[Federal Register Volume 59, Number 200 (Tuesday, October 18, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-25708]




-----------------------------------------------------------------------


NUCLEAR REGULATORY COMMISSION
Proposed Generic Communication;

 

``Use of NUMARC/EPRI Report TR-102348, `Guideline on Licensing 
Digital Upgrades,' in Determining the Acceptability of Performing 
Analog-to-Digital Replacements Under 10 CFR 50.59''

AGENCY: Nuclear Regulatory Commission.

ACTION: Notice of opportunity for public comment.

-----------------------------------------------------------------------

SUMMARY: The Nuclear Regulatory Commission (NRC) is proposing to issue 
a generic letter to provide a new regulatory position on the use of 
Nuclear Management and Resources Council/Electrical Power Research 
Institute (NUMARC/EPRI) Report TR-102348, ``Guideline on Licensing 
Digital Upgrades.'' This report, dated December, 1993, provides 
guidance for determining when an analog-to-digital replacement can be 
performed without prior NRC approval under the requirements of 
Sec. 50.59 of title 10 of the Code of Federal Regulations (10 CFR 
50.59). The report applies to all digital equipment that uses software 
and, in particular, to microprocessor-based systems. The report, 
together with the clarifications discussed in the proposed generic 
letter, would represent a method acceptable to the NRC for use in 
making a determination of whether or not an unreviewed safety question 
exists with respect to 10 CFR 50.59 requirements. In those cases where 
a licensee proposes to retrofit with a digital replacement system that 
the NRC had previously approved, the NRC review scope would be 
significantly reduced and would focus only on plant-specific issues 
associated with the modification (e.g., environmental qualifications 
and configuration management). The NRC would not review again generic 
aspects of the proposed design, such as the software development 
program, unless these aspects had changed or were affected by plant-
specific differences.
    The NRC is seeking comment from interested parties regarding both 
the technical and regulatory aspects of the proposed generic letter 
presented under the Supplementary Information heading. The proposed 
generic letter and supporting documentation were discussed in the 259th 
meeting of the Committee to Review Generic Requirements (CRGR). The 
relevant information used to support CRGR review of the proposed 
generic letter will be available in the Public Document Rooms. In 
addition, the proposed generic letter and supporting documentation were 
discussed in a public meeting of the NRC Advisory Committee on Reactor 
Safeguards (ACRS) on September 8, 1994. Comments from the ACRS were 
incorporated in the proposed generic letter.
    The NRC will consider comments received from interested parties in 
the final evaluation of the proposed generic letter. The NRC final 
evaluation will include a review of the technical position and, when 
appropriate, an analysis of the value/impact on licensees. Should this 
generic letter be issued in final form by the NRC, it will become 
available for public inspection in the Public Document Rooms.

DATES: Comment period expires January 17, 1995. Comments submitted 
after this date will be considered if it is practical to do so, but 
assurance of consideration cannot be given except for comments received 
on or before this date.

ADDRESSES: Submit written comments to Chief, Rules Review and 
Directives Branch, U.S. Nuclear Regulatory Commission, Washington, DC 
20555. Written comments may also be delivered to Room T-6D59, 11545 
Rockville Pike, Rockville, Maryland from 7:30 a.m. to 4:15 p.m., 
Federal workdays. Copies of written comments received may be examined 
at the NRC Public Document Room, 2120 L Street NW. (Lower Level), 
Washington, DC.

FOR FURTHER INFORMATION CONTACT: Paul Loeser, (301) 504-2825.

SUPPLEMENTARY INFORMATION:
NRC Generic Letter 94-XX  Use of NUMARC/EPRI Report TR-102348, 
``Guideline on Licensing Digital Upgrades,'' in Determining the 
Acceptability of Performing Analog-to-Digital Replacements Under 10 CFR 
50.59

Addressees

    All holders of operating licenses or construction permits for 
nuclear power reactors.

Purpose

    The U.S. Nuclear Regulatory Commission (NRC) staff is issuing this 
generic letter to inform addressees of a new staff position on the use 
of Nuclear Management and Resources Council/Electrical Power Research 
Institute (NUMARC/EPRI) Report TR-102348, ``Guideline on Licensing 
Digital Upgrades,'' dated December, 1993, as acceptable guidance for 
determining when an analog-to-digital replacement can be performed 
without prior NRC staff approval under the requirements of Sec. 50.59 
of title 10 of the Code of Federal Regulations (10 CFR 50.59). The 
report applies to all digital equipment that uses software and, in 
particular, to microprocessor-based systems. The report, together with 
the clarifications discussed in this generic letter, represents a 
method acceptable to the staff for use in making a determination of 
whether or not an unreviewed safety question exists with respect to 10 
CFR 50.59 requirements. It is expected that recipients will consider 
the information in this generic letter when performing analog-to-
digital instrumentation and control systems replacement. However, 
suggestions contained in this generic letter are not NRC requirements; 
therefore, no specific action or written response is required.

Description of Circumstances

    The age-related degradation of some earlier analog electronic 
systems and the difficulties in obtaining qualified replacement 
components for those systems, as well as a desire for enhanced features 
such as automatic self-test and diagnostics, greater flexibility, and 
increased data availability, have prompted some operating reactor 
licensees to replace existing analog systems with digital systems. 
After reviewing a number of these digital system replacements and 
digital equipment failures in both nuclear and non-nuclear 
applications, the staff has identified potentially safety-significant 
concerns pertaining to digital systems in nuclear power plants. The 
concerns of the staff stem from the design characteristics specific to 
the new digital electronics that could result in failure modes and 
system malfunctions that either were not considered during the initial 
plant design or may not have been evaluated in sufficient detail in the 
safety analysis report. These concerns include potential common mode 
failures due to (1) the use of common software in redundant channels, 
(2) increased sensitivity to the effects of electromagnetic 
interference, (3) the improper use and control of equipment used to 
control and modify software and hardware configurations, (4) the effect 
that some digital designs have on diverse trip functions, (5) improper 
system integration, and (6) inappropriate commercial dedication of 
digital electronics.
    As a result of the above concerns, the NRC staff issued a draft 
generic letter for public comment in the Federal Register (57 FR 36680) 
on August 14, 1992, wherein a position was established that essentially 
all safety-related digital replacements result in an unreviewed safety 
question because of the possibility of the creation of a different type 
of malfunction than those evaluated previously in the safety analysis 
report. The staff concluded, therefore, that prior approval by the NRC 
staff of all safety-related digital modifications was necessary. 
However, subsequent discussions and comments on the draft generic 
letter have resulted in the staff position as described in this letter.

Discussion

    To assist licensees in effectively implementing digital 
replacements by addressing the concerns indicated above and in 
determining which upgrades can be performed under 10 CFR 50.59 without 
prior NRC staff approval, Report TR-102348 has been published. The NRC 
staff reviewed and provided comments on this report while it was in 
draft form, and the final report reflects a coordinated effort between 
industry and the NRC staff. The NRC staff believes that, when properly 
implemented, modern digital systems offer the potential for greater 
system reliability and enhanced features such as automatic self-test 
and diagnostics, as well as greater flexibility, increased data 
availability, and ease of modification.
    Report TR-102348 contains guidance that will assist licensees in 
implementing and licensing digital upgrades in such a manner as to 
minimize the potential concerns indicated above. It describes actions 
to be taken in the design and implementation process to ensure that the 
digital upgrade licensing and safety issues are addressed, and ways to 
consider these issues when performing the 10 CFR 50.59 evaluation. It 
is not the intent of the report or of the NRC staff to predispose the 
outcome of the 10 CFR 50.59 process, but rather to provide a process 
that will assist licensees in reaching a proper conclusion regarding 
the existence of an unreviewed safety question when undertaking a 
digital system replacement. However, as shown in Example 5-6 of the 
report, when using this document as guidance for the analysis of 
modifications of some safety-significant systems such as the reactor 
protection system or an engineered safety feature system, it is likely 
these digital modifications will require staff review when 10 CFR 50.59 
criteria are applied.
    Report TR-102348 states in the introduction that the guidance is 
supplemental to and consistent with that provided in NSAC-125, 
``Guidelines for 10 CFR 50.59 Safety Evaluations.'' Licensees should 
bear in mind that NSAC-125 has not been endorsed by the NRC, and 
therefore any use of those guidelines is advisory only, and that 
nothing in NSAC-125 can be construed as a modification of 10 CFR 50.59. 
While the guidelines of NSAC-125 can be useful in the evaluation of 
systems, and are representative of logic used in making a 10 CFR 50.59 
determination, the actual determination of whether or not an unreviewed 
safety question exists must be done in accordance with 10 CFR 50.59.
    10 CFR 50.59(a)(2)(i) and (ii) state that a proposed change, test 
or experiment involves an unreviewed safety question if the probability 
or consequences of an accident or malfunction previously evaluated in 
the safety analysis report may increase, or if the possibility for an 
accident or malfunction of a different type than any previously 
evaluated in the safety analysis report may be created. If during the 
10 CFR 50.59 determination there is uncertainty about whether the 
probability or consequences may increase, or whether the possibility of 
a different type of accident or malfunction may be created, the 
uncertainty should lead the licensee to conclude that the probability 
or consequences may increase or a new type of malfunction may be 
created. If the uncertainty is only on the degree of improvement the 
digital system will provide, the modification would not involve an 
unreviewed safety question. If, however, the uncertainty involves 
whether or not this modification is more or less safe than the previous 
analog system, or if no degree of safety has been determined, an 
unreviewed safety question is involved.
    Subsection 5.3 of Report TR-102348, entitled ``Compatibility With 
the Environment,'' mentions the need to ensure equipment installed as 
part of an upgrade is compatible with its environment including such 
variables as temperature, humidity, and radiation. While these 
environmental stressors are cited as examples, it should be noted that 
a proposed digital upgrade must be qualified for operability against 
those environmental stressors and for those events specified in the 
plant specific licensing basis. This may include other environmental 
stressors beyond the cited examples.
    The staff believes that two clarifications to Report TR-102348 are 
appropriate as follows:
    1. 10 CFR 50.59 requires determination of whether ``a possibility 
for an accident or malfunction of a different type than any previously 
evaluated in the safety evaluation report may be created.'' As a part 
of this determination, Report TR-102348 suggests looking for ``any new 
types of system-level failures that would result in effects not 
previously considered in the FSAR.'' (For example, see TR-102348, 
Section 4.5, Question 6.) It is the NRC staff's position that the 
system-level considered in this regard should be the digital system 
being installed. The staff believes that this clarification is 
necessary because 10 CFR 50.59 does not refer to ``system-level'' 
failure but rather refers to the malfunction of the equipment important 
to safety being modified. As an example, when installing an upgraded 
digital high pressure function of the reactor trip system, it is the 
digital instrumentation and control circuitry associated with the high 
pressure reactor trip function that would be subject to the questions 
on failure modes and effects identified in the report that would 
represent the unreviewed safety question, not the entire reactor trip 
system. If the entire trip system is being replaced with a digital 
upgrade, then the entire replacement digital instrumentation and 
control system would be subject to the failure modes and effects 
analysis, not the full range of instrumentation and control systems 
being actuated to respond to a transient or accident.
    2. 10 CFR 50.59 requires maintaining records that ``include a 
written safety evaluation which provides the bases for the 
determination that the change, test, or experiment does not involve an 
unreviewed safety question.'' Section 3.1.2 of the report points out 
that the use of qualitative engineering judgment is typically involved 
in areas that are not readily quantifiable, such as likelihood of the 
failure, its importance to the system and to the plant, and the 
practicality and incremental improvements of various options available 
for resolving the failure. Such judgments may be difficult to duplicate 
and understand at a later time. It is the NRC staff's position that the 
basis for the engineering judgment and the logic used in the 
determination should be documented to the extent practicable. This type 
of documentation is of particular importance in areas where no 
established consensus methods are available, such as for software 
reliability, or the use of commercial-grade hardware and software where 
full documentation of the design process is not available.
    EPRI Report TR-102348, together with the clarifications discussed 
in this generic letter, can be used as guidance by licensees in both 
designing analog-to-digital replacements and, with respect to 
unreviewed safety question determinations, determining if an analog-to-
digital replacement can be performed under 10 CFR 50.59 without prior 
staff approval.

    Dated at Rockville, MD, this 11th day of October 1994.

    For the Nuclear Regulatory Commission.
Brian K. Grimes,
Director, Division of Project Support, Office of Nuclear Reactor 
Regulation.
[FR Doc. 94-25708 Filed 10-17-94; 8:45 am]