NRC Generic Letter 1995-02: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
| issue date = 04/26/1995 | | issue date = 04/26/1995 | ||
| title = NRC Generic Letter 1995-002: Use of Numarc/Epri Report TR-102348, Guideline on Licensing Digital Upgrades, in Determining the Acceptability of Performing Analog-To-Digital Replacements Under 10CFR 50.59 | | title = NRC Generic Letter 1995-002: Use of Numarc/Epri Report TR-102348, Guideline on Licensing Digital Upgrades, in Determining the Acceptability of Performing Analog-To-Digital Replacements Under 10CFR 50.59 | ||
| author name = Zimmerman R | | author name = Zimmerman R | ||
| author affiliation = NRC/NRR | | author affiliation = NRC/NRR | ||
| addressee name = | | addressee name = | ||
| Line 14: | Line 14: | ||
| page count = 10 | | page count = 10 | ||
}} | }} | ||
{{#Wiki_filter: | {{#Wiki_filter:I | ||
UNITED STATES | |||
NUCLEAR REGULATORY COMMISSION | |||
OFFICE OF NUCLEAR REACTOR REGULATION | |||
WASHINGTON, D.C. 20555 April 26, 1995 NRC GENERIC LETTER 95-02: USE OF NUMARC/EPRI REPORT TR-102348, "GUIDELINE ON | |||
LICENSING DIGITAL UPGRADES," IN DETERMINING THE | |||
ACCEPTABILITY OF PERFORMING ANALOG-TO-DIGITAL | |||
REPLACEMENTS UNDER 10 CFR 50.59 | |||
==Addressees== | ==Addressees== | ||
All holders of operating licenses or construction permits for | nuclear power All holders of operating licenses or construction permits for reactors. | ||
==Purpose== | ==Purpose== | ||
The U.S. Nuclear Regulatory Commission (NRC) staff is issuing | this generic The U.S. Nuclear Regulatory Commission (NRC) staff is issuing of Nuclear letter to inform addressees of a new staff position on the use Research Institute Management and Resources Council/Electrical Power Upgrades," | ||
(NUMARC/EPRI) Report TR-102348, "Guideline on Licensing Digital when an analog-to- dated December 1993, as acceptable guidance for determining prior NRC staff approval under digital replacement can be performed without of Federal the requirements of Section 50.59 of Title 10 of the Code equipment that Regulations (10 CFR 50.59). The report applies to all digital The uses software and, in particular, to microprocessor-based systems. | |||
discussed in this generic letter, report, together with the clarifications a determination represents a method acceptable to the staff for use in makingrespect to of whether or not an unreviewed safety question exists with consider the | |||
10 CFR 50.59 requirements. It is expected that recipients will information in this generic letter when performing analog-to-digital suggestions instrumentation and control systems replacements. However, no contained in this generic letter are not NRC requirements; therefore, specific action or written response is required. | |||
==Description of Circumstances== | ==Description of Circumstances== | ||
The age-related degradation of some earlier analog electronic systems | systems and the The age-related degradation of some earlier analog electronic for those systems, difficulties in obtaining qualified replacement components features such as automatic self-test and as well as a desire for enhanced have diagnostics, greater flexibility, and increased data availability analog systems prompted some operating reactor licensees to replace existing system with digital systems. After reviewing a number of these digital failures in both nuclear and non-nuclear replacements and digital equipment concerns applications, the staff has identified potentially safety-significant concerns of the pertaining to digital systems in nuclear power plants. The digital staff stem from the design characteristics specific to the new that electronics that could result in failure modes and system malfunctions may not have either were not considered during the initial plant design or These in the safety analysis report. | ||
been evaluated in sufficient detail | |||
9504140227 PDR ADOCK 0SQO00o03 P 9 S o q( | |||
2/71 | |||
GL 95-02 April 26, 1995 common concerns include potential common mode failures due to (1) the use of of software in redundant channels, (2) increased sensitivity to the effects electromagnetic interference, (3) the improper use and control of equipment used to control and modify software and hardware configurations, (4) the effect that some digital designs have on diverse trip functions, (5) improper system integration, and (6) inappropriate commercial dedication of digital electronics. | |||
letter As a result of the above concerns, the NRC staff issued a draft generic for public comment in the Federal Register (57FR36680) on August 14, 1992, wherein a position was established that essentially all safety-related digital replacements result in an unreviewed safety question because of the possibility of the creation of a different type of malfunction than those evaluated previously in the safety analysis report. The staff concluded, therefore, that prior approval by the NRC staff of all safety-related digital on modifications was necessary. However, subsequent discussions and comments in the draft generic letter have resulted in the staff position as described this letter. | |||
Discussion To assist licensees in effectively implementing digital replacements by can addressing the concerns indicated above and in determining which upgrades be performed under 10 CFR 50.59 without prior NRC staff approval, Report TR- on | |||
102348 has been published. The NRC staff reviewed and provided comments this report while it was in draft form, and the final report reflects a coordinated effort between industry and the NRC staff. The NRC staff believes that, when properly implemented, modern digital systems offer the potential for greater system reliability and enhanced features such as automatic self- test and diagnostics, as well as greater flexibility, increased data availability, and ease of modification. | |||
Report TR-102348 contains guidance that will assist licensees in implementing and licensing digital upgrades in such a manner as to minimize the potential and concerns indicated above. It describes actions to be taken in the designsafety implementation process to ensure that the digital upgrade licensing and issues are addressed, and ways to consider these issues when performing the | |||
10 CFR 50.59 evaluation. It is not the intent of the report or of the NRC | |||
staff to predispose the outcome of the 10 CFR 50.59 process, but rather to provide a process that will assist licensees in reaching a proper conclusion a regarding the existence of an unreviewed safety question when undertaking digital system replacement. However, as shown in Example 5-6 of the report, when using this document as guidance for the analysis of modifications of some safety-significant systems such as the reactor protection system or an engineered safety feature system, it is likely these digital modifications TR- | |||
will require staff review when 10 CFR 50.59 criteria are applied. Report | |||
102348 states in the introduction that the guidance is supplemental to and consistent with that provided in NSAC-125, "Guidelines for 10 CFR 50.59 Safety Evaluations." Licensees should bear in mind that NSAC-125 has not been | |||
GL 95-02 April 26, 1995 endorsed by the NRC, and therefore any use of those guidelines is advisory only, and that nothing in NSAC-125 can be construed as a modification of | |||
10 CFR 50.59. While the guidelines of NSAC-125 can be useful in the evaluation of systems, and are representative of logic used in making a | |||
10 CFR 50.59 determination, the actual determination of whether or not an unreviewed safety question exists must be done in accordance with | |||
10 CFR 50.59. | |||
10 CFR 50.59(a)(2)(i) and (ii)states that a proposed change, test or experiment involves an unreviewed safety question if the probability or consequences of an accident or malfunction previously evaluated in the safety analysis report may increase, or if the possibility for an accident or malfunction of a different type than any previously evaluated in the safety analysis report may be created. If during the 10 CFR 50.59 determination there is uncertainty about whether the probability or consequences may increase, or whether the possibility of a different type of accident or malfunction may be created, the uncertainty should lead the licensee to conclude that the probability or consequences may increase or a new type of malfunction may be created. If the uncertainty is only on the degree of improvement the digital system will provide, the modification would not involve an unreviewed safety question. If, however, the uncertainty involves whether or not this modification is more or less safe than the previous analog system, or if no degree of safety has been determined, an unreviewed safety question is involved. | |||
The staff believes that two clarifications to Report TR-102348 are appropriate as follows: | |||
1. 10 CFR 50.59 requires determination of whether "a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created." As a part of this determination, Report TR-102348 suggests looking for "any new types of system-level failures that would result in effects not previously considered in the FSAR." (For example, see TR-102348, Section 4.5, Question 6.) It is the NRC staff's position that the system-level considered in this regard should be the digital system being installed. | |||
The staff believes that this clarification is necessary because | |||
10 CFR 50.59 does not refer to an accident or malfunction that results in a "system-level" failure different from any previously analyzed but rather to the malfunction of the equipment important to safety being modified. It is the change in the facility as described in the safety analysis report that is to be analyzed under 10 CFR 50.59 to determine if it involves an unreviewed safety question, that is, the digital equipment that replaced the analog equipment, rather than the otherwise unchanged system of which that equipment is a part is to be analyzed. | |||
This does not mean that all digital equipment usage will automatically result in an unreviewed safety question simply as a result of the use of software. Software failure, including common-mode failure, must be | |||
GL 95-02 April 26, 1995 considered during the 10 CFR 50.59 evaluation as a possible different type of malfunction. However, if software failure cannot cause an equipment malfunction of a different type than any previously evaluated in the safety analysis report, then no unreviewed safety question exists with respect to this criterion, and in the absence of other disqualifying criteria, the replacement can be performed under | |||
10 CFR 50.59 without prior NRC approval. For many digital system modifications involving relatively simple systems such as discussed in example 5-5 of NUMARC/EPRI Report TR-102348, the NRC staff believes that a conclusion may be reached that there is no possibility that a different type of malfunction may be created. | |||
As an example, when installing an upgraded digital high pressure function of the reactor trip system, it is the digital instrumentation and control circuitry associated with the high pressure reactor trip function that would be subject to the questions on failure modes and effects (equipment malfunctions) identified in the report that would be analyzed to determine involvement of an unreviewed safety question, not the entire reactor trip system. If the entire trip system is being replaced with a digital upgrade, then the entire replacement digital instrumentation and control system would be subject to the failure modes and effects analysis, not the full range of instrumentation and control systems being actuated to respond to a transient or accident. | |||
2. 10 CFR 50.59 requires maintaining records that "include a written safety evaluation which provides the bases for the determination that the change, test, or experiment does not involve an unreviewed safety question." Section 3.1.2 of the report points out that the use of qualitative engineering judgment is typically involved in areas that are not readily quantifiable, such as likelihood of the failure, its importance to the system and to the plant, and the practicality and incremental improvements of various options available for resolving the failure. Such judgments may be difficult to duplicate and understand at a later time. It is the NRC staff's position that the basis for the engineering judgment and the logic used in the determination should be documented to the extent practicable. This type of documentation is of particular importance in areas where no established consensus methods are available, such as for software reliability, or the use of commercial-grade hardware and software where full documentation of the design process is not available. | |||
EPRI Report TR-102348, together with the clarifications discussed in this generic letter, can be used as guidance by licensees in both designing analog- to-digital replacements and, with respect to unreviewed safety question determinations, determining if an analog-to-digital replacement can be performed under 10 CFR 50.59 without prior staff approval. | |||
GL 95-02 April 26, 1995 This generic letter requires no specific action or written response. If you have any questions about this matter, please contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager. | |||
y .mie ant Associate Direct rojects M;;4d-a nf Mlu-1aa Rartor Reaulatiorn Technical contact: Paul J. Loeser, NRR | |||
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR | |||
(301) 504-3016 Attachment: | |||
List of Recently Issued NRC Generic Letters t~l | |||
~ I | |||
Attachment GL 95-02 April 26, 1995 LIST OF RECENTLY ISSUED GENERIC LETTERS | |||
Generic Date of P . . L . T e.e a nt , Teciiad Tn Letter bUD.ieCt - - - - - - -- V | |||
89-04, GUIDANCE ON DEVELOPING 04/04/95 ALL HOLDERS OF OLs OR | |||
SUPP. 1 ACCEPTABLE INSERVICE CPs FOR NUCLEAR POWER | |||
TESTING PROGRAMS REACTORS. | |||
95-01 NRC STAFF TECHNICAL POSI- 01/26/95 ALL CURRENT LICENSEES | |||
TION ON FIRE PROTECTION & APPLICANTS FOR URANIUM | |||
FOR FUEL CYCLE FACILITIES CONVERSION & FUEL | |||
FABRICATION FACILITIES. | |||
94-04 VOLUNTARY REPORTING OF 09/02/94 ALL HOLDERS OF OLs OR CPs ADDITIONAL OCCUPATIONAL FOR NPRs, RADIOGRAPHY | |||
RADIATION EXPOSURE DATA LICENSEES, FUEL PROCES- | |||
SING LICENSEES, FABRICA- | |||
TING & REPROCESSING | |||
LICENSEES, MANUFACTURERS | |||
& DISTRIBUTORS OF BY- | |||
PRODUCT MAT'L, INDEPEND- | |||
DENT SPENT FUEL STORAGE | |||
INSTALLATIONS, FACILITIES | |||
FOR LAND DISPOSAL OF LOW- | |||
LEVEL WASTE, & GEOLOGIC | |||
REPOSITORIES FOR HIGH- | |||
LEVEL WASTE. | |||
94-03 INTERGRANULAR STRESS 07/22/94 ALL HOLDERS OF OLs OR CPs CORROSION CRACKING OF CORE FOR BOILING WATER | |||
SHROUDS IN BOILING WATER REACTORS EXCEPT FOR BIG | |||
ROCK POINT, WHICH DOES | |||
NOT HAVE A CORE SHROUD. | |||
94-02 LONG-TERM SOLUTIONS AND 07/11/94 ALL HOLDERS OF OLs FOR | |||
UPGRADE OF INTERIM BOILING WATER REACTORS | |||
OPERATING RECOMMENDATIONS EXCEPT BIG ROCK POINT | |||
FOR THERMAL-HYDRAULIC | |||
INSTABILITIES IN BOILING | |||
WATER REACTORS | |||
94-01 REMOVAL OF ACCELERATED 05/31/95 ALL HOLDERS OF OLs FOR | |||
TESTING AND SPECIAL RE- NPRs PORTING REQUIREMENTS FOR | |||
EMERGENCY DIESEL GENERATORS | |||
OL = OPERATING LICENSE | |||
CP = CONSTRUCTION PERMIT | |||
NPR = NUCLEAR POWER REACTORS | |||
a-X | |||
GL 95-02 April 26, 1995 This generic letter requires no specific action or written response. If you have any questions about this matter, please contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager. | |||
Roy P. Zimmerman Associate Director for Projects Office of Nuclear Reactor Regulation Technical contact: Paul J. Loeser, NRR | |||
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR | |||
(301) 504-3016 Attachment: | |||
List of Recently Issu ed NRC Generic Letters NOTE: JHConran's 4/12/95 e-mail to PJLoeser indicated that ELJordan had determined that further formal review of the generic letter by CRGR is not needed. | |||
* SEE FJMiraglia 4/3/95 memo to ELJordan for PREVIOUS CONCURRENCEs | |||
** SEE PREVIOUS PAGE FOR CONCURRENCES | |||
DOCUMENT NAME: 95-02.GL i To receive a copy of th document, Indicate In the box: wC' - Copy without chmentJncos wEd - Copy wit atachmentlenosure 'N' = No copy OFFICE TA:DOPS/NRR** 7 rD:DOPS/NRR** I | |||
DNAME AJKugler BGrimes ADO | |||
lRP41Nma DATE 04/17/95 04/17/95 | |||
GL 95-XX | |||
April XX, 1995 This generic letter requires no specific action or written response. If you have any questions about this mat te, ple0S0 contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager. | |||
Roy P. Zimmerman Associate Director for Projects Office of Nuclear Reactor Regulation Technical contact: Paul J. Loeser, NRR | |||
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR | |||
(301) 504-3016 Attachment: | |||
List of Recently Issued NRC Generic Letters NOTE: JHConran's 4/12/95 e-mail to PJLoeser indicated that ELJordan had determined that further formal review of the generic letter by CRGR is not needed. | |||
* SEE FJMiraglia 4/3/95 memo to ELJordan for PREVIOUS CONCURRENCEs DOCUMENT NAME: S:\DOPS SEC\A2D.GL | |||
. | |||
To mraviwe a conv of this document. Indicate In the box: 'C = Copv without attachment/enclosure 'E' = Copy with attachmentlenclosure 'N' e No copy OFFICE HICB* SC:HICB* l BC:HICB* D: DRCHI TECH ED* | |||
NAME PLoeser JMauck JWermiel BBoger MMejac DATE 03/07/95 03/07/95 03/07/95 103/09/95 03/01/95 OFFICE PM:DRCH* OGC* ADTfjR jJ GCI:NRR I | |||
NAME RPulsipher SLewis AThadani AKugler % , BGries_ | |||
DATE 03/08/95 03/21/95 03/21/95 04/./dy/95 r 04// | |||
OFFICE ADP:NRR I 1I | |||
NAME RPZimmerman DATE 04/ /95 _ | |||
GL 95-02 April 26, 1995 This generic letter requires no specific action or written response. If you have any questions about this matter, please contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager. | |||
Roy P. Zimmerman Associate Director for Projects Office of Nuclear Reactor Regulation Technical contact: Paul J. Loeser, NRR | |||
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR | |||
(301) 504-3016 Attachment: | |||
List of Recently Issued NRC Generic Letters NOTE: JHConran's 4/12/95 e-mail to PJLoeser indicated that ELJordan had determined that further formal review of the generic letter by CRGR is not needed. | |||
* SEE FJMiraglia 4/3/95 memo to ELJordan for PREVIOUS CONCURRENCEs DOCUMENT NAME: 95-02.GL | |||
To rsceive a cop of this document. Indilcate hI the box: 'C' - Copy without attachmentlenclosure *E- - Cope with attachmentVenclasure 'N' -No copy OFFICE HICB* I SC:HICB* I BC:HICB* I D:DRCH* I TECH ED* I | |||
NAME PLoeser JMauck JWermiel BBoger MMejac DATE 03/07/95 03/07/95 03/07/95 03/09/95 03/01/95 OFFICE PM:DRCH* I OGC* ADT:NRR* I OGCB:NRR I DORS:NRR | |||
NAME RPulsipher SLewis AThadani AKugler BGrimes DATE 03/08/95 03/21/95 03/21/95 04/ /95 04/ /95 | |||
_. _ =. . .1 OFFICE ADP:NRR I I | |||
NAME RPZimmerman I | |||
DATE 04/ /95 1 | |||
Ed...8 I 1>, A | |||
, Uw4IU L.*uua I d - £ - | |||
from the Nuclear Energy Institute (NEI) and three from utilities endorsing the NEI comment) concerned the scope of the system to be considered when determining whether a different type of accident or malfunction is created as defined in 10 CFR 50.59. The NEI comment was submitted to the Office of the General Counsel (OGC) for review and legal interpretation. OGC stated that the NEI comment was an incorrect interpretation of the requirements of | |||
10 CFR 50.59 and that the original statement in the draft generic letter was correctly worded. However, OGC provided additional clarifying language, which was incorporated in the final generic letter. The fifth comment was from Florida Power & Light Company and addressed the Institute of Electrical and Electronic Engineers standards referenced in Report TR-102348. Attachment 2 is a redline version of the generic letter showing the final changes made on the basis of the public comments. | |||
Attachments 3-7 contain the comment letters received from NEI, Florida Power & | |||
Light Company, PECO Energy Company, Baltimore Gas and Electric Company, and Virginia Power. Attachment 8 contains the staff response to the comments. | |||
Attachment 9 contains the responses to the questions in Section IV.B of the CRGR Charter. Attachment 10 is a copy of the original generic report TR- | |||
102348, 'Guideline on Licensing Digital Upgrades.' | |||
No actions are requested by this proposed generic letter. | |||
No further regulatory activity is anticipated. | |||
The Office of the General Counsel has reviewed this generic letter, the public comments, and the changes as a result of the public comments, and has no legal objections. | |||
The generic letter is sponsored by Bruce A. Boger, Director, Division of Reactor Controls and Human Factors. | |||
Attachments: | |||
1. Proposed Generic Letter, Use of WUIARC/EPRI Report TR-102348. %Guideline an Licensing | 1. Proposed Generic Letter, Use of WUIARC/EPRI Report TR-102348. %Guideline an Licensing DigitaL | ||
* E TECN ED' J PN:DRC*il | Upgrades,' in Determining the Acceptability of Performing Analog-to-DigftaL Replacements Under | ||
10 CFR 50.59" | |||
2. Redline version of generic letter | |||
3. Nuclear Energy Institute letter dated January 12, 1995 | |||
4. Florida Power & Light Company letter dated January 17, 1995 | |||
5. PECO Energy Company letter dated January 20, 195 | |||
6. BaLtimore Gas and Electric Company letter dated January 23. 1995 | |||
7. Virginia Power letter dated January 24, 1995 S. Staff response to coments | |||
9. Responses to CRGR Charter Questions | |||
10. TR-102348, KGudeline on Licensing Digital Upgradesm cc: J. T. Larkins, ACRS | |||
DISTRIBUTION: | |||
B. K. Grimes, NRR Central Files B. J. Shelton, IRM HICB R/F | |||
R. K. Ingram, NRR | |||
SEE PREVIOUS CONCURRENCE* | |||
DOCUMENT KME: A:NEUCRGR.PKG | |||
To , *aawy o Oh dbamu. Wonih Or bez*n acs - CwrwfttaA &Uashrnmw/mh nnfe T - C, rcbwo ' No *qM | |||
OFFICE N B* IS C I J -C:HICs * E TECN ED' J PN:DRC*il E | |||
KANE PLoeser JJauck J~ermiet Iejac RPulsip er DATE 03/07/95 m0/07/M 103107/95 03/'q / / 03/01/95 03/08 OFFICE K ADT:NRR | |||
ff ltZ OGC tRADR DI) | |||
KANE | |||
DATE | |||
SLewis | |||
03/s?/95 r | |||
j AThadani | |||
5 AKugler | |||
[03/08/95 I __ | |||
0 95 03 4 /95 ir a | |||
03/ V /95 UtILIAL KLLUKI GUOYt L..}} | |||
{{GL-Nav}} | {{GL-Nav}} | ||
Latest revision as of 03:25, 24 November 2019
I
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555 April 26, 1995 NRC GENERIC LETTER 95-02: USE OF NUMARC/EPRI REPORT TR-102348, "GUIDELINE ON
LICENSING DIGITAL UPGRADES," IN DETERMINING THE
ACCEPTABILITY OF PERFORMING ANALOG-TO-DIGITAL
REPLACEMENTS UNDER 10 CFR 50.59
Addressees
nuclear power All holders of operating licenses or construction permits for reactors.
Purpose
this generic The U.S. Nuclear Regulatory Commission (NRC) staff is issuing of Nuclear letter to inform addressees of a new staff position on the use Research Institute Management and Resources Council/Electrical Power Upgrades,"
(NUMARC/EPRI) Report TR-102348, "Guideline on Licensing Digital when an analog-to- dated December 1993, as acceptable guidance for determining prior NRC staff approval under digital replacement can be performed without of Federal the requirements of Section 50.59 of Title 10 of the Code equipment that Regulations (10 CFR 50.59). The report applies to all digital The uses software and, in particular, to microprocessor-based systems.
discussed in this generic letter, report, together with the clarifications a determination represents a method acceptable to the staff for use in makingrespect to of whether or not an unreviewed safety question exists with consider the
10 CFR 50.59 requirements. It is expected that recipients will information in this generic letter when performing analog-to-digital suggestions instrumentation and control systems replacements. However, no contained in this generic letter are not NRC requirements; therefore, specific action or written response is required.
Description of Circumstances
systems and the The age-related degradation of some earlier analog electronic for those systems, difficulties in obtaining qualified replacement components features such as automatic self-test and as well as a desire for enhanced have diagnostics, greater flexibility, and increased data availability analog systems prompted some operating reactor licensees to replace existing system with digital systems. After reviewing a number of these digital failures in both nuclear and non-nuclear replacements and digital equipment concerns applications, the staff has identified potentially safety-significant concerns of the pertaining to digital systems in nuclear power plants. The digital staff stem from the design characteristics specific to the new that electronics that could result in failure modes and system malfunctions may not have either were not considered during the initial plant design or These in the safety analysis report.
been evaluated in sufficient detail
9504140227 PDR ADOCK 0SQO00o03 P 9 S o q(
2/71
GL 95-02 April 26, 1995 common concerns include potential common mode failures due to (1) the use of of software in redundant channels, (2) increased sensitivity to the effects electromagnetic interference, (3) the improper use and control of equipment used to control and modify software and hardware configurations, (4) the effect that some digital designs have on diverse trip functions, (5) improper system integration, and (6) inappropriate commercial dedication of digital electronics.
letter As a result of the above concerns, the NRC staff issued a draft generic for public comment in the Federal Register (57FR36680) on August 14, 1992, wherein a position was established that essentially all safety-related digital replacements result in an unreviewed safety question because of the possibility of the creation of a different type of malfunction than those evaluated previously in the safety analysis report. The staff concluded, therefore, that prior approval by the NRC staff of all safety-related digital on modifications was necessary. However, subsequent discussions and comments in the draft generic letter have resulted in the staff position as described this letter.
Discussion To assist licensees in effectively implementing digital replacements by can addressing the concerns indicated above and in determining which upgrades be performed under 10 CFR 50.59 without prior NRC staff approval, Report TR- on
102348 has been published. The NRC staff reviewed and provided comments this report while it was in draft form, and the final report reflects a coordinated effort between industry and the NRC staff. The NRC staff believes that, when properly implemented, modern digital systems offer the potential for greater system reliability and enhanced features such as automatic self- test and diagnostics, as well as greater flexibility, increased data availability, and ease of modification.
Report TR-102348 contains guidance that will assist licensees in implementing and licensing digital upgrades in such a manner as to minimize the potential and concerns indicated above. It describes actions to be taken in the designsafety implementation process to ensure that the digital upgrade licensing and issues are addressed, and ways to consider these issues when performing the
10 CFR 50.59 evaluation. It is not the intent of the report or of the NRC
staff to predispose the outcome of the 10 CFR 50.59 process, but rather to provide a process that will assist licensees in reaching a proper conclusion a regarding the existence of an unreviewed safety question when undertaking digital system replacement. However, as shown in Example 5-6 of the report, when using this document as guidance for the analysis of modifications of some safety-significant systems such as the reactor protection system or an engineered safety feature system, it is likely these digital modifications TR-
will require staff review when 10 CFR 50.59 criteria are applied. Report
102348 states in the introduction that the guidance is supplemental to and consistent with that provided in NSAC-125, "Guidelines for 10 CFR 50.59 Safety Evaluations." Licensees should bear in mind that NSAC-125 has not been
GL 95-02 April 26, 1995 endorsed by the NRC, and therefore any use of those guidelines is advisory only, and that nothing in NSAC-125 can be construed as a modification of
10 CFR 50.59. While the guidelines of NSAC-125 can be useful in the evaluation of systems, and are representative of logic used in making a
10 CFR 50.59 determination, the actual determination of whether or not an unreviewed safety question exists must be done in accordance with
10 CFR 50.59(a)(2)(i) and (ii)states that a proposed change, test or experiment involves an unreviewed safety question if the probability or consequences of an accident or malfunction previously evaluated in the safety analysis report may increase, or if the possibility for an accident or malfunction of a different type than any previously evaluated in the safety analysis report may be created. If during the 10 CFR 50.59 determination there is uncertainty about whether the probability or consequences may increase, or whether the possibility of a different type of accident or malfunction may be created, the uncertainty should lead the licensee to conclude that the probability or consequences may increase or a new type of malfunction may be created. If the uncertainty is only on the degree of improvement the digital system will provide, the modification would not involve an unreviewed safety question. If, however, the uncertainty involves whether or not this modification is more or less safe than the previous analog system, or if no degree of safety has been determined, an unreviewed safety question is involved.
The staff believes that two clarifications to Report TR-102348 are appropriate as follows:
1. 10 CFR 50.59 requires determination of whether "a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created." As a part of this determination, Report TR-102348 suggests looking for "any new types of system-level failures that would result in effects not previously considered in the FSAR." (For example, see TR-102348, Section 4.5, Question 6.) It is the NRC staff's position that the system-level considered in this regard should be the digital system being installed.
The staff believes that this clarification is necessary because
10 CFR 50.59 does not refer to an accident or malfunction that results in a "system-level" failure different from any previously analyzed but rather to the malfunction of the equipment important to safety being modified. It is the change in the facility as described in the safety analysis report that is to be analyzed under 10 CFR 50.59 to determine if it involves an unreviewed safety question, that is, the digital equipment that replaced the analog equipment, rather than the otherwise unchanged system of which that equipment is a part is to be analyzed.
This does not mean that all digital equipment usage will automatically result in an unreviewed safety question simply as a result of the use of software. Software failure, including common-mode failure, must be
GL 95-02 April 26, 1995 considered during the 10 CFR 50.59 evaluation as a possible different type of malfunction. However, if software failure cannot cause an equipment malfunction of a different type than any previously evaluated in the safety analysis report, then no unreviewed safety question exists with respect to this criterion, and in the absence of other disqualifying criteria, the replacement can be performed under
10 CFR 50.59 without prior NRC approval. For many digital system modifications involving relatively simple systems such as discussed in example 5-5 of NUMARC/EPRI Report TR-102348, the NRC staff believes that a conclusion may be reached that there is no possibility that a different type of malfunction may be created.
As an example, when installing an upgraded digital high pressure function of the reactor trip system, it is the digital instrumentation and control circuitry associated with the high pressure reactor trip function that would be subject to the questions on failure modes and effects (equipment malfunctions) identified in the report that would be analyzed to determine involvement of an unreviewed safety question, not the entire reactor trip system. If the entire trip system is being replaced with a digital upgrade, then the entire replacement digital instrumentation and control system would be subject to the failure modes and effects analysis, not the full range of instrumentation and control systems being actuated to respond to a transient or accident.
2. 10 CFR 50.59 requires maintaining records that "include a written safety evaluation which provides the bases for the determination that the change, test, or experiment does not involve an unreviewed safety question." Section 3.1.2 of the report points out that the use of qualitative engineering judgment is typically involved in areas that are not readily quantifiable, such as likelihood of the failure, its importance to the system and to the plant, and the practicality and incremental improvements of various options available for resolving the failure. Such judgments may be difficult to duplicate and understand at a later time. It is the NRC staff's position that the basis for the engineering judgment and the logic used in the determination should be documented to the extent practicable. This type of documentation is of particular importance in areas where no established consensus methods are available, such as for software reliability, or the use of commercial-grade hardware and software where full documentation of the design process is not available.
EPRI Report TR-102348, together with the clarifications discussed in this generic letter, can be used as guidance by licensees in both designing analog- to-digital replacements and, with respect to unreviewed safety question determinations, determining if an analog-to-digital replacement can be performed under 10 CFR 50.59 without prior staff approval.
GL 95-02 April 26, 1995 This generic letter requires no specific action or written response. If you have any questions about this matter, please contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager.
y .mie ant Associate Direct rojects M;;4d-a nf Mlu-1aa Rartor Reaulatiorn Technical contact: Paul J. Loeser, NRR
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR
(301) 504-3016 Attachment:
List of Recently Issued NRC Generic Letters t~l
~ I
Attachment GL 95-02 April 26, 1995 LIST OF RECENTLY ISSUED GENERIC LETTERS
Generic Date of P . . L . T e.e a nt , Teciiad Tn Letter bUD.ieCt - - - - - - -- V
89-04, GUIDANCE ON DEVELOPING 04/04/95 ALL HOLDERS OF OLs OR
SUPP. 1 ACCEPTABLE INSERVICE CPs FOR NUCLEAR POWER
TESTING PROGRAMS REACTORS.
95-01 NRC STAFF TECHNICAL POSI- 01/26/95 ALL CURRENT LICENSEES
TION ON FIRE PROTECTION & APPLICANTS FOR URANIUM
FOR FUEL CYCLE FACILITIES CONVERSION & FUEL
FABRICATION FACILITIES.
94-04 VOLUNTARY REPORTING OF 09/02/94 ALL HOLDERS OF OLs OR CPs ADDITIONAL OCCUPATIONAL FOR NPRs, RADIOGRAPHY
RADIATION EXPOSURE DATA LICENSEES, FUEL PROCES-
SING LICENSEES, FABRICA-
TING & REPROCESSING
LICENSEES, MANUFACTURERS
& DISTRIBUTORS OF BY-
PRODUCT MAT'L, INDEPEND-
DENT SPENT FUEL STORAGE
INSTALLATIONS, FACILITIES
FOR LAND DISPOSAL OF LOW-
LEVEL WASTE, & GEOLOGIC
REPOSITORIES FOR HIGH-
LEVEL WASTE.
94-03 INTERGRANULAR STRESS 07/22/94 ALL HOLDERS OF OLs OR CPs CORROSION CRACKING OF CORE FOR BOILING WATER
SHROUDS IN BOILING WATER REACTORS EXCEPT FOR BIG
ROCK POINT, WHICH DOES
NOT HAVE A CORE SHROUD.
94-02 LONG-TERM SOLUTIONS AND 07/11/94 ALL HOLDERS OF OLs FOR
UPGRADE OF INTERIM BOILING WATER REACTORS
OPERATING RECOMMENDATIONS EXCEPT BIG ROCK POINT
FOR THERMAL-HYDRAULIC
INSTABILITIES IN BOILING
WATER REACTORS
94-01 REMOVAL OF ACCELERATED 05/31/95 ALL HOLDERS OF OLs FOR
TESTING AND SPECIAL RE- NPRs PORTING REQUIREMENTS FOR
OL = OPERATING LICENSE
CP = CONSTRUCTION PERMIT
NPR = NUCLEAR POWER REACTORS
a-X
GL 95-02 April 26, 1995 This generic letter requires no specific action or written response. If you have any questions about this matter, please contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager.
Roy P. Zimmerman Associate Director for Projects Office of Nuclear Reactor Regulation Technical contact: Paul J. Loeser, NRR
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR
(301) 504-3016 Attachment:
List of Recently Issu ed NRC Generic Letters NOTE: JHConran's 4/12/95 e-mail to PJLoeser indicated that ELJordan had determined that further formal review of the generic letter by CRGR is not needed.
- SEE FJMiraglia 4/3/95 memo to ELJordan for PREVIOUS CONCURRENCEs
- SEE PREVIOUS PAGE FOR CONCURRENCES
DOCUMENT NAME: 95-02.GL i To receive a copy of th document, Indicate In the box: wC' - Copy without chmentJncos wEd - Copy wit atachmentlenosure 'N' = No copy OFFICE TA:DOPS/NRR** 7 rD:DOPS/NRR** I
DNAME AJKugler BGrimes ADO
lRP41Nma DATE 04/17/95 04/17/95
GL 95-XX
April XX, 1995 This generic letter requires no specific action or written response. If you have any questions about this mat te, ple0S0 contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager.
Roy P. Zimmerman Associate Director for Projects Office of Nuclear Reactor Regulation Technical contact: Paul J. Loeser, NRR
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR
(301) 504-3016 Attachment:
List of Recently Issued NRC Generic Letters NOTE: JHConran's 4/12/95 e-mail to PJLoeser indicated that ELJordan had determined that further formal review of the generic letter by CRGR is not needed.
- SEE FJMiraglia 4/3/95 memo to ELJordan for PREVIOUS CONCURRENCEs DOCUMENT NAME: S:\DOPS SEC\A2D.GL
.
To mraviwe a conv of this document. Indicate In the box: 'C = Copv without attachment/enclosure 'E' = Copy with attachmentlenclosure 'N' e No copy OFFICE HICB* SC:HICB* l BC:HICB* D: DRCHI TECH ED*
NAME PLoeser JMauck JWermiel BBoger MMejac DATE 03/07/95 03/07/95 03/07/95 103/09/95 03/01/95 OFFICE PM:DRCH* OGC* ADTfjR jJ GCI:NRR I
NAME RPulsipher SLewis AThadani AKugler % , BGries_
DATE 03/08/95 03/21/95 03/21/95 04/./dy/95 r 04//
OFFICE ADP:NRR I 1I
NAME RPZimmerman DATE 04/ /95 _
GL 95-02 April 26, 1995 This generic letter requires no specific action or written response. If you have any questions about this matter, please contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation project manager.
Roy P. Zimmerman Associate Director for Projects Office of Nuclear Reactor Regulation Technical contact: Paul J. Loeser, NRR
(301) 504-2825 Lead project manager: Robert M. Pulsifer, NRR
(301) 504-3016 Attachment:
List of Recently Issued NRC Generic Letters NOTE: JHConran's 4/12/95 e-mail to PJLoeser indicated that ELJordan had determined that further formal review of the generic letter by CRGR is not needed.
- SEE FJMiraglia 4/3/95 memo to ELJordan for PREVIOUS CONCURRENCEs DOCUMENT NAME: 95-02.GL
To rsceive a cop of this document. Indilcate hI the box: 'C' - Copy without attachmentlenclosure *E- - Cope with attachmentVenclasure 'N' -No copy OFFICE HICB* I SC:HICB* I BC:HICB* I D:DRCH* I TECH ED* I
NAME PLoeser JMauck JWermiel BBoger MMejac DATE 03/07/95 03/07/95 03/07/95 03/09/95 03/01/95 OFFICE PM:DRCH* I OGC* ADT:NRR* I OGCB:NRR I DORS:NRR
NAME RPulsipher SLewis AThadani AKugler BGrimes DATE 03/08/95 03/21/95 03/21/95 04/ /95 04/ /95
_. _ =. . .1 OFFICE ADP:NRR I I
NAME RPZimmerman I
DATE 04/ /95 1
Ed...8 I 1>, A
, Uw4IU L.*uua I d - £ -
from the Nuclear Energy Institute (NEI) and three from utilities endorsing the NEI comment) concerned the scope of the system to be considered when determining whether a different type of accident or malfunction is created as defined in 10 CFR 50.59. The NEI comment was submitted to the Office of the General Counsel (OGC) for review and legal interpretation. OGC stated that the NEI comment was an incorrect interpretation of the requirements of
10 CFR 50.59 and that the original statement in the draft generic letter was correctly worded. However, OGC provided additional clarifying language, which was incorporated in the final generic letter. The fifth comment was from Florida Power & Light Company and addressed the Institute of Electrical and Electronic Engineers standards referenced in Report TR-102348. Attachment 2 is a redline version of the generic letter showing the final changes made on the basis of the public comments.
Attachments 3-7 contain the comment letters received from NEI, Florida Power &
Light Company, PECO Energy Company, Baltimore Gas and Electric Company, and Virginia Power. Attachment 8 contains the staff response to the comments.
Attachment 9 contains the responses to the questions in Section IV.B of the CRGR Charter. Attachment 10 is a copy of the original generic report TR-
102348, 'Guideline on Licensing Digital Upgrades.'
No actions are requested by this proposed generic letter.
No further regulatory activity is anticipated.
The Office of the General Counsel has reviewed this generic letter, the public comments, and the changes as a result of the public comments, and has no legal objections.
The generic letter is sponsored by Bruce A. Boger, Director, Division of Reactor Controls and Human Factors.
Attachments:
1. Proposed Generic Letter, Use of WUIARC/EPRI Report TR-102348. %Guideline an Licensing DigitaL
Upgrades,' in Determining the Acceptability of Performing Analog-to-DigftaL Replacements Under
2. Redline version of generic letter
3. Nuclear Energy Institute letter dated January 12, 1995
4. Florida Power & Light Company letter dated January 17, 1995
5. PECO Energy Company letter dated January 20, 195
6. BaLtimore Gas and Electric Company letter dated January 23. 1995
7. Virginia Power letter dated January 24, 1995 S. Staff response to coments
9. Responses to CRGR Charter Questions
10. TR-102348, KGudeline on Licensing Digital Upgradesm cc: J. T. Larkins, ACRS
DISTRIBUTION:
B. K. Grimes, NRR Central Files B. J. Shelton, IRM HICB R/F
R. K. Ingram, NRR
SEE PREVIOUS CONCURRENCE*
DOCUMENT KME: A:NEUCRGR.PKG
To , *aawy o Oh dbamu. Wonih Or bez*n acs - CwrwfttaA &Uashrnmw/mh nnfe T - C, rcbwo ' No *qM
OFFICE N B* IS C I J -C:HICs * E TECN ED' J PN:DRC*il E
KANE PLoeser JJauck J~ermiet Iejac RPulsip er DATE 03/07/95 m0/07/M 103107/95 03/'q / / 03/01/95 03/08 OFFICE K ADT:NRR
ff ltZ OGC tRADR DI)
KANE
DATE
SLewis
03/s?/95 r
j AThadani
5 AKugler
[03/08/95 I __
0 95 03 4 /95 ir a
03/ V /95 UtILIAL KLLUKI GUOYt L..