94-25708. ``Use of NUMARC/EPRI Report TR-102348, `Guideline on Licensing Digital Upgrades,' in Determining the Acceptability of Performing Analog-to-Digital Replacements Under 10 CFR 50.59''  

  • [Federal Register Volume 59, Number 200 (Tuesday, October 18, 1994)]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 94-25708]
    
    
    
    [Federal Register: October 18, 1994]
    
    
    -----------------------------------------------------------------------
    
    
    NUCLEAR REGULATORY COMMISSION
    Proposed Generic Communication;
    
     
    
    ``Use of NUMARC/EPRI Report TR-102348, `Guideline on Licensing 
    Digital Upgrades,' in Determining the Acceptability of Performing 
    Analog-to-Digital Replacements Under 10 CFR 50.59''
    
    AGENCY: Nuclear Regulatory Commission.
    
    ACTION: Notice of opportunity for public comment.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The Nuclear Regulatory Commission (NRC) is proposing to issue 
    a generic letter to provide a new regulatory position on the use of 
    Nuclear Management and Resources Council/Electrical Power Research 
    Institute (NUMARC/EPRI) Report TR-102348, ``Guideline on Licensing 
    Digital Upgrades.'' This report, dated December, 1993, provides 
    guidance for determining when an analog-to-digital replacement can be 
    performed without prior NRC approval under the requirements of 
    Sec. 50.59 of title 10 of the Code of Federal Regulations (10 CFR 
    50.59). The report applies to all digital equipment that uses software 
    and, in particular, to microprocessor-based systems. The report, 
    together with the clarifications discussed in the proposed generic 
    letter, would represent a method acceptable to the NRC for use in 
    making a determination of whether or not an unreviewed safety question 
    exists with respect to 10 CFR 50.59 requirements. In those cases where 
    a licensee proposes to retrofit with a digital replacement system that 
    the NRC had previously approved, the NRC review scope would be 
    significantly reduced and would focus only on plant-specific issues 
    associated with the modification (e.g., environmental qualifications 
    and configuration management). The NRC would not review again generic 
    aspects of the proposed design, such as the software development 
    program, unless these aspects had changed or were affected by plant-
    specific differences.
        The NRC is seeking comment from interested parties regarding both 
    the technical and regulatory aspects of the proposed generic letter 
    presented under the Supplementary Information heading. The proposed 
    generic letter and supporting documentation were discussed in the 259th 
    meeting of the Committee to Review Generic Requirements (CRGR). The 
    relevant information used to support CRGR review of the proposed 
    generic letter will be available in the Public Document Rooms. In 
    addition, the proposed generic letter and supporting documentation were 
    discussed in a public meeting of the NRC Advisory Committee on Reactor 
    Safeguards (ACRS) on September 8, 1994. Comments from the ACRS were 
    incorporated in the proposed generic letter.
        The NRC will consider comments received from interested parties in 
    the final evaluation of the proposed generic letter. The NRC final 
    evaluation will include a review of the technical position and, when 
    appropriate, an analysis of the value/impact on licensees. Should this 
    generic letter be issued in final form by the NRC, it will become 
    available for public inspection in the Public Document Rooms.
    
    DATES: Comment period expires January 17, 1995. Comments submitted 
    after this date will be considered if it is practical to do so, but 
    assurance of consideration cannot be given except for comments received 
    on or before this date.
    
    ADDRESSES: Submit written comments to Chief, Rules Review and 
    Directives Branch, U.S. Nuclear Regulatory Commission, Washington, DC 
    20555. Written comments may also be delivered to Room T-6D59, 11545 
    Rockville Pike, Rockville, Maryland from 7:30 a.m. to 4:15 p.m., 
    Federal workdays. Copies of written comments received may be examined 
    at the NRC Public Document Room, 2120 L Street NW. (Lower Level), 
    Washington, DC.
    
    FOR FURTHER INFORMATION CONTACT: Paul Loeser, (301) 504-2825.
    
    SUPPLEMENTARY INFORMATION:
    NRC Generic Letter 94-XX  Use of NUMARC/EPRI Report TR-102348, 
    ``Guideline on Licensing Digital Upgrades,'' in Determining the 
    Acceptability of Performing Analog-to-Digital Replacements Under 10 CFR 
    50.59
    
    Addressees
    
        All holders of operating licenses or construction permits for 
    nuclear power reactors.
    
    Purpose
    
        The U.S. Nuclear Regulatory Commission (NRC) staff is issuing this 
    generic letter to inform addressees of a new staff position on the use 
    of Nuclear Management and Resources Council/Electrical Power Research 
    Institute (NUMARC/EPRI) Report TR-102348, ``Guideline on Licensing 
    Digital Upgrades,'' dated December, 1993, as acceptable guidance for 
    determining when an analog-to-digital replacement can be performed 
    without prior NRC staff approval under the requirements of Sec. 50.59 
    of title 10 of the Code of Federal Regulations (10 CFR 50.59). The 
    report applies to all digital equipment that uses software and, in 
    particular, to microprocessor-based systems. The report, together with 
    the clarifications discussed in this generic letter, represents a 
    method acceptable to the staff for use in making a determination of 
    whether or not an unreviewed safety question exists with respect to 10 
    CFR 50.59 requirements. It is expected that recipients will consider 
    the information in this generic letter when performing analog-to-
    digital instrumentation and control systems replacement. However, 
    suggestions contained in this generic letter are not NRC requirements; 
    therefore, no specific action or written response is required.
    
    Description of Circumstances
    
        The age-related degradation of some earlier analog electronic 
    systems and the difficulties in obtaining qualified replacement 
    components for those systems, as well as a desire for enhanced features 
    such as automatic self-test and diagnostics, greater flexibility, and 
    increased data availability have prompted some operating reactor 
    licensees to replace existing analog systems with digital systems. 
    After reviewing a number of these digital system replacements and 
    digital equipment failures in both nuclear and non-nuclear 
    applications, the staff has identified potentially safety-significant 
    concerns pertaining to digital systems in nuclear power plants. The 
    concerns of the staff stem from the design characteristics specific to 
    the new digital electronics that could result in failure modes and 
    system malfunctions that either were not considered during the initial 
    plant design or may not have been evaluated in sufficient detail in the 
    safety analysis report. These concerns include potential common mode 
    failures due to (1) the use of common software in redundant channels, 
    (2) increased sensitivity to the effects of electromagnetic 
    interference, (3) the improper use and control of equipment used to 
    control and modify software and hardware configurations, (4) the effect 
    that some digital designs have on diverse trip functions, (5) improper 
    system integration, and (6) inappropriate commercial dedication of 
    digital electronics.
        As a result of the above concerns, the NRC staff issued a draft 
    generic letter for public comment in the Federal Register (57 FR 36680) 
    on August 14, 1992, wherein a position was established that essentially 
    all safety-related digital replacements result in an unreviewed safety 
    question because of the possibility of the creation of a different type 
    of malfunction than those evaluated previously in the safety analysis 
    report. The staff concluded, therefore, that prior approval by the NRC 
    staff of all safety-related digital modifications was necessary. 
    However, subsequent discussions and comments on the draft generic 
    letter have resulted in the staff position as described in this letter.
    
    Discussion
    
        To assist licensees in effectively implementing digital 
    replacements by addressing the concerns indicated above and in 
    determining which upgrades can be performed under 10 CFR 50.59 without 
    prior NRC staff approval, Report TR-102348 has been published. The NRC 
    staff reviewed and provided comments on this report while it was in 
    draft form, and the final report reflects a coordinated effort between 
    industry and the NRC staff. The NRC staff believes that, when properly 
    implemented, modern digital systems offer the potential for greater 
    system reliability and enhanced features such as automatic self-test 
    and diagnostics, as well as greater flexibility, increased data 
    availability, and ease of modification.
        Report TR-102348 contains guidance that will assist licensees in 
    implementing and licensing digital upgrades in such a manner as to 
    minimize the potential concerns indicated above. It describes actions 
    to be taken in the design and implementation process to ensure that the 
    digital upgrade licensing and safety issues are addressed, and ways to 
    consider these issues when performing the 10 CFR 50.59 evaluation. It 
    is not the intent of the report or of the NRC staff to predispose the 
    outcome of the 10 CFR 50.59 process, but rather to provide a process 
    that will assist licensees in reaching a proper conclusion regarding 
    the existence of an unreviewed safety question when undertaking a 
    digital system replacement. However, as shown in Example 5-6 of the 
    report, when using this document as guidance for the analysis of 
    modifications of some safety-significant systems such as the reactor 
    protection system or an engineered safety feature system, it is likely 
    these digital modifications will require staff review when 10 CFR 50.59 
    criteria are applied.
        Report TR-102348 states in the introduction that the guidance is 
    supplemental to and consistent with that provided in NSAC-125, 
    ``Guidelines for 10 CFR 50.59 Safety Evaluations.'' Licensees should 
    bear in mind that NSAC-125 has not been endorsed by the NRC, and 
    therefore any use of those guidelines is advisory only, and that 
    nothing in NSAC-125 can be construed as a modification of 10 CFR 50.59. 
    While the guidelines of NSAC-125 can be useful in the evaluation of 
    systems, and are representative of logic used in making a 10 CFR 50.59 
    determination, the actual determination of whether or not an unreviewed 
    safety question exists must be done in accordance with 10 CFR 50.59.
        10 CFR 50.59(a)(2)(i) and (ii) states that a proposed change, test 
    or experiment involves an unreviewed safety question if the probability 
    or consequences of an accident or malfunction previously evaluated in 
    the safety analysis report may increase, or if the possibility for an 
    accident or malfunction of a different type than any previously 
    evaluated in the safety analysis report may be created. If during the 
    10 CFR 50.59 determination there is uncertainty about whether the 
    probability or consequences may increase, or whether the possibility of 
    a different type of accident or malfunction may be created, the 
    uncertainty should lead the licensee to conclude that the probability 
    or consequences may increase or a new type of malfunction may be 
    created. If the uncertainty is only on the degree of improvement the 
    digital system will provide, the modification would not involve an 
    unreviewed safety question. If, however, the uncertainty involves 
    whether or not this modification is more or less safe than the previous 
    analog system, or if no degree of safety has been determined, an 
    unreviewed safety question is involved.
        Subsection 5.3 of Report TR-102348, entitled ``Compatibility With 
    the Environment,'' mentions the need to ensure equipment installed as 
    part of an upgrade is compatible with its environment including such 
    variables as temperature, humidity, and radiation. While these 
    environmental stressors are cited as examples, it should be noted that 
    a proposed digital upgrade must be qualified for operability against 
    those environmental stressors and for those events specified in the 
    plant specific licensing basis. This may include other environmental 
    stressors beyond the cited examples.
        The staff believes that two clarifications to Report TR-102348 are 
    appropriate as follows:
        1. 10 CFR 50.59 requires determination of whether ``a possibility 
    for an accident or malfunction of a different type than any previously 
    evaluated in the safety evaluation report may be created.'' As a part 
    of this determination, Report TR-102348 suggests looking for ``any new 
    types of system-level failures that would result in effects not 
    previously considered in the FSAR.'' (For example, see TR-102348, 
    Section 4.5, Question 6.) It is the NRC staff's position that the 
    system-level considered in this regard should be the digital system 
    being installed. The staff believes that this clarification is 
    necessary because 10 CFR 50.59 does not refer to ``system-level'' 
    failure but rather refers to the malfunction of the equipment important 
    to safety being modified. As an example, when installing an upgraded 
    digital high pressure function of the reactor trip system, it is the 
    digital instrumentation and control circuitry associated with the high 
    pressure reactor trip function that would be subject to the questions 
    on failure modes and effects identified in the report that would 
    represent the unreviewed safety question, not the entire reactor trip 
    system. If the entire trip system is being replaced with a digital 
    upgrade, then the entire replacement digital instrumentation and 
    control system would be subject to the failure modes and effects 
    analysis, not the full range of instrumentation and control systems 
    being actuated to respond to a transient or accident.
        2. 10 CFR 50.59 requires maintaining records that ``include a 
    written safety evaluation which provides the bases for the 
    determination that the change, test, or experiment does not involve an 
    unreviewed safety question.'' Section 3.1.2 of the report points out 
    that the use of qualitative engineering judgment is typically involved 
    in areas that are not readily quantifiable, such as likelihood of the 
    failure, its importance to the system and to the plant, and the 
    practicality and incremental improvements of various options available 
    for resolving the failure. Such judgments may be difficult to duplicate 
    and understand at a later time. It is the NRC staff's position that the 
    basis for the engineering judgment and the logic used in the 
    determination should be documented to the extent practicable. This type 
    of documentation is of particular importance in areas where no 
    established consensus methods are available, such as for software 
    reliability, or the use of commercial-grade hardware and software where 
    full documentation of the design process is not available.
        EPRI Report TR-102348, together with the clarifications discussed 
    in this generic letter, can be used as guidance by licensees in both 
    designing analog-to-digital replacements and, with respect to 
    unreviewed safety question determinations, determining if an analog-to-
    digital replacement can be performed under 10 CFR 50.59 without prior 
    staff approval.
    
        Dated at Rockville, MD, this 11th day of October 1994.
    
        For the Nuclear Regulatory Commission.
    Brian K. Grimes,
    Director, Division of Project Support, Office of Nuclear Reactor 
    Regulation.
    [FR Doc. 94-25708 Filed 10-17-94; 8:45 am]
    BILLING CODE 7590-01-M
    
    
    
