OSTI.GOV, U.S. Department of Energy Office of Scientific and Technical Information

Title: An Integrated Risk Assessment Process for Digital Instrumentation and Control Upgrades of Nuclear Power Plants

Technical Report · DOI: https://doi.org/10.2172/1616252 · OSTI ID: 1616252

Most of the existing nuclear power plants (NPPs) in the world rely on traditional analog instrumentation and control (I&C) systems for monitoring, control, and protection functions. With the industrial base largely moving to digital systems, the operation and maintenance of plants involves managing issues such as a lack of needed analog spare parts, increasing maintenance costs, and the loss of vendor support. Compared with existing analog I&C systems, digital I&C systems have significant functional advantages, such as reliable system performance in terms of accuracy and computational capability, high data handling and storage capabilities to fully measure and display operating conditions, and improved capabilities (e.g., fault tolerance, self-testing, signal validation, process system diagnostics). Therefore, the U.S. nuclear power industry has initiated the replacement of existing, aging analog systems with digital I&C technology, and is developing new designs for advanced plants that use digital systems in integrated control rooms to provide modern control and protection systems. However, the qualification of digital I&C systems remains a challenge, especially the issue of software common cause failure (CCF), which has been difficult to address. A CCF is the malfunction of two or more plant components or functions due to a single failure source. CCFs have the potential to generate unanalyzed events or sequences that may not be bounded by previous plant accident analyses, and therefore to challenge plant safety. Existing CCF analyses for I&C systems focus mainly on hardware failures. With the application and upgrade of new digital I&C systems, software CCFs due to design flaws have become a potential threat to plant safety, since most redundancy designs use similar digital platforms or software in their operating and application systems.
With complex multi-layer redundancy designs to meet the single failure criterion, these I&C safety systems are of particular concern in the U.S. Nuclear Regulatory Commission (NRC) licensing procedures. Therefore, there is a need to develop an integrated risk assessment strategy that considers digital CCF and plant transient responses, in order to assure the long-term safety and reliability of vital digital systems, reduce uncertainties in costs and time, and support the integration of digital systems in the plant. The overall goal of this project is to deliver a strong technical basis to support effective, licensable, and secure digital I&C technologies for digital upgrades to existing NPPs. To address the expensive licensing justifications that regulatory insights require, this technical basis is intended to guide nuclear vendors and utilities in lowering the costs associated with digital compliance and speeding up industry advances by: (1) defining an integrated risk-informed analysis process for digital I&C upgrades, including hazard analysis, reliability analysis, and consequence analysis; (2) applying systematic and risk-informed tools to address CCFs and quantify the corresponding failure probabilities for digital I&C technologies; (3) evaluating the impact of digital failures at the individual level, system level, and plant level; and (4) providing insights and suggestions on designs to manage the risks, thereby supporting the development, licensing, and deployment of advanced digital I&C technologies at NPPs. Upgrading digital I&C (safety and non-safety related) systems in existing NPPs in a cost-effective and regulatorily acceptable way offers the foremost means of performance improvement and cost reduction for existing NPPs. One key outcome of this project is to perform plant-specific risk assessment to provide sustainable scientific support for enabling industry to balance digital-related risks, costs, reliability, and safety.
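The abstract's central point is that redundancy built to satisfy the single failure criterion does not protect against a software CCF when every channel runs the same platform. The following added example (not code from the report or from INL) makes that quantitative with a deliberately simple model: each channel fails independently with probability q per demand, and a shared software flaw, with an assumed probability q_ccf per demand, fails all channels at once. The 2-out-of-4 arrangement and all numeric values are constructed for illustration.

```python
from math import comb


def k_of_n_failure(n: int, k: int, q: float) -> float:
    """Probability that fewer than k of n identical channels work,
    with each channel failing independently with probability q.
    This is the failure probability of a k-out-of-n voting design
    whose channels share no common failure source."""
    # The system fails once at least n-k+1 channels have failed.
    return sum(comb(n, j) * q ** j * (1 - q) ** (n - j)
               for j in range(n - k + 1, n + 1))


def failure_with_ccf(n: int, k: int, q: float, q_ccf: float) -> float:
    """Same k-out-of-n design, but the channels run the same software.
    A single design flaw (assumed probability q_ccf per demand) is
    modelled as failing every channel simultaneously, i.e. a software
    CCF; otherwise the channels fail independently as above."""
    return q_ccf + (1 - q_ccf) * k_of_n_failure(n, k, q)


def ccf_dominance(n: int, k: int, q: float, q_ccf: float) -> float:
    """How many times larger the system failure probability becomes
    once the shared-software CCF term is included."""
    return failure_with_ccf(n, k, q, q_ccf) / k_of_n_failure(n, k, q)


if __name__ == "__main__":
    # Constructed values: 2-out-of-4 protection channels, channel
    # failure-on-demand 1e-3, assumed software CCF 1e-4 per demand.
    n, k, q, q_ccf = 4, 2, 1e-3, 1e-4
    print(f"independent channels only: {k_of_n_failure(n, k, q):.3e}")
    print(f"with shared-software CCF:  {failure_with_ccf(n, k, q, q_ccf):.3e}")
    print(f"CCF term dominates by a factor of {ccf_dominance(n, k, q, q_ccf):.0f}")
```

With these inputs the independent-failure term is about 4e-9 while the shared-software term is 1e-4, so the redundant design's risk is set almost entirely by the software CCF, which is why the report treats it separately from hardware CCF.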

Research Organization:
Idaho National Lab. (INL), Idaho Falls, ID (United States)
Sponsoring Organization:
USDOE Office of Nuclear Energy (NE)
DOE Contract Number:
AC07-05ID14517
OSTI ID:
1616252
Report Number(s):
INL/EXT-19-55219-Rev000; TRN: US2104791
Country of Publication:
United States
Language:
English