9 Case-by-Case Licensing Process

INTRODUCTION

Application of digital instrumentation and control (I&C) technology in nuclear power plants presents a licensing and regulatory challenge, for both the U.S. Nuclear Regulatory Commission (USNRC) and the industry, that in certain respects is unique. Advances in digital I&C technology can occur with such rapidity that product life cycles can often be shorter than the time required for the licensing and/or certification of the equipment for nuclear applications. For this reason, the regulatory review process must strive to keep apace of rapid advancements in digital I&C applications—applications that provide potentially significant benefits to the nuclear industry from a reliability and operational safety standpoint—while at the same time ensuring that the use of this technology is undertaken in a manner that is acceptable from a safety standpoint.

As individual utilities have sought to take advantage of the benefits of digital I&C technology, motivated in part by the increasing obsolescence of their analog systems, the USNRC has in turn endeavored to respond by developing a regulatory framework for the review and approval of such applications. To date, the regulatory review process for digital I&C upgrades has largely proceeded on a "case-by-case" basis. Individual utilities identify specific digital upgrades that they wish to make; the proposed change is evaluated pursuant to the criteria in 10 CFR 50.59 to determine whether prior regulatory approval is required; and, if such approval is required, the USNRC then undertakes a formal review of the proposed change before the change can be implemented. In the event that prior USNRC review is required, the USNRC's evaluation is undertaken pursuant to broad regulatory standards that are generally applicable to the design and operation of nuclear power plants, including I&C systems, but that were not explicitly developed for digital systems.

Concerns Raised by the Case-by-Case Process

Although this case-by-case process may have certain benefits—particularly where technology is rapidly evolving and neither the industry nor the regulator has extensive experience that could, in turn, be the basis for establishing generically applicable regulatory requirements for digital upgrades—a number of concerns have been raised about this process. First, the lack of clearly defined regulatory standards for digital upgrades can make it difficult for a utility to evaluate the acceptability of a particular digital upgrade and to gauge the level of effort necessary to obtain regulatory approval. Second, the lack of such standards can lead to inconsistent regulatory reviews that are sometimes heavily influenced by the individual reviewer. As a result, requirements developed and imposed in a case-by-case context often lack the degree of rigor that would normally accompany the development of generic regulatory requirements. In other instances, the rigor of such requirements may go beyond that imposed on analog systems, even though the underlying issue appears to be no different. Third, the case-by-case approach to evaluating digital upgrades has proven to be a time-consuming and, in some cases, resource-intensive process, both for the industry and the staff. Finally, there is a concern that the USNRC has not implemented a clear, consistent policy with respect to the application of 10 CFR 50.59 to digital upgrades.

The discussion that follows examines the issue of the USNRC's regulatory process for review and approval of digital I&C upgrades.

Statement of the Issue

What changes should be considered in the regulatory process to provide more efficient and effective regulation of digital I&C systems in nuclear power plants? How can sufficient flexibility be incorporated to address the rapidly changing nature of the digital I&C technology and better match the time response of the regulatory process to the technology it controls? How can the regulatory process be made more efficient while maintaining its technical integrity?
REGULATORY FRAMEWORK FOR EVALUATING DIGITAL UPGRADES

Substantive Safety Standards

As a general rule, the USNRC applies predefined design criteria to evaluate design adequacy in the licensing and regulation of commercial nuclear power plants. These "general design criteria," which are applicable to all nuclear power plants, are codified in Appendix A of Title 10 CFR Part 50, General Design Criteria for Nuclear Power Plants. The criteria cover, among other things, the design of I&C systems in nuclear plants. The design criteria reflect the USNRC's long-standing safety philosophies of defense-in-depth and failure invulnerability. Some aspects of the USNRC's design criteria are clear and quantitative. For example, Criterion 19, dealing with the control room, establishes the maximum radiation levels allowed for personnel in the control room. On the other hand, many design criteria are much more qualitative and general in nature. This is the case with respect to the design criteria for I&C systems. For example, Criterion 10, dealing with reactor design, states that "… control and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation. …" This, in turn, leaves considerable room for interpretation in the application of these requirements. While the general design criteria for I&C systems are written in broadly applicable terms (i.e., the general design criteria do not refer specifically to analog or digital systems—see Criteria 2, 4, 17, 20–25), the early experience with the interpretation and application of these criteria has largely focused on analog and relay systems. Because of this, the regulatory framework for analog and relay systems has evolved and become quite refined over the years, to the point where a clear understanding exists today with regard to the applicable requirements for such systems.

In recent years, however, with the move toward digital instrumentation and control systems, greater attention has focused on developing a regulatory framework for the review and approval of such systems. As discussed above, because the general design criteria for I&C systems provide high level guidance, there is considerable latitude in how these requirements are interpreted and applied. As a result, the evolution of the regulatory framework for digital I&C systems has proceeded on the above-described "case-by-case" basis, as the agency has reviewed utility-specific proposed applications of digital technology for I&C functions, without a clear view to existing regulatory guidance applied to large-scale, safety-grade systems (such as the emergency core cooling system).

Procedural Framework for Evaluating Digital Upgrades

In addition to the broad substantive standards contained in Title 10 CFR Part 50, Appendix A, the USNRC has established a process for individual utility licensees to evaluate plant-specific modifications that they may wish to make and, in particular, for defining when such changes can be made without prior USNRC approval. This process, which is codified in 10 CFR 50.59 (see also discussion in Chapter 1) and covers changes in plant hardware and procedures, as well as any new plant tests or experiments, requires individual reactor licensees to assess the impact of any such proposed plant changes pursuant to several specific criteria. In pertinent part, 10 CFR 50.59 reads as follows:

The holder of a license … may (i) make changes in the facility as described in the safety analysis report, (ii) make changes in the procedures as described in the safety analysis report, and (iii) conduct tests or experiments not described in the safety analysis report, without prior Commission approval, unless the proposed change, test or experiment involves a change in the technical specifications incorporated in the license or an unreviewed safety question.

This section, in turn, defines an "unreviewed safety question" as follows:

A proposed change, test, or experiment shall be deemed to involve an unreviewed safety question (i) if the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated in the safety analysis report may be increased; or (ii) if a possibility for an accident or malfunction of a different type than any previously evaluated in the safety analysis report may be created; or (iii) if the margin of safety as defined in the basis for any technical specification is reduced.

Because 10 CFR 50.59 defines the circumstances under which a utility can make a change without prior USNRC approval—and because a formal "unreviewed safety question" analysis can be an expensive and time-consuming process—this regulation plays an extremely important role and has been at the center of the discussion of how best to go about implementing digital upgrades from a procedural perspective. In view of the importance of how 10 CFR 50.59 is interpreted and applied, and of the need for consistent and uniform application of the regulation by the industry, the Electric Power Research Institute (EPRI) and the Nuclear Management and Resources Council (NUMARC) undertook several years ago to develop an industry guidance document on the application of 10 CFR 50.59. This document, Guidelines for 10 CFR 50.59 Safety Evaluations (NSAC-125), was published in 1988 (EPRI/NUMARC, 1988). While this document has not been endorsed by USNRC, the agency has taken the position that the guidelines of NSAC-125 can be useful in the evaluation of proposed changes to the facility design or procedures, and are representative of logic used in making a 50.59 determination (USNRC, 1995).
OVERVIEW OF NUCLEAR APPLICATIONS OF DIGITAL TECHNOLOGY

Digital technology has been used in limited nuclear applications for more than 20 years, and a substantial body of industry and regulatory guidance has been developed over this period of time to support such uses. While such applications included both nonsafety functions (e.g., feedwater control) and some limited safety-related functions (e.g., core protection calculators, radiation monitors, and emergency load sequencers), they did not until recently make major inroads into the reactor protection systems (RPS) or the engineered safety features actuation systems (ESFAS), systems that are central to the safe operation of a nuclear facility. With the advances in microprocessor-based digital technology, the industry expressed a growing interest in extending the benefits of digital technology beyond the traditional applications. This was driven, in part, by the realization that, as the larger I&C community was moving away from analog toward digital systems, the nuclear industry would have an increasingly difficult time servicing and replacing analog systems. But beyond this, there was a desire to take advantage of the benefits offered by digital systems from a reliability and safety standpoint. For example, the use of microprocessor-based digital technology for feedwater control (a nonsafety system) could lead to a significant reduction in plant trips, providing a clear safety and reliability advantage. In response to this interest, several vendors undertook to develop special product lines, with a particular focus on developing digital RPS systems, working closely with individual utilities and the USNRC to obtain regulatory approval. Several individual utilities, in turn, embarked upon efforts to upgrade their existing analog RPS systems.

REGULATORY RESPONSE

Haddam Neck and the Draft Generic Letter

One of the first utilities to seek to implement a digital RPS upgrade was the Connecticut Yankee Atomic Power Company when, in 1987, the utility proposed to upgrade portions of the RPS for its Haddam Neck station. The upgrade was the first RPS upgrade to be attempted by a utility under the provisions of 10 CFR 50.59. The proposed upgrade was to take place in two phases (Phase II would have added substantially more new microprocessor equipment than Phase I). Pursuant to the requirements of 10 CFR 50.59, the utility conducted an evaluation of both phases of the upgrade to determine whether the modification involved an unreviewed safety question (USQ) or necessitated a change in the plant's technical specifications. Based upon this evaluation, the utility concluded that, because the upgrade was essentially a replacement-in-functional-kind of RPS control system analog modules with modern microprocessor-based modules, the proposed upgrade posed no unreviewed safety questions. Accordingly, the utility proceeded with installation of Phase I of the upgrade during its 1987 refueling outage. Subsequently, given the USNRC's concern over the use of licensee-configurable, microprocessor-based, protection and control system modules, the USNRC decided to review the utility's 10 CFR 50.59 determination with regard to the already implemented Phase I of the upgrade, as well as the proposed Phase II. As a result of this review, the USNRC prepared a formal safety evaluation report (SER), a step normally undertaken only when prior regulatory approval is required. In its review, the staff reached the following conclusion (USNRC, 1990):

The NRC staff concludes that the Phase I RPS modification is acceptable except that [Connecticut Yankee] has not demonstrated that the electrical environment of the new equipment is enveloped by the vendor's qualification testing. Because Phase II will be complete before start-up for Cycle 16 and will add substantially more new microprocessor equipment, the NRC staff requires that CYAPO [Connecticut Yankee Atomic Power Company] submit a program plan prior to restart describing the analysis, testing and schedule to resolve this concern.

The staff went on to state as follows:

The licensee has demonstrated that the equipment is functionally a one-for-one replacement and does not result in a significant system level change[;] however, the staff considers that the differences in technology inherent in the new software controlled system present the possibilities for equipment malfunctions of a different type than previously evaluated. Malfunctions of a different type than previously evaluated in equipment important to safety is an unreviewed safety question. Digital microprocessors can malfunction in a different manner than the installed analog systems RPS and should not be installed via 10 CFR 50.59. Because several utilities have changed or are considering changing their analog systems with digital systems, the staff is considering the issuance of additional guidance to the industry addressing the 50.59 issue for replacement of analog with digital equipment.

In response to the issues raised concerning the Haddam Neck upgrade and the utility's interpretation of 10 CFR 50.59, as well as in view of the rapidly expanding interest in the utility industry in implementing digital upgrades in safety systems and a broader concern with failures of digital systems that were occurring in both nuclear and nonnuclear applications, the USNRC in August 1992 issued a draft generic letter in which it addressed the application of 50.59 to digital upgrades. In pertinent part, the draft generic letter reads as follows (USNRC, 1992):

[T]he installation of digital based safety systems (1) is an unreviewed safety question (USQ), (2) will require review by the NRC staff, and (3) cannot be performed under the 10 CFR 50.59 rule. The Staff's position applies to all safety-related digital equipment that uses software and in particular to microprocessor based systems.
For its basis, the staff noted:

Digital electronic equipment has different failure mechanisms and resulting system malfunctions than the existing analog systems. Some of these failure modes and system malfunctions were either not considered as part of the initial plant design (the technology did not exist, therefore, the potential malfunctions were not considered) or may not have been evaluated in sufficient detail to support the new digital systems. Since licensees are installing digital equipment in primary safety systems such as reactor protection systems, engineered safety features systems, emergency diesel generator control systems, and pump control systems, the result could be safety system failures, and/or delays in actuation, and/or unplanned plant responses. [Garten, 1992]

The effect of the draft generic letter was immediate and significant. First, it explicitly required that all safety-related digital upgrades be approved in advance by the staff, irrespective of the results of a utility's evaluation under 10 CFR 50.59. In so doing, the draft generic letter, in effect, carved out an exception to 10 CFR 50.59 for digital upgrades. Second, it caused a great deal of uncertainty among those utilities that were proceeding with digital upgrades. The utilities began to see the regulatory process governing digital upgrades as ill-defined, inconsistent, and unpredictable. Prior USNRC approval for digital upgrades was now required; and the lack of generically applicable regulatory criteria resulted in digital upgrades' being judged on a case-by-case basis. For these reasons, several utilities elected to postpone planned digital upgrades or to go forward with analog replacements as an alternative.

Industry Guidance Document and USNRC's Response

Because of the uncertainty attending digital upgrades as a result of the draft generic letter (USNRC, 1992), the industry (through EPRI and NUMARC) sought to develop more specific guidance addressing the applicability of 10 CFR 50.59 to digital upgrades, particularly with regard to safety systems, supplementing the more general guidance on 10 CFR 50.59 contained in NSAC-125 (EPRI/NUMARC, 1988). With the initiation of this effort, the USNRC withdrew the draft generic letter of August 1992. The industry guidance document, NUMARC/EPRI TR-102348, was published in December 1993 (EPRI, 1993) and a workshop was held on its implementation in June 1994. In April 1995, the USNRC published Generic Letter 95-02 (USNRC, 1995), which generally endorsed the approach taken in EPRI TR-102348, but with two exceptions. First, the USNRC took the position that in evaluating whether an analog-to-digital upgrade may create "a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report," the "system-level" to be considered should be the digital system being installed. Second, the USNRC stated that in preparing a written safety evaluation that provides the basis for the determination that the change, test, or experiment does not involve an unreviewed safety question, the basis for a utility's "engineering judgment and the logic used in the determination should be documented to the extent practicable."

APPROACHES TO REGULATION IN OTHER COUNTRIES

The committee reviewed the experience of several foreign countries in dealing with digital I&C upgrades in nuclear plants. Because of the particular characteristics of the U.S. regulatory system, however, it is difficult to compare the case-by-case issues that are the subject of this chapter—the 50.59 process and the applicable regulatory requirements—with the regulatory framework in other countries.
As a general proposition, however, the committee did find that in all instances, the safety authority undertook reviews similar in rigor to those undertaken in the United States and focused largely on the same issues, including software-induced common-mode failure with which the regulators in the United States were concerned.

RESEARCH AND PLANS

The issues associated with the case-by-case regulatory approval process are largely issues of process and policy and are not issues on which the USNRC normally conducts research. Nevertheless, there may be an important role for research with respect to the public policy impacts of the USNRC's regulatory requirements and process.

ANALYSIS

The issue of case-by-case licensing involves two fundamental questions: (1) What are the substantive regulatory standards that apply to digital upgrades and can standards be developed to provide a consistent and coherent regulatory framework for evaluating digital upgrades? (2) Under what circumstances should individual utilities be allowed to proceed with digital upgrades without advance USNRC review and approval? These two questions are discussed in turn below.

Substantive Regulatory Standards

The USNRC has maintained that digital upgrades, particularly those involving substantial safety system electronics, must be evaluated with great care, given the important role that such systems will play in plant operations and the resulting consequences if such systems fail to perform their functions properly. The USNRC points to several notable examples of such failures. These include a software error at the Bruce Unit 4 facility in Canada that resulted in a loss-of-coolant accident and minor off-site releases; software surveillance errors at the Sequoyah facility in Tennessee that had a common-mode effect; and errors in the software involving an incorrect adjustment range in the flux incore/excore calibration factor at the Turkey Point facility in Florida.

In this regard, the committee heard from several utility representatives who attested to the value that the USNRC regulatory review process brought to individual upgrade initiatives. Issues were identified and solutions found, particularly where early, proactive interaction between the utility and the USNRC took place. But, as discussed in the introduction to this chapter, there is also a concern that the regulatory review process for digital upgrades has proceeded largely on an ad hoc basis, with individual utility initiatives serving as the vehicle for fashioning a regulatory framework. Moreover, while several individual guidance documents exist (see, e.g., Regulatory Guide 1.152, Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants; ANSI/IEEE/ANS 7-4.3.2–1982, Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations; ANSI/IEEE 1012–1986, IEEE Standard for Software Verification and Validation Plans; and ASME NQA-2A–1990, Part 2.7, Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications, American Society of Mechanical Engineers), there is no comprehensive body of regulatory requirements and guidance to guide the utility applicant or the USNRC reviewer.

The committee recognizes that where a first-of-a-kind application of a particular technology in a nuclear plant is proposed, it would be unreasonable to expect the USNRC to have in place a comprehensive, well-developed generic regulatory framework within which to undertake an evaluation of the proposal.
Indeed, there is merit to the argument that early on in the consideration of such proposals, the case-by-case approach can be an effective means for gaining experience with the issues that must be addressed, as well as for fashioning a sensible, informed regulatory framework (this has been referred to by some as the so-called "revealed standard" approach). The risks that attend such an approach, however, include the potential for inconsistent results from case to case (based, at least in part, on the qualifications and perspective of the individual reviewers that might be involved); the possibility that, as individual reviews are undertaken, increasingly stringent requirements will be imposed over time; and an unpredictable or disproportionate commitment of resources, by both the utility and the applicant, to support the extensive interactions necessary to support such customized reviews. As discussed in Chapter 1, in an effort to address these criticisms, the USNRC has a process under way to systematically review its internal directives and guidelines governing reviews of I&C systems with a view to adapting them for digital I&C technology (Wermiel, 1995). To be completed in mid-1997, this process involves developing a Standard Review Plan for digital upgrades to safety-related systems.

Process for Implementing Digital Upgrades

As discussed above, USNRC has established a process according to which utilities can evaluate when plant modifications can be made without prior approval. This process, set forth in 10 CFR 50.59, has been in place since 1961 and is well recognized as an essential component of the regulatory process. As a general matter, the committee believes that the provisions of 10 CFR 50.59 provide a fundamentally sound framework for evaluation of digital upgrades by utilities, as it focuses a utility's attention on whether a proposed upgrade introduces an unreviewed safety question.

Recognizing the concern that the Haddam Neck proposed upgrade (see above) generated with regard to the application of 10 CFR 50.59 to safety-significant upgrades, the committee nevertheless believes that the unilateral decision of the USNRC in the 1992 draft generic letter to deem all safety-related digital upgrades employing software as posing unreviewed safety questions was inconsistent with both the letter and the spirit of 10 CFR 50.59. By its terms, 10 CFR 50.59 calls for a licensee-specific evaluation of whether a proposed change in the facility involves an unreviewed safety question. Beyond this, the committee notes a concern with the interpretation that the agency has taken with regard to EPRI Report TR-102348 (noted above), wherein the agency concluded that in evaluating whether an analog-to-digital upgrade may create "a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report," the "system-level" to be considered should be the digital system being installed (USNRC, 1995). This interpretation of 10 CFR 50.59, which the committee was advised is not mandated as a matter of law but instead is a matter of discretion for the USNRC to decide, appears to suggest that any new failure mode at the component level would constitute an unreviewed safety question, even though the system-level function was not affected. In this regard, the committee would be concerned with the wisdom of such an approach, if the USNRC were to apply it across the board to all digital upgrades, irrespective of their safety significance. The committee heard the USNRC further refine its interpretation of the EPRI report by restricting component-level consideration to major safety systems, such as ESFAS (Wermiel, 1996). The committee strongly endorses maintaining and formalizing the distinction between major and minor safety system upgrades containing digital technology.

Finally, the committee believes that it would be useful for the USNRC to establish a process whereby it can more formally catalogue 50.59 determinations—including instances where prior USNRC review has been found to be necessary, as well as instances where it has been found not to be required—so that licensees considering digital upgrades can have the benefit of this body of experience in evaluating specific upgrades that they might be considering. The committee believes that this would provide a measure of stability and uniformity to the application of 10 CFR 50.59.
CONCLUSIONS AND RECOMMENDATIONS

Conclusions

Conclusion 1. As a general observation, the role of the regulator in overseeing the implementation of digital upgrades can be a valuable and important one. Particularly in an area such as digital I&C systems, where the state of the art evolves rapidly and where first-of-a-kind nuclear applications are contemplated, the oversight role of the regulator can bring valuable insights to the implementation of such upgrades. Indeed, the committee found several specific examples of this happening.

Conclusion 2. Nevertheless, the committee found that the regulatory response to the development and implementation of digital I&C upgrades in nuclear plants has proceeded in a manner that resulted in some degree of confusion and uncertainty within the licensee community with regard to the applicable regulatory requirements and the procedural framework for implementing such upgrades. This uncertainty and the resultant incremental cost have been a major contributor to the reluctance on the part of utilities to proceed with digital upgrades.

Conclusion 3. The lack of generically applicable regulatory requirements for digital upgrades has resulted in a case-by-case approach that has contributed to the confusion and uncertainty. This approach to reviews may have been necessary in the early phase of the transition to digital systems. But the USNRC now has a sufficient body of experience with safety-related digital upgrades, gained over recent years and supplemented by the extensive experience of other countries and other industries, to enable the agency to establish a generically applicable regulatory regime that would govern the review and approval of such upgrades.

Conclusion 4. The process established in 10 CFR 50.59, wherein the agency has defined those circumstances where a licensee may make a modification without prior USNRC review and approval, is fundamentally sound, necessary, and consistent with the USNRC's responsibility to protect the public health and safety. In particular, it recognizes the practical necessity for licensees to make facility modifications consistent with their facility licensing basis, without the need for prior USNRC review and approval. Moreover, the process appropriately reflects the gradation of significance in changes that might be made in a nuclear plant and the USNRC's attendant role based upon these gradations. In this regard, the committee strongly believes that it is important for the USNRC to distinguish between digital upgrades that are significant (i.e., pose unreviewed safety questions) and those that are not, and to tailor the scope and depth of the regulatory review in a manner that is commensurate with this gradation.

Conclusion 5. The committee believes that defining all safety-related digital upgrades as resulting in an unreviewed safety question, as stated in the USNRC's draft generic letter of August 1992, is contrary to both the letter and spirit of 10 CFR 50.59.

Conclusion 6. The agency has no formal process for cataloguing determinations made under 10 CFR 50.59 with regard to digital upgrades and the bases for these determinations. Such information would assist both the USNRC and the utilities in determining whether particular upgrades pose unreviewed safety questions.

Conclusion 7. Early interaction between a utility applicant and the USNRC can be extremely helpful in identifying and fleshing out important issues. Where this "proactive" interaction has occurred, the committee found that the subsequent regulatory review was more efficient and focused, minimizing resources that would otherwise be required on the part of both the utility and the USNRC.

Recommendations

Recommendation 1. The USNRC should place a high priority on its effort to develop a generically applicable framework for the review and evaluation of digital I&C upgrades for operating reactors.

Recommendation 2. In view of the rapid evolution of digital technology, a process should be established to ensure that the regulatory framework is updated to stay abreast of new developments. To ensure that this framework takes into account the best practices in other safety-critical industries, external and public review is highly desirable.

Recommendation 3. The USNRC should consider additional ways in which the guideline development process can be accelerated and streamlined. For example, consideration could be given to establishing chartered task groups involving representatives from the USNRC, the industry, and academia. These groups would be tasked and managed on a project basis to investigate and resolve unreviewed matters of possible safety significance that arise in the development and use of digital systems.

Recommendation 4. In developing its regulatory requirements, the USNRC should ensure that where issues arise that are unique to digital systems, they are treated appropriately. On the other hand, where issues arise with regard to digital upgrades that are no different from issues posed for analog systems, such issues should be treated consistently. The opportunity (or obligation) for the USNRC to review and approve digital upgrades should not be seen as an opportunity to impose new requirements on individual licensees unless the issue is unique to the application proposed.
Recommendation 5. In view of the substantial benefits of early interaction with individual utilities considering digital upgrades, as well as the benefit of working closely with industry groups and other interested members of the public in the development of standards and guidelines, the USNRC should undertake proactive efforts to interact early and frequently with individual utilities and with industry groups and other interested members of the public. In addition, it would be of benefit for the USNRC to be familiar with the broader evolving applications of digital I&C systems in both nuclear and nonnuclear applications. This, in turn, will provide a foundation for a cooperative working relationship.

Recommendation 6. The USNRC should revisit the "system level" issue addressed in Generic Letter 95-02 and EPRI Report TR-102348 to ensure that this position is consistent with the historical interpretation of 10 CFR 50.59. The committee strongly endorses maintaining and formalizing the distinction between major and minor safety system upgrades containing digital technology.

Recommendation 7. The USNRC should establish a process for cataloguing 50.59 evaluations of digital upgrades in some centralized fashion, so that individual utilities considering such upgrades can review and consider past 50.59 determinations regarding when a particular modification has been found to result in an unreviewed safety question.

REFERENCES

EPRI (Electric Power Research Institute). 1993. Guideline on Licensing Digital Upgrades. TR-102348. Palo Alto, Calif.: EPRI.

EPRI/NUMARC (Nuclear Management and Resources Council). 1988. Guidelines for 10 CFR 50.59 Safety Evaluations. NSAC-125. Palo Alto, Calif.: EPRI.

Garten, G. 1992. Briefing to the USNRC on draft Generic Letter Proposal for digital I&C. Washington, D.C.

USNRC (U.S. Nuclear Regulatory Commission). 1990. Safety Evaluation Report by the Office of Nuclear Reactor Regulation, Reactor Protection System Upgrade (Phase One), Connecticut Yankee Atomic Power Company, Haddam Neck Plant, Docket No. 50-213, March 21. Washington, D.C.: USNRC.

USNRC. 1992. Draft Generic Letter on digital I&C upgrades. Washington, D.C.: USNRC.

USNRC. 1995. Use of NUMARC/EPRI Report TR-102348, Guideline on Licensing Digital Upgrades, in Determining the Acceptability of Performing Analog-to-Digital Replacements under 10 CFR 50.59. Generic Letter 95-02. Washington, D.C.: USNRC.

Wermiel, J. 1995. Update of Instrumentation and Control System Section of the Standard Review Plan, NUREG-0800. Presentation to the Advisory Committee on Reactor Safeguards of the USNRC, Rockville, Md., April 7.

Wermiel, J. 1996. USNRC briefing to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., April.