Transmittal of Research Information
RESEARCH INFORMATION LETTER 1101: Technical Basis to Review Hazard Analysis of Digital Safety Systems

EXECUTIVE SUMMARY

The Office of Nuclear Regulatory Research (RES) prepared RIL-1101 in response to an Office of New Reactors (NRO) user need request dated December 8, 2011. NRO requested a technical basis for the regulatory review of an applicant's hazard analysis (HA), and corresponding acceptance criteria, relevant to digital instrumentation and control (DI&C) safety systems of nuclear power plants (NPPs). The requested information supports improvements to the regulatory guidance for evaluating an applicant's HA.

The technical basis provided in RIL-1101 focuses on evaluating an applicant's HA rather than on performing HA, while also addressing challenges that NRO has encountered during its licensing reviews. Many of these challenges come from hazards rooted in systemic causes, such as inadequacies in engineering organizations, processes, or methods. RIL-1101 identifies systemic causes in DI&C safety system development that may contribute to hazards; when a systemic cause can adversely affect an NPP DI&C safety system, RIL-1101 treats it as a contributory hazard.

RIL-1101 provides the U.S. Nuclear Regulatory Commission's (NRC's) licensing staff with a technical basis for creating regulatory guidance to evaluate an applicant's HA for DI&C systems. An applicant's HA for a design certification or license amendment involving a DI&C safety system establishes the design bases of the plant and of its digital safety systems. Where RIL-1101 identifies contributory hazards relevant to DI&C safety systems, it also identifies conditions that address them and reduce the hazard space. These conditions represent the technical basis for potential acceptance criteria in regulatory reviews of future new and advanced reactor applications.
Hazards are the potential for harm (e.g., radiological consequences leading to disease, loss of life, or damage to the environment). To prevent these hazards, NPP I&C systems maintain plant processes within acceptable performance limits by making reliable and accurate measurements that lead to reliable, accurate, and timely control actions. Using redundant, independent, electrically isolated, and physically separated components, I&C safety systems sense plant conditions and actuate controls before a limiting safety setting is exceeded, preserving fuel and reactor vessel integrity. RIL-1101 identifies examples of hazards, and of factors that contribute to hazards by degrading the safety function of a DI&C system.

DI&C systems differ from their analog and mechanical counterparts. Rapid change in digital technology prevents the accumulation of the kind of operating history that exists for analog and mechanical systems. Many unsafe behaviors of digital I&C systems do not relate to physical principles like those used to evaluate the safety and reliability of analog and mechanical systems; instead, malfunctions of DI&C systems more often arise from systemic causes associated with the characteristics of their design and development. These characteristics can also make verification of DI&C systems more difficult than for analog or mechanical systems. Furthermore, analog and mechanical systems have interconnections, dependencies, and interactions that are readily apparent to a reviewer as wires and pipes, whereas those of DI&C systems are less obvious. When unrecognized, these less obvious attributes can degrade the safety benefit presumed to come from redundant, independent, electrically isolated, and physically separated safety components. RIL-1101 addresses each of these considerations unique to DI&C systems.
Adopters of the hazard-analysis approach in RIL-1101 can apply it to an early-stage functional concept and iterate it on successive work products as development progresses. When the approach is applied, the resulting design criteria and design bases include constraints that avoid conditions contributing to hazards. Early identification of these avoidable contributory hazards, and of the constraints that eliminate them, drives downstream engineering to prevent later problems. Preventing problems earlier in the lifecycle improves lifecycle economics while increasing safety.

Contents (page numbers refer to the PDF)

EXECUTIVE SUMMARY .... i
1 INTRODUCTION .... 1
  1.1 Regulatory basis .... 1
  1.2 Work authorization .... 1
  1.3 Relationship with licensing experience .... 1
  1.4 Significance of the technical basis in licensing reviews .... 2
  1.5 Background .... 2
  1.6 Purpose and intended audience .... 3
  1.7 Scope .... 3
    1.7.1 Immediate scope limited to learning cycles .... 4
      1.7.1.1 Assumptions about areas not well understood .... 4
      1.7.1.2 Extrapolation from recent licensing experience .... 4
      1.7.1.3 Support for application-specific customization of SRP Chapter 7 .... 4
    1.7.2 Focus on evaluation rather than performance of hazard analysis .... 4
    1.7.3 Focus on licensing reviews of safety automation .... 5
    1.7.4 Focus on safety-related systems for NPPs .... 5
    1.7.5 Types of systems intended in scope .... 5
    1.7.6 Focus on contributory hazards rooted in systemic causes .... 5
    1.7.7 Scope excludes risk quantification .... 6
    1.7.8 Relation between hazard analysis and safety analysis .... 6
  1.8 Organization of RIL-1101 .... 8
2 CONSIDERATIONS IN EVALUATING HAZARD ANALYSIS .... 10
  2.1 Evaluation of Overall Hazard Analysis .... 11
    2.1.1 Considerations for hazards within the system being analyzed .... 15
    2.1.2 Considerations for hazards contributed through processes .... 15
  2.2 Evaluation of hazard analysis—organizational processes .... 19
  2.3 Evaluation of hazard analysis—technical processes .... 23
  2.4 Evaluation of Hazard Analysis—System Concept .... 25
    2.4.1 Hazards associated with the environment of the DI&C system .... 25
      2.4.1.1 Hazards related to interaction with plant processes .... 26
      2.4.1.2 Contributory hazards from NPP-wide I&C architecture .... 29
      2.4.1.3 Contributory hazards from human/machine interactions .... 30
    2.4.2 Contributory hazards in conceptual architecture .... 32
    2.4.3 Contributory hazards from conceptualization processes .... 32
  2.5 Evaluation of hazard analysis—Requirements .... 33
    2.5.1 System Requirements .... 33
      2.5.1.1 Quality requirements .... 33
      2.5.1.2 Contributory hazards through inadequate system requirements .... 37
      2.5.1.3 Contributory hazards from system-requirements engineering .... 42
    2.5.2 Software Requirements .... 44
      2.5.2.1 Contributory hazards in software requirements .... 45
      2.5.2.2 Contributory hazards from software-requirements engineering .... 45
  2.6 Evaluation of hazard analysis—Architecture .... 46
    2.6.1 Contributory hazards in system architecture .... 46
    2.6.2 Contributory hazards from system architectural engineering ....