Sections 5.1 and 5.1.1. Rationale: To address the first comment in Section 4.3 above.

Commented [A50]: Source: ML13298A787 Concern 11. Rationale: Text adapted from NEI 01-01 Section 5.3.1 to address the first comment in Section 4.3 above.

Failure analysis should not be a stand-alone activity, and it should not generate unnecessary effort or excessive documentation. It is part of the design process, and it can vary widely in scope depending on the extent and complexity of the upgrade. It should be performed as part of plant design procedures and should be documented as a part of the design process.

The purpose of the failure analysis is to ensure the system is designed with consideration of potential failures and undesirable behaviors such that the risk posed by these events is acceptable. Failure analysis should include the following elements:

  • Identification of potential system-level failures and undesirable behavior (which may not be technically "failures") and their consequences. This includes consideration of potential single failures as well as plausible common cause failures.
  • Identification of potential vulnerabilities which could lead to system failures or undesirable conditions.
  • Assessment of the significance and risk of identified vulnerabilities.
  • Identification of appropriate resolutions for identified vulnerabilities, including providing means for annunciating system failures to the operator.

A variety of methodologies and analysis techniques can be used in these evaluations, and the scope of the evaluations performed and documentation produced depends on the scope and complexity of the upgrade. The analysis maintains a focus at the level of the design functions performed by the system, because it is the effects of the failure on the system and the resulting impact on the plant that are important. Failures that impact plant safety are those that could: prevent performance of a safety function of the system, affect the ability of other systems to perform their safety functions, or lead to plant trips or transients that could challenge safety systems.

Ultimately, the digital equipment is installed to support overall system requirements, which in turn are necessary to support the plant system-level requirements. It is generally at the plant system level that major functional requirements exist to support plant safety and availability. Consequently, failure analysis should start by identifying the system or "design function" level functions, and examining how the digital equipment can cause these functions not to be performed.

In addition to failures of the system to perform its function, other failures such as spurious actions, challenges to safety systems, transient or accident initiators, etc., should be examined.

Engineering Evaluation Topics Beneficial for Performing a 50.59 Evaluation of Digital-Specific Adverse Effects

For digital modifications, attention should be given to the major things that may be different in the new digital electronic equipment, for example:

In the preparation of responses to the Evaluation criteria, the outcomes from the following engineering evaluation topics should be considered (as necessary):

(1) Modes of Behaviour and Misbehaviour
(2) Combining of Functions
(3) Coupling of Functions (e.g., via digital communications)
(4) Potential for Increased Complexity
(5) System Architecture Changes
(6) Software

Items 1, 2, 3, & 5 have the most potential to create the possibility for accidents of a different type and/or malfunctions with a different result.

Items 4 & 6 can make it more difficult to fully understand all aspects of the modification.

Commented [A51]: Source: ML13298A787 (Modes of Behaviour and Misbehaviour - Concern 11; Combining of Functions - Concerns 5 & 7; Coupling of Functions - Concern 10; Complexity - Concern 1). Rationale: To address the first comment in Section 4.3 above, one must identify the important aspects to consider.

Examples

Examples are provided to illustrate the guidance provided herein. Unless stated otherwise, a given example only addresses the aspect or topic within the section/sub-section in which it is included, sometimes at the deliberate exclusion of other aspects or topics that, if considered, could potentially change the Evaluation conclusion.

Commented [A52]: Source: ML170170A089 Comment No. A6. Rationale: Based on the definition of accident in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are typically credited to mitigate accidents.)

Many of the examples in this section involve the Main Feedwater (MFW) System to illustrate concepts. The reason for selecting the MFW system is that it is one of the few non-safety-related systems that, upon failure, can initiate an accident. Furthermore, a failure of the MFW system is one of the few malfunctions that are also accident initiators.

Commented [A53]: Source: ML170170A089 Comment No. A6. Rationale: Based on the definition of accident in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are typically credited to mitigate accidents.)


4.3.1 Does the Activity Result in More Than a Minimal Increase in the Frequency of Occurrence of an Accident?

INTRODUCTION

From NEI 96-07, Section 3.2:

"The term 'accidents' refers to the anticipated (or abnormal) operational transients and postulated design basis accidents..."

Therefore, for purposes of 10 CFR 50.59, both Anticipated Operational Occurrences (AOOs) and Postulated Accidents (PAs) fall within the definition of "accident."

After applying the generic guidance in NEI 96-07, Section 4.3.1 to identify any accidents affected by the systems/components involved with the digital modification and examining the initiators of those accidents, the impact on the frequency of the initiator (and, hence, the accident itself) due to the digital modification can be assessed.

All accident initiators fall into one of two categories: equipment-related or personnel-related. Therefore, the assessment of the impact of a digital modification also needs to consider both equipment-related and personnel-related sources.

For a digital modification, the range of possible equipment-related sources includes items unique to digital and items not unique to digital. An example of an item unique to digital is consideration of the impact on accident frequency due to a software CCF, which will be addressed in the guidance in this section. An example of an [item → potential source of CCF] that is not unique to digital is consideration of the impact on accident frequency due to the digital system's compatibility with the environment in which the system is being installed, which would be addressed by applying the general guidance for applicable regulatory requirements, commitments and other acceptance criteria to which the licensee is committed, and departures from standards as outlined in the general design criteria, as [described → discussed] in NEI 96-07, Section 4.3.1, and Section 4.3.1, Example 2.

Commented [A54]: Source: ML17170A089 Comment No. A34. Rationale: Please change CCF to software CCF as appropriate. CCF has always been, and continues to be, a regulatory concern, and it is addressed in many ways in the SARs (as is explained in Section 2 above).

Commented [A55]: Source: ML17170A089 Comment No. A34. Rationale: CCF has always been, and continues to be, a regulatory concern, and it is addressed in many ways in the SARs (as is explained in Section 2 above).

Commented [A56]: Source: ML17170A089 Comment No. A35. Rationale: By adding this text, the reference was changed from a general section reference to a reference to the specific applicable paragraph and example (to be explicitly clear what part of 4.3.1 was being referred to). The point is: Not meeting applicable technical criteria should be considered as not compatible with the not more than a minimal increase standard.

For a digital modification, the assessment for personnel-related sources will consider the impact due to the Human-System Interface (HSI).

Typically, numerical values quantifying an accident frequency are not available, so the qualitative approach using the causal relationship (i.e., attributable or not) and the magnitude of the effect (i.e., negligible/discernable) criteria from NEI 96-07, Section 4.3.1 will be examined in the guidance in this section.

Commented [A57]: Source: ML17170A089 Comment No. A40. Rationale: Clarification: The term attributable, since it is not defined, is used in the common English sense (i.e., indicating causality).

GUIDANCE

Factors to Consider and Address in the Response

1. Use of Software

Software that is developed in accordance with a defined life cycle process and complies with applicable industry standards and regulatory guidance does not inherently result in more than a minimal increase in the frequency of an accident. The design change process and the design documentation contain the information that will be used to determine if software increases the frequency of an accident.

Commented [PM58]: Placeholder for original NRC comment A58.

2. Use of Digital Components (e.g., microprocessors in place of mechanical devices)

NOTE: This factor is not unique to digital and would be addressed by applying the guidance described in NEI 96-07, Section 4.3.1.

This factor is included here for completeness.

Digital components are expected to be more reliable than the equipment being replaced. Aspects to be addressed include the following: compliance with applicable regulations and industry standards; qualification for environmental conditions (e.g., seismic, temperature, humidity, radiation, pressure, and electromagnetic compatibility); performance requirements for the plant-specific application; proper design of electrical power supplies; cooling or ventilation for thermal loads; and separation, independence and grounding. The design change process and the design documentation contain the information that will be used to determine if the use of digital components increases the frequency of an accident.

Commented [A59]: Source: ML17170A089 Comment No. A37. Rationale: Software development processes and software design are two distinct things, and each should be addressed separately.

3. Creation of a Software Common Cause Failure (Software CCF)

An engineering evaluation of the quality, design and design processes determines the likelihood of failure due to software via a common cause failure and its potential impact on the frequency of an accident. The engineering evaluation that assesses CCF likelihood includes the possible outcomes (i.e., CCF likelihood is sufficiently low or CCF likelihood is not sufficiently low). This information is documented in the qualitative assessment of the potential contributors to CCF and disposition of whether the design effectively reduced the likelihood of the CCF to the extent that the CCF can be considered not credible (e.g., in a CCF Susceptibility Analysis).

Commented [A60]: Source: (1) ML13298A787 - Concern 9; (2) ML17170A089 Comment No. A37 & A39. Rationale: Software development processes and software design are two distinct things, and each should be addressed separately.

Commented [A61]: Check to assure usage matches definition.

4. Intended Benefits of the Digital Component/System

NOTE: This factor is not unique to digital and would be addressed by applying the guidance described in NEI 96-07, Section 4.3.1.

This factor is included here for completeness.

In addition to the expected hardware-related reliability improvements of the physical devices themselves (addressed in factor 2 above), overall improvements in the reliability of the performance of the digital component/system, operational flexibility and/or maintenance-related activities may also be achieved. The design documentation contains the information that will be used to identify the intended benefits of the digital component/system and possible impacts on the frequency of an accident.

5. Design Attributes/Features

Commented [A62]: Should expand based on recent draft RIS after RIS language has been finalized.

Design attributes of the proposed digital modification are features that serve to prevent or limit failures from occurring, or that mitigate the results/outcomes of such possible failures. Factors to be considered include the following items:

  • Design Criteria (as applicable) (e.g., diversity, independence and redundancy)
  • Inherent Design Features for Software, Hardware or the Architectural/Network (e.g., external watchdog timers, isolation devices, segmentation, self-testing and self-diagnostic features)
  • Non-concurrent Triggers
  • Sufficiently Simple (i.e., enabling comprehensive testing)
  • Unlikely Series of Events (e.g., the evaluation of a given digital modification would need to postulate multiple independent random failures in order to arrive at a state in which a SCCF is possible)
  • Failure State (e.g., always known to be acceptable)

Commented [A63]: Source: ML17170A089 Comment No. A40. Rationale: This section uses the term attributable in the same way that it uses Negligible/Discernable; to indicate magnitude of effect. The wording was changed to more clearly indicate causality rather than magnitude of effect, as is the convention in the standard English interpretation of attributable.

Determination of Causality (using Attributable, i.e., causality)

If a CCF is determined to be not credible, then there is NO [attributable → discernable] impact on the frequency of occurrence of an accident. Namely, if a CCF is sufficiently unlikely to occur, then no mechanism for an [attributable → discernable] impact has been created.

Commented [A64]: Source: ML17170A089 Comment No. A40. Rationale: The word attributable is about causality and the word discernable is related to magnitude of effect. The term not credible means a sufficiently low probability (so that it need not be considered), not that it is impossible. Only if CCF is impossible can there be no attributable impact. This paragraph should be moved after the next one, or moved to the next section.

If a CCF is determined to be credible, but the component/system is not an accident initiator, then there is NO attributable impact on the frequency of occurrence of an accident. Namely, even if a CCF does occur, there is no relationship between the CCF and the accident initiator(s).

Commented [A65]: Source: ML17170A089 Comment No. A40. Rationale: This section uses the term attributable in the same way that it uses Negligible/Discernable; to indicate magnitude of effect. The wording was changed to more clearly indicate causality rather than magnitude of effect, as is the convention in the standard English interpretation of attributable.

Example 4-12 illustrates the case of NO attributable impact on the frequency of occurrence of an accident for a SSC not being an accident initiator.

Example 4-12. NO ATTRIBUTABLE Impact on the Frequency of Occurrence of an Accident Due to a SSC Not Being an Accident Initiator

Proposed Activity

Two safety-related containment chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Affected Accidents and Accident Initiators

The review of the UFSAR accident analyses identified the Loss of Coolant Accident (LOCA) and Main Steam Line Break (MSLB) events as containing requirements related to the safety-related containment chillers. Specifically, the UFSAR states the following: "To satisfy single failure requirements, the loss of only one control system and its worst-case effect on the containment post-accident environment due to the loss of one chiller has been considered in the LOCA and MSLB analyses."

Therefore, the affected accidents are LOCA and MSLB. The UFSAR identified an equipment-related initiator in both cases as being a pipe break.

For LOCA, the pipe break occurs in a hot leg or a cold leg. For MSLB, the pipe break occurs in the main steam line exiting the steam generator.

Impact on Accident Frequency

In this case, the safety-related containment chillers are not related to the accident initiators (i.e., pipe breaks). Furthermore, the chillers are only considered as part of accident mitigation, after the accidents have already occurred. Therefore, there is NO impact on the frequency of occurrence of the accidents that can be attributed to the digital modification.


If a CCF is determined to be credible and the component/system is an accident initiator, then there is an attributable potential impact on the frequency of occurrence of the accident.

Commented [A66]: Source: ML17170A089 Comment No. A40. Rationale: The word attributable is about causality and the word discernable is related to magnitude of effect. The term not credible means a sufficiently low probability (so that it need not be considered), not that it is impossible. Only if CCF is impossible can there be no attributable impact.

Example 4-13 illustrates the case of an attributable potential impact on the frequency of occurrence of an accident for the SSC being an accident initiator.

Example 4-13. ATTRIBUTABLE Potential Impact on the Frequency of Occurrence of an Accident Due to a SSC Being an Accident Initiator

Proposed Activity

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Affected Accident and Accident Initiators

The affected accident is the Loss of Feedwater event. The UFSAR identifies the equipment-related initiators as being the loss of one MFWP or the closure of one MFWP flow control valve.

Impact on Accident Frequency

Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF causing the loss of both feedwater control systems (resulting in the loss of both MFWPs and/or the closure of both MFWP flow control valves) has been determined to be [attributable → credible] (i.e., since the failure of the digital feedwater control systems can cause the loss of MFWPs or the closure of MFWP flow control valves, a potential impact on accident frequency due to the CCF can be attributed to the digital modification).

Commented [A67]: Source: ML17170A089 Comment No. A40. Rationale: The word attributable is about causality and the word discernable is related to magnitude of effect. The term not credible means a sufficiently low probability (so that it need not be considered), not that it is impossible. Only if CCF is impossible can there be no attributable impact.

Commented [A68]: Source: ML17170A089 Comment No. A40. Rationale: The word attributable is about causality and the word discernable is related to magnitude of effect. The term not credible means a sufficiently low probability (so that it need not be considered), not that it is impossible. Only if CCF is impossible can there be no attributable impact.

Determination of Magnitude (using Negligible/Discernable)


For the case in which a CCF is credible and there is an attributable potential impact on the frequency of occurrence of an accident, the magnitude portion of the criteria (i.e., negligible/discernable) also needs to be assessed.

Commented [A69]: Source: ML17170A089 Comment No. A40. Rationale: The word attributable is about causality and the word discernable is related to magnitude of effect. The term not credible means a sufficiently low probability (so that it need not be considered), not that it is impossible. Only if CCF is impossible can there be no attributable impact.

To determine the overall effect of the digital modification on the frequency of an accident, all the factors associated with the digital modification and their interdependent relationships need to be examined.

To achieve a negligible conclusion, the examination of all the factors would conclude that the net change in the accident frequency "...is so small or the uncertainties in determining whether a change in frequency has occurred are such that it cannot be reasonably concluded that the frequency has actually changed (i.e., there is no clear trend toward increasing the frequency)" [emphasis added] due to the net effect of the factors considered (i.e., use of software, use of digital components, creation of a software CCF, intended benefits and design attributes/features).

Alternately, if the net effects are such that a clear trend towards increasing the frequency would result, a discernable increase in the accident frequency would exist. However, to remain consistent with the guidance provided in NEI 96-07, Section 4.3.1, a discernable increase in the accident frequency [may → would] NOT be more than minimal if applicable NRC requirements, as well as design, material, and construction standards, to which the licensee is committed, [continue to be → were not] met.

Commented [A70]: Source: ML17170A089 Comment No. A45 & A46. Rationale: Standards are generally design neutral. That is, problems could occur due to (1) not meeting standards, and (2) poor design. Standards are only one of the criteria that can cause increases, so meeting all design standards may not be enough; however, failing to meet standards may be ok, but must be reviewed by the NRC staff.

Examples 4-14 and 4-15 will examine the magnitude portion (i.e., negligible/discernable) of the criteria and assume the attributable portion of the criteria has been satisfied.

Example 4-14 illustrates the NEGLIGIBLE impact case.

Example 4-14. NEGLIGIBLE Impact on the Frequency of Occurrence of an Accident

Proposed Activity

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Attributable Conclusion

See Example 4-13.

Magnitude Conclusion

Factors Considered:

1. Software - Developed in accordance with a defined life cycle process, and complies with applicable industry standards and regulatory guidance
2. Digital Components - More reliable, comply with all applicable standards, and meet all applicable technical requirements
3. CCF - Not Credible
4. Benefits - Reliability and performance increased
5. Design Attributes/Features - [LATER]

The net change in the frequency of occurrence of the Loss of Feedwater event is negligible due to the net effect of the factors considered.

Overall Conclusion

Although an attributable impact on the frequency of occurrence of the Loss of Feedwater event was determined to exist, there was no clear trend toward increasing the frequency. With no clear trend toward increasing the frequency, there is not more than a minimal increase in the frequency of occurrence of the accident due to the digital modification.

Example 4-15 illustrates the DISCERNABLE increase case.

Example 4-15. DISCERNABLE Increase in the Frequency of Occurrence of an Accident

Proposed Activity

Same as Example 4-14.

Attributable Conclusion

See Example 4-13.

Magnitude Conclusion

Factors Considered:

1. Software - Same as Example 4-14.
2. Digital Components - Same as Example 4-14.
3. CCF - Credible
4. Benefits - Same as Example 4-14.
5. Design Attributes/Features - Same as Example 4-14.

Requirements/Standards Consideration

All applicable NRC requirements, as well as design, material and construction standards, continue to be met.

The net change in the frequency of occurrence of the Loss of Feedwater event is discernable due to the net effect of the factors considered.

Overall Conclusion

An attributable impact on the frequency of occurrence of the Loss of Feedwater event was determined to exist and there is a clear trend towards increasing the frequency. The clear trend toward increasing the frequency (i.e., the discernable increase) is due to the CCF being credible. However, even with a clear trend towards increasing the frequency, the satisfaction of all applicable NRC requirements, as well as design, material and construction standards, means that there is NOT more than a minimal increase in the frequency of occurrence of the accident due to the digital modification.
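The causality and magnitude steps above, with the outcomes of Examples 4-12, 4-14 and 4-15 as constructed test cases, encoded as a screening aid; this is added illustration code, not part of the NEI document, and the field names, the HSI flag and the handling of the case where requirements or standards are not met (treated conservatively as more than minimal) are assumptions.

```python
"""Added illustration (not NEI text): the Section 4.3.1 attributable / negligible-discernable screen.

Branch order follows the guidance text:
  CCF not credible                          -> NO attributable impact
  CCF credible, SSC not an initiator        -> NO attributable impact
  CCF credible, SSC is an initiator         -> attributable; assess magnitude
  no clear increasing trend                 -> negligible (Example 4-14)
  clear trend, requirements/standards met   -> discernable, NOT more than minimal (Example 4-15)
  clear trend, requirements/standards unmet -> treated here as more than minimal (assumption:
                                               the conservative reading of the draft and comment A56)
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DigitalModification:
    """Inputs an evaluator records from the design package (field names are assumed)."""
    name: str
    ccf_credible: bool                  # conclusion of the CCF Susceptibility Analysis
    accident_initiator: bool            # is the SSC an initiator of an affected accident?
    clear_increasing_trend: bool        # net effect of the five factors on frequency
    requirements_and_standards_met: bool
    personnel_initiators: bool = False  # any operator-error initiators (HSI review)?
    factors: List[str] = field(default_factory=list)   # free-text factor dispositions


@dataclass
class Determination:
    attributable: bool
    magnitude: Optional[str]            # "negligible" / "discernable" / None if not attributable
    more_than_minimal: bool             # True means prior NRC approval would be needed
    hsi_review_required: bool
    basis: str


def evaluate_accident_frequency(mod: DigitalModification) -> Determination:
    """Apply the causality step first, then the magnitude step (NEI 96-07 App. D, 4.3.1)."""
    # The HSI portion can only raise accident frequency if a personnel-based initiator exists.
    hsi = mod.personnel_initiators

    # --- Determination of Causality (attributable) ---
    if not mod.ccf_credible:
        return Determination(False, None, False, hsi,
                             "CCF not credible: no mechanism for an impact has been created")
    if not mod.accident_initiator:
        return Determination(False, None, False, hsi,
                             "SSC is not an accident initiator: no relationship between "
                             "the CCF and the accident initiator(s)")

    # --- Determination of Magnitude (negligible/discernable) ---
    if not mod.clear_increasing_trend:
        return Determination(True, "negligible", False, hsi,
                             "attributable, but no clear trend toward increasing the frequency")
    if mod.requirements_and_standards_met:
        return Determination(True, "discernable", False, hsi,
                             "discernable increase, but applicable NRC requirements and "
                             "committed design, material and construction standards are met")
    return Determination(True, "discernable", True, hsi,
                         "discernable increase with requirements/standards not met: treated "
                         "as more than minimal (assumption, conservative reading)")


def overall_conclusion(mod: DigitalModification) -> str:
    """Render an 'Overall Conclusion' line in the style of the worked examples."""
    d = evaluate_accident_frequency(mod)
    verdict = "MORE than" if d.more_than_minimal else "NOT more than"
    return (f"{mod.name}: attributable={d.attributable}, magnitude={d.magnitude}; "
            f"{verdict} a minimal increase in accident frequency ({d.basis})")


# Constructed cases mirroring Examples 4-12, 4-14 and 4-15 (4-14/4-15 reuse the 4-13 MFW inputs).
EXAMPLES = {
    # 4-12: shared platform and software, but the chillers only mitigate LOCA/MSLB.
    # CCF credibility is assumed here; the example's conclusion does not depend on it.
    "4-12": DigitalModification("containment chiller controls", ccf_credible=True,
                                accident_initiator=False, clear_increasing_trend=False,
                                requirements_and_standards_met=True),
    # 4-14: attributable per 4-13, but no clear trend toward increasing frequency.
    "4-14": DigitalModification("MFW pump/valve controls", ccf_credible=True,
                                accident_initiator=True, clear_increasing_trend=False,
                                requirements_and_standards_met=True),
    # 4-15: credible CCF gives a clear trend, yet all requirements/standards are met.
    "4-15": DigitalModification("MFW pump/valve controls", ccf_credible=True,
                                accident_initiator=True, clear_increasing_trend=True,
                                requirements_and_standards_met=True),
}

if __name__ == "__main__":
    for label, mod in EXAMPLES.items():
        print(f"Example {label} -> {overall_conclusion(mod)}")
```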


HUMAN-SYSTEM INTERFACE ASSESSMENT

If no personnel-based initiators (e.g., operator error) are identified among the accident initiators, then an increase in the frequency of the accident cannot occur due to the Human-System Interface portion of the digital modification.

If personnel-based initiators (e.g., operator error) are identified among the accident initiators, then the application of the attributable criterion and the magnitude criterion (i.e., negligible/discernable) are assessed utilizing the guidance described in NEI 96-07, Section 4.3.1.

4.3.2 Does the Activity Result in More Than a Minimal Increase in the Likelihood of Occurrence of a Malfunction of an SSC Important to Safety?

INTRODUCTION

After applying the generic guidance in NEI 96-07, Section 4.3.2 to identify any malfunctions affected by the systems/components involved with the digital modification and examining the initiators of those malfunctions, the impact on the likelihood of the initiator (and, hence, the malfunction itself) due to the digital modification can be assessed.

All malfunction initiators fall into one of two categories: equipment-related or personnel-related. Therefore, the assessment of the impact of a digital modification also needs to consider both equipment-related and personnel-related sources.

For a digital modification, the range of possible equipment-related sources includes items unique to digital and items not unique to digital. An example of an item unique to digital is consideration of the impact on malfunction likelihood due to a software CCF, which will be addressed in the guidance in this section. An example of an item not unique to digital is consideration of the impact on malfunction likelihood due to the digital system's compatibility with the environment in which the system is being installed, which would be addressed by applying the guidance described in NEI 96-07, Section 4.3.2.

Commented [A71]: Make same changes as in 6th paragraph of the introduction of Section 4.3.1.

For a digital modification, the assessment for personnel-related sources will consider the impact due to the Human-System Interface (HSI).

Typically, numerical values quantifying a malfunction likelihood are not available, so the qualitative approach using the attributable and the magnitude (i.e., negligible/discernable) criteria from NEI 96-07, Section 4.3.2 will be examined in the guidance in this section.

GUIDANCE

Factors to Consider and Address in the Response

1. Use of Software

Software that is developed in accordance with a defined life cycle process and complies with applicable industry standards and regulatory guidance does not result in more than a minimal increase in the likelihood of a malfunction.

The design change process and the design documentation contain the information that will be used to determine if software increases the likelihood of a malfunction.

Commented [A72]: Reword in similar manner as in Section 4.3.1, after agreement is reached there.

2. Use of Digital Components (e.g., microprocessors in place of mechanical devices)

NOTE: This factor is not unique to digital and would be addressed by applying the guidance described in NEI 96-07, Section 4.3.2.

This factor is included here for completeness.

Digital components are expected to be more reliable than the equipment being replaced. Aspects to be addressed include the following: compliance with applicable regulations and industry standards; qualification for environmental conditions (seismic, temperature, humidity, radiation, pressure, and electromagnetic compatibility); performance requirements for the plant-specific application; proper design of electrical power supplies; cooling or ventilation for thermal loads; and separation, independence and grounding. The design change process and the design documentation contain the information that will be used to determine if the use of digital components increases the likelihood of a malfunction.

Commented [A73]: Reword in similar manner as in Section 4.3.1, after agreement is reached there.

3. Creation of a Software Common Cause Failure

Commented [A74]: Reword in similar manner as in Section 4.3.1, after agreement is reached there.

An engineering evaluation of the quality and design processes determines the likelihood of failure due to software via a common cause failure and its potential impact on the likelihood of a malfunction. This information is documented in the qualitative assessment of the potential contributors to CCF and disposition of whether the design effectively reduced the likelihood of the CCF to the extent that the CCF can be considered not credible (e.g., in a CCF Susceptibility Analysis).

Commented [A75]: Source NEI 96-07r1. Also revise to reflect the following from the 50.59 Q&A document: Section 4.3.2 of NEI 96-07, R1, says that a change that reduces system/equipment redundancy, diversity, separation or independence requires prior NRC approval. Does this mean reductions from redundancy, diversity, separation or independence described in the UFSAR? Or is prior NRC approval required only if the change reduces redundancy, diversity, separation or independence below the level required by the regulations? A. A change that reduces redundancy, diversity, separation or independence of UFSAR-described design functions is considered more than a minimal increase in the likelihood of malfunction and requires prior NRC approval. Licensees may, however, without prior NRC approval, reduce excess redundancy, diversity, separation or independence, if any, to the level credited in the UFSAR.

Example 6

The change would reduce system/equipment redundancy, diversity, separation or independence.

A change that reduces redundancy, diversity, separation or independence of UFSAR-described design functions is considered more than a minimal increase in the likelihood of malfunction and requires prior NRC approval.

Licensees may, however, without prior NRC approval, reduce excess redundancy, diversity, separation or independence, if any, to the level credited in the UFSAR. "As credited in the safety analysis" is discussed in NEI 96-07, Section 3.3.

4. Intended Benefits of the Digital Component/System

NOTE: This factor is not unique to digital and would be addressed by applying the guidance described in NEI 96-07, Section 4.3.2.

This factor is included here for completeness.

In addition to the expected hardware-related reliability improvements of the physical devices themselves (addressed in factor 2 above), overall improvements in the reliability of the performance of the digital component/system, operational flexibility and/or maintenance-related activities may also be achieved. The design documentation contains the information that will be used to identify the intended benefits of the digital component/system and possible impacts on the likelihood of a malfunction.

1078 5. Design Attributes/Features Commented [A76]: Reword in similar manner as in Section 4.3.1, after agreement is reached there.

1079 Design attributes of the proposed digital modification are features that serve 1080 to prevent or limit failures from occurring, or that mitigate the 1081 results/outcomes of such possible failures. Factors to be considered include 1082 the following items:

1083

  • Design Criteria (as applicable) (e.g., diversity, independence and 1084 redundancy) 1085
  • Inherent Design Features for Software, Hardware or the 1086 Architectural/Network (e.g., external watchdog timers, isolation 1087 devices, segmentation, self-testing and self-diagnostic features) 1088
  • Non-concurrent Triggers 1089
  • Sufficiently Simple (i.e., enabling comprehensive testing) 1090
  • Unlikely Series of Events (e.g., the evaluation of a given digital 1091 modification would need to postulate multiple independent random 1092 failures in order to arrive at a state in which a SCCF is possible) 1093
  • Failure State (e.g., always known to be acceptable) 1094 Determination of Attributable 1095 If a CCF is determined to be not credible, then there is NO attributable Formatted: Highlight 1096 impact on the likelihood of occurrence of a malfunction. Namely, if a CCF is D-50

NEI 96-07, Appendix D NEI Proposed Modifications: May 16, 2017 1097 sufficiently unlikely to occur, then no mechanism for an attributable impact 1098 has been created.

1099 If a CCF is determined to be credible, but the component/system is not a Formatted: Highlight 1100 malfunction initiator, then there is NO attributable impact on the likelihood 1101 of occurrence of a malfunction. Namely, even if a CCF does occur, there is no 1102 relationship between the CCF and the malfunction initiator(s). Commented [A77]: Reword in similar manner as in Section 4.3.1, after agreement is reached there.

1103 Example 4-16 illustrates a case of NO attributable impact on the likelihood of 1104 occurrence of a malfunction for a SSC not being a malfunction initiator.

Example 4-16. NO ATTRIBUTABLE Impact on the Likelihood of Occurrence of a Malfunction Due to a SSC Not Being a Malfunction Initiator

Commented [A78]: Source: ML17170A089 Comment No. A40. Rationale: Consistent with use of "attributable to" as an indication of causality.

Proposed Activity

Two safety-related containment chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Affected Malfunctions and Malfunction Initiators

The affected malfunction is the failure of one safety-related containment chiller. The UFSAR identifies two equipment-related initiators: (a) failure of the Emergency Diesel Generator (EDG) to start (preventing the EDG from supplying electrical power to the containment chiller it powers), and (b) an electrical failure associated with the chiller system (e.g., feeder breaker failure) or a mechanical failure within the chiller itself (e.g., flow blockage).

Impact on Malfunction Likelihood

In this case, the safety-related chiller control system is not related to the malfunction initiators (i.e., EDG failure, breaker failure or chiller failure). However, there may be an impact on the likelihood of occurrence of the malfunction that can be attributed to the digital modification.

Commented [A79]: Source: ML17170A089 Comment No. A40. Rationale: Consistent with use of "attributable to" as an indication of causality.

If a CCF is determined to be credible and the component/system is a malfunction initiator, then there is an attributable potential impact on the likelihood of occurrence of the malfunction.

Commented [A80]: Make similar to words in Section 4.3.1.

Example 4-17 illustrates the case of an attributable potential impact on the likelihood of occurrence of a malfunction for the SSC being a malfunction initiator.

Example 4-17. ATTRIBUTABLE Potential Impact on the Likelihood of Occurrence of a Malfunction Due to a SSC Being a Malfunction Initiator

Proposed Activity

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Affected Malfunction and Malfunction Initiator

The affected malfunction is the loss of a MFWP or the closure of a MFWP flow control valve. The UFSAR identifies an equipment-related initiator as involving the failure of a feedwater control system.

Impact on Malfunction Initiator

Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF causing the loss of both feedwater control systems (resulting in the loss of both MFWPs and/or the closure of both MFWP flow control valves) has been determined to be credible. Since the failure of the feedwater control systems can cause the loss of MFWPs or the closure of MFWP flow control valves, a potential impact on malfunction likelihood due to the CCF can be attributed to the digital modification.

Determination of Magnitude (using Negligible/Discernable)

For the case in which a CCF is credible and there is an attributable potential impact on the likelihood of occurrence of a malfunction, the magnitude portion of the criteria (i.e., negligible/discernable) also needs to be assessed.

Commented [A81]: Source: ML17170A089 Comment No. A40. Rationale: Consistent with use of "attributable to" as an indication of causality.

To determine the overall effect of the digital modification on the likelihood of a malfunction, all the factors associated with the digital modification and their interdependent relationships need to be considered.

To achieve a negligible conclusion, the examination of all the factors would conclude that the net change in the malfunction likelihood "...is so small or the uncertainties in determining whether a change in likelihood has occurred are such that it cannot be reasonably concluded that the likelihood has actually changed (i.e., there is no clear trend toward increasing the likelihood)" [emphasis added] due to the net effect of the factors considered (i.e., use of software, use of digital components, creation of a software CCF, intended benefits and design attributes/features).

Alternately, if the net effects are such that a clear trend towards increasing the likelihood would result, a discernable increase in the malfunction likelihood would exist. However, to remain consistent with the guidance provided in NEI 96-07, Section 4.3.2, a discernable increase in the malfunction likelihood would NOT be more than minimal if applicable NRC requirements, as well as design, material, and construction standards, continue to be met.

Commented [A82]: Change to be the same as Section 4.3.1 wording after agreement is reached.

Examples 4-18 and 4-19 will examine the magnitude portion (i.e., negligible/discernable) of the criteria and assume the attributable portion of the criteria has been satisfied.

Example 4-18 illustrates the NEGLIGIBLE impact case.

Example 4-18. NEGLIGIBLE Impact in the Likelihood of Occurrence of a Malfunction

Proposed Activity

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Attributable Conclusion

See Example 4-17.

Magnitude Conclusion

Factors Considered:

1. Software - Developed in accordance with a defined life cycle process, and complies with applicable industry standards and regulatory guidance
2. Digital Components - More reliable, comply with all applicable standards, and meet all applicable technical requirements
3. CCF - Not Credible
4. Benefits - Reliability and performance increased
5. Design Attributes/Features - [LATER]

The net change in the likelihood of occurrence of the loss of a MFWP or the closure of a MFWP flow control valve initiated by the failure of a feedwater control system is negligible due to the net effect of the factors considered.

Overall Conclusion

Although an attributable impact on the likelihood of occurrence of the loss of a MFWP or the closure of a MFWP flow control valve was determined to exist, there was no clear trend toward increasing the likelihood. With no clear trend toward increasing the likelihood, there is not more than a minimal increase in the likelihood of occurrence of the malfunctions due to the digital modification.

Example 4-19 illustrates the DISCERNABLE increase case.

Example 4-19. DISCERNABLE Increase in the Likelihood of Occurrence of a Malfunction

Proposed Activity

Two safety-related main control room chillers exist. There are two analog control systems (one per chiller) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

The logic components/system and controls for the starting and operation of the safety injection pumps are located within the main control room boundary. The environmental requirements associated with the logic components/system and controls are maintained within their allowable limits by the main control room cooling system, which includes the chillers involved with this digital modification.

Affected Malfunction and Malfunction Initiator

The review of the UFSAR accident analyses identified several events for which the safety injection pumps are assumed to start and operate (as reflected in the inputs and assumptions to the accident analyses). In each of these events, the UFSAR states the following: "To satisfy single failure requirements, the loss of only one control system and its worst-case effect on the event due to the loss of one chiller has been considered in the accident analyses."

Attributable Conclusion

In this case, the safety-related main control room chiller control system is related to a malfunction initiator (i.e., loss of logic and/or operation function) of the safety injection pumps. Therefore, there is a potential impact on the likelihood of occurrence of the malfunction that can be attributed to the digital modification.

Magnitude Conclusion

Factors Considered:

1. Software - Developed in accordance with a defined life cycle process, and complies with applicable industry standards and regulatory guidance
2. Digital Components - More reliable, comply with all applicable standards, and meet all applicable technical requirements
3. CCF - Credible
4. Benefits - Reliability and performance increased
5. Design Attributes/Features - [LATER]

The net change in the likelihood of occurrence of the malfunction of both safety injection pumps is discernable due to the net effect of the factors considered.

Requirements/Standards Consideration

Single failure criteria are no longer met.

Overall Conclusion

An attributable impact on the likelihood of occurrence of the malfunction of both safety injection pumps was determined to exist and there is a clear trend toward increasing the likelihood. The clear trend toward increasing the likelihood (i.e., the discernable increase) is due to the CCF being credible, which does not satisfy the NRC requirements associated with systems/components that must satisfy single failure requirements. With a clear trend toward increasing the likelihood and the failure to satisfy an NRC requirement, there is more than a minimal increase in the likelihood of occurrence of the malfunction of both safety injection pumps due to the digital modification.

HUMAN-SYSTEM INTERFACE ASSESSMENT

If no personnel-based initiators (e.g., operator error) are identified among the accident initiators, then an increase in the likelihood of the malfunction cannot occur due to the Human-System Interface portion of the digital modification.

If personnel-based initiators (e.g., operator error) are identified among the malfunction initiators, then the attributable criterion and the magnitude criterion (i.e., negligible/discernable) are assessed utilizing the guidance described in NEI 96-07, Section 4.3.2.

4.3.3 Does the Activity Result in More Than a Minimal Increase in the Consequences of an Accident?

There is no unique guidance applicable to digital modifications for responding to this Evaluation criterion because the identification of affected accidents and dose analysis inputs and/or assumptions is not unique to a digital modification. The guidance in NEI 96-07, Section 4.3.3 applies.

4.3.4 Does the Activity Result in More Than a Minimal Increase in the Consequences of a Malfunction?

There is no unique guidance applicable to digital modifications for responding to this Evaluation criterion because the identification of the affected malfunctions and dose analysis inputs and/or assumptions is not unique to a digital modification. The guidance in NEI 96-07, Section 4.3.4 applies.

4.3.5 Does the Activity Create a Possibility for an Accident of a Different Type?

INTRODUCTION

From NEI 96-07, Section 3.2:

"The term 'accidents' refers to the anticipated (or abnormal) operational transients and postulated design basis accidents..."

Therefore, for purposes of 10 CFR 50.59, both Anticipated Operational Occurrences (AOOs) and Postulated Accidents (PAs) fall within the definition of "accident."

From NEI 96-07, Section 4.3.5, the two considerations that need to be assessed when answering this Evaluation question are credible and bounded/related.

GUIDANCE

Determination of Credible

From NEI 96-07, Section 4.3.5:

"The possible accidents of a different type are limited to those that are as likely to happen as those previously evaluated in the UFSAR. The accident must be credible in the sense of having been created within the range of assumptions previously considered in the licensing basis (e.g., random single failure, loss of off-site power, etc.)."

Hence, credible accidents are defined as those as likely as the accidents already assumed in the UFSAR.

If a CCF likelihood is determined to be sufficiently low, then the creation of a possibility for an accident of a different type is NOT credible because there is no mechanism for the possibility of an accident of a different type to be created, and possible accidents of a different type are limited to those that are as likely to happen as those previously evaluated in the UFSAR.[2]

[2] Refer to NEI 96-07, Section 4.3.5, 3rd paragraph.

If a CCF likelihood is determined to be not sufficiently low, then the creation of a possibility for an accident of a different type is credible.

Determination of Bounded/Related

For the case in which an accident of a different type is credible, the bounded/related portion of the criteria also needs to be assessed.

Events/sequences currently considered in the UFSAR form the basis for comparison of events, which makes it possible to identify and evaluate the limiting case.

The UFSAR evaluates a broad spectrum of accidents (i.e., initiating events and the sequences that result from various combinations of plant and safety systems response). Accidents are categorized according to expected frequency of occurrence and by type. The accident type is defined by its effect on the plant (e.g., decrease in heat removal by the secondary system, increase in heat removal by the secondary system, etc.). Characterization of accidents by type provides a basis for comparison based on events/sequences, which makes it possible to identify and evaluate the limiting cases (i.e., the cases that can challenge the analysis acceptance criteria) and eliminate non-limiting cases from further consideration.

Therefore, a new accident that is of the same type (i.e., its effect on the plant is the same), and is within the same expected frequency of occurrence and results, meets the bounded criterion. Alternately, for a new accident that is NOT of the same type (i.e., its effect on the plant is different), and/or is NOT within the same expected frequency of occurrence or results, the bounded criterion does not apply.

Commented [PM83]: Placeholder for original NRC comment A83.

Accidents of a different type are credible accidents that the proposed activity could create that have an impact on the type of events/sequences previously evaluated in the UFSAR. Namely, a different/new accident analysis, or a revision of a current accident analysis, would be needed for this different type of accident.

Commented [A84]: Source: ML17170A089 Comment No. A67 & A69. Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187.

Therefore, a different/new accident analysis would NOT be related to an event already analyzed. Alternately, the revision of a current accident analysis would be related to an event already analyzed, and a determination is needed as to whether the already analyzed event bounds the new event in both frequency and results.

Commented [A85]: Source: ML17170A089 Comment No. A67 & A69. Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187.

Example 4-20 illustrates the NO CREATION of the possibility of an accident of a different type case.

Commented [A86]: Source: ML17170A089 Comment No. A67 & A69. Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187.

Example 4-20. NO CREATION of the Possibility of an Accident of a Different Type

Commented [A87]: Source: ML17170A089 Comment No. A67 & A69. Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187.

Proposed Activity

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Malfunction / Accident Initiator

The malfunction/accident initiator identified in the UFSAR for the analog main feedwater control system is the loss of one main feedwater pump (out of two pumps) due to the loss of one feedwater control system.

Accident Frequency and Type

The pertinent accident is the Loss of Feedwater event. The characteristics of the Loss of Feedwater event are as follows:

Type of Accident - Decrease in Heat Removal by the Secondary System
Accident Category - Infrequent Incident

Credible Conclusion

Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF causing the loss of both feedwater control systems (resulting in the loss of both MFWPs) has been determined to be credible. Therefore, in this case, a new accident has been created.

Bounded/Related Conclusion

Although the CCF causes the loss of both feedwater pumps, potentially challenging the analysis acceptance criteria (which is the focus of Evaluation Question #7), the loss of both feedwater pumps still causes the same type of accident (i.e., a decrease in heat removal by the secondary system).

As identified in the UFSAR, the Loss of Feedwater event considered the loss of one main feedwater pump, allowing the safety analysis to credit a certain amount of flow from the remaining operational feedwater pump. Even though the CCF could disable both feedwater pumps, the accident type and category may not be bounded by a related accident because the new event would not require a "new" accident analysis, only a revision to the input parameter(s) and/or assumption(s) used in the current Loss of Feedwater accident analysis related to the operational status of the feedwater pumps. Therefore, the proposed activity may create the possibility of an accident of a different type.

Commented [A88]: Source: ML17170A089 Comment No. A67 & A69. Rationale: These changes are necessary in order to be consistent with the newest version of RG 1.187.

Example 4-21 illustrates the CREATION of the possibility of an accident of a different type case.

Example 4-21. CREATION of the Possibility of an Accident of a Different Type

Proposed Activity

Two non-safety-related analog feedwater control systems and one non-safety-related main turbine steam-inlet valves analog control system exist.

The two feedwater control systems and the one main turbine steam-inlet valves control system will be combined into a single digital control system.

Malfunction / Accident Initiator

The identified feedwater control system malfunctions include (a) failures causing the loss of all feedwater to the steam generators [evaluated in the Loss of Feedwater event] and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs [evaluated in the Excess Feedwater event].

The identified main turbine steam-inlet valve control system malfunctions include (a) all valves going fully closed causing no steam to be admitted into the turbine [evaluated in the Loss of Load event] and (b) all valves going fully open causing excess steam to be admitted into the turbine [evaluated in the Excess Steam Demand event].

Accident Frequency and Type

The characteristics of the pertinent accidents are as follows:

Loss of Feedwater:
Type of Accident - Decrease in Heat Removal by the Secondary System
Accident Category - Infrequent Incident

Excess Feedwater:
Type of Accident - Increase in Heat Removal by the Secondary System
Accident Category - Moderate Frequency Incident

Loss of Load:
Type of Accident - Decrease in Heat Removal by the Secondary System
Accident Category - Moderate Frequency Incident

Excess Steam Demand:
Type of Accident - Increase in Heat Removal by the Secondary System
Accident Category - Moderate Frequency Incident

Credible Conclusion

Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF impacting both the feedwater control systems and the main turbine steam-inlet valves control system has been determined to be credible. Therefore, in this case, the following conditions are credible:

(1) Loss of both feedwater pumps
(2) Increase in main feedwater flow to the maximum output from both MFWPs
(3) All main turbine steam-inlet valves going fully closed
(4) All main turbine steam-inlet valves going fully open
(5) Combination of (1) and (3)
(6) Combination of (1) and (4)
(7) Combination of (2) and (3)
(8) Combination of (2) and (4)

Conditions (1) through (4) are already considered in the UFSAR, so these do not create a new accident. Since conditions (1) through (4) do not create a new accident, they do not create the possibility for an accident of a different type.

Conditions (5) through (8) are not considered in the UFSAR, so four new accidents have been created.

Bounded/Related Conclusion

Based on the current set of accidents identified in the UFSAR, the UFSAR accident analyses do not consider a simultaneous Feedwater event (i.e., Loss of Feedwater or Excess Feedwater) with a Main Steam event (i.e., Excess Steam Demand or Loss of Load).

Condition (5) still causes a decrease in heat removal by the secondary system.

Condition (6) involves both a decrease and an increase in heat removal by the secondary system.

Condition (7) involves both a decrease and an increase in heat removal by the secondary system.

Condition (8) still causes an increase in heat removal by the secondary system.

The new accidents created in Conditions (5) through (8) are NOT bounded by a related accident because new accident analyses will be needed. Therefore, the proposed activity does create the possibility of an accident of a different type.
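
The enumeration of conditions (1) through (8) in Example 4-21, and the related/not-related distinction that separates it from Example 4-20, can be carried out mechanically once the UFSAR event table is written down; the Python below does so for both examples. It is an added illustration, not NEI text; the Malfunction and UfsarEvent classes, and the modelling rule that a condition spanning more than one analyzed event needs a new analysis while one that merely exceeds a single event's assumptions needs a revision, are assumptions introduced here.

```python
"""Enumeration of the credible conditions a software CCF can create when
several control functions share one digital platform, followed by the
credible / bounded-related screening of Evaluation criterion 4.3.5 as this
appendix lays it out.

Added illustration; the classes and the "spans more than one analyzed event"
modelling rule are constructed here; data is taken from Examples 4-20 and 4-21."""
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Effect(Enum):
    DECREASE = "decrease in heat removal by the secondary system"
    INCREASE = "increase in heat removal by the secondary system"


class Outcome(Enum):
    ALREADY_ANALYZED = "already considered in the UFSAR: no new accident"
    RELATED_REVISION = ("new accident related to an analyzed event: revision of that analysis; "
                        "bounding in frequency and results must be determined")
    NEW_ANALYSIS = ("new accident NOT related to an analyzed event: new analysis needed, "
                    "so the possibility of an accident of a different type is created")


@dataclass(frozen=True)
class UfsarEvent:
    effect: Effect
    category: str


# Accident types and categories as tabulated in Example 4-21.
UFSAR_EVENTS = {
    "Loss of Feedwater": UfsarEvent(Effect.DECREASE, "Infrequent Incident"),
    "Excess Feedwater": UfsarEvent(Effect.INCREASE, "Moderate Frequency Incident"),
    "Loss of Load": UfsarEvent(Effect.DECREASE, "Moderate Frequency Incident"),
    "Excess Steam Demand": UfsarEvent(Effect.INCREASE, "Moderate Frequency Incident"),
}


@dataclass(frozen=True)
class Malfunction:
    description: str
    analyzed_in: str                   # UFSAR event whose analysis covers this failure
    within_analyzed_assumptions: bool  # True if that analysis already assumes this severity


@dataclass(frozen=True)
class Assessment:
    condition: tuple      # the Malfunction(s) occurring together
    effects: frozenset    # set of Effect
    categories: frozenset
    outcome: Outcome


def credible_conditions(systems: list) -> list:
    """A CCF of a shared platform can cause any single malfunction of any system, or one
    malfunction of each system at once.  Malfunctions of the same system are mutually
    exclusive (valves cannot be fully open and fully closed), so no combination draws
    two entries from one system.  Ordering reproduces conditions (1)..(8) of Example 4-21."""
    singles = [(m,) for system in systems for m in system]
    combos = list(product(*systems)) if len(systems) > 1 else []
    return singles + combos


def assess(condition: tuple) -> Assessment:
    events = {m.analyzed_in for m in condition}
    effects = frozenset(UFSAR_EVENTS[e].effect for e in events)
    categories = frozenset(UFSAR_EVENTS[e].category for e in events)
    if len(events) > 1:
        outcome = Outcome.NEW_ANALYSIS          # no single UFSAR analysis covers both events
    elif all(m.within_analyzed_assumptions for m in condition):
        outcome = Outcome.ALREADY_ANALYZED
    else:
        outcome = Outcome.RELATED_REVISION      # same event type, analyzed inputs exceeded
    return Assessment(condition, effects, categories, outcome)


def screen_activity(systems: list) -> list:
    return [assess(c) for c in credible_conditions(systems)]


def creates_accident_of_different_type(assessments: list) -> bool:
    return any(a.outcome is Outcome.NEW_ANALYSIS for a in assessments)


# Example 4-21: two feedwater control systems and the turbine steam-inlet valve
# control system combined into one digital control system.
EX_4_21 = [
    [Malfunction("Loss of both feedwater pumps", "Loss of Feedwater", True),
     Malfunction("Maximum feedwater flow from both MFWPs", "Excess Feedwater", True)],
    [Malfunction("All turbine steam-inlet valves fully closed", "Loss of Load", True),
     Malfunction("All turbine steam-inlet valves fully open", "Excess Steam Demand", True)],
]

# Example 4-20: only the feedwater controls are replaced; the UFSAR analysis
# assumed loss of one pump, so loss of both exceeds the analyzed assumptions.
EX_4_20 = [[Malfunction("Loss of both feedwater pumps", "Loss of Feedwater", False)]]


if __name__ == "__main__":
    for label, systems in (("4-20", EX_4_20), ("4-21", EX_4_21)):
        results = screen_activity(systems)
        for n, a in enumerate(results, 1):
            names = " + ".join(m.description for m in a.condition)
            print(f"({n}) {names}: {sorted(e.name for e in a.effects)} -> {a.outcome.name}")
        print(f"Example {label}: creates accident of a different type = "
              f"{creates_accident_of_different_type(results)}")
```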

4.3.6 Does the Activity Create a Possibility for a Malfunction of an SSC Important to Safety with a Different Result?

INTRODUCTION

From NEI 96-07, Section 4.3.6, the two considerations that need to be assessed when answering this question are "as likely to happen as those described in the UFSAR" and "bounded".

GUIDANCE

Determination of "As Likely to Happen as Those Described in the UFSAR"

From NEI 96-07, Section 4.3.6:

"The possible malfunctions with a different result are limited to those that are as likely to happen as those described in the UFSAR."

If a CCF likelihood is determined to be sufficiently low, then the creation of a possibility for a malfunction with a different result is NOT as likely to happen as those described in the UFSAR because there is no mechanism for the possibility of a malfunction with a different result to be created, and possible malfunctions with a different result are limited to those that are as likely to happen as those previously evaluated in the UFSAR.[3]

[3] Refer to NEI 96-07, Section 4.3.6, 4th paragraph.

If a CCF likelihood is determined to be not sufficiently low, then the creation of a possibility for a malfunction with a different result is as likely to happen as those described in the UFSAR.

Determination of Bounded

For the case in which a possibility for a malfunction with a different result is as likely to happen as those described in the UFSAR, the bounded portion of the criteria also needs to be assessed.

Types of Malfunctions to be Considered:

NEI 96-07, Section 4.3.6 states:

"In evaluating a proposed activity against this criterion, the types and results of failure modes of SSCs that have previously been evaluated in the UFSAR and that are affected by the proposed activity should be identified. This evaluation should be performed consistent with any failure modes and effects analysis (FMEA) described in the UFSAR, recognizing that certain proposed activities may require a new FMEA to be performed." [emphasis added]

Based on this excerpt, both previously-evaluated malfunctions and new malfunctions need to be considered when developing the response to this Evaluation question. Typically, a new FMEA will be necessary for a digital modification since the original considerations for malfunctions did not take into account the unique aspects of a digital modification (e.g., the possibility of a software CCF).

Sources of Results:

NEI 96-07, Section 4.3.6 states:

"Attention must be given to whether the malfunction was evaluated in the accident analyses at the component level or the overall system level." [emphasis added]

Accident analyses are typically included and described in UFSAR Chapters 6 and 15 (or equivalent).

1277 The phrase "was evaluated in the accident analyses" refers to how the 1278 malfunction was addressed in the accident analysis (e.g., failure to perform a 1279 design function, failure to cease performing a design function, etc.) and the 1280 level at which the malfunction was addressed in the accident analysis (e.g.,

1281 component, train, system, etc.).

1282 Types of Results:

1283 In NEI 96-07, Section 4.3.6, the second bullet/example after the first 1284 paragraph states:

1285 If a feedwater control system is being upgraded from an analog 1286 to a digital system, new components may be added that could 1287 fail in ways other than the components in the original design.

1288 Provided the end result of the component or subsystem failure is 1289 the same as, or is bounded by, the results... of malfunctions 1290 currently described in the UFSAR (i.e., failure to maximum 1291 demand, failure to minimum demand, failure as-is, etc.)...,

1292 then...[the activity]...would not create a 'malfunction with a Commented [A89]: Source: NEI 96-07 Page 54.

Rational: Complete quotation is needed so that intent is 1293 different result'. [emphasis added] cearly understood.

Many types of results can be described in a UFSAR. The focus on the end result implies that the effect of the failure mode is what is important, not the failure mechanism or the possible existence of other, non-end results. For clarity, all results other than the end result will be identified as intermediate results.

No intermediate results need to be considered.

Comment [A90]: Source: NEI 96-07 Page 54. Rationale: Intent of quotation is clarified.

As a general example, consider the following possible levels of malfunction results that could be described in a UFSAR:

  • Failure Mechanism - new failure mechanisms for existing failure modes do not produce different results
  • Failure Mode - new failure modes need to be evaluated to determine whether their effect is a different result
  • Component Level Result
  • System Level Result (from the component level malfunction)
  • Plant Level Result (from the system level malfunction)

In this generalized example, the Component Level and System Level results would be considered intermediate results and the Plant Level result would be considered the end result. Only the Plant Level result is pertinent and needs to be considered when determining if the possibility of a malfunction with a different result has been created.

Comment [A91]: Source: NEI 96-07 Page 54. Rationale: Intent of quotation is clarified.

Example 4-22 illustrates the NO CREATION of the possibility of a malfunction with a different result case.

Example 4-22. NO CREATION of the Possibility of a Malfunction with a Different Result

Proposed Activity

Two non-safety-related main feedwater pumps (MFWPs) exist, each with its own flow control valve. There are two analog control systems (one per MFWP and flow control valve combination) that are physically and functionally the same.

Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same.

Malfunction / Accident

A malfunction identified in the UFSAR for the analog main feedwater control systems involves the loss of one main feedwater pump (out of two pumps), which is evaluated in the Loss of Feedwater accident analysis.

Credible Conclusion

Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF impacting both feedwater control systems has been determined to be credible.

Bounded Conclusion

Types of Malfunctions:

A CCF can cause the loss of both main feedwater pumps.

Source of Result:

Currently, the malfunction of the MFWP is evaluated as a "stop" and the malfunction is evaluated at the component level (i.e., the "pump" is assumed to stop).

Assuming the CCF occurs, the malfunction will continue to be evaluated as the "stopping" of MFWPs and the level of the malfunction remains at the component level (i.e., the "pump").

Type of Result:

The UFSAR identifies the malfunction of one main feedwater pump as causing a reduction in flow (intermediate result) to the steam generators, which initiates a Loss of Feedwater event (end result).

The loss of both main feedwater pumps causes no flow to the steam generators ("new" intermediate result), which still initiates the Loss of Feedwater event ("new" end result); therefore, a Loss of Feedwater accident analysis should be performed to determine whether any of the limiting criteria have been exceeded.

In both instances, the end result is the Loss of Feedwater event.

Overall Conclusion

Although the impact of the intermediate result on the accident analysis acceptance criteria is most likely more severe (by going from the loss of one pump to the loss of both pumps), the end result of the CCF is bounded by the previously-evaluated end result. Therefore, the proposed activity does NOT create the possibility of a malfunction with a different result.

Comment [A92]: Incorrectly implies that a "different result" is limited to plant level accident analysis results, which is contrary to 50.59(c)(2)(viii), which states "different result than ANY previously evaluated malfunctions" and which includes UFSAR-described FMEAs for the affected system.

Example 4-23 illustrates the CREATION of the possibility of a malfunction with a different result case.

Example 4-23. CREATION of the Possibility of a Malfunction with a Different Result

Proposed Activity

Two non-safety-related analog feedwater control systems and a separate analog control system that controls the main turbine steam-inlet valves exist.

All three analog control systems will be replaced with one digital control system that will combine the two feedwater control systems and the main turbine steam-inlet valve control system into a single digital device.

Malfunction / Accident

From the UFSAR, the identified feedwater control system malfunctions include (a) failures causing the loss of all feedwater to the steam generators [evaluated in the Loss of Feedwater accident analysis] and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs [evaluated in the Excess Feedwater accident analysis].

From the UFSAR, the identified main turbine steam-inlet valve control system malfunctions include (a) all valves going fully closed, causing no steam to be admitted into the turbine [evaluated in the Loss of Load accident analysis] and (b) all valves going fully open, causing excess steam to be admitted into the turbine [evaluated in the Excess Steam Demand accident analysis].

Credible Conclusion

Based on the technical outcome from the CCF Susceptibility Analysis and the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting this digital modification, a software CCF impacting the feedwater control systems and the main turbine steam-inlet valve control system has been determined to be credible.

Bounded Conclusion

Types of Malfunctions:

A CCF can cause any of the following conditions:

(1) Loss of both feedwater pumps
(2) Increase in main feedwater flow to the maximum output from both MFWPs
(3) All main turbine steam-inlet valves going fully closed
(4) All main turbine steam-inlet valves going fully open
(5) Combination of (1) and (3)
(6) Combination of (1) and (4)
(7) Combination of (2) and (3)
(8) Combination of (2) and (4)

Source of Result:

Currently, the malfunctions are evaluated as affecting only one system (i.e., feedwater control or main turbine control, NOT both) and the malfunctions are evaluated at the component level (i.e., "pump" or "valve").

Assuming the CCF occurs, the malfunction will no longer affect only one system, but will continue to be evaluated at the component level (i.e., "pump" or "valve").

Type of Result:

The UFSAR identifies the end result of a malfunction as causing a Feedwater event or a Main Steam event, NOT both.

In Conditions (5) through (8), the end result is no longer a Feedwater event or a Main Steam event alone, but both simultaneously.

Overall Conclusion

Based on the current set of accidents identified in the UFSAR, the accident analyses do not consider a simultaneous Feedwater/Main Steam event.

The different results [simultaneous accidents in Conditions (5) through (8)] are NOT bounded by the previously-evaluated results of only one accident. Therefore, the proposed activity does create the possibility of a malfunction with a different result.
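The enumeration that Examples 4-22 and 4-23 work out by hand (every system in the CCF scope either unaffected or stuck in one of its UFSAR failure modes, each combination mapped to its plant-level end result, then checked against the events the accident analyses actually cover) is mechanical enough to script. The following is an added example and is not text or code from NEI 96-07 or from NEI; the two malfunction catalogs restate the UFSAR malfunctions the examples describe, the generalisation to any number of control systems sharing one software image is this example's own assumption, and the `reanalyze` flag (same end result but more components failing than the UFSAR assumed, as in 4-22) is an assumed interpretation of the "accident analysis should be performed" caveat.

```python
"""Enumerate the plant-level end results of a credible software CCF.

Added worked example for Examples 4-22 and 4-23 of this appendix; it is
not code or text from NEI 96-07. The catalogs restate the UFSAR
malfunctions the two examples describe. Generalising to any number of
in-scope control systems is this example's own assumption.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Iterator, List, Tuple

# ((system name, component-level failure mode), ...) occurring together
Condition = Tuple[Tuple[str, str], ...]


@dataclass
class ControlSystem:
    """A control system inside the CCF scope (same platform and software)."""
    name: str
    # component-level failure mode -> plant-level end result (UFSAR event)
    modes: Dict[str, str]


@dataclass
class Finding:
    condition: Condition
    end_results: FrozenSet[str]   # plant-level event(s) the condition initiates
    different_result: bool        # event set not covered by any accident analysis
    reanalyze: bool               # same end result, but a wider malfunction than analyzed


def enumerate_ccf_conditions(systems: List[ControlSystem]) -> Iterator[Condition]:
    """Yield every condition in which each in-scope system is either unaffected
    or in one of its failure modes. A CCF means these occur together; the
    all-unaffected combination is not a malfunction and is dropped."""
    choices = [[None] + list(s.modes) for s in systems]
    for combo in product(*choices):
        condition = tuple((s.name, m) for s, m in zip(systems, combo) if m is not None)
        if condition:
            yield condition


def evaluate_ccf(systems: List[ControlSystem],
                 analyzed: FrozenSet[FrozenSet[str]]) -> List[Finding]:
    """Compare each CCF condition's end result(s) with the UFSAR accident
    analyses. `analyzed` holds the event sets the UFSAR evaluates; a
    single-event set is a Chapter 15 analysis of that event on its own."""
    modes_of = {s.name: s.modes for s in systems}
    findings = []
    for condition in enumerate_ccf_conditions(systems):
        end = frozenset(modes_of[sys][mode] for sys, mode in condition)
        different = end not in analyzed
        # Assumed reading of Example 4-22: same end result, but more components
        # failing than the UFSAR assumed, so re-run the analysis against its limits.
        reanalyze = (not different) and len(condition) > 1
        findings.append(Finding(condition, end, different, reanalyze))
    return findings


def example_4_22() -> List[Finding]:
    """Two MFWP control systems sharing one software image (constructed catalog)."""
    pump_a = ControlSystem("MFWP A control", {"pump stops": "Loss of Feedwater"})
    pump_b = ControlSystem("MFWP B control", {"pump stops": "Loss of Feedwater"})
    analyzed = frozenset({frozenset({"Loss of Feedwater"})})
    return evaluate_ccf([pump_a, pump_b], analyzed)


def example_4_23() -> List[Finding]:
    """Feedwater and turbine steam-inlet valve control in one device (constructed catalog)."""
    feedwater = ControlSystem("feedwater control", {
        "loss of all feedwater": "Loss of Feedwater",
        "maximum flow from both MFWPs": "Excess Feedwater"})
    turbine = ControlSystem("turbine steam-inlet valve control", {
        "all valves fully closed": "Loss of Load",
        "all valves fully open": "Excess Steam Demand"})
    analyzed = frozenset({frozenset({e}) for e in (
        "Loss of Feedwater", "Excess Feedwater", "Loss of Load", "Excess Steam Demand")})
    return evaluate_ccf([feedwater, turbine], analyzed)


if __name__ == "__main__":
    for label, findings in (("4-22", example_4_22()), ("4-23", example_4_23())):
        print(f"Example {label}")
        for f in findings:
            verdict = ("DIFFERENT RESULT" if f.different_result
                       else "same end result, reanalyze" if f.reanalyze
                       else "same end result")
            print(f"  {dict(f.condition)} -> {sorted(f.end_results)}: {verdict}")
```

Run as a script, the 4-22 case yields three conditions (either pump alone, or both) that all terminate in the Loss of Feedwater event, with only the two-pump case flagged for re-analysis; the 4-23 case yields the eight conditions listed above, with (5) through (8) each producing two simultaneous events that no single accident analysis covers. The point of the script is the separation the section insists on: the condition tuple is the intermediate (component-level) result, the `end_results` set is the plant-level result, and only the latter is compared against `analyzed`.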

4.3.7 Does the Activity Result in a Design Basis Limit for a Fission Product Barrier Being Exceeded or Altered?

There is no unique guidance applicable to digital modifications for responding to this Evaluation question, because the identification of possible design basis limits for fission product barriers and the process for determination of "exceeded" or "altered" are not unique for a digital modification. The guidance in NEI 96-07, Section 4.3.7 applies.

4.3.8 Does the Activity Result in a Departure from a Method of Evaluation Described in the UFSAR Used in Establishing the Design Bases or in the Safety Analyses?

There is no unique guidance applicable to digital modifications for responding to this Evaluation criterion, because activities involving methods of evaluation do not involve SSCs. The guidance in NEI 96-07, Section 4.3.8 applies.

5.0 EXAMPLES

[LATER]

Page 37: [1] Comment [A44]

Source: Engineering Judgement

Rationale: There are two things of concern: (1) determination of whether CCF is credible; (2) characterisation of behavior during CCF. Both could be considered outcomes; therefore this change was made to clarify the Outcomes being considered in this section.