ML20079H603

Summary of the Public Meeting to Discuss Comments Received from the Nuclear Industry and Members of the Public on the Draft Branch Technical Position 7-19, Revision 8, Held on February 11, 2020
Person / Time
Issue date: 03/19/2020
From: Tekia Govan
NRC/NRR/DRO/IRSB
To: Jeanne Johnston, Michael Waters
NRC/NRR/DEX/EICA, NRC/NRR/DEX/EICB
Govan T, NRR/DRO, 415-6197
References


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

March 19, 2020

MEMORANDUM TO: Jeanne D. Johnston, Chief
               Instrumentation and Controls Branch (A)
               Division of Engineering and External Hazards
               Office of Nuclear Reactor Regulation

               Michael D. Waters, Chief
               Instrumentation and Controls Branch (B)
               Division of Engineering and External Hazards
               Office of Nuclear Reactor Regulation

FROM:          Tekia V. Govan, Project Manager /RA/
               Oversight and Support Branch
               Division of Reactor Oversight
               Office of Nuclear Reactor Regulation

SUBJECT:       SUMMARY OF THE PUBLIC MEETING TO DISCUSS COMMENTS RECEIVED FROM THE NUCLEAR INDUSTRY AND MEMBERS OF THE PUBLIC ON THE DRAFT BRANCH TECHNICAL POSITION 7-19, REVISION 8, HELD ON FEBRUARY 11, 2020

On February 11, 2020, the U.S. Nuclear Regulatory Commission (NRC) staff held a meeting with members of the public and the Nuclear Energy Institute (NEI) to discuss proposed public comments on draft Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Common Cause Failure Hazards Due to Latent Software Defects in Digital Instrumentation and Control Systems," Revision 8 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19256B502). Specifically, this meeting had been requested by a member of the public and NEI to provide the NRC staff with clarification on comments that they will be submitting on the NRC docket in response to the solicitation of public comments on BTP 7-19. The effort to revise BTP 7-19 was discussed in the NRC's "Integrated Action Plan to Modernize Digital Instrumentation and Controls Regulatory Infrastructure," Revision 3, updated January 2019 (ADAMS Accession No. ML19025A312).

Prior to this meeting, comments on the draft BTP 7-19, Revision 8, were received from a member of the public (ADAMS Accession No. ML20037B054) and from NEI (ADAMS Accession No. ML20038A193). The staff reviewed this information and developed clarification questions regarding the comments, which were discussed during the meeting.

CONTACT: Tekia V. Govan, NRR/DRO (301) 415-6197

Meeting Summary

The NRC staff engaged in discussion to understand the comments raised by Nuclear Automation Engineering and by the industry, as described below. However, the NRC staff made no decisions and took no agency positions during this meeting.

Nuclear Automation Engineering (NAE) Comments

The meeting began with an open discussion on the BTP 7-19 comments provided by Mr. Ken Scarola of Nuclear Automation Engineering (ADAMS Accession No. ML20037B054). Of the 17 comments submitted, Mr. Scarola discussed the following comments to ensure that the NRC staff understood his concerns. The numbering of the comments below is consistent with the numbering of the comments submitted by Mr. Scarola, as recorded under the ADAMS Accession No. previously noted. Below is a summary of the comments.

1. Mr. Scarola commented that the draft BTP 7-19, Revision 8, appears to place undue emphasis on common-cause failure (CCF) due to a software defect, whereas it is equally important to emphasize other sources of CCF that apply to digital systems but did not apply to their analog predecessors. Mr. Scarola cited hardware design defects, such as the design defects identified in the Boeing 737 MAX Maneuvering Characteristics Augmentation System (MCAS) flight control design, as examples of this. It was pointed out that Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix A, "General Design Criteria for Nuclear Power Plants," Criteria 22, 24, 26, and 29 require consideration of systematic, non-random failures of redundant elements of reactor protection systems and reactivity control systems, and that these criteria were developed before the onset of digital technologies. Mr. Scarola suggested that the NRC staff consider changing the title of BTP 7-19 to "Guidance for Evaluation of CCFs in Digital Instrumentation and Control Systems," and that equal emphasis should be placed on software defects and on systematic and random hardware defects.

Focus on software defects downplays the importance of other types of failures

2. Mr. Scarola commented that there does not appear to be a technical or regulatory basis for the distinction in criteria proposed within the draft BTP 7-19 regarding the evaluation of plant impact due to Anticipated Operational Occurrences (AOOs) and Postulated Accidents (PAs) resulting from design defects, as described in Section 3.3 of the draft BTP 7-19 (i.e., the section describing how one could demonstrate that "Consequences of the CCF Hazard Are Acceptable"). Mr. Scarola noted that SECY-93-087 states that a CCF due to a design defect is a beyond-design-basis event. Therefore, there is no basis for making a distinction in the acceptance criteria for AOOs versus PAs; the same PA acceptance criteria should apply to both. He stated that if the NRC staff believes there is a licensing basis for different acceptance criteria for AOOs and PAs, or a justification for the analysis burden associated with precise offsite dose determination, then that basis or justification should be explained within BTP 7-19.

3. Mr. Scarola commented that BTP 7-19, Section 5, should distinguish between spurious operations caused by a single random hardware failure (which is expected to occur during the life of the plant and needs rigorous design process means applied to address it) and spurious operations caused by a single design defect (which is a rare event that is not expected to be triggered during the life of the plant). Mr. Scarola suggested that the NRC staff consider including the criterion that spurious operations due to hardware design defects may be treated the same as those due to software design defects, using best-estimate methods.

4. Mr. Scarola commented that while the quality development process of an A1 system or its components may be credited to reduce the likelihood of CCFs that could lead to spurious operation of a safety function, this would not be true for CCFs due to failure of a shared hardware resource, which is a random design basis event (DBE) that must be expected during the life of the plant and therefore must be analyzed conservatively. He suggested that the staff reconsider its proposed guidance in this area.

7. Mr. Scarola commented that BTP 7-19, Section B.3.1.1.b, refers to "adequate diversity" in several places but does not define "adequate." He suggested that adequate diversity could be defined as diversity sufficient to preclude concurrent triggers of a design defect, even if a common design defect coexists in the diverse portions of the system. He further suggested that to credit non-concurrent triggers, the failure must be self-announcing and quickly correctable prior to an expected need for the system. Criteria for precluding further consideration of CCFs when crediting adequate diversity could be based on criteria in the plant technical specifications regarding safety system operability when a safety system has multiple trains available. He stated that a triggered defect in one safety division may require plant shutdown with a relatively short completion time, but when the plant is shut down, the system may no longer be needed.

8. Mr. Scarola commented that the NRC staff should consider not removing certain acceptance criteria regarding partial CCFs that appeared in BTP 7-19, Revision 7, from the guidance document. He stated that partial CCFs are a valid concern, because digital systems can have a defect that is triggered in specific distributed component control processors but not triggered in system or train initiation processors. As an example, he described new reactor applications that employ diverse actuation systems (DAS), which may be designed to monitor selected engineered safety feature components to determine when DAS actuation is needed (i.e., when there is an actual CCF). In such cases, a partial CCF could prevent actuation of the DAS (or a specific DAS function) when it is needed.

9. Regarding the draft BTP 7-19 proposed categorization process based on safety significance, Mr. Scarola suggested that the NRC staff consider deleting the second paragraph of the description for categories B1 and B2, because there is no way of knowing whether a failure has consequences, or can be mitigated, until a formal assessment is completed.

15. Regarding the NRC staff's use of the word "hazard" throughout the document, Mr. Scarola commented that there is no value in using this word because all shared design and shared hardware resources must be evaluated to identify CCFs. Mr. Scarola asserted that if the CCF susceptibility evaluation demonstrates that a CCF from a shared resource will not be prevented, an additional plant-level evaluation is needed to determine whether there is a new unanalyzed plant condition, or whether the new plant condition is effectively mitigated. He suggested that the staff reconsider its use of the term "hazard" and reserve its use only for those CCFs that cannot be prevented.

16. Mr. Scarola suggested that the NRC staff provide clarification of its use of the phrase "errors in the higher-level requirements." He indicated that functional requirements for safety systems are not the subject of SECY-93-087; rather, it is focused on addressing new sources of CCF that apply to digital systems of advanced reactors and that would not have occurred with the use of older analog technologies. Functional requirements are already addressed through adherence to 10 CFR Part 50, Appendix A, General Design Criterion 22, modeling of safety system functions in the transient and accident analysis, and adherence to criteria in quality assurance programs.

NRC Presentation Regarding Proposed Revision 8 to BTP 7-19

The NRC staff presented an overview of the Commission's common cause failure (CCF) policy and discussed the proposed changes to BTP 7-19, Revision 8 (ADAMS Accession No. ML20038A314).

Nuclear Energy Institute (NEI) Comments

NEI presented a table of comments on BTP 7-19, identifying the areas to which each comment pertained and recommending how each comment could be resolved (ADAMS Accession No. ML20038A193). A summary of the discussion corresponding to each of NEI's comments is provided below.

1. NEI provided its perspectives regarding the statements within Institute of Electrical and Electronics Engineers (IEEE) Standard 603-1991 regarding conditions that could degrade the safety system and provisions that should be made so that the safety system can still perform its safety functions. Specifically, NEI stated that IEEE 603-1991, Clause 5.6.3, requires that safety systems be able to perform in the presence of the conditions identified in IEEE 603-1991, Clause 4.8. However, NEI stated that under IEEE 603-1991, Clause 4.8, what must be documented in the design basis is the set of hazardous conditions that (a) could degrade the safety system and (b) for which provisions are incorporated to retain the capability to perform the safety function. NEI noted that it is clear to them that the safety system does not have to prevent the hazardous conditions; rather, the safety system would be designed with provisions so that it will continue to perform the safety function in the presence of those conditions. NEI stated that statements within the draft BTP 7-19 require evaluations of conditions that might not be in the design basis. NEI recommended that the spurious operations guidance proposed for Revision 8 to BTP 7-19 be removed and placed in another NRC guidance document, because licensing basis evidence regarding spurious operations caused by a beyond-design-basis event (i.e., software CCF) is already a licensing basis requirement per IEEE 603-1991.

Further, NEI provided a table depicting how the NRC staff's guidance for spurious operations of digital instrumentation and control (I&C) equipment should be categorized into design basis and beyond design basis for safety-related and non-safety-related controls.

2. NEI suggested that the NRC staff consider modifying its proposed criteria for categorization of digital I&C equipment based on safety significance. NEI suggested that the categories A1, A2, B1, and B2 be clarified, at a minimum, to ensure predictable outcomes. In its comments, NEI provided recommended changes with two implementation options for the NRC staff to consider.

3. NEI suggested that the staff consider modifying the Background and Purpose sections regarding the definitions and use of software versus hardware CCFs. Specifically, NEI recommended that the scope of BTP 7-19 be limited to software CCF and that any discussion regarding hardware and/or system CCF be removed.

NEI recommended that BTP 7-19 be revised to specifically allow the previously accepted resolution of common-mode failures in the protection system affecting the response to large-break loss-of-coolant accidents (LOCAs) and main steam line breaks, based on the provision of primary and secondary coolant system leak detection and pre-defined operating procedures that together enable operators to detect small leaks and take corrective actions before a large break occurs. This mitigation strategy would be used in lieu of a more in-depth human factors evaluation of manual operator actions or the addition of diverse actuation features to address instantaneous double-ended guillotine breaks coincident with a postulated protection system CCF. In its meeting handout, and as discussed at the meeting, NEI also provided specific recommendations for wording changes to the draft BTP 7-19, Sections 8.2 and 8.6, regarding the need to document the basis for assumptions pertinent to the safety analysis for large-break LOCA events.

4. Quality of Non-Safety-Related Equipment. NEI had concerns with the following statement in draft BTP 7-19, Section B.3.2.1:

"For existing systems that are NSR [non-safety related], the quality of these systems should be similar to systems required by the ATWS rule (i.e., 10 CFR 50.62), as described in the enclosure of Generic Letter 85-06."

NEI stated that it believes the statement above represents a new requirement. In past cases, for example, feedwater systems have been used as a credited existing system, and they may not have similar quality characteristics. NEI recommended that the staff consider modifying the sentence to state:

"For existing systems that are NSR and not continuously operating, the reliability of these systems should be consistent with licensee design programs and processes."

Next Steps

The staff discussed the following next steps with meeting participants:

Public comments on the draft BTP 7-19, Revision 8, may be submitted using the Federal Rulemaking Website, https://www.regulations.gov, by searching for Docket ID NRC-2019-0253. Comments must be filed no later than March 16, 2020.

The NRC staff expects to brief the Subcommittee of the NRC's Advisory Committee on Reactor Safeguards (ACRS) on June 1, 2020. This will be followed by a briefing to the ACRS full committee in July 2020.

The final issuance of BTP 7-19, Revision 8, is expected in September 2020.

Conclusion

At the end of the meeting, NRC and industry management gave closing remarks. NEI and members of the public expressed appreciation for the open dialogue and the willingness of the NRC staff to hear varying views.

The enclosure provides the attendance list for this meeting.

Enclosure:

As stated

MLXXXXXXXXX

* via e-mail

OFFICE  NRR/DRO/IRSB/PM  NRR/DEX/EICB/TR  NRR/DRO/IRSB/LA  NRR/DEX/EICB/BC  NRR/DRO/IRSB/PM
NAME    TGovan           WMorton*         BCurran*         MWaters*         TGovan
DATE    03/04/2020       03/16/2020       03/05/2020       03/18/2020       03/19/2020

Enclosure

LIST OF ATTENDEES
PUBLIC MEETING TO DISCUSS COMMENTS RECEIVED FROM INDUSTRY AND MEMBERS OF THE PUBLIC ON THE REVISION TO BRANCH TECHNICAL POSITION 7-19
February 11, 2020, 10:30 AM to 4:00 PM
Teleconference

ATTENDEE / ORGANIZATION

1. Paul Rebstock NRC
2. Dinesh Taneja NRC
3. Norbert Carte NRC
4. Paul Kallan NRC
5. Sushil Birla NRC
6. David Desaulniers NRC
7. Dawnmathews Kalathiveettil NRC
8. Eric Benner NRC
9. Wendell Morton NRC
10. Tekia Govan NRC
11. Maxine Segarnick NRC
12. Bob Weisman NRC
13. Rossnyev Alvarado NRC
14. David Rahn NRC
15. Steve Vaughn NEI
16. Jana Bergman Curtiss-Wright
17. Kayla Gamin NRC
18. Bernie Dittman NRC
19. Neil Archambo Duke Energy
20. Steve Grier NEI
21. Gary Peters Framatome
22. Warren Odess-Gillett Westinghouse/NEI
23. Jack Zhao NRC
24. Mike Waters NRC

Participated via conference line:

25. Robert Armistead Member of the public
26. Brian Mount Dominion Energy
27. James Flowers Southern Nuclear
28. Ray Herb Southern Nuclear
29. Michael Bailey Bailey Engineering Services
30. Mark Burzynski Sunport/Rolls Royce
31. Don Chase Curtiss-Wright
32. Paul Felton Member of the public
33. John Connolly Exelon
34. Ken Scarola Nuclear Automation Engineering
35. William Freebairn S&P Global/Platts
36. Bill Roggenbrodt NRC
37. Ismael Garcia NRC
38. Frank Mascitelli Exelon
39. Jeanne Johnston NRC


40. Paul Phelps Dominion Energy
41. Jerry Mauck Consultant
42. Andy Nack Isotek/SNC Lavalin
43. Ted Quinn Technology Resources