Nuclear Facility Safety Design

Questions and Answers

PDF Questions PDF Answers

What is a common cause failure (CCF) in DI&C systems?

A failure of a single system due to a unique design defect.

A failure of multiple systems due to a shared cause. (correct)

A simultaneous failure of multiple identical systems due to random errors.

A failure of a system due to external stress or plant conditions.

Why are DI&C systems vulnerable to common cause failures?

Due to latent design defects in active hardware components, software, or software-based logic. (correct)

Due to the lack of redundant systems in DI&C design.

Due to the lack of traditional design-basis development, verification, validation, and testing processes.

Due to the use of analog components.

What can trigger latent design defects in DI&C systems?

The lack of redundant systems.

Certain events, unexpected external stresses, or plant conditions. (correct)

The use of analog components.

Regular maintenance and testing.

What is the purpose of considering concurrent failures of redundant elements in the design of protection systems and reactivity control systems?

To identify potential vulnerabilities in the design.

What is a benefit of using DI&C systems in nuclear power plants?

Significant operational and maintenance benefits.

What is the term 'software' referred to in the context of DI&C systems?

Software, firmware, and logic developed from software-based development systems.

Why are licensed facilities considered to have sufficient design features to address common cause failures?

Because they have sufficient design features to address CCFs associated with their specific designs and equipment.

What is the purpose of considering the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of protection systems and reactivity control systems?

To identify potential vulnerabilities in the design.

What should the reviewer consider when evaluating a CCF of an interconnected DI&C system or platform?

Spurious operations that would have unacceptable consequences

What type of spurious operations are addressed within the design basis?

Those resulting from single failures and single malfunctions

What is an important distinction between spurious operation and loss of function resulting from CCF?

Spurious operation is considered an initiating event only, without a concurrent DBE

What method(s) can be used to eliminate a potential CCF from further consideration in a D3 assessment?

All of the above

What type of failures are addressed within the design basis?

Single failures and single malfunctions

What is the purpose of evaluating spurious operation in a D3 assessment?

To identify potential CCF

What is a potential vulnerability to be addressed in the application?

The level of interconnection between safety systems and other systems

What is a regulatory requirement that addresses spurious operations?

All of the above

What is one of the two general causes of CCF vulnerabilities in DI&C systems?

Errors introduced by the system hardware or software design

What can be used in conjunction with a robust development process to correct potential design errors?

Both A and B

What is a purpose of testing in the design process?

To identify latent design defects

What should the reviewer determine when evaluating the testing of a proposed DI&C system?

Whether all latent design defects have been identified and corrected

What should the applicant use to demonstrate that identified latent design defects have been corrected?

Testing results

What should the reviewer consider when evaluating the testing methodology used by the applicant?

Case-by-case basis

What is the purpose of the acceptance criteria for use of testing?

To eliminate the potential CCF from further consideration

What is the goal of using thorough system analysis and robust development process in the design of DI&C systems?

To correct many potential design errors in the requirements or specifications

Study Notes

Consideration of Common-Cause Failures

• Licensed facilities are expected to have sufficient design features to address common-cause failures (CCFs) associated with their specific designs and equipment.
• The use of different designs, equipment, or technology may require additional design features to address specific vulnerabilities.

DI&C Systems

• DI&C systems consist of both hardware components and logic elements (e.g., software).
• Hardware components in DI&C systems are susceptible to failures similar to those considered for analog systems.
• Software refers to software, firmware, and logic developed from software-based development systems.
• DI&C systems may be vulnerable to CCFs due to latent design defects in active hardware components, software, or software-based logic.

Common-Cause Failures

• A CCF occurs when multiple (usually identical) systems fail due to a shared cause.
• Latent design defects in the design of a DI&C system can remain undetected despite traditional design-basis development, verification, validation, and testing processes.
• Certain events, unexpected external stresses, or plant conditions can trigger latent design defects within redundant portions of a system designed to perform safety functions.

Reviewer's Considerations

• The reviewer should consider whether a CCF of an interconnected DI&C system or platform could result in a spurious operation that would have unacceptable consequences.
• The reviewer should also consider the level of interconnection between a safety system and other systems as a potential vulnerability to be addressed in the application.

Spurious Operations

• Spurious operations addressed "within the design basis" include spurious operations resulting from single failures (including cascading effects) or single malfunctions.
• Consistent with regulatory requirements, spurious operations resulting from single failures and single malfunctions are expected during the lifetime of the plant and are addressed as part of the design basis.

The NRC Staff's Evaluation of Spurious Operation

• The reviewer should consider whether the D3 assessment addresses spurious operation resulting from CCF along with loss of function resulting from CCF.
• One important distinction between these two events is that, unlike loss of function, spurious operation is considered an initiating event only, without a concurrent DBE for the purposes of this assessment.

Means to Eliminate the Potential for Common-Cause Failures

• In a D3 assessment, the following methods can be used to eliminate a potential CCF from further consideration: demonstration of adequate diversity within the DI&C system, testing, and alternative approaches within the application.
• Thorough testing can help to identify latent design defects in DI&C systems, provided the design is simple enough to allow such testing.

Use of Testing to Eliminate the Potential for Common-Cause Failures

• CCF vulnerabilities in DI&C systems have two general causes: errors introduced by the system hardware or software design, and errors or defects introduced during the development of the software, hardware, or software-based logic.
• Testing can be used to uncover latent design defects for correction in the design process and to demonstrate that any identified latent design defects have been corrected.
• The reviewer should determine whether testing of the proposed DI&C system shows that all latent design defects have been identified and corrected, so that the system will function as specified under the AOOs.

Description

Safety considerations for designing nuclear facilities, including concurrent failures and protection systems.