2_arndt - nrc digital i&c iaea 2008 rev 1

39
1 Key Issues and Lessons Learned Associated with the Licensing of U.S. Digital Instrumentation and Control System Upgrades IAEA Meeting November 3-6, 2008 Steven A. Arndt Office of Nuclear Reactor Regulation


Page 1: 2_Arndt - NRC Digital I&C IAEA 2008 rev 1

8/7/2019 2_Arndt - NRC Digital I&C IAEA 2008 rev 1

http://slidepdf.com/reader/full/2arndt-nrc-digital-ic-iaea-2008-rev-1 1/39

Key Issues and Lessons Learned Associated with the Licensing of U.S. Digital Instrumentation and Control System Upgrades

IAEA Meeting, November 3-6, 2008

Steven A. Arndt, Office of Nuclear Reactor Regulation


NRC Mission

License and regulate the Nation's civilian use of byproduct, source, and special nuclear materials to ensure adequate protection of public health and safety, promote the common defense and security, and protect the environment.


NRC Regulatory Functions

• Establish standards, regulations and requirements

• Issue licenses for nuclear facilities and users of nuclear materials

• Inspect facilities and users of nuclear materials to ensure compliance with requirements


NRC Organization

• Two Major Programs

– Nuclear Reactor Safety Program

• Accounted for 80% of NRC's costs in FY 2008

– Nuclear Materials and Waste Safety Program

• Accounted for 16% of NRC's costs in FY 2008


Operating Power Reactors


Research & Test Reactors


Potential New Reactor Applicants


New Reactor Licensing Applications (Site and Technology Selected)

(Schedule chart covering fiscal years 2005 through 2014: an estimated schedule by Fiscal Year (October through September), dated 10/3/2008.)

NOTE: Schedules depicted for future activities represent nominal assumed review durations based on submittal time frames in letters of intent from prospective applicants. Actual schedules will be determined when applications are docketed.

Legend: The NRC Fiscal Year 2009 budget (NUREG-1100, Vol-24, pg. 24) establishes the budget for the new reactor program. This budget provides resources for the continuation of the licensing reviews that started in FY 2008 and the performance of the COL acceptance reviews included in the FY 2009 budget. After completion of these acceptance reviews, the initiation of the licensing reviews will begin within an 8-month time frame.

Post SER/EIS Hearing (other hearing activities occur during ESP/COL safety and environmental reviews). Number in ( ) next to COL name indicates number of units/site.

Chart categories: Design Certification (Projected / Received), Early Site Permit (Projected / Received), Combined License (Projected / Received), Unspecified.

Chart entries: Clinton ESP (Hearing; submittal dates TBD), Duke ESPs (2) (Hearing), Unannounced Applicant ESP (Hearing), Unannounced - TBD (Hearing), Blue Castle Project - Utah (Hearing *), Unannounced - TBD (Hearing).


Current Technology


Future Technology


Key Challenges

• Reactors in the US were designed and constructed with analog instrumentation and control systems

• Anticipating future needs

– New Reactors, Operating Reactor Upgrades, Fuel Cycle Facilities

– Evolving technology

• Increased complexity

– Consolidation of discrete analog functions into a single digital system

– Potential consolidation of independent safety systems into a single digital system

– Potential new failure modes

• Limited operational history in nuclear applications


Digital Project

• November 8, 2006, Commission briefing

• Digital I&C Steering Committee

• Digital I&C Project Plan

– Enhancing regulatory transparency and predictability and staff review efficiency and effectiveness through refined regulatory guidance

– Improving stakeholder interactions

• Maximizing value of domestic and international interactions


 

Regulatory Framework

(Diagram of the regulatory framework for digital I&C; the documents shown are listed below.)

• 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, May 13, 1999

• 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants

• 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants

• NUREG-0800 Rev. 5, March 2007, Standard Review Plan

• Branch Technical Position HICB-14, Guidance on Software Reviews for Digital Computer Based Instrumentation and Control Systems

• USNRC Reg Guide 1.118, Periodic Testing of Electrical Power and Protection Systems

• USNRC Reg Guide 1.152, Criteria for Programmable Digital Computer System Software in Safety Systems of Nuclear Power Plants

• USNRC Reg Guide 1.153, Criteria for Power, Instrumentation, and Control Portions of Safety Systems

• USNRC Reg Guide 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• USNRC Reg Guide 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• USNRC Reg Guide 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• USNRC Reg Guide 1.171, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• USNRC Reg Guide 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• USNRC Reg Guide 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• USNRC RIS 2002-22, Use of NUMARC/EPRI TR-102348 in Determining the Acceptability of Performing Analog to Digital Replacements Under 10 CFR 50.59

• EPRI TR-102348, Guideline on Licensing Digital Upgrades

• EPRI TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications

• IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations

• IEEE 603-1991, Standard Criteria for Safety Systems for Nuclear Power Generating Stations

• IEEE 7-4.3.2-2003, Standard Criteria for Digital Computers in Safety Systems

• IEEE 338-1987, Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Stations Safety Systems

• IEEE 828-1990, Standard for Software Configuration Management Plans

• IEEE 829-1983, Standard for Software Test Documentation

• IEEE 830-1993, Recommended Practice for Software Requirements Specification

• IEEE 1008-1987, Standard for Software Unit Testing

• IEEE 1012-1986, Standard for Software Verification and Validation Plans

• IEEE 1012-1998, Standard for Software Verification and Validation

• IEEE 1028-1988, Standard for Software Reviews and Audits

• IEEE 1074-1995, Standard for Developing Software Lifecycle Processes

• ASME NQA-1-1983, Quality Assurance Program Requirements for Nuclear Facilities

• ASME NQA-2a-1990, Part 2.7, Quality Assurance Requirements of Computer Software for Nuclear Facility Applications


Digital I&C Project Structure

(Organization diagram showing the Digital I&C Steering Committee, NRC Line Organizations, Industry Contacts, and the Task Working Groups listed below.)

Task Working Groups:

• Cyber Security

• Risk-Informed Digital I&C

• Diversity and Defense-In-Depth

• Licensing Process Issues

• Highly-Integrated Control Room – Human Factors

• Highly-Integrated Control Room – Communications

• Fuel Cycle Facilities


Task Working Groups

• Cyber Security

– Resolve inconsistencies within existing NRC and industry cyber security documents

• Diversity and Defense-In-Depth

– Identify acceptable diversity and defense-in-depth strategies (D3) and provide clarification on incorporation of D3 in digital safety systems that will provide more transparent and predictable reviews

• Risk-informed Digital I&C

– Provide guidance as to what is needed for digital system modeling in Part 52 licensing

– Determine how and if risk-insights can be used to assist in resolution of key digital issues


Task Working Groups

• Highly Integrated Control Room – Communications

– Provide industry and NRC guidance that defines at a sufficient level of detail the expectation for inter-divisional communications independence

• Highly Integrated Control Room – Human Factors

– Provide human factors engineering regulatory positions, guidance, and acceptance criteria to address new aspects of digital control room displays and controls

• Licensing Process Issues

– Identify licensing process protocols for submittal and review of new digital technology applications

• Fuel Cycle Facilities

– Develop guidance for digital I&C for fuel cycle facilities


Interim Staff Guidance

• Status of First ISGs

– Diversity and Defense-in-Depth: Complete (9/26/07)

– Highly Integrated Control Rooms – Communication: Complete (9/28/07)

– Highly Integrated Control Rooms – Human Factors: Complete (9/28/07)

– Cyber Security: Complete (12/31/07)

– Risk Informing Digital I&C – Guidance for Reviewing New Reactors: Complete (8/11/08)

– Licensing Process (excluding Cyber): Scheduled to be issued 2/28/09

– Fuel Cycle Facilities: Scheduled to be issued 2/28/09

• Completed Interim Staff Guidance is available on the NRC Public Web site: http://www.nrc.gov/reading-rm/doc-collections/isg/digital-instrumentation-ctrl.html


Interim Staff Guidance

• Status of Additional ISGs

– Highly Integrated Control Rooms – Human Factors

• Manual Operator Action (Scheduled to be issued 10/08)

• Safety Parameter Display System (TBD)

• Graded Approach to Human Factors (TBD)

– Risk Informing Digital I&C

• Applying Risk Insights to operating and new reactors (TBD)

• State-of-the-Art (TBD)

– Fuel Cycle Facilities

• Cyber Security (02/09)

• Adequate Diversity and Defense-in-Depth (02/09)

• Criticality Safety, Independence and Double Contingency (02/09)

• Isolation, Separation and Protection of Digital I&C Systems (02/09)

• Common Cause Software Failures (02/09)

• Longer Term Actions

– Development of SRP and Regulatory Guide Revision


Diversity and Defense-in-Depth (D3)

1. Adequate diversity

2. Manual operator actions

3. BTP 7-19 Position 4 challenges

4. Effects of common cause failures (CCFs)

5. CCF applicability

6. Echelons of defense

7. Single failure


Diversity and Defense-in-Depth (D3)

• Adequate Diversity

– Additional clarity is desired on what constitutes adequate D3. Determine how much D3 is enough.

• Manual Operator Actions

– Clarification is desired on the use of operator action as a defensive measure and corresponding acceptable operator action times.

• Interim Staff Guidance

– There is no distinction in D3 guidance for digital Reactor Protection System (RPS) designs for new/future nuclear power plants and current operating plants.

– While CCFs in digital systems are beyond design basis, the digital RPS should be protected against CCFs.

– A D3 analysis should be performed to demonstrate that vulnerabilities to CCFs have been adequately addressed.


Diversity and Defense-in-Depth (D3)

• Interim Staff Guidance (cont.)

– Where the protective action that should have been automatically performed by the system subject to CCF is required in less than 30 minutes to meet the BTP 7-19 acceptance criteria, an independent and diverse automated backup, achieving the same or equivalent function, should be provided.

– This automated backup guidance does not apply to follow-on actions that are handled in a manual fashion.

– In addition, a set of displays and controls (safety or non-safety) should be provided in the main control room for manual actuation and control of safety equipment to manage plant critical safety functions.

• Bases for 30-minute Operator Action Time

– Minimizing operator burden under the conditions of a digital system CCF

– Past regulatory decisions

– Regulatory practices applied in the international community

– Engineering judgment
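The slides above separate two ideas that are easy to conflate: redundancy (more copies of the same channel) and diversity (a backup that reaches the trip decision by a different method). The Python model below is an added illustration written for this page; it is not NRC, ISG or BTP 7-19 material. It gives four redundant digital channels identical trip software containing a constructed 16-bit overflow defect, so a severe overpower is missed by all four channels at once and 2-out-of-4 voting cannot mask the common cause failure, while an independent backup that compares raw counts directly still actuates. The `d3_disposition` function encodes the 30-minute screening rule stated on the slide. The count scale, setpoint, channel offsets and the injected defect are constructed assumptions and do not describe any real plant or platform.

```python
"""Diversity vs. redundancy under a software common cause failure (CCF).

Added example for this page; not NRC, ISG or BTP 7-19 code. All numbers
below are constructed for illustration.
"""
from typing import Dict, List

COUNTS_PER_PCT = 600          # constructed: 100% rated power reads 60000 counts
TRIP_SETPOINT_PCT = 118.0     # constructed overpower trip setpoint
CHANNEL_OFFSETS = [0, 30, -30, 60]   # constructed sensor-to-sensor spread (counts)


def sensor_counts(power_pct: float, offset: int = 0) -> int:
    """Raw counts from one channel's power sensor (constructed model)."""
    return int(round(power_pct * COUNTS_PER_PCT)) + offset


def digital_channel_trip(counts: int) -> bool:
    """Trip decision of one digital channel.

    Constructed latent defect: the conversion assumes a 16-bit ADC and masks
    the raw value to 16 bits, so counts above 65535 wrap to a small number
    and a severe overpower reads as low power. Every channel runs this same
    code, which is exactly what makes the defect a CCF rather than a single
    failure that voting could tolerate.
    """
    pct = (counts & 0xFFFF) / COUNTS_PER_PCT
    return pct > TRIP_SETPOINT_PCT


def vote_2oo4(channel_trips: List[bool]) -> bool:
    """2-out-of-4 coincidence logic of the primary system."""
    return sum(channel_trips) >= 2


def diverse_backup_trip(counts: int) -> bool:
    """Independent, diverse backup: compares raw counts against a setpoint
    expressed in counts, with no unit conversion and no 16-bit mask.
    The diversity is in the decision method, not in a fifth copy of the
    primary code."""
    return counts > TRIP_SETPOINT_PCT * COUNTS_PER_PCT


def evaluate_rps(power_pct: float) -> Dict[str, object]:
    """Run the 4-channel primary system and the diverse backup at one power level."""
    channel_trips = [digital_channel_trip(sensor_counts(power_pct, off))
                     for off in CHANNEL_OFFSETS]
    primary = vote_2oo4(channel_trips)
    backup = diverse_backup_trip(sensor_counts(power_pct))
    return {
        "channels_tripped": sum(channel_trips),
        "primary_trip": primary,
        "backup_trip": backup,
        "protected": primary or backup,
    }


def d3_disposition(required_action_minutes: float, diverse_automated_backup: bool) -> str:
    """Screening rule from the slide: a protective action needed in less than
    30 minutes requires an independent and diverse automated backup; beyond
    that, manual operator action may be credited, given main-control-room
    displays and controls."""
    if required_action_minutes < 30:
        if diverse_automated_backup:
            return "acceptable: diverse automated backup provided"
        return "not acceptable: independent and diverse automated backup required"
    return "manual operator action may be credited (MCR displays and controls required)"


if __name__ == "__main__":
    for power in (100.0, 119.0, 125.0):
        print(f"{power:5.1f}% power -> {evaluate_rps(power)}")
    print(d3_disposition(10, False))
    print(d3_disposition(45, False))
```

At 119% power every channel wraps to roughly 9.8% and none trips, so the primary output stays at 0 of 4 regardless of how many identical channels are added; only the backup, which never performs the faulty conversion, protects the plant. That is the gap a D3 analysis is meant to expose before it is found in operation.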


Communications

• Areas of Interest

– Interdivisional Communications

– Command Prioritization

– Multidivisional Control and Display Stations

– Digital System Network Configuration

• The ISG has one section for each of the first three areas; the last area is addressed in the sections devoted to the other areas


Human Factors

• Minimum Inventory

– Better describe the process for developing, and the actual, minimum inventory of alarms, controls, and displays

• Interim Staff Guidance

– Applicable only to new reactors

– Identifies

• Selection criteria

• Process development considerations

• Verification

– Two-step process consistent with the design acceptance criteria concept

• Computer-Based Procedures

– Develop review guidance and acceptance criteria for review of computerized procedures and associated soft controls

• Interim Staff Guidance

– Paper and computer-based procedures can be essentially the same

– Computer-based procedures should not limit the control or situation awareness of the procedure user

– Computer-based procedures can incorporate different levels of automation


Review of New Reactor Digital I&C PRAs

• Areas of Interest

– Clarify the use of current methods for modeling digital systems required by 10 CFR Part 52 PRAs

– Where possible, use risk-insights to improve operating reactor DI&C reviews

– Determine if it is necessary to enhance the state-of-the-art so that a comprehensive, risk-informed decision-making process for licensing DI&C systems can be developed

• Challenges in risk-informing DI&C

– Lack of consensus on how to model DI&C systems and their unique failure modes including common cause failures (CCFs)

– Lack of robust data with which to model DI&C system faults and CCFs

– Uncertainties

– Linking the DI&C system Probabilistic Risk Assessment (PRA) with the rest of the PRA


Review of New Reactor Digital I&C PRAs

• Interim Staff Guidance was developed to address the first area

• Interim guidance for review of new reactor DI&C PRAs was developed using

– Previous NRC licensing experience

– Industry white papers outlining proposed current methods and lessons learned

– NRC review of current guidance and methods

– Input from other industries/organizations

• Interim Staff Guidance

– Outlines various attributes and risk insights to help a reviewer identify, at a high level, any potential risk-significant problems in a DI&C implementation

– Provides guidelines for DI&C PRA review for situations where either detailed or limited review is required

– Appendix A provides additional risk insights from previous reviews of new reactor DI&C risk assessments


Review of New Reactor Digital I&C PRAs

• Based on PRA reviews the NRC has previously performed on new reactor DI&C systems and recent research activities, 12 review guidelines are provided for a basic review, including:

– PRA quality

– Failure modes

– CCF – software and hardware

– Uncertainties – modeling, data

– Environment

– External events

– Assumptions

– Recovery actions

– Contribution of software failures

– Data

– Monitoring programs


Review of New Reactor Digital I&C PRAs

• Ten additional steps, as applicable, are included if a more detailed review is needed (e.g., through field audits), including:

– Dependencies

– Spurious actuation

– Additional review of CCF

– Design features

– Communications

– Additional review of data

– Dynamic effects

– Target reliability and availability


Cyber Security

• Issue was industry concerns of possible conflicts between Regulatory Guide (RG) 1.152 Rev 2, "Criteria For Use Of Computers In Safety Systems Of Nuclear Power Plants", and NEI 04-04 Rev 1, "Cyber Security Program for Power Reactors".

– Reg. Guide 1.152 (Rev 2) to endorse the updated IEEE Std. 7-4.3.2-2003. Reg. Positions 2.1 thru 2.9 to provide specific guidance concerning computer safety system cyber security.

• Analysis revealed some gaps and some overlaps but no inconsistencies/conflicts between RG 1.152 Rev 2 and NEI 04-04 Rev 1. Rather, the two documents are complementary.

– Industry committed to revise NEI 04-04 Rev 1 to better incorporate cyber security guidance for safety-related systems

• 10 CFR 73.55 will include provisions for cyber security of critical digital systems at power reactors, such as safety systems, security systems, and emergency preparedness systems.


Cyber Security

• ISG clarifies the NRC staff's guidance with regard to implementation of cyber security requirements for nuclear power plant safety systems

• The ISG includes a cross-correlation table to facilitate the licensing process when using draft NEI 04-04 Rev 2 in lieu of RG 1.152 Rev 2

Cross-correlation table (excerpt):

RG 1.152 Rev. 2 Criteria – 2.2.2 Development Activities, C1: The development process should ensure the system does not contain undocumented code (e.g., back door coding), malicious code (e.g., intrusions, viruses, worms, Trojan horses, or bomb codes), and other unwanted and undocumented functions or applications.

Corresponding Draft NEI 04-04 Rev. 2 Criteria – Development Activities, C1: NEI 04-04 Appendix D, page D-3, Section 2, Design Control Procedures, Bullet 3, Sub-bullet 5: "Development process should ensure that no undocumented code – backdoors, malicious codes (viruses, worms, Trojans, etc.) or undocumented functions are introduced."
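Both criteria in the table above require a development process that keeps undocumented functions out of the delivered system. One concrete control that supports such a process is a traceability check between the design documentation and the delivered source: every function in the code must be accounted for in the documented inventory, and every documented function must actually exist. The Python example below is added for this page and is not from the ISG, RG 1.152, NEI 04-04 or any NRC tool; it parses a constructed module with the standard-library `ast` module and reports both directions of mismatch. The module name, documented inventory and source text are constructed for illustration.

```python
"""Traceability check: functions defined in delivered source vs. the documented
inventory from the design specification.

Added example for this page; not NRC, ISG, RG 1.152 or NEI 04-04 material.
The inventory and the source text are constructed for illustration.
"""
import ast
from typing import Dict, Set, Tuple

# Constructed design-document inventory: the functions the design
# specification documents for each module of a fictional trip-logic package.
DOCUMENTED_FUNCTIONS: Dict[str, Set[str]] = {
    "trip_logic": {"read_channel", "compare_setpoint", "vote_2oo4", "actuate_trip"},
}

# Constructed source text standing in for the delivered module. The last
# function is absent from the inventory above and is what the check must surface.
TRIP_LOGIC_SOURCE = '''
def read_channel(channel):
    return channel.value

def compare_setpoint(value, setpoint):
    return value > setpoint

def vote_2oo4(trips):
    return sum(trips) >= 2

def actuate_trip(relays):
    for relay in relays:
        relay.open()

def _maintenance_override(relays):
    # not in the design specification
    for relay in relays:
        relay.hold_closed()
'''


def defined_functions(source: str) -> Set[str]:
    """Names of every function or method defined anywhere in the source.

    Walks the full syntax tree, so nested and class-level definitions are
    included; a function tucked inside another function is still reported.
    """
    names: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            names.add(node.name)
    return names


def audit_module(module_name: str, source: str,
                 inventory: Dict[str, Set[str]] = DOCUMENTED_FUNCTIONS
                 ) -> Tuple[Set[str], Set[str]]:
    """Return (undocumented, missing).

    undocumented: functions in the source that the design documentation does
    not list; missing: documented functions the source does not define.
    Either set being non-empty is a finding the review must disposition.
    A module name with no inventory entry treats every function as undocumented.
    """
    documented = inventory.get(module_name, set())
    actual = defined_functions(source)
    return actual - documented, documented - actual


if __name__ == "__main__":
    undocumented, missing = audit_module("trip_logic", TRIP_LOGIC_SOURCE)
    print("undocumented:", sorted(undocumented))
    print("missing:", sorted(missing))
```

A name-level check like this is only the first gate: it catches functions that were never written down, not a documented function whose body does more than its specification says. Reviewing the latter is what the V&V, code review and audit guidance listed under the regulatory framework earlier in the deck is for.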


Fuel Cycle Facility

• Guidance for reviewing adequacy of cyber security protective measures

• Clarifies adequate diversity and defense-in-depth design features

• Guidance on channel independence for criticality and non-criticality related safety actions

• Guidance on separation of safety-related functions from non-safety related functions in common operator interface devices

• Clarifies acceptable use of software for safety functions to minimize common cause failures


Lessons Learned

Operating Reactors

• New technology under review

– FPGA based safety system

– Additional Digital Safety System Platform topical reports

– Priority Logic Module

• Challenge associated with differences between operating reactor (Part 50) and new reactor (Part 52) reviews

– Level of detail and schedule needed to approve the application and maintain technical consistency


Lessons Learned

New Reactors

• New technology under review similar to operating reactors

• Challenges for new reactor licensing

– Level of design detail in conjunction with the use of I&C design acceptance criteria (DAC) by applicants

• The use of DAC challenges the level of design detail in all new reactor design centers

• Driving a large number of requests for additional information

• Some technical areas may be addressed by DAC but a certain level of information is needed in the application even with the use of DAC.

– First-of-a-kind technical reviews

– Dual applicability of reviews to new and current reactors

– Proposed alternatives to staff guidance by the applicants


Operating Experience

• National and International data-bases

• Level of detail not yet sufficient for revising guidance based on operating experience

• Reviewing additional nuclear and non-nuclear data to identify insights that can be used to update regulatory guidance


Recent Review Experience

• Vendor LTR Submittal

– Unendorsed standards were used to qualify the safety system. DO-254 (FAA standard) was used instead of IEEE 7-4.3.2

– License amendment mischaracterized FPGA system as being a "Non-Digital / Not software based System"

– Incorrect Commercial Grade Dedication guidance used

– Insufficient D3 Analysis performed

– Software Tools Requirements not met


Recent Review Experience

• Licensee LAR Submittal

– D3 Analysis does not conform to ISG-02 guidance for Manual Operator action time.

– Documentation not provided to support ISG-04 Guidance for Bi-directional communications between SR and NSR systems.

– An un-approved Topical Report was referenced.

– Insufficient documentation of changes made to procedures referenced by the Reference ATR.

– Insufficient documentation provided to support exception to V&V standard position held by applicant.


Software Tools

• Tool usage for V&V activities

• Qualification Requirements for Tool itself

• Degree of V&V required for Output of Tool

Reference: IEEE 7-4.3.2 section 5.3.2, Software Tools; Qualification Issues


Moving Forward

• The ISGs will be formalized through Regulatory Guides, NUREGs, and/or SRPs

• NRC will continue to work closely with key stakeholders to address key high-priority issues in a timely manner

• NRC will use the ISGs as part of the review process for future applications and feed back lessons learned as input for improving the guidance as it is formalized

• NRC is continuing to conduct independent research to support continued improvement of its regulatory guidance and to work with industry researchers as appropriate

• NRC staff will continue to engage with the domestic and international nuclear community and other industries to gain relevant operating experience and to cooperate on future activities in digital I&C